Ubuntu
socat package

Merge lp:~ubuntu-branches/ubuntu/quantal/socat/quantal-201207210015 into lp:ubuntu/quantal/socat

  1. Quantal (12.10)
  2. quantal-201207210015
  3. Merge into quantal
Proposed by Ubuntu Package Importer
Status: Rejected
Rejected by: James Westby
Proposed branch: lp:~ubuntu-branches/ubuntu/quantal/socat/quantal-201207210015
Merge into: lp:ubuntu/quantal/socat
Diff against target: 27502 lines (+27415/-0) (has conflicts)
15 files modified
.pc/fix-segfault-xio-gopen.patch/xio-gopen.c (+123/-0)
.pc/socat-opensslcompress.patch/sslcls.c (+320/-0)
.pc/socat-opensslcompress.patch/sslcls.h (+104/-0)
.pc/socat-opensslcompress.patch/xio-openssl.c (+1229/-0)
.pc/socat-opensslcompress2.patch/doc/socat.yo (+3501/-0)
.pc/socat-opensslcompress2.patch/doc/xio.help (+4959/-0)
.pc/socat-opensslcompress2.patch/test.sh (+10369/-0)
.pc/socat-opensslcompress2.patch/xio-openssl.c (+1157/-0)
.pc/socat-opensslcompress2.patch/xio-openssl.h (+52/-0)
.pc/socat-opensslcompress2.patch/xioopts.c (+4166/-0)
.pc/socat-opensslcompress2.patch/xioopts.h (+987/-0)
debian/patches/fix-segfault-xio-gopen.patch (+18/-0)
debian/patches/socat-opensslcompress.patch (+128/-0)
debian/patches/socat-opensslcompress2.patch (+291/-0)
xio-gopen.c.rej (+11/-0)
Conflict adding file .pc/fix-segfault-xio-gopen.patch.  Moved existing file to .pc/fix-segfault-xio-gopen.patch.moved.
Conflict adding file .pc/socat-opensslcompress.patch.  Moved existing file to .pc/socat-opensslcompress.patch.moved.
Conflict adding file .pc/socat-opensslcompress2.patch.  Moved existing file to .pc/socat-opensslcompress2.patch.moved.
Conflict adding file debian/patches/fix-segfault-xio-gopen.patch.  Moved existing file to debian/patches/fix-segfault-xio-gopen.patch.moved.
Conflict adding file debian/patches/socat-opensslcompress.patch.  Moved existing file to debian/patches/socat-opensslcompress.patch.moved.
Conflict adding file debian/patches/socat-opensslcompress2.patch.  Moved existing file to debian/patches/socat-opensslcompress2.patch.moved.
To merge this branch: bzr merge lp:~ubuntu-branches/ubuntu/quantal/socat/quantal-201207210015
Reviewer Review Type Date Requested Status
Ubuntu branches Pending
Review via email: mp+116100@code.launchpad.net

Description of the change

The package importer has detected a possible inconsistency between the package history in the archive and the history in bzr. As the archive is authoritative the importer has made lp:ubuntu/quantal/socat reflect what is in the archive and the old bzr branch has been pushed to lp:~ubuntu-branches/ubuntu/quantal/socat/quantal-201207210015. This merge proposal was created so that an Ubuntu developer can review the situations and perform a merge/upload if necessary. There are three typical cases where this can happen.
  1. Where someone pushes a change to bzr and someone else uploads the package without that change. This is the reason that this check is done by the importer. If this appears to be the case then a merge/upload should be done if the changes that were in bzr are still desirable.
  2. The importer incorrectly detected the above situation when someone made a change in bzr and then uploaded it.
  3. The importer incorrectly detected the above situation when someone just uploaded a package and didn't touch bzr.

If this case doesn't appear to be the first situation then set the status of the merge proposal to "Rejected" and help avoid the problem in future by filing a bug at https://bugs.launchpad.net/udd linking to this merge proposal.

(this is an automatically generated message)

To post a comment you must log in.

Unmerged revisions

18. By Clint Byrum

releasing version 1.7.1.3-1.4ubuntu1

17. By Clint Byrum

d/patches/fix-segfault-xio-gopen.patch: Applying patch to prevent
segfaults. (LP: #481776) This is also included in socat 2.0.

16. By Clint Byrum

d/patches/socat-opensslcompress*.patch: Add OpenSSL compression
patches from upstream. (LP: #745603) These are included in 2.0 so
these patches can be dropped when it is synced from Debian.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== added directory '.pc/fix-segfault-xio-gopen.patch'
2=== renamed directory '.pc/fix-segfault-xio-gopen.patch' => '.pc/fix-segfault-xio-gopen.patch.moved'
3=== added file '.pc/fix-segfault-xio-gopen.patch/.timestamp'
4=== added file '.pc/fix-segfault-xio-gopen.patch/xio-gopen.c'
5--- .pc/fix-segfault-xio-gopen.patch/xio-gopen.c 1970-01-01 00:00:00 +0000
6+++ .pc/fix-segfault-xio-gopen.patch/xio-gopen.c 2012-07-21 00:23:19 +0000
7@@ -0,0 +1,123 @@
8+/* source: xio-gopen.c */
9+/* Copyright Gerhard Rieger 2001-2008 */
10+/* Published under the GNU General Public License V.2, see file COPYING */
11+
12+/* this file contains the source for opening addresses of generic open type */
13+
14+#include "xiosysincludes.h"
15+#include "xioopen.h"
16+
17+#include "xio-named.h"
18+#include "xio-unix.h"
19+#include "xio-gopen.h"
20+
21+
22+#if WITH_GOPEN
23+
24+static int xioopen_gopen(int argc, const char *argv[], struct opt *opts, int xioflags, xiofile_t *fd, unsigned groups, int dummy1, int dummy2, int dummy3);
25+
26+
27+const struct addrdesc addr_gopen = { "gopen", 3, xioopen_gopen, GROUP_FD|GROUP_FIFO|GROUP_CHR|GROUP_BLK|GROUP_REG|GROUP_NAMED|GROUP_OPEN|GROUP_FILE|GROUP_TERMIOS|GROUP_SOCKET|GROUP_SOCK_UNIX, 0, 0, 0 HELP(":<filename>") };
28+
29+static int xioopen_gopen(int argc, const char *argv[], struct opt *opts, int xioflags, xiofile_t *fd, unsigned groups, int dummy1, int dummy2, int dummy3) {
30+ const char *filename = argv[1];
31+ flags_t openflags = (xioflags & XIO_ACCMODE);
32+ mode_t st_mode;
33+ bool exists;
34+ bool opt_unlink_close = false;
35+ int result;
36+
37+ if ((result =
38+ _xioopen_named_early(argc, argv, fd, GROUP_NAMED|groups, &exists, opts)) < 0) {
39+ return result;
40+ }
41+ st_mode = result;
42+
43+ if (exists) {
44+ /* file (or at least named entry) exists */
45+ if ((xioflags&XIO_ACCMODE) != XIO_RDONLY) {
46+ openflags |= O_APPEND;
47+ }
48+ } else {
49+ openflags |= O_CREAT;
50+ }
51+
52+ /* note: when S_ISSOCK was undefined, it always gives 0 */
53+ if (exists && S_ISSOCK(st_mode)) {
54+#if WITH_UNIX
55+ union sockaddr_union us;
56+ socklen_t uslen;
57+ char infobuff[256];
58+
59+ Info1("\"%s\" is a socket, connecting to it", filename);
60+
61+ result =
62+ _xioopen_unix_client(&fd->stream, xioflags, groups, 0, opts, filename);
63+ if (result < 0) {
64+ return result;
65+ }
66+ applyopts_named(filename, opts, PH_PASTOPEN); /* unlink-late */
67+
68+ if (Getsockname(fd->stream.fd, (struct sockaddr *)&us, &uslen) < 0) {
69+ Warn4("getsockname(%d, %p, {%d}): %s",
70+ fd->stream.fd, &us, uslen, strerror(errno));
71+ } else {
72+ Notice1("successfully connected via %s",
73+ sockaddr_unix_info(&us.un, uslen,
74+ infobuff, sizeof(infobuff)));
75+ }
76+#else
77+ Error("\"%s\" is a socket, but UNIX socket support is not compiled in");
78+ return -1;
79+#endif /* WITH_UNIX */
80+
81+ } else {
82+ /* a file name */
83+
84+ Info1("\"%s\" is not a socket, open()'ing it", filename);
85+
86+ retropt_bool(opts, OPT_UNLINK_CLOSE, &opt_unlink_close);
87+ if (opt_unlink_close) {
88+ if ((fd->stream.unlink_close = strdup(filename)) == NULL) {
89+ Error1("strdup(\"%s\"): out of memory", filename);
90+ }
91+ fd->stream.opt_unlink_close = true;
92+ }
93+
94+ Notice3("opening %s \"%s\" for %s",
95+ filetypenames[(st_mode&S_IFMT)>>12], filename, ddirection[(xioflags&XIO_ACCMODE)]);
96+ if ((result = _xioopen_open(filename, openflags, opts)) < 0)
97+ return result;
98+#ifdef I_PUSH
99+ if (S_ISCHR(st_mode)) {
100+ Ioctl(result, I_PUSH, "ptem");
101+ Ioctl(result, I_PUSH, "ldterm");
102+ Ioctl(result, I_PUSH, "ttcompat");
103+ }
104+#endif
105+ fd->stream.fd = result;
106+
107+#if WITH_TERMIOS
108+ if (Isatty(fd->stream.fd)) {
109+ if (Tcgetattr(fd->stream.fd, &fd->stream.savetty) < 0) {
110+ Warn2("cannot query current terminal settings on fd %d: %s",
111+ fd->stream.fd, strerror(errno));
112+ } else {
113+ fd->stream.ttyvalid = true;
114+ }
115+ }
116+#endif /* WITH_TERMIOS */
117+ applyopts_named(filename, opts, PH_FD);
118+ applyopts(fd->stream.fd, opts, PH_FD);
119+ applyopts_cloexec(fd->stream.fd, opts);
120+ }
121+
122+ if ((result = applyopts2(fd->stream.fd, opts, PH_PASTSOCKET, PH_CONNECTED)) < 0)
123+ return result;
124+
125+ if ((result = _xio_openlate(&fd->stream, opts)) < 0)
126+ return result;
127+ return 0;
128+}
129+
130+#endif /* WITH_GOPEN */
131
132=== added directory '.pc/socat-opensslcompress.patch'
133=== renamed directory '.pc/socat-opensslcompress.patch' => '.pc/socat-opensslcompress.patch.moved'
134=== added file '.pc/socat-opensslcompress.patch/.timestamp'
135=== added file '.pc/socat-opensslcompress.patch/sslcls.c'
136--- .pc/socat-opensslcompress.patch/sslcls.c 1970-01-01 00:00:00 +0000
137+++ .pc/socat-opensslcompress.patch/sslcls.c 2012-07-21 00:23:19 +0000
138@@ -0,0 +1,320 @@
139+/* source: sslcls.c */
140+/* Copyright Gerhard Rieger 2001-2007 */
141+/* Published under the GNU General Public License V.2, see file COPYING */
142+
143+/* explicit system call and C library trace function, for those who miss strace
144+ */
145+
146+#include "config.h"
147+#include "xioconfig.h" /* what features are enabled */
148+
149+#if WITH_SYCLS && WITH_OPENSSL
150+
151+#include "sysincludes.h"
152+
153+#include "mytypes.h"
154+#include "compat.h"
155+#include "errno.h"
156+
157+#include "error.h"
158+#include "filan.h"
159+#include "sysutils.h"
160+#include "sycls.h"
161+
162+void sycSSL_load_error_strings(void) {
163+ Debug("SSL_load_error_strings()");
164+ SSL_load_error_strings();
165+ Debug("SSL_load_error_strings() ->");
166+}
167+
168+int sycSSL_library_init(void) {
169+ int result;
170+ Debug("SSL_library_init()");
171+ result = SSL_library_init();
172+ Debug1("SSL_library_init() -> %d", result);
173+ return result;
174+}
175+
176+#ifndef OPENSSL_NO_SSL2
177+SSL_METHOD *sycSSLv2_client_method(void) {
178+ SSL_METHOD *result;
179+ Debug("SSLv2_client_method()");
180+ result = SSLv2_client_method();
181+ Debug1("SSLv2_client_method() -> %p", result);
182+ return result;
183+}
184+
185+SSL_METHOD *sycSSLv2_server_method(void) {
186+ SSL_METHOD *result;
187+ Debug("SSLv2_server_method()");
188+ result = SSLv2_server_method();
189+ Debug1("SSLv2_server_method() -> %p", result);
190+ return result;
191+}
192+#endif
193+
194+SSL_METHOD *sycSSLv3_client_method(void) {
195+ SSL_METHOD *result;
196+ Debug("SSLv3_client_method()");
197+ result = SSLv3_client_method();
198+ Debug1("SSLv3_client_method() -> %p", result);
199+ return result;
200+}
201+
202+SSL_METHOD *sycSSLv3_server_method(void) {
203+ SSL_METHOD *result;
204+ Debug("SSLv3_server_method()");
205+ result = SSLv3_server_method();
206+ Debug1("SSLv3_server_method() -> %p", result);
207+ return result;
208+}
209+
210+SSL_METHOD *sycSSLv23_client_method(void) {
211+ SSL_METHOD *result;
212+ Debug("SSLv23_client_method()");
213+ result = SSLv23_client_method();
214+ Debug1("SSLv23_client_method() -> %p", result);
215+ return result;
216+}
217+
218+SSL_METHOD *sycSSLv23_server_method(void) {
219+ SSL_METHOD *result;
220+ Debug("SSLv23_server_method()");
221+ result = SSLv23_server_method();
222+ Debug1("SSLv23_server_method() -> %p", result);
223+ return result;
224+}
225+
226+SSL_METHOD *sycTLSv1_client_method(void) {
227+ SSL_METHOD *result;
228+ Debug("TLSv1_client_method()");
229+ result = TLSv1_client_method();
230+ Debug1("TLSv1_client_method() -> %p", result);
231+ return result;
232+}
233+
234+SSL_METHOD *sycTLSv1_server_method(void) {
235+ SSL_METHOD *result;
236+ Debug("TLSv1_server_method()");
237+ result = TLSv1_server_method();
238+ Debug1("TLSv1_server_method() -> %p", result);
239+ return result;
240+}
241+
242+SSL_CTX *sycSSL_CTX_new(SSL_METHOD *method) {
243+ SSL_CTX *result;
244+ Debug1("SSL_CTX_new(%p)", method);
245+ result = SSL_CTX_new(method);
246+ Debug1("SSL_CTX_new() -> %p", result);
247+ return result;
248+}
249+
250+SSL *sycSSL_new(SSL_CTX *ctx) {
251+ SSL *result;
252+ Debug1("SSL_new(%p)", ctx);
253+ result = SSL_new(ctx);
254+ Debug1("SSL_new() -> %p", result);
255+ return result;
256+}
257+
258+int sycSSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
259+ const char *CApath) {
260+ int result;
261+ Debug7("SSL_CTX_load_verify_locations(%p, %s%s%s, %s%s%s)", ctx,
262+ CAfile?"\"":"", CAfile?CAfile:NULL, CAfile?"\"":"",
263+ CApath?"\"":"", CApath?CApath:NULL, CApath?"\"":"");
264+ result = SSL_CTX_load_verify_locations(ctx, CAfile, CApath);
265+ Debug1("SSL_CTX_load_verify_locations() -> %d", result);
266+ return result;
267+}
268+
269+int sycSSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) {
270+ int result;
271+ Debug3("SSL_CTX_use_certificate_file(%p, \"%s\", %d)", ctx, file, type);
272+ result = SSL_CTX_use_certificate_file(ctx, file, type);
273+ Debug1("SSL_CTX_use_certificate_file() -> %d", result);
274+ return result;
275+}
276+
277+int sycSSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
278+ int result;
279+ Debug2("SSL_CTX_use_certificate_chain_file(%p, \"%s\")", ctx, file);
280+ result = SSL_CTX_use_certificate_chain_file(ctx, file);
281+ Debug1("SSL_CTX_use_certificate_chain_file() -> %d", result);
282+ return result;
283+}
284+
285+int sycSSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) {
286+ int result;
287+ Debug3("SSL_CTX_use_PrivateKey_file(%p, \"%s\", %d)", ctx, file, type);
288+ result = SSL_CTX_use_PrivateKey_file(ctx, file, type);
289+ Debug1("SSL_CTX_use_PrivateKey_file() -> %d", result);
290+ return result;
291+}
292+
293+void sycSSL_CTX_set_verify(SSL_CTX *ctx, int mode,
294+ int (*verify_callback)(int, X509_STORE_CTX *)) {
295+ Debug3("SSL_CTX_set_verify(%p, %u, %p)", ctx, mode, verify_callback);
296+ SSL_CTX_set_verify(ctx, mode, verify_callback);
297+ Debug("SSL_CTX_set_verify() -> ");
298+}
299+
300+int sycSSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
301+ int result;
302+ Debug2("SSL_CTX_set_cipher_list(%p, \"%s\")", ctx, str);
303+ result = SSL_CTX_set_cipher_list(ctx, str);
304+ Debug1("SSL_CTX_set_cipher_list() -> %d", result);
305+ return result;
306+}
307+
308+int sycSSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) {
309+ int result;
310+ Debug2("SSL_CTX_set_tmp_dh(%p, %p)", ctx, dh);
311+ result = SSL_CTX_set_tmp_dh(ctx, dh);
312+ Debug1("SSL_CTX_set_tmp_dh() -> %d", result);
313+ return result;
314+}
315+
316+int sycSSL_set_cipher_list(SSL *ssl, const char *str) {
317+ int result;
318+ Debug2("SSL_set_cipher_list(%p, \"%s\")", ssl, str);
319+ result = SSL_set_cipher_list(ssl, str);
320+ Debug1("SSL_set_cipher_list() -> %d", result);
321+ return result;
322+}
323+
324+long sycSSL_get_verify_result(SSL *ssl) {
325+ long result;
326+ Debug1("SSL_get_verify_result(%p)", ssl);
327+ result = SSL_get_verify_result(ssl);
328+ Debug1("SSL_get_verify_result() -> %lx", result);
329+ return result;
330+}
331+
332+int sycSSL_set_fd(SSL *ssl, int fd) {
333+ int result;
334+ Debug2("SSL_set_fd(%p, %d)", ssl, fd);
335+ result = SSL_set_fd(ssl, fd);
336+ Debug1("SSL_set_fd() -> %d", result);
337+ return result;
338+}
339+
340+int sycSSL_connect(SSL *ssl) {
341+ int result;
342+ Debug1("SSL_connect(%p)", ssl);
343+ result = SSL_connect(ssl);
344+ Debug1("SSL_connect() -> %d", result);
345+ return result;
346+}
347+
348+int sycSSL_accept(SSL *ssl) {
349+ int result;
350+ Debug1("SSL_accept(%p)", ssl);
351+ result = SSL_accept(ssl);
352+ Debug1("SSL_accept() -> %d", result);
353+ return result;
354+}
355+
356+int sycSSL_read(SSL *ssl, void *buf, int num) {
357+ int result;
358+ Debug3("SSL_read(%p, %p, %d)", ssl, buf, num);
359+ result = SSL_read(ssl, buf, num);
360+ Debug1("SSL_read() -> %d", result);
361+ return result;
362+}
363+
364+int sycSSL_pending(SSL *ssl) {
365+ int result;
366+ Debug1("SSL_pending(%p)", ssl);
367+ result = SSL_pending(ssl);
368+ Debug1("SSL_pending() -> %d", result);
369+ return result;
370+}
371+
372+int sycSSL_write(SSL *ssl, const void *buf, int num) {
373+ int result;
374+ Debug3("SSL_write(%p, %p, %d)", ssl, buf, num);
375+ result = SSL_write(ssl, buf, num);
376+ Debug1("SSL_write() -> %d", result);
377+ return result;
378+}
379+
380+X509 *sycSSL_get_peer_certificate(SSL *ssl) {
381+ X509 *result;
382+ Debug1("SSL_get_peer_certificate(%p)", ssl);
383+ result = SSL_get_peer_certificate(ssl);
384+ if (result) {
385+ Debug1("SSL_get_peer_certificate() -> %p", result);
386+ } else {
387+ Debug("SSL_get_peer_certificate() -> NULL");
388+ }
389+ return result;
390+}
391+
392+int sycSSL_shutdown(SSL *ssl) {
393+ int result;
394+ Debug1("SSL_shutdown(%p)", ssl);
395+ result = SSL_shutdown(ssl);
396+ Debug1("SSL_shutdown() -> %d", result);
397+ return result;
398+}
399+
400+void sycSSL_CTX_free(SSL_CTX *ctx) {
401+ Debug1("SSL_CTX_free(%p)", ctx);
402+ SSL_CTX_free(ctx);
403+ Debug("SSL_CTX_free() -> void");
404+ return;
405+}
406+
407+void sycSSL_free(SSL *ssl) {
408+ Debug1("SSL_free(%p)", ssl);
409+ SSL_free(ssl);
410+ Debug("SSL_free() -> void");
411+ return;
412+}
413+
414+int sycRAND_egd(const char *path) {
415+ int result;
416+ Debug1("RAND_egd(\"%s\")", path);
417+ result = RAND_egd(path);
418+ Debug1("RAND_egd() -> %d", result);
419+ return result;
420+}
421+
422+DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) {
423+ DH *result;
424+ Debug4("PEM_read_bio_DHparams(%p, %p, %p, %p)",
425+ bp, x, cb, u);
426+ result = PEM_read_bio_DHparams(bp, x, cb, u);
427+ if (result) {
428+ /*Debug2("PEM_read_bio_DHparams(, {%p},,) -> %p", *x, result);*/
429+ Debug1("PEM_read_bio_DHparams() -> %p", result);
430+ } else {
431+ Debug("PEM_read_bio_DHparams() -> NULL");
432+ }
433+ return result;
434+}
435+
436+BIO *sycBIO_new_file(const char *filename, const char *mode) {
437+ BIO *result;
438+ Debug2("BIO_new_file(\"%s\", \"%s\")", filename, mode);
439+ result = BIO_new_file(filename, mode);
440+ if (result) {
441+ Debug1("BIO_new_file() -> %p", result);
442+ } else {
443+ Debug("BIO_new_file() -> NULL");
444+ }
445+ return result;
446+}
447+
448+#if WITH_FIPS
449+int sycFIPS_mode_set(int onoff) {
450+ int result;
451+ Debug1("FIPS_mode_set(%d)", onoff);
452+ result = FIPS_mode_set(onoff);
453+ Debug1("FIPS_mode_set() -> %d", result);
454+ return result;
455+}
456+#endif /* WITH_FIPS */
457+
458+#endif /* WITH_SYCLS && WITH_OPENSSL */
459
460=== added file '.pc/socat-opensslcompress.patch/sslcls.h'
461--- .pc/socat-opensslcompress.patch/sslcls.h 1970-01-01 00:00:00 +0000
462+++ .pc/socat-opensslcompress.patch/sslcls.h 2012-07-21 00:23:19 +0000
463@@ -0,0 +1,104 @@
464+/* source: sslcls.h */
465+/* Copyright Gerhard Rieger 2001-2007 */
466+/* Published under the GNU General Public License V.2, see file COPYING */
467+
468+#ifndef __sslcls_h_included
469+#define __sslcls_h_included 1
470+
471+#if WITH_SYCLS
472+#if WITH_OPENSSL
473+
474+void sycSSL_load_error_strings(void);
475+int sycSSL_library_init(void);
476+#ifndef OPENSSL_NO_SSL2
477+SSL_METHOD *sycSSLv2_client_method(void);
478+SSL_METHOD *sycSSLv2_server_method(void);
479+#endif
480+SSL_METHOD *sycSSLv3_client_method(void);
481+SSL_METHOD *sycSSLv3_server_method(void);
482+SSL_METHOD *sycSSLv23_client_method(void);
483+SSL_METHOD *sycSSLv23_server_method(void);
484+SSL_METHOD *sycTLSv1_client_method(void);
485+SSL_METHOD *sycTLSv1_server_method(void);
486+SSL_CTX *sycSSL_CTX_new(SSL_METHOD *method);
487+SSL *sycSSL_new(SSL_CTX *ctx);
488+int sycSSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
489+ const char *CApath);
490+int sycSSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
491+int sycSSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
492+int sycSSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
493+void sycSSL_CTX_set_verify(SSL_CTX *ctx, int mode,
494+ int (*verify_callback)(int, X509_STORE_CTX *));
495+int sycSSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh);
496+int sycSSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
497+int sycSSL_set_cipher_list(SSL *ssl, const char *str);
498+long sycSSL_get_verify_result(SSL *ssl);
499+int sycSSL_set_fd(SSL *ssl, int fd);
500+int sycSSL_connect(SSL *ssl);
501+int sycSSL_accept(SSL *ssl);
502+int sycSSL_read(SSL *ssl, void *buf, int num);
503+int sycSSL_pending(SSL *ssl);
504+int sycSSL_write(SSL *ssl, const void *buf, int num);
505+X509 *sycSSL_get_peer_certificate(SSL *ssl);
506+int sycSSL_shutdown(SSL *ssl);
507+void sycSSL_CTX_free(SSL_CTX *ctx);
508+void sycSSL_free(SSL *ssl);
509+int sycRAND_egd(const char *path);
510+
511+DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
512+
513+BIO *sycBIO_new_file(const char *filename, const char *mode);
514+
515+int sycFIPS_mode_set(int onoff);
516+
517+#endif /* WITH_OPENSSL */
518+
519+#else /* !WITH_SYCLS */
520+
521+#if WITH_OPENSSL
522+
523+#define sycSSL_load_error_strings() SSL_load_error_strings()
524+#define sycSSL_library_init() SSL_library_init()
525+#define sycSSLv2_client_method() SSLv2_client_method()
526+#define sycSSLv2_server_method() SSLv2_server_method()
527+#define sycSSLv3_client_method() SSLv3_client_method()
528+#define sycSSLv3_server_method() SSLv3_server_method()
529+#define sycSSLv23_client_method() SSLv23_client_method()
530+#define sycSSLv23_server_method() SSLv23_server_method()
531+#define sycTLSv1_client_method() TLSv1_client_method()
532+#define sycTLSv1_server_method() TLSv1_server_method()
533+#define sycSSL_CTX_new(m) SSL_CTX_new(m)
534+#define sycSSL_new(c) SSL_new(c)
535+#define sycSSL_CTX_load_verify_locations(c,f,p) SSL_CTX_load_verify_locations(c,f,p)
536+#define sycSSL_CTX_use_certificate_file(c,f,t) SSL_CTX_use_certificate_file(c,f,t)
537+#define sycSSL_CTX_use_certificate_chain_file(c,f) SSL_CTX_use_certificate_chain_file(c,f)
538+#define sycSSL_CTX_use_PrivateKey_file(c,f,t) SSL_CTX_use_PrivateKey_file(c,f,t)
539+#define sycSSL_CTX_set_verify(c,m,v) SSL_CTX_set_verify(c,m,v)
540+#define sycSSL_CTX_set_tmp_dh(c,d) SSL_CTX_set_tmp_dh(c,d)
541+#define sycSSL_CTX_set_cipher_list(c,s) SSL_CTX_set_cipher_list(c,s)
542+#define sycSSL_set_cipher_list(s,t) SSL_set_cipher_list(s,t)
543+#define sycSSL_get_verify_result(s) SSL_get_verify_result(s)
544+#define sycSSL_set_fd(s,f) SSL_set_fd(s,f)
545+#define sycSSL_connect(s) SSL_connect(s)
546+#define sycSSL_accept(s) SSL_accept(s)
547+#define sycSSL_read(s,b,n) SSL_read(s,b,n)
548+#define sycSSL_pending(s) SSL_pending(s)
549+#define sycSSL_write(s,b,n) SSL_write(s,b,n)
550+#define sycSSL_get_peer_certificate(s) SSL_get_peer_certificate(s)
551+#define sycSSL_shutdown(s) SSL_shutdown(s)
552+#define sycSSL_CTX_free(c) SSL_CTX_free(c)
553+#define sycSSL_free(s) SSL_free(s)
554+#define sycRAND_egd(p) RAND_egd(p)
555+
556+#define sycPEM_read_bio_DHparams(b,x,p,u) PEM_read_bio_DHparams(b,x,p,u)
557+
558+#define sycBIO_new_file(f,m) BIO_new_file(f,m)
559+
560+#endif /* WITH_OPENSSL */
561+
562+#define sycFIPS_mode_set(o) FIPS_mode_set(o)
563+
564+#endif /* !WITH_SYCLS */
565+
566+#endif /* !defined(__sslcls_h_included) */
567+
568
569=== added file '.pc/socat-opensslcompress.patch/xio-openssl.c'
570--- .pc/socat-opensslcompress.patch/xio-openssl.c 1970-01-01 00:00:00 +0000
571+++ .pc/socat-opensslcompress.patch/xio-openssl.c 2012-07-21 00:23:19 +0000
572@@ -0,0 +1,1229 @@
573+/* source: xio-openssl.c */
574+/* Copyright Gerhard Rieger 2002-2009 */
575+/* Published under the GNU General Public License V.2, see file COPYING */
576+
577+/* this file contains the implementation of the openssl addresses */
578+
579+#include "xiosysincludes.h"
580+#if WITH_OPENSSL /* make this address configure dependend */
581+#include "xioopen.h"
582+
583+#include "xio-fd.h"
584+#include "xio-socket.h" /* _xioopen_connect() */
585+#include "xio-listen.h"
586+#include "xio-ipapp.h"
587+#include "xio-openssl.h"
588+
589+/* the openssl library requires a file descriptor for external communications.
590+ so our best effort is to provide any possible kind of un*x file descriptor
591+ (not only tcp, but also pipes, stdin, files...)
592+ for tcp we want to provide support for socks and proxy.
593+ read and write functions must use the openssl crypt versions.
594+ but currently only plain tcp4 is implemented.
595+*/
596+
597+/* Linux: "man 3 ssl" */
598+
599+/* generate a simple openssl server for testing:
600+ 1) generate a private key
601+ openssl genrsa -out server.key 1024
602+ 2) generate a self signed cert
603+ openssl req -new -key server.key -x509 -days 3653 -out server.crt
604+ enter fields...
605+ 3) generate the pem file
606+ cat server.key server.crt >server.pem
607+ openssl s_server (listens on 4433/tcp)
608+ */
609+
610+/* static declaration of ssl's open function */
611+static int xioopen_openssl_connect(int argc, const char *argv[], struct opt *opts,
612+ int xioflags, xiofile_t *fd, unsigned groups,
613+ int dummy1, int dummy2, int dummy3);
614+
615+/* static declaration of ssl's open function */
616+static int xioopen_openssl_listen(int argc, const char *argv[], struct opt *opts,
617+ int xioflags, xiofile_t *fd, unsigned groups,
618+ int dummy1, int dummy2, int dummy3);
619+static int openssl_SSL_ERROR_SSL(int level, const char *funcname);
620+static int openssl_handle_peer_certificate(struct single *xfd, bool opt_ver,
621+ int level);
622+static int xioSSL_set_fd(struct single *xfd, int level);
623+static int xioSSL_connect(struct single *xfd, bool opt_ver, int level);
624+
625+
626+/* description record for ssl connect */
627+const struct addrdesc addr_openssl = {
628+ "openssl", /* keyword for selecting this address type in xioopen calls
629+ (canonical or main name) */
630+ 3, /* data flow directions this address supports on API layer:
631+ 1..read, 2..write, 3..both */
632+ xioopen_openssl_connect, /* a function pointer used to "open" these addresses.*/
633+ GROUP_FD|GROUP_SOCKET|GROUP_SOCK_IP4|GROUP_SOCK_IP6|GROUP_IP_TCP|GROUP_CHILD|GROUP_OPENSSL|GROUP_RETRY, /* bitwise OR of address groups this address belongs to.
634+ You might have to specify a new group in xioopts.h */
635+ 0, /* an integer passed to xioopen_openssl; makes it possible to
636+ use the same xioopen_openssl function for slightly different
637+ address types. */
638+ 0, /* like previous argument */
639+ 0 /* like previous arguments, but pointer type.
640+ No trailing comma or semicolon! */
641+ HELP(":<host>:<port>") /* a text displayed from xio help function.
642+ No trailing comma or semicolon!
643+ only generates this text if WITH_HELP is != 0 */
644+} ;
645+
646+#if WITH_LISTEN
647+/* description record for ssl listen */
648+const struct addrdesc addr_openssl_listen = {
649+ "openssl-listen", /* keyword for selecting this address type in xioopen calls
650+ (canonical or main name) */
651+ 3, /* data flow directions this address supports on API layer:
652+ 1..read, 2..write, 3..both */
653+ xioopen_openssl_listen, /* a function pointer used to "open" these addresses.*/
654+ GROUP_FD|GROUP_SOCKET|GROUP_SOCK_IP4|GROUP_SOCK_IP6|GROUP_IP_TCP|GROUP_LISTEN|GROUP_CHILD|GROUP_RANGE|GROUP_OPENSSL|GROUP_RETRY, /* bitwise OR of address groups this address belongs to.
655+ You might have to specify a new group in xioopts.h */
656+ 0, /* an integer passed to xioopen_openssl_listen; makes it possible to
657+ use the same xioopen_openssl_listen function for slightly different
658+ address types. */
659+ 0, /* like previous argument */
660+ 0 /* like previous arguments, but pointer type.
661+ No trailing comma or semicolon! */
662+ HELP(":<port>") /* a text displayed from xio help function.
663+ No trailing comma or semicolon!
664+ only generates this text if WITH_HELP is != 0 */
665+} ;
666+#endif /* WITH_LISTEN */
667+
668+/* both client and server */
669+const struct optdesc opt_openssl_cipherlist = { "openssl-cipherlist", "ciphers", OPT_OPENSSL_CIPHERLIST, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC };
670+const struct optdesc opt_openssl_method = { "openssl-method", "method", OPT_OPENSSL_METHOD, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC };
671+const struct optdesc opt_openssl_verify = { "openssl-verify", "verify", OPT_OPENSSL_VERIFY, GROUP_OPENSSL, PH_SPEC, TYPE_BOOL, OFUNC_SPEC };
672+const struct optdesc opt_openssl_certificate = { "openssl-certificate", "cert", OPT_OPENSSL_CERTIFICATE, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
673+const struct optdesc opt_openssl_key = { "openssl-key", "key", OPT_OPENSSL_KEY, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
674+const struct optdesc opt_openssl_dhparam = { "openssl-dhparam", "dh", OPT_OPENSSL_DHPARAM, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
675+const struct optdesc opt_openssl_cafile = { "openssl-cafile", "cafile", OPT_OPENSSL_CAFILE, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
676+const struct optdesc opt_openssl_capath = { "openssl-capath", "capath", OPT_OPENSSL_CAPATH, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
677+const struct optdesc opt_openssl_egd = { "openssl-egd", "egd", OPT_OPENSSL_EGD, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
678+const struct optdesc opt_openssl_pseudo = { "openssl-pseudo", "pseudo", OPT_OPENSSL_PSEUDO, GROUP_OPENSSL, PH_SPEC, TYPE_BOOL, OFUNC_SPEC };
679+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
680+const struct optdesc opt_openssl_compress = { "openssl-compress", "compress", OPT_OPENSSL_COMPRESS, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC };
681+#endif
682+#if WITH_FIPS
683+const struct optdesc opt_openssl_fips = { "openssl-fips", "fips", OPT_OPENSSL_FIPS, GROUP_OPENSSL, PH_SPEC, TYPE_BOOL, OFUNC_SPEC };
684+#endif
685+
686+
687+/* If FIPS is compiled in, we need to track if the user asked for FIPS mode.
688+ * On forks, the FIPS mode must be reset by a disable, then enable since
689+ * FIPS tracks the process ID that initializes things.
690+ * If FIPS is not compiled in, no tracking variable is needed
691+ * and we make the reset code compile out. This keeps the
692+ * rest of the code below free of FIPS related #ifs
693+ */
694+#if WITH_FIPS
695+static bool xio_openssl_fips = false;
696+int xio_reset_fips_mode(void) {
697+ if (xio_openssl_fips) {
698+ if(!sycFIPS_mode_set(0) || !sycFIPS_mode_set(1)) {
699+ ERR_load_crypto_strings();
700+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
701+ Error("Failed to reset OpenSSL FIPS mode");
702+ xio_openssl_fips = false;
703+ return -1;
704+ }
705+ }
706+ return 0;
707+}
708+#else
709+#define xio_reset_fips_mode() 0
710+#endif
711+
712+/* the open function for OpenSSL client */
713+static int
714+ xioopen_openssl_connect(int argc,
715+ const char *argv[], /* the arguments in the address string */
716+ struct opt *opts,
717+ int xioflags, /* is the open meant for reading (0),
718+ writing (1), or both (2) ? */
719+ xiofile_t *xxfd, /* a xio file descriptor structure,
720+ already allocated */
721+ unsigned groups, /* the matching address groups... */
722+ int dummy1, /* first transparent integer value from
723+ addr_openssl */
724+ int dummy2, /* second transparent integer value from
725+ addr_openssl */
726+ int dummy3) /* transparent pointer value from
727+ addr_openssl */
728+{
729+ struct single *xfd = &xxfd->stream;
730+ struct opt *opts0 = NULL;
731+ const char *hostname, *portname;
732+ int pf = PF_UNSPEC;
733+ int ipproto = IPPROTO_TCP;
734+ int socktype = SOCK_STREAM;
735+ bool dofork = false;
736+ union sockaddr_union us_sa, *us = &us_sa;
737+ union sockaddr_union them_sa, *them = &them_sa;
738+ socklen_t uslen = sizeof(us_sa);
739+ socklen_t themlen = sizeof(them_sa);
740+ bool needbind = false;
741+ bool lowport = false;
742+ int level;
743+ SSL_CTX* ctx;
744+ bool opt_ver = true; /* verify peer certificate */
745+ char *opt_cert = NULL; /* file name of client certificate */
746+ int result;
747+
748+ if (!(xioflags & XIO_MAYCONVERT)) {
749+ Error("address with data processing not allowed here");
750+ return STAT_NORETRY;
751+ }
752+ xfd->flags |= XIO_DOESCONVERT;
753+
754+ if (argc != 3) {
755+ Error1("%s: 2 parameters required", argv[0]);
756+ return STAT_NORETRY;
757+ }
758+ hostname = argv[1];
759+ portname = argv[2];
760+
761+ xfd->howtoend = END_SHUTDOWN;
762+ if (applyopts_single(xfd, opts, PH_INIT) < 0) return -1;
763+ applyopts(-1, opts, PH_INIT);
764+
765+ retropt_bool(opts, OPT_FORK, &dofork);
766+
767+ retropt_string(opts, OPT_OPENSSL_CERTIFICATE, &opt_cert);
768+
769+ result =
770+ _xioopen_openssl_prepare(opts, xfd, false, &opt_ver, opt_cert, &ctx);
771+ if (result != STAT_OK) return STAT_NORETRY;
772+
773+ result =
774+ _xioopen_ipapp_prepare(opts, &opts0, hostname, portname, &pf, ipproto,
775+ xfd->para.socket.ip.res_opts[1],
776+ xfd->para.socket.ip.res_opts[0],
777+ them, &themlen, us, &uslen,
778+ &needbind, &lowport, socktype);
779+ if (result != STAT_OK) return STAT_NORETRY;
780+
781+ if (xioopts.logopt == 'm') {
782+ Info("starting connect loop, switching to syslog");
783+ diag_set('y', xioopts.syslogfac); xioopts.logopt = 'y';
784+ } else {
785+ Info("starting connect loop");
786+ }
787+
788+ do { /* loop over failed connect and SSL handshake attempts */
789+
790+#if WITH_RETRY
791+ if (xfd->forever || xfd->retry) {
792+ level = E_INFO;
793+ } else
794+#endif /* WITH_RETRY */
795+ level = E_ERROR;
796+
797+ /* this cannot fork because we retrieved fork option above */
798+ result =
799+ _xioopen_connect(xfd,
800+ needbind?(struct sockaddr *)us:NULL, sizeof(*us),
801+ (struct sockaddr *)them, themlen,
802+ opts, pf, socktype, ipproto, lowport, level);
803+ switch (result) {
804+ case STAT_OK: break;
805+#if WITH_RETRY
806+ case STAT_RETRYLATER:
807+ case STAT_RETRYNOW:
808+ if (xfd->forever || xfd->retry) {
809+ dropopts(opts, PH_ALL); opts = copyopts(opts0, GROUP_ALL);
810+ if (result == STAT_RETRYLATER) {
811+ Nanosleep(&xfd->intervall, NULL);
812+ }
813+ --xfd->retry;
814+ continue;
815+ }
816+ return STAT_NORETRY;
817+#endif /* WITH_RETRY */
818+ default:
819+ return result;
820+ }
821+
822+ /*! isn't this too early? */
823+ if ((result = _xio_openlate(xfd, opts)) < 0) {
824+ return result;
825+ }
826+
827+ result = _xioopen_openssl_connect(xfd, opt_ver, ctx, level);
828+ switch (result) {
829+ case STAT_OK: break;
830+#if WITH_RETRY
831+ case STAT_RETRYLATER:
832+ case STAT_RETRYNOW:
833+ if (xfd->forever || xfd->retry) {
834+ Close(xfd->fd);
835+ dropopts(opts, PH_ALL); opts = copyopts(opts0, GROUP_ALL);
836+ if (result == STAT_RETRYLATER) {
837+ Nanosleep(&xfd->intervall, NULL);
838+ }
839+ --xfd->retry;
840+ continue;
841+ }
842+#endif /* WITH_RETRY */
843+ default: return STAT_NORETRY;
844+ }
845+
846+ if (dofork) {
847+ xiosetchilddied(); /* set SIGCHLD handler */
848+ }
849+
850+#if WITH_RETRY
851+ if (dofork) {
852+ pid_t pid;
853+ int level = E_ERROR;
854+ if (xfd->forever || xfd->retry) {
855+ level = E_WARN;
856+ }
857+ while ((pid = xio_fork(false, level)) < 0) {
858+ if (xfd->forever || --xfd->retry) {
859+ Nanosleep(&xfd->intervall, NULL); continue;
860+ }
861+ return STAT_RETRYLATER;
862+ }
863+
864+ if (pid == 0) { /* child process */
865+ xfd->forever = false; xfd->retry = 0;
866+ break;
867+ }
868+
869+ /* parent process */
870+ Close(xfd->fd);
871+ sycSSL_free(xfd->para.openssl.ssl);
872+ xfd->para.openssl.ssl = NULL;
873+ /* with and without retry */
874+ Nanosleep(&xfd->intervall, NULL);
875+ dropopts(opts, PH_ALL); opts = copyopts(opts0, GROUP_ALL);
876+ continue; /* with next socket() bind() connect() */
877+ }
878+#endif /* WITH_RETRY */
879+ break;
880+ } while (true); /* drop out on success */
881+
882+ Notice1("SSL connection using %s", SSL_get_cipher(xfd->para.openssl.ssl));
883+
884+ /* fill in the fd structure */
885+ return STAT_OK;
886+}
887+
888+
889+/* this function is typically called within the OpenSSL client fork/retry loop.
890+ xfd must be of type DATA_OPENSSL, and its fd must be set with a valid file
891+ descriptor. this function then performs all SSL related step to make a valid
892+ SSL connection from an FD and a CTX. */
893+int _xioopen_openssl_connect(struct single *xfd,
894+ bool opt_ver,
895+ SSL_CTX *ctx,
896+ int level) {
897+ SSL *ssl;
898+ unsigned long err;
899+ int result;
900+
901+ /* create a SSL object */
902+ if ((ssl = sycSSL_new(ctx)) == NULL) {
903+ if (ERR_peek_error() == 0) Msg(level, "SSL_new() failed");
904+ while (err = ERR_get_error()) {
905+ Msg1(level, "SSL_new(): %s", ERR_error_string(err, NULL));
906+ }
907+ /*Error("SSL_new()");*/
908+ return STAT_RETRYLATER;
909+ }
910+ xfd->para.openssl.ssl = ssl;
911+
912+ result = xioSSL_set_fd(xfd, level);
913+ if (result != STAT_OK) {
914+ sycSSL_free(xfd->para.openssl.ssl);
915+ xfd->para.openssl.ssl = NULL;
916+ return result;
917+ }
918+
919+ result = xioSSL_connect(xfd, opt_ver, level);
920+ if (result != STAT_OK) {
921+ sycSSL_free(xfd->para.openssl.ssl);
922+ xfd->para.openssl.ssl = NULL;
923+ return result;
924+ }
925+
926+ result = openssl_handle_peer_certificate(xfd, opt_ver, level);
927+ if (result != STAT_OK) {
928+ sycSSL_free(xfd->para.openssl.ssl);
929+ xfd->para.openssl.ssl = NULL;
930+ return result;
931+ }
932+
933+ return STAT_OK;
934+}
935+
936+
937+#if WITH_LISTEN
938+
939+static int
940+ xioopen_openssl_listen(int argc,
941+ const char *argv[], /* the arguments in the address string */
942+ struct opt *opts,
943+ int xioflags, /* is the open meant for reading (0),
944+ writing (1), or both (2) ? */
945+ xiofile_t *xxfd, /* a xio file descriptor structure,
946+ already allocated */
947+ unsigned groups, /* the matching address groups... */
948+ int dummy1, /* first transparent integer value from
949+ addr_openssl */
950+ int dummy2, /* second transparent integer value from
951+ addr_openssl */
952+ int dummy3) /* transparent pointer value from
953+ addr_openssl */
954+{
955+ struct single *xfd = &xxfd->stream;
956+ const char *portname;
957+ struct opt *opts0 = NULL;
958+ union sockaddr_union us_sa, *us = &us_sa;
959+ socklen_t uslen = sizeof(us_sa);
960+ int pf;
961+ int socktype = SOCK_STREAM;
962+ int ipproto = IPPROTO_TCP;
963+ /*! lowport? */
964+ int level;
965+ SSL_CTX* ctx;
966+ bool opt_ver = true; /* verify peer certificate - changed with 1.6.0 */
967+ char *opt_cert = NULL; /* file name of server certificate */
968+ int result;
969+
970+ if (!(xioflags & XIO_MAYCONVERT)) {
971+ Error("address with data processing not allowed here");
972+ return STAT_NORETRY;
973+ }
974+ xfd->flags |= XIO_DOESCONVERT;
975+
976+ if (argc != 2) {
977+ Error1("%s: 1 parameter required", argv[0]);
978+ return STAT_NORETRY;
979+ }
980+
981+#if WITH_IP4 && WITH_IP6
982+ pf = xioopts.default_ip=='6'?PF_INET6:PF_INET;
983+#elif WITH_IP6
984+ pf = PF_INET6;
985+#else
986+ pf = PF_INET;
987+#endif
988+
989+ portname = argv[1];
990+
991+ xfd->howtoend = END_SHUTDOWN;
992+ if (applyopts_single(xfd, opts, PH_INIT) < 0) return -1;
993+ applyopts(-1, opts, PH_INIT);
994+
995+ retropt_string(opts, OPT_OPENSSL_CERTIFICATE, &opt_cert);
996+ if (opt_cert == NULL) {
997+ Warn("no certificate given; consider option \"cert\"");
998+ }
999+
1000+ applyopts(-1, opts, PH_EARLY);
1001+
1002+ result =
1003+ _xioopen_openssl_prepare(opts, xfd, true, &opt_ver, opt_cert, &ctx);
1004+ if (result != STAT_OK) return STAT_NORETRY;
1005+
1006+ if (_xioopen_ipapp_listen_prepare(opts, &opts0, portname, &pf, ipproto,
1007+ xfd->para.socket.ip.res_opts[1],
1008+ xfd->para.socket.ip.res_opts[0],
1009+ us, &uslen, socktype)
1010+ != STAT_OK) {
1011+ return STAT_NORETRY;
1012+ }
1013+
1014+ xfd->addr = &addr_openssl_listen;
1015+ xfd->dtype = XIODATA_OPENSSL;
1016+
1017+ while (true) { /* loop over failed attempts */
1018+
1019+#if WITH_RETRY
1020+ if (xfd->forever || xfd->retry) {
1021+ level = E_INFO;
1022+ } else
1023+#endif /* WITH_RETRY */
1024+ level = E_ERROR;
1025+
1026+ /* tcp listen; this can fork() for us; it only returns on error or on
1027+ successful establishment of tcp connection */
1028+ result = _xioopen_listen(xfd, xioflags,
1029+ (struct sockaddr *)us, uslen,
1030+ opts, pf, socktype, IPPROTO_TCP,
1031+#if WITH_RETRY
1032+ (xfd->retry||xfd->forever)?E_INFO:E_ERROR
1033+#else
1034+ E_ERROR
1035+#endif /* WITH_RETRY */
1036+ );
1037+ /*! not sure if we should try again on retry/forever */
1038+ switch (result) {
1039+ case STAT_OK: break;
1040+#if WITH_RETRY
1041+ case STAT_RETRYLATER:
1042+ case STAT_RETRYNOW:
1043+ if (xfd->forever || xfd->retry) {
1044+ dropopts(opts, PH_ALL); opts = copyopts(opts0, GROUP_ALL);
1045+ if (result == STAT_RETRYLATER) {
1046+ Nanosleep(&xfd->intervall, NULL);
1047+ }
1048+ dropopts(opts, PH_ALL); opts = copyopts(opts0, GROUP_ALL);
1049+ --xfd->retry;
1050+ continue;
1051+ }
1052+ return STAT_NORETRY;
1053+#endif /* WITH_RETRY */
1054+ default:
1055+ return result;
1056+ }
1057+
1058+ result = _xioopen_openssl_listen(xfd, opt_ver, ctx, level);
1059+ switch (result) {
1060+ case STAT_OK: break;
1061+#if WITH_RETRY
1062+ case STAT_RETRYLATER:
1063+ case STAT_RETRYNOW:
1064+ if (xfd->forever || xfd->retry) {
1065+ dropopts(opts, PH_ALL); opts = copyopts(opts0, GROUP_ALL);
1066+ if (result == STAT_RETRYLATER) {
1067+ Nanosleep(&xfd->intervall, NULL);
1068+ }
1069+ dropopts(opts, PH_ALL); opts = copyopts(opts0, GROUP_ALL);
1070+ --xfd->retry;
1071+ continue;
1072+ }
1073+ return STAT_NORETRY;
1074+#endif /* WITH_RETRY */
1075+ default:
1076+ return result;
1077+ }
1078+
1079+ Notice1("SSL connection using %s",
1080+ SSL_get_cipher(xfd->para.openssl.ssl));
1081+ break;
1082+
1083+ } /* drop out on success */
1084+
1085+ /* fill in the fd structure */
1086+
1087+ return STAT_OK;
1088+}
1089+
1090+
1091+int _xioopen_openssl_listen(struct single *xfd,
1092+ bool opt_ver,
1093+ SSL_CTX *ctx,
1094+ int level) {
1095+ char error_string[120];
1096+ unsigned long err;
1097+ int errint, ret;
1098+
1099+ /* create an SSL object */
1100+ if ((xfd->para.openssl.ssl = sycSSL_new(ctx)) == NULL) {
1101+ if (ERR_peek_error() == 0) Msg(level, "SSL_new() failed");
1102+ while (err = ERR_get_error()) {
1103+ Msg1(level, "SSL_new(): %s", ERR_error_string(err, NULL));
1104+ }
1105+ /*Error("SSL_new()");*/
1106+ return STAT_NORETRY;
1107+ }
1108+
1109+ /* assign the network connection to the SSL object */
1110+ if (sycSSL_set_fd(xfd->para.openssl.ssl, xfd->fd) <= 0) {
1111+ if (ERR_peek_error() == 0) Msg(level, "SSL_set_fd() failed");
1112+ while (err = ERR_get_error()) {
1113+ Msg2(level, "SSL_set_fd(, %d): %s",
1114+ xfd->fd, ERR_error_string(err, NULL));
1115+ }
1116+ }
1117+
1118+#if WITH_DEBUG
1119+ {
1120+ int i = 0;
1121+ const char *ciphers = NULL;
1122+ Debug("available ciphers:");
1123+ do {
1124+ ciphers = SSL_get_cipher_list(xfd->para.openssl.ssl, i);
1125+ if (ciphers == NULL) break;
1126+ Debug2("CIPHERS pri=%d: %s", i, ciphers);
1127+ ++i;
1128+ } while (1);
1129+ }
1130+#endif /* WITH_DEBUG */
1131+
1132+ /* connect via SSL by performing handshake */
1133+ if ((ret = sycSSL_accept(xfd->para.openssl.ssl)) <= 0) {
1134+ /*if (ERR_peek_error() == 0) Msg(level, "SSL_accept() failed");*/
1135+ errint = SSL_get_error(xfd->para.openssl.ssl, ret);
1136+ switch (errint) {
1137+ case SSL_ERROR_NONE:
1138+ Msg(level, "ok"); break;
1139+ case SSL_ERROR_ZERO_RETURN:
1140+ Msg(level, "connection closed (wrong version number?)"); break;
1141+ case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE:
1142+ case SSL_ERROR_WANT_CONNECT:
1143+ case SSL_ERROR_WANT_X509_LOOKUP:
1144+ Msg(level, "nonblocking operation did not complete"); break; /*!*/
1145+ case SSL_ERROR_SYSCALL:
1146+ if (ERR_peek_error() == 0) {
1147+ if (ret == 0) {
1148+ Msg(level, "SSL_accept(): socket closed by peer");
1149+ } else if (ret == -1) {
1150+ Msg1(level, "SSL_accept(): %s", strerror(errno));
1151+ }
1152+ } else {
1153+ Msg(level, "I/O error"); /*!*/
1154+ while (err = ERR_get_error()) {
1155+ ERR_error_string_n(err, error_string, sizeof(error_string));
1156+ Msg4(level, "SSL_accept(): %s / %s / %s / %s", error_string,
1157+ ERR_lib_error_string(err), ERR_func_error_string(err),
1158+ ERR_reason_error_string(err));
1159+ }
1160+ /* Msg1(level, "SSL_connect(): %s", ERR_error_string(e, buf));*/
1161+ }
1162+ break;
1163+ case SSL_ERROR_SSL:
1164+ /*ERR_print_errors_fp(stderr);*/
1165+ openssl_SSL_ERROR_SSL(level, "SSL_accept");
1166+ break;
1167+ default:
1168+ Msg(level, "unknown error");
1169+ }
1170+
1171+ return STAT_RETRYLATER;
1172+ }
1173+
1174+ if (openssl_handle_peer_certificate(xfd, opt_ver, E_ERROR/*!*/) < 0) {
1175+ return STAT_NORETRY;
1176+ }
1177+
1178+ return STAT_OK;
1179+}
1180+
1181+#endif /* WITH_LISTEN */
1182+
1183+
1184+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
1185+/* In OpenSSL 0.9.7 compression methods could be added using
1186+ * SSL_COMP_add_compression_method(3), but the implemntation is not compatible
1187+ * with the standard (RFC3749).
1188+ */
1189+static int openssl_setup_compression(SSL_CTX *ctx, char *method)
1190+{
1191+ STACK_OF(SSL_COMP)* comp_methods;
1192+
1193+ assert(method);
1194+
1195+ /* Getting the stack of compression methods has the intended side-effect of
1196+ * initializing the SSL library's compression part.
1197+ */
1198+ comp_methods = SSL_COMP_get_compression_methods();
1199+ if (!comp_methods) {
1200+ Info("OpenSSL built without compression support");
1201+ return STAT_OK;
1202+ }
1203+
1204+ if (strcasecmp(method, "auto") == 0) {
1205+ Info("Using default OpenSSL compression");
1206+ return STAT_OK;
1207+ }
1208+
1209+ if (strcasecmp(method, "none") == 0) {
1210+ /* Disable compression */
1211+#ifdef SSL_OP_NO_COMPRESSION
1212+ Info("Disabling OpenSSL compression");
1213+ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
1214+#else
1215+ /* SSL_OP_NO_COMPRESSION was only introduced in OpenSSL 0.9.9 (released
1216+ * as 1.0.0). Removing all compression methods is a work-around for
1217+ * earlier versions of OpenSSL, but it affects all SSL connections.
1218+ */
1219+ Info("Disabling OpenSSL compression globally");
1220+ sk_SSL_COMP_zero(comp_methods);
1221+#endif
1222+ return STAT_OK;
1223+ }
1224+
1225+ /* zlib compression in OpenSSL before version 0.9.8e-beta1 uses the libc's
1226+ * default malloc/free instead of the ones passed to OpenSSL. Should socat
1227+ * ever use custom malloc/free functions for OpenSSL, this must be taken
1228+ * into consideration. See OpenSSL bug #1468.
1229+ */
1230+
1231+ Error1("openssl-compress=\"%s\": unknown compression method", method);
1232+ return STAT_NORETRY;
1233+}
1234+#endif
1235+
1236+
1237+int
1238+ _xioopen_openssl_prepare(struct opt *opts,
1239+ struct single *xfd,/* a xio file descriptor
1240+ structure, already allocated
1241+ */
1242+ bool server, /* SSL client: false */
1243+ bool *opt_ver,
1244+ const char *opt_cert,
1245+ SSL_CTX **ctx)
1246+{
1247+ bool opt_fips = false;
1248+ SSL_METHOD *method;
1249+ char *me_str = NULL; /* method string */
1250+ char *ci_str = NULL; /* cipher string */
1251+ char *opt_key = NULL; /* file name of client private key */
1252+ char *opt_dhparam = NULL; /* file name of DH params */
1253+ char *opt_cafile = NULL; /* certificate authority file */
1254+ char *opt_capath = NULL; /* certificate authority directory */
1255+ char *opt_egd = NULL; /* entropy gathering daemon socket path */
1256+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
1257+ char *opt_compress = NULL; /* compression method */
1258+#endif
1259+ bool opt_pseudo = false; /* use pseudo entropy if nothing else */
1260+ unsigned long err;
1261+ int result;
1262+
1263+ xfd->addr = &addr_openssl;
1264+ xfd->dtype = XIODATA_OPENSSL;
1265+
1266+ retropt_bool(opts, OPT_OPENSSL_FIPS, &opt_fips);
1267+ retropt_string(opts, OPT_OPENSSL_METHOD, &me_str);
1268+ retropt_string(opts, OPT_OPENSSL_CIPHERLIST, &ci_str);
1269+ retropt_bool(opts, OPT_OPENSSL_VERIFY, opt_ver);
1270+ retropt_string(opts, OPT_OPENSSL_CAFILE, &opt_cafile);
1271+ retropt_string(opts, OPT_OPENSSL_CAPATH, &opt_capath);
1272+ retropt_string(opts, OPT_OPENSSL_KEY, &opt_key);
1273+ retropt_string(opts, OPT_OPENSSL_DHPARAM, &opt_dhparam);
1274+ retropt_string(opts, OPT_OPENSSL_EGD, &opt_egd);
1275+ retropt_bool(opts,OPT_OPENSSL_PSEUDO, &opt_pseudo);
1276+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
1277+ retropt_string(opts, OPT_OPENSSL_COMPRESS, &opt_compress);
1278+#endif
1279+
1280+#if WITH_FIPS
1281+ if (opt_fips) {
1282+ if (!sycFIPS_mode_set(1)) {
1283+ ERR_load_crypto_strings();
1284+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
1285+ Error("Failed to set FIPS mode");
1286+ } else {
1287+ xio_openssl_fips = true;
1288+ }
1289+ }
1290+#endif
1291+
1292+ OpenSSL_add_all_algorithms();
1293+ OpenSSL_add_all_ciphers();
1294+ OpenSSL_add_all_digests();
1295+ sycSSL_load_error_strings();
1296+
1297+ /* OpenSSL preparation */
1298+ sycSSL_library_init();
1299+
1300+ /*! actions_to_seed_PRNG();*/
1301+
1302+ if (!server) {
1303+ if (me_str != 0) {
1304+#ifndef OPENSSL_NO_SSL2
1305+ if (!strcasecmp(me_str, "SSLv2") || !strcasecmp(me_str, "SSL2")) {
1306+ method = sycSSLv2_client_method();
1307+ } else
1308+#endif
1309+ if (!strcasecmp(me_str, "SSLv3") || !strcasecmp(me_str, "SSL3")) {
1310+ method = sycSSLv3_client_method();
1311+ } else if (!strcasecmp(me_str, "SSLv23") || !strcasecmp(me_str, "SSL23") ||
1312+ !strcasecmp(me_str, "SSL")) {
1313+ method = sycSSLv23_client_method();
1314+ } else if (!strcasecmp(me_str, "TLSv1") || !strcasecmp(me_str, "TLS1") ||
1315+ !strcasecmp(me_str, "TLS")) {
1316+ method = sycTLSv1_client_method();
1317+ } else {
1318+ Error1("openssl-method=\"%s\": unknown method", me_str);
1319+ method = sycSSLv23_client_method()/*!*/;
1320+ }
1321+ } else {
1322+ method = sycSSLv23_client_method()/*!*/;
1323+ }
1324+ } else /* server */ {
1325+ if (me_str != 0) {
1326+#ifndef OPENSSL_NO_SSL2
1327+ if (!strcasecmp(me_str, "SSLv2") || !strcasecmp(me_str, "SSL2")) {
1328+ method = sycSSLv2_server_method();
1329+ } else
1330+#endif
1331+ if (!strcasecmp(me_str, "SSLv3") || !strcasecmp(me_str, "SSL3")) {
1332+ method = sycSSLv3_server_method();
1333+ } else if (!strcasecmp(me_str, "SSLv23") || !strcasecmp(me_str, "SSL23") ||
1334+ !strcasecmp(me_str, "SSL")) {
1335+ method = sycSSLv23_server_method();
1336+ } else if (!strcasecmp(me_str, "TLSv1") || !strcasecmp(me_str, "TLS1") ||
1337+ !strcasecmp(me_str, "TLS")) {
1338+ method = sycTLSv1_server_method();
1339+ } else {
1340+ Error1("openssl-method=\"%s\": unknown method", me_str);
1341+ method = sycSSLv23_server_method()/*!*/;
1342+ }
1343+ } else {
1344+ method = sycSSLv23_server_method()/*!*/;
1345+ }
1346+ }
1347+
1348+ if (opt_egd) {
1349+ sycRAND_egd(opt_egd);
1350+ }
1351+
1352+ if (opt_pseudo) {
1353+ long int randdata;
1354+ /* initialize libc random from actual microseconds */
1355+ struct timeval tv;
1356+ struct timezone tz;
1357+ tz.tz_minuteswest = 0;
1358+ tz.tz_dsttime = 0;
1359+ if ((result = Gettimeofday(&tv, &tz)) < 0) {
1360+ Warn2("gettimeofday(%p, {0,0}): %s", &tv, strerror(errno));
1361+ }
1362+ srandom(tv.tv_sec*1000000+tv.tv_usec);
1363+
1364+ while (!RAND_status()) {
1365+ randdata = random();
1366+ Debug2("RAND_seed(0x{%lx}, "F_Zu")",
1367+ randdata, sizeof(randdata));
1368+ RAND_seed(&randdata, sizeof(randdata));
1369+ }
1370+ }
1371+
1372+ if ((*ctx = sycSSL_CTX_new(method)) == NULL) {
1373+ if (ERR_peek_error() == 0) Error("SSL_CTX_new()");
1374+ while (err = ERR_get_error()) {
1375+ Error1("SSL_CTX_new(): %s", ERR_error_string(err, NULL));
1376+ }
1377+
1378+ /*ERR_clear_error;*/
1379+ return STAT_RETRYLATER;
1380+ }
1381+
1382+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
1383+ if (opt_compress) {
1384+ int result;
1385+ result = openssl_setup_compression(*ctx, opt_compress);
1386+ if (result != STAT_OK) {
1387+ return result;
1388+ }
1389+ }
1390+#endif
1391+
1392+ if (opt_cafile != NULL || opt_capath != NULL) {
1393+ if (sycSSL_CTX_load_verify_locations(*ctx, opt_cafile, opt_capath) != 1) {
1394+ int result;
1395+
1396+ if ((result =
1397+ openssl_SSL_ERROR_SSL(E_ERROR, "SSL_CTX_load_verify_locations"))
1398+ != STAT_OK) {
1399+ /*! free ctx */
1400+ return STAT_RETRYLATER;
1401+ }
1402+ }
1403+ }
1404+
1405+ if (opt_cert) {
1406+ BIO *bio;
1407+ DH *dh;
1408+
1409+ if (sycSSL_CTX_use_certificate_chain_file(*ctx, opt_cert) <= 0) {
1410+ /*! trace functions */
1411+ /*0 ERR_print_errors_fp(stderr);*/
1412+ if (ERR_peek_error() == 0)
1413+ Error2("SSL_CTX_use_certificate_file(%p, \"%s\", SSL_FILETYPE_PEM) failed",
1414+ *ctx, opt_cert);
1415+ while (err = ERR_get_error()) {
1416+ Error1("SSL_CTX_use_certificate_file(): %s",
1417+ ERR_error_string(err, NULL));
1418+ }
1419+ return STAT_RETRYLATER;
1420+ }
1421+
1422+ if (sycSSL_CTX_use_PrivateKey_file(*ctx, opt_key?opt_key:opt_cert, SSL_FILETYPE_PEM) <= 0) {
1423+ /*ERR_print_errors_fp(stderr);*/
1424+ openssl_SSL_ERROR_SSL(E_ERROR/*!*/, "SSL_CTX_use_PrivateKey_file");
1425+ return STAT_RETRYLATER;
1426+ }
1427+
1428+ if (opt_dhparam == NULL) {
1429+ opt_dhparam = (char *)opt_cert;
1430+ }
1431+ if ((bio = sycBIO_new_file(opt_dhparam, "r")) == NULL) {
1432+ Warn2("BIO_new_file(\"%s\", \"r\"): %s",
1433+ opt_dhparam, strerror(errno));
1434+ } else {
1435+ if ((dh = sycPEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL) {
1436+ Info1("PEM_read_bio_DHparams(%p, NULL, NULL, NULL): error", bio);
1437+ } else {
1438+ BIO_free(bio);
1439+ if (sycSSL_CTX_set_tmp_dh(*ctx, dh) == 0) {
1440+ Error2("SSL_CTX_set_tmp_dh(%p, %p): error", ctx, dh);
1441+ }
1442+ }
1443+ }
1444+ }
1445+
1446+ /* set pre ssl-connect options */
1447+ /* SSL_CIPHERS */
1448+ if (ci_str != NULL) {
1449+ if (sycSSL_CTX_set_cipher_list(*ctx, ci_str) <= 0) {
1450+ if (ERR_peek_error() == 0)
1451+ Error1("SSL_set_cipher_list(, \"%s\") failed", ci_str);
1452+ while (err = ERR_get_error()) {
1453+ Error2("SSL_set_cipher_list(, \"%s\"): %s",
1454+ ci_str, ERR_error_string(err, NULL));
1455+ }
1456+ /*Error("SSL_new()");*/
1457+ return STAT_RETRYLATER;
1458+ }
1459+ }
1460+
1461+ if (*opt_ver) {
1462+ sycSSL_CTX_set_verify(*ctx,
1463+ SSL_VERIFY_PEER| SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1464+ NULL);
1465+ } else {
1466+ sycSSL_CTX_set_verify(*ctx,
1467+ SSL_VERIFY_NONE,
1468+ NULL);
1469+ }
1470+
1471+ return STAT_OK;
1472+}
1473+
1474+
1475+/* analyses an OpenSSL error condition, prints the appropriate messages with
1476+ severity 'level' and returns one of STAT_OK, STAT_RETRYLATER, or
1477+ STAT_NORETRY */
1478+static int openssl_SSL_ERROR_SSL(int level, const char *funcname) {
1479+ unsigned long e;
1480+ char buf[120]; /* this value demanded by "man ERR_error_string" */
1481+
1482+ e = ERR_get_error();
1483+ Debug1("ERR_get_error(): %lx", e);
1484+ if (e == ((ERR_LIB_RAND<<24)|
1485+ (RAND_F_SSLEAY_RAND_BYTES<<12)|
1486+ (RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) {
1487+ Error("too few entropy; use options \"egd\" or \"pseudo\"");
1488+ return STAT_NORETRY;
1489+ } else {
1490+ Msg2(level, "%s(): %s", funcname, ERR_error_string(e, buf));
1491+ return level==E_ERROR ? STAT_NORETRY : STAT_RETRYLATER;
1492+ }
1493+ return STAT_OK;
1494+}
1495+
1496+static const char *openssl_verify_messages[] = {
1497+ /* 0 */ "ok",
1498+ /* 1 */ NULL,
1499+ /* 2 */ "unable to get issuer certificate",
1500+ /* 3 */ "unable to get certificate CRL",
1501+ /* 4 */ "unable to decrypt certificate's signature",
1502+ /* 5 */ "unable to decrypt CRL's signature",
1503+ /* 6 */ "unable to decode issuer public key",
1504+ /* 7 */ "certificate signature failure",
1505+ /* 8 */ "CRL signature failure",
1506+ /* 9 */ "certificate is not yet valid",
1507+ /* 10 */ "certificate has expired",
1508+ /* 11 */ "CRL is not yet valid",
1509+ /* 12 */ "CRL has expired",
1510+ /* 13 */ "format error in certificate's notBefore field",
1511+ /* 14 */ "format error in certificate's notAfter field",
1512+ /* 15 */ "format error in CRL's lastUpdate field",
1513+ /* 16 */ "format error in CRL's nextUpdate field",
1514+ /* 17 */ "out of memory",
1515+ /* 18 */ "self signed certificate",
1516+ /* 19 */ "self signed certificate in certificate chain",
1517+ /* 20 */ "unable to get local issuer certificate",
1518+ /* 21 */ "unable to verify the first certificate",
1519+ /* 22 */ "certificate chain too long",
1520+ /* 23 */ "certificate revoked",
1521+ /* 24 */ "invalid CA certificate",
1522+ /* 25 */ "path length constraint exceeded",
1523+ /* 26 */ "unsupported certificate purpose",
1524+ /* 27 */ "certificate not trusted",
1525+ /* 28 */ "certificate rejected",
1526+ /* 29 */ "subject issuer mismatch",
1527+ /* 30 */ "authority and subject key identifier mismatch",
1528+ /* 31 */ "authority and issuer serial number mismatch",
1529+ /* 32 */ "key usage does not include certificate signing",
1530+ /* 33 */ NULL,
1531+ /* 34 */ NULL,
1532+ /* 35 */ NULL,
1533+ /* 36 */ NULL,
1534+ /* 37 */ NULL,
1535+ /* 38 */ NULL,
1536+ /* 39 */ NULL,
1537+ /* 40 */ NULL,
1538+ /* 41 */ NULL,
1539+ /* 42 */ NULL,
1540+ /* 43 */ NULL,
1541+ /* 44 */ NULL,
1542+ /* 45 */ NULL,
1543+ /* 46 */ NULL,
1544+ /* 47 */ NULL,
1545+ /* 48 */ NULL,
1546+ /* 49 */ NULL,
1547+ /* 50 */ "application verification failure",
1548+} ;
1549+
1550+static int openssl_handle_peer_certificate(struct single *xfd,
1551+ bool opt_ver, int level) {
1552+ X509 *peer_cert;
1553+ char *str;
1554+ char buff[2048]; /* hold peer certificate */
1555+ int status;
1556+
1557+ /* SSL_CTX_add_extra_chain_cert
1558+ SSL_get_verify_result
1559+ */
1560+ if ((peer_cert = SSL_get_peer_certificate(xfd->para.openssl.ssl)) != NULL) {
1561+ Debug("peer certificate:");
1562+ if ((str = X509_NAME_oneline(X509_get_subject_name(peer_cert), buff, sizeof(buff))) != NULL)
1563+ Debug1("\tsubject: %s", str); /*free (str); SIGSEGV*/
1564+ if ((str = X509_NAME_oneline(X509_get_issuer_name(peer_cert), buff, sizeof(buff))) != NULL)
1565+ Debug1("\tissuer: %s", str); /*free (str); SIGSEGV*/
1566+ }
1567+
1568+ if (peer_cert) {
1569+ if (opt_ver) {
1570+ long verify_result;
1571+ if ((verify_result = sycSSL_get_verify_result(xfd->para.openssl.ssl)) == X509_V_OK) {
1572+ Info("accepted peer certificate");
1573+ status = STAT_OK;
1574+ } else {
1575+ const char *message = NULL;
1576+ if (verify_result >= 0 &&
1577+ (size_t)verify_result <
1578+ sizeof(openssl_verify_messages)/sizeof(char*))
1579+ {
1580+ message = openssl_verify_messages[verify_result];
1581+ }
1582+ if (message) {
1583+ Msg1(level, "%s", message);
1584+ } else {
1585+ Msg1(level, "rejected peer certificate with error %ld", verify_result);
1586+ }
1587+ status = STAT_RETRYLATER;
1588+ }
1589+ } else {
1590+ Notice("no check of certificate");
1591+ status = STAT_OK;
1592+ }
1593+ } else {
1594+ if (opt_ver) {
1595+ Msg(level, "no peer certificate");
1596+ status = STAT_RETRYLATER;
1597+ } else {
1598+ Notice("no peer certificate and no check");
1599+ status = STAT_OK;
1600+ }
1601+ }
1602+
1603+ X509_free(peer_cert);
1604+ return status;
1605+}
1606+
1607+static int xioSSL_set_fd(struct single *xfd, int level) {
1608+ unsigned long err;
1609+
1610+ /* assign a network connection to the SSL object */
1611+ if (sycSSL_set_fd(xfd->para.openssl.ssl, xfd->fd) <= 0) {
1612+ Msg(level, "SSL_set_fd() failed");
1613+ while (err = ERR_get_error()) {
1614+ Msg2(level, "SSL_set_fd(, %d): %s",
1615+ xfd->fd, ERR_error_string(err, NULL));
1616+ }
1617+ return STAT_RETRYLATER;
1618+ }
1619+ return STAT_OK;
1620+}
1621+
1622+
1623+/* ...
1624+ in case of an error condition, this function check forever and retry
1625+ options and ev. sleeps an interval. It returns NORETRY when the caller
1626+ should not retry for any reason. */
1627+static int xioSSL_connect(struct single *xfd, bool opt_ver, int level) {
1628+ char error_string[120];
1629+ int errint, status, ret;
1630+ unsigned long err;
1631+
1632+ /* connect via SSL by performing handshake */
1633+ if ((ret = sycSSL_connect(xfd->para.openssl.ssl)) <= 0) {
1634+ /*if (ERR_peek_error() == 0) Msg(level, "SSL_connect() failed");*/
1635+ errint = SSL_get_error(xfd->para.openssl.ssl, ret);
1636+ switch (errint) {
1637+ case SSL_ERROR_NONE:
1638+ /* this is not an error, but I dare not continue for security reasons*/
1639+ Msg(level, "ok");
1640+ status = STAT_RETRYLATER;
1641+ case SSL_ERROR_ZERO_RETURN:
1642+ Msg(level, "connection closed (wrong version number?)");
1643+ status = STAT_RETRYLATER;
1644+ break;
1645+ case SSL_ERROR_WANT_READ:
1646+ case SSL_ERROR_WANT_WRITE:
1647+ case SSL_ERROR_WANT_CONNECT:
1648+ case SSL_ERROR_WANT_X509_LOOKUP:
1649+ Msg(level, "nonblocking operation did not complete");
1650+ status = STAT_RETRYLATER;
1651+ break; /*!*/
1652+ case SSL_ERROR_SYSCALL:
1653+ if (ERR_peek_error() == 0) {
1654+ if (ret == 0) {
1655+ Msg(level, "SSL_connect(): socket closed by peer");
1656+ } else if (ret == -1) {
1657+ Msg1(level, "SSL_connect(): %s", strerror(errno));
1658+ }
1659+ } else {
1660+ Msg(level, "I/O error"); /*!*/
1661+ while (err = ERR_get_error()) {
1662+ ERR_error_string_n(err, error_string, sizeof(error_string));
1663+ Msg4(level, "SSL_connect(): %s / %s / %s / %s", error_string,
1664+ ERR_lib_error_string(err), ERR_func_error_string(err),
1665+ ERR_reason_error_string(err));
1666+ }
1667+ }
1668+ status = STAT_RETRYLATER;
1669+ break;
1670+ case SSL_ERROR_SSL:
1671+ status = openssl_SSL_ERROR_SSL(level, "SSL_connect");
1672+ if (openssl_handle_peer_certificate(xfd, opt_ver, level/*!*/) < 0) {
1673+ return STAT_RETRYLATER;
1674+ }
1675+ break;
1676+ default:
1677+ Msg(level, "unknown error");
1678+ status = STAT_RETRYLATER;
1679+ break;
1680+ }
1681+ return status;
1682+ }
1683+ return STAT_OK;
1684+}
1685+
1686+/* on result < 0: errno is set (at least to EIO) */
1687+ssize_t xioread_openssl(struct single *pipe, void *buff, size_t bufsiz) {
1688+ unsigned long err;
1689+ char error_string[120];
1690+ int _errno = EIO; /* if we have no better idea about nature of error */
1691+ int errint, ret;
1692+
1693+ ret = sycSSL_read(pipe->para.openssl.ssl, buff, bufsiz);
1694+ if (ret < 0) {
1695+ errint = SSL_get_error(pipe->para.openssl.ssl, ret);
1696+ switch (errint) {
1697+ case SSL_ERROR_NONE:
1698+ /* this is not an error, but I dare not continue for security reasons*/
1699+ Error("ok");
1700+ case SSL_ERROR_ZERO_RETURN:
1701+ Error("connection closed by peer");
1702+ break;
1703+ case SSL_ERROR_WANT_READ:
1704+ case SSL_ERROR_WANT_WRITE:
1705+ case SSL_ERROR_WANT_CONNECT:
1706+ case SSL_ERROR_WANT_X509_LOOKUP:
1707+ Info("nonblocking operation did not complete");
1708+ errno = EAGAIN;
1709+ return -1;
1710+ case SSL_ERROR_SYSCALL:
1711+ if (ERR_peek_error() == 0) {
1712+ if (ret == 0) {
1713+ Error("SSL_read(): socket closed by peer");
1714+ } else if (ret == -1) {
1715+ _errno = errno;
1716+ Error1("SSL_read(): %s", strerror(errno));
1717+ }
1718+ } else {
1719+ Error("I/O error"); /*!*/
1720+ while (err = ERR_get_error()) {
1721+ ERR_error_string_n(err, error_string, sizeof(error_string));
1722+ Error4("SSL_read(): %s / %s / %s / %s", error_string,
1723+ ERR_lib_error_string(err), ERR_func_error_string(err),
1724+ ERR_reason_error_string(err));
1725+ }
1726+ }
1727+ break;
1728+ case SSL_ERROR_SSL:
1729+ openssl_SSL_ERROR_SSL(E_ERROR, "SSL_connect");
1730+ break;
1731+ default:
1732+ Error("unknown error");
1733+ break;
1734+ }
1735+ errno = _errno;
1736+ return -1;
1737+ }
1738+ return ret;
1739+}
1740+
1741+ssize_t xiopending_openssl(struct single *pipe) {
1742+ int bytes = sycSSL_pending(pipe->para.openssl.ssl);
1743+ return bytes;
1744+}
1745+
1746+/* on result < 0: errno is set (at least to EIO) */
1747+ssize_t xiowrite_openssl(struct single *pipe, const void *buff, size_t bufsiz) {
1748+ unsigned long err;
1749+ char error_string[120];
1750+ int _errno = EIO; /* if we have no better idea about nature of error */
1751+ int errint, ret;
1752+
1753+ ret = sycSSL_write(pipe->para.openssl.ssl, buff, bufsiz);
1754+ if (ret < 0) {
1755+ errint = SSL_get_error(pipe->para.openssl.ssl, ret);
1756+ switch (errint) {
1757+ case SSL_ERROR_NONE:
1758+ /* this is not an error, but I dare not continue for security reasons*/
1759+ Error("ok");
1760+ case SSL_ERROR_ZERO_RETURN:
1761+ Error("connection closed by peer");
1762+ break;
1763+ case SSL_ERROR_WANT_READ:
1764+ case SSL_ERROR_WANT_WRITE:
1765+ case SSL_ERROR_WANT_CONNECT:
1766+ case SSL_ERROR_WANT_X509_LOOKUP:
1767+ Error("nonblocking operation did not complete");
1768+ break; /*!*/
1769+ case SSL_ERROR_SYSCALL:
1770+ if (ERR_peek_error() == 0) {
1771+ if (ret == 0) {
1772+ Error("SSL_write(): socket closed by peer");
1773+ } else if (ret == -1) {
1774+ _errno = errno;
1775+ Error1("SSL_write(): %s", strerror(errno));
1776+ }
1777+ } else {
1778+ Error("I/O error"); /*!*/
1779+ while (err = ERR_get_error()) {
1780+ ERR_error_string_n(err, error_string, sizeof(error_string));
1781+ Error4("SSL_write(): %s / %s / %s / %s", error_string,
1782+ ERR_lib_error_string(err), ERR_func_error_string(err),
1783+ ERR_reason_error_string(err));
1784+ }
1785+ }
1786+ break;
1787+ case SSL_ERROR_SSL:
1788+ openssl_SSL_ERROR_SSL(E_ERROR, "SSL_connect");
1789+ break;
1790+ default:
1791+ Error("unknown error");
1792+ break;
1793+ }
1794+ errno = _errno;
1795+ return -1;
1796+ }
1797+ return ret;
1798+}
1799+
1800+
1801+#endif /* WITH_OPENSSL */
1802
1803=== added directory '.pc/socat-opensslcompress2.patch'
1804=== renamed directory '.pc/socat-opensslcompress2.patch' => '.pc/socat-opensslcompress2.patch.moved'
1805=== added file '.pc/socat-opensslcompress2.patch/.timestamp'
1806=== added directory '.pc/socat-opensslcompress2.patch/doc'
1807=== added file '.pc/socat-opensslcompress2.patch/doc/socat.yo'
1808--- .pc/socat-opensslcompress2.patch/doc/socat.yo 1970-01-01 00:00:00 +0000
1809+++ .pc/socat-opensslcompress2.patch/doc/socat.yo 2012-07-21 00:23:19 +0000
1810@@ -0,0 +1,3501 @@
1811+COMMENT(source: socat.yo)
1812+mailto(socat@dest-unreach.org)
1813+
1814+def(unix)(0)(UN*X)
1815+def(unixdomain)(0)(UNIX domain)
1816+def(socat)(0)(bf(socat))
1817+def(Socat)(0)(bf(Socat))
1818+def(filan)(0)(bf(filan))
1819+def(Filan)(0)(bf(Filan))
1820+def(procan)(0)(bf(procan))
1821+def(Procan)(0)(bf(Procan))
1822+
1823+manpage(socat)(1)(Jan 2010)()()
1824+
1825+whenhtml(
1826+label(CONTENTS)
1827+manpagesection(CONTENTS)
1828+link(NAME)(NAME)nl()
1829+link(SYNOPSIS)(SYNOPSIS)nl()
1830+link(DESCRIPTION)(DESCRIPTION)nl()
1831+link(OPTIONS)(OPTIONS)nl()
1832+link(ADDRESS SPECIFICATIONS)(ADDRESS_SPECIFICATIONS)nl()
1833+link(ADDRESS TYPES)(ADDRESS_TYPES)nl()
1834+link(ADDRESS OPTIONS)(ADDRESS_OPTIONS)nl()
1835+link(DATA VALUES)(VALUES)nl()
1836+link(EXAMPLES)(EXAMPLES)nl()
1837+link(DIAGNOSTICS)(DIAGNOSTICS)nl()
1838+link(FILES)(FILES)nl()
1839+link(ENVIRONMENT VARIABLES)(ENVIRONMENT_VARIABLES)nl()
1840+link(CREDITS)(CREDITS)nl()
1841+link(VERSION)(VERSION)nl()
1842+link(BUGS)(BUGS)nl()
1843+link(SEE ALSO)(SEEALSO)nl()
1844+)
1845+
1846+label(NAME)
1847+manpagename(socat) (Multipurpose relay (SOcket CAT))
1848+
1849+label(SYNOPSIS)
1850+manpagesynopsis()
1851+tt(socat [options] <address> <address>)nl()
1852+tt(socat -V)nl()
1853+tt(socat -h[h[h]] | -?[?[?]])nl()
1854+tt(filan)nl()
1855+tt(procan)
1856+
1857+label(DESCRIPTION)
1858+manpagedescription()
1859+
1860+Socat() is a command line based utility that establishes two bidirectional byte
1861+streams and transfers data between them. Because the streams can be constructed
1862+from a large set of different types of data sinks and sources
1863+(see link(address types)(ADDRESS_TYPES)), and because lots of
1864+link(address options)(ADDRESS_OPTIONS) may be applied to the streams, socat can
1865+be used for many different purposes.
1866+
1867+Filan() is a utility that prints information about its active file
1868+descriptors to stdout. It has been written for debugging socat(), but might be
1869+useful for other purposes too. Use the -h option to find more infos.
1870+
1871+Procan() is a utility that prints information about process parameters to
1872+stdout. It has been written to better understand
1873+some UNIX process properties and for debugging socat(), but might be
1874+useful for other purposes too.
1875+
1876+The life cycle of a socat() instance typically consists of four phases.
1877+
1878+In the em(init) phase, the command line options are parsed and logging is
1879+initialized.
1880+
1881+During the em(open) phase, socat() opens the first address and afterwards the
1882+second address. These steps are usually blocking; thus, especially for complex address types like socks,
1883+connection requests or authentication dialogs must be completed before the next
1884+step is started.
1885+
1886+In the em(transfer) phase, socat() watches both streams' read and write file
1887+descriptors via code(select()), and, when data is available on one side em(and)
1888+can be written to the other side, socat reads it, performs newline
1889+character conversions if required, and writes the data to the write file
1890+descriptor of the other stream, then continues waiting for more data in both
1891+directions.
1892+
1893+When one of the streams effectively reaches EOF, the em(closing) phase
1894+begins. Socat() transfers the EOF condition to the other stream,
1895+i.e. tries to shutdown only its write stream, giving it a chance to
1896+terminate gracefully. For a defined time socat() continues to transfer data in
1897+the other direction, but then closes all remaining channels and terminates.
1898+
1899+
1900+label(OPTIONS)
1901+manpageoptions()
1902+
1903+Socat() provides some command line options that modify the behaviour of the
1904+program. They have nothing to do with so called
1905+link(address options)(ADDRESS_OPTIONS) that are used as parts of link(address specifications)(ADDRESS_SPECIFICATIONS).
1906+
1907+startdit()
1908+dit(bf(tt(-V)))
1909+ Print version and available feature information to stdout, and exit.
1910+dit(bf(tt(-h | -?)))
1911+ Print a help text to stdout describing command line options and available address
1912+ types, and exit.
1913+dit(bf(tt(-hh | -??)))
1914+ Like -h, plus a list of the short names of all available address options. Some options are
1915+ platform dependend, so this output is helpful for checking the particular
1916+ implementation.
1917+dit(bf(tt(-hhh | -???)))
1918+ Like -hh, plus a list of all available address option names.
1919+label(option_d)dit(bf(tt(-d)))
1920+ Without this option, only fatal and error messages are generated; applying
1921+ this option also prints warning messages. See link(DIAGNOSTICS)(DIAGNOSTICS)
1922+ for more information.
1923+label(option_d_d)dit(bf(tt(-d -d))) Prints fatal, error, warning, and notice messages.
1924+dit(bf(tt(-d -d -d))) Prints fatal, error, warning, notice, and info messages.
1925+dit(bf(tt(-d -d -d -d))) Prints fatal, error, warning, notice, info, and debug
1926+ messages.
1927+dit(bf(tt(-D)))
1928+ Logs information about file descriptors before starting the transfer phase.
1929+dit(bf(tt(-ly[<facility>])))
1930+ Writes messages to syslog instead of stderr; severity as defined with -d
1931+ option. With optional link(<facility>)(TYPE_FACILITY), the syslog type can
1932+ be selected, default is "daemon".
1933+dit(bf(tt(-lf))tt( <logfile>))
1934+ Writes messages to <logfile> [link(filename)(TYPE_FILENAME)] instead of
1935+ stderr.
1936+dit(bf(tt(-ls)))
1937+ Writes messages to stderr (this is the default).
1938+label(option_lp)dit(bf(tt(-lp))tt(<progname>))
1939+ Overrides the program name printed in error messages and used for
1940+ constructing environment variable names.
1941+dit(bf(tt(-lu)))
1942+ Extends the timestamp of error messages to microsecond resolution. Does not
1943+ work when logging to syslog.
1944+label(option_lm)dit(bf(tt(-lm[<facility>])))
1945+ Mixed log mode. During startup messages are printed to stderr; when socat()
1946+ starts the transfer phase loop or daemon mode (i.e. after opening all
1947+ streams and before starting data transfer, or, with listening sockets with
1948+ fork option, before the first accept call), it switches logging to syslog.
1949+ With optional link(<facility>)(TYPE_FACILITY), the syslog type can be
1950+ selected, default is "daemon".
1951+label(option_lh)dit(bf(tt(-lh)))
1952+ Adds hostname to log messages. Uses the value from environment variable
1953+ HOSTNAME or the value retrieved with tt(uname()) if HOSTNAME is not set.
1954+dit(bf(tt(-v)))
1955+ Writes the transferred data not only to their target streams, but also to
1956+ stderr. The output format is text with some conversions for readability, and
1957+ prefixed with "> " or "< " indicating flow directions.
1958+dit(bf(tt(-x)))
1959+ Writes the transferred data not only to their target streams, but also to
1960+ stderr. The output format is hexadecimal, prefixed with "> " or "< "
1961+ indicating flow directions. Can be combined with code(-v).
1962+label(option_b)dit(bf(tt(-b))tt(<size>))
1963+ Sets the data transfer block <size> [link(size_t)(TYPE_SIZE_T)].
1964+ At most <size> bytes are transferred per step. Default is 8192 bytes.
1965+label(option_s)dit(bf(tt(-s)))
1966+ By default, socat() terminates when an error occurred to prevent the process
1967+ from running when some option could not be applied. With this
1968+ option, socat() is sloppy with errors and tries to continue. Even with this
1969+ option, socat will exit on fatals, and will abort connection attempts when
1970+ security checks failed.
1971+label(option_t)dit(bf(tt(-t))tt(<timeout>))
1972+ When one channel has reached EOF, the write part of the other channel is shut
1973+ down. Then, socat() waits <timeout> [link(timeval)(TYPE_TIMEVAL)] seconds
1974+ before terminating. Default is 0.5 seconds. This timeout only applies to
1975+ addresses where write and read part can be closed independently. When during
1976+ the timeout interval the read part gives EOF, socat terminates without
1977+ awaiting the timeout.
1978+label(option_T)dit(bf(tt(-T))tt(<timeout>))
1979+ Total inactivity timeout: when socat is already in the transfer loop and
1980+ nothing has happened for <timeout> [link(timeval)(TYPE_TIMEVAL)] seconds
1981+ (no data arrived, no interrupt occurred...) then it terminates.
1982+ Useful with protocols like UDP that cannot transfer EOF.
1983+label(option_u)dit(bf(tt(-u)))
1984+ Uses unidirectional mode. The first address is only used for reading, and the
1985+ second address is only used for writing (link(example)(EXAMPLE_option_u)).
1986+label(option_U)dit(bf(tt(-U)))
1987+ Uses unidirectional mode in reverse direction. The first address is only
1988+ used for writing, and the second address is only used for reading.
1989+label(option_g)dit(bf(tt(-g)))
1990+ During address option parsing, don't check if the option is considered
1991+ useful in the given address environment. Use it if you want to force, e.g.,
1992+ appliance of a socket option to a serial device.
1993+label(option_L)dit(bf(tt(-L))tt(<lockfile>))
1994+ If lockfile exists, exits with error. If lockfile does not exist, creates it
1995+ and continues, unlinks lockfile on exit.
1996+label(option_W)dit(bf(tt(-W))tt(<lockfile>))
1997+ If lockfile exists, waits until it disappears. When lockfile does not exist,
1998+ creates it and continues, unlinks lockfile on exit.
1999+label(option_4)dit(bf(tt(-4)))
2000+ Use IP version 4 in case that the addresses do not implicitly or explicitly
2001+ specify a version; this is the default.
2002+label(option_6)dit(bf(tt(-6)))
2003+ Use IP version 6 in case that the addresses do not implicitly or explicitly
2004+ specify a version.
2005+enddit()
2006+
2007+
2008+label(ADDRESS_SPECIFICATIONS)
2009+manpagesection(ADDRESS SPECIFICATIONS)
2010+
2011+With the address command line arguments, the user gives socat() instructions and
2012+the necessary information for establishing the byte streams.
2013+
2014+An address specification usually consists of an address type
2015+keyword, zero or more required address parameters separated by ':' from the keyword and
2016+from each
2017+other, and zero or more address options separated by ','.
2018+
2019+The keyword specifies the address type (e.g., TCP4, OPEN, EXEC). For some
2020+keywords there exist synonyms ('-' for STDIO, TCP for TCP4). Keywords are case
2021+insensitive.
2022+For a few special address types, the keyword may be omitted:
2023+Address specifications starting with a number are assumed to be FD (raw file
2024+descriptor) addresses;
2025+if a '/' is found before the first ':' or ',', GOPEN (generic file open) is
2026+assumed.
2027+
2028+The required number and type of address parameters depend on the address
2029+type. E.g., TCP4 requires a server specification (name or address), and a port
2030+specification (number or service name).
2031+
2032+Zero or more address options may be given with each address. They influence the
2033+address in some ways.
2034+Options consist of an option keyword or an option keyword and a value,
2035+separated by '='. Option keywords are case insensitive.
2036+For filtering the options that are useful with an address
2037+type, each option is member of one option group. For
2038+each address type there is a set of option groups allowed. Only options
2039+belonging to one of these address groups may be used (except with link(option -g)(option_g)).
2040+
2041+label(ADDRESS_DUAL)
2042+Address specifications following the above schema are also called em(single)
2043+address specifications.
2044+Two single addresses can be combined with "!!" to form a em(dual) type
2045+address for one channel. Here, the first address is used by socat() for reading
2046+data, and the
2047+second address for writing data. There is no way to specify an option only once
2048+for being applied to both single addresses.
2049+
2050+Usually, addresses are opened in read/write
2051+mode. When an address is part of a dual address specification, or when
2052+link(option -u)(option_u) or link(-U)(option_U) is used, an address might be
2053+used only for reading or for writing. Considering this is important with some
2054+address types.
2055+
2056+With socat version 1.5.0 and higher, the lexical analysis tries to handle
2057+quotes and parenthesis meaningfully and allows escaping of special characters.
2058+If one of the characters ( { [ ' is found, the corresponding closing
2059+character - ) } ] ' - is looked for; they may also be nested. Within these
2060+constructs, socats special characters and strings : , !! are not handled
2061+specially. All those characters and strings can be escaped with \ or within ""
2062+
2063+label(ADDRESS_TYPES)
2064+manpagesection(ADDRESS TYPES)
2065+
2066+This section describes the available address types with their keywords,
2067+parameters, and semantics.
2068+
2069+startdit()
2070+label(ADDRESS_CREAT)dit(bf(tt(CREATE:<filename>)))
2071+ Opens link(<filename>)(TYPE_FILENAME) with code(creat()) and uses the file
2072+ descriptor for writing.
2073+ This address type requires write-only context, because a file opened with
2074+ code(creat) cannot be read from.
2075+ <filename> must be a valid existing or not existing path.
2076+ If <filename> is a named pipe, code(creat()) might block;
2077+ if <filename> refers to a socket, this is an error.nl()
2078+ Option groups: link(FD)(GROUP_FD),link(REG)(GROUP_REG),link(NAMED)(GROUP_NAMED) nl()
2079+ Useful options:
2080+ link(mode)(OPTION_MODE),
2081+ link(user)(OPTION_USER),
2082+ link(group)(OPTION_GROUP),
2083+ link(unlink-early)(OPTION_UNLINK_EARLY),
2084+ link(unlink-late)(OPTION_UNLINK_LATE),
2085+ link(append)(OPTION_APPEND)nl()
2086+ See also: link(OPEN)(ADDRESS_OPEN), link(GOPEN)(ADDRESS_GOPEN)
2087+label(ADDRESS_EXEC)dit(bf(tt(EXEC:<command-line>)))
2088+ Forks a sub process that establishes communication with its parent process
2089+ and invokes the specified program with code(execvp()).
2090+ link(<command-line>)(TYPE_COMMAND_LINE) is a simple command
2091+ with arguments separated by single spaces. If the program name
2092+ contains a '/', the part after the last '/' is taken as ARGV[0]. If the
2093+ program name is a relative
2094+ path, the code(execvp()) semantics for finding the program via
2095+ code($PATH)
2096+ apply. After successful program start, socat() writes data to stdin of the
2097+ process and reads from its stdout using a unixdomain() socket generated by
2098+ code(socketpair()) per default. (link(example)(EXAMPLE_ADDRESS_EXEC)) nl()
2099+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(EXEC)(GROUP_EXEC),link(FORK)(GROUP_FORK),link(TERMIOS)(GROUP_TERMIOS) nl()
2100+ Useful options:
2101+ link(path)(OPTION_PATH),
2102+ link(fdin)(OPTION_FDIN),
2103+ link(fdout)(OPTION_FDOUT),
2104+ link(chroot)(OPTION_CHROOT),
2105+ link(su)(OPTION_SUBSTUSER),
2106+ link(su-d)(OPTION_SUBSTUSER_DELAYED),
2107+ link(nofork)(OPTION_NOFORK),
2108+ link(pty)(OPTION_PTY),
2109+ link(stderr)(OPTION_STDERR),
2110+ link(ctty)(OPTION_CTTY),
2111+ link(setsid)(OPTION_SETSID),
2112+ link(pipes)(OPTION_PIPES),
2113+ link(login)(OPTION_LOGIN),
2114+ link(sigint)(OPTION_SIGINT),
2115+ link(sigquit)(OPTION_SIGQUIT)nl()
2116+ See also: link(SYSTEM)(ADDRESS_SYSTEM)
2117+label(ADDRESS_FD)dit(bf(tt(FD:<fdnum>)))
2118+ Uses the file descriptor link(<fdnum>)(TYPE_FDNUM). It must already exist as
2119+ valid unix() file descriptor.nl()
2120+ Option groups: link(FD)(GROUP_FD) (link(TERMIOS)(GROUP_TERMIOS),link(REG)(GROUP_REG),link(SOCKET)(GROUP_SOCKET)) nl()
2121+ See also:
2122+ link(STDIO)(ADDRESS_STDIO),
2123+ link(STDIN)(ADDRESS_STDIN),
2124+ link(STDOUT)(ADDRESS_STDOUT),
2125+ link(STDERR)(ADDRESS_STDERR)
2126+label(ADDRESS_GOPEN)dit(bf(tt(GOPEN:<filename>)))
2127+ (Generic open) This address type tries to handle any file system entry
2128+ except directories usefully. link(<filename>)(TYPE_FILENAME) may be a
2129+ relative or absolute path. If it already exists, its type is checked.
2130+ In case of a unixdomain() socket, socat() connects; if connecting fails,
2131+ socat() assumes a datagram socket and uses code(sendto()) calls.
2132+ If the entry is not a socket, socat() opens it applying the code(O_APPEND)
2133+ flag.
2134+ If it does not exist, it is opened with flag
2135+ code(O_CREAT) as a regular file (link(example)(EXAMPLE_ADDRESS_GOPEN)).nl()
2136+ Option groups: link(FD)(GROUP_FD),link(REG)(GROUP_REG),link(SOCKET)(GROUP_SOCKET),link(NAMED)(GROUP_NAMED),link(OPEN)(GROUP_OPEN) nl()
2137+ See also:
2138+ link(OPEN)(ADDRESS_OPEN),
2139+ link(CREATE)(ADDRESS_CREAT),
2140+ link(UNIX-CONNECT)(ADDRESS_UNIX_CONNECT)
2141+
2142+label(ADDRESS_IP_SENDTO)dit(bf(tt(IP-SENDTO:<host>:<protocol>)))
2143+ Opens a raw IP socket. Depending on host specification or option link(pf)(OPTION_PROTOCOL_FAMILY), IP procotol version
2144+ 4 or 6 is used. It uses link(<protocol>)(TYPE_PROTOCOL) to send packets
2145+ to <host> [link(IP address)(TYPE_IP_ADDRESS)] and receives packets from
2146+ host, ignores packets from other hosts.
2147+ Protocol 255 uses the raw socket with the IP header being part of the
2148+ data.nl()
2149+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6) nl()
2150+ Useful options:
2151+ link(pf)(OPTION_PROTOCOL_FAMILY),
2152+ link(ttl)(OPTION_TTL) nl()
2153+ See also:
2154+ link(IP4-SENDTO)(ADDRESS_IP4_SENDTO),
2155+ link(IP6-SENDTO)(ADDRESS_IP6_SENDTO),
2156+ link(IP-RECVFROM)(ADDRESS_IP_RECVFROM),
2157+ link(IP-RECV)(ADDRESS_IP_RECV),
2158+ link(UDP-SENDTO)(ADDRESS_UDP_SENDTO),
2159+ link(UNIX-SENDTO)(ADDRESS_UNIX_SENDTO)
2160+label(ADDRESS_INTERFACE)dit(bf(tt(INTERFACE:<interface>)))
2161+ Communicates with a network connected on an interface using raw packets
2162+ including link level data. link(<interface>)(TYPE_INTERFACE) is the name of
2163+ the network interface. Currently only available on Linux.
2164+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET) nl()
2165+ Useful options:
2166+ link(pf)(OPTION_PROTOCOL_FAMILY),
2167+ link(type)(OPTION_SO_TYPE)nl()
2168+ See also: link(ip-recv)(ADDRESS_IP_RECV)
2169+label(ADDRESS_IP4_SENDTO)dit(bf(tt(IP4-SENDTO:<host>:<protocol>)))
2170+ Like link(IP-SENDTO)(ADDRESS_IP_SENDTO), but always uses IPv4.nl()
2171+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4) nl()
2172+label(ADDRESS_IP6_SENDTO)dit(bf(tt(IP6-SENDTO:<host>:<protocol>)))
2173+ Like link(IP-SENDTO)(ADDRESS_IP_SENDTO), but always uses IPv6.nl()
2174+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP6)(GROUP_IP6) nl()
2175+
2176+label(ADDRESS_IP_DATAGRAM)dit(bf(tt(IP-DATAGRAM:<address>:<protocol>)))
2177+ Sends outgoing data to the specified address which may in particular be a
2178+ broadcast or multicast address. Packets arriving on the local socket are
2179+ checked if their source addresses match
2180+ link(RANGE)(OPTION_RANGE) or link(TCPWRAP)(OPTION_TCPWRAPPERS)
2181+ options. This address type can for example be used for implementing
2182+ symmetric or asymmetric broadcast or multicast communications.nl()
2183+ Option groups: link(FD)(GROUP_FD), link(SOCKET)(GROUP_SOCKET),
2184+ link(IP4)(GROUP_IP4), link(IP6)(GROUP_IP6), link(RANGE)(GROUP_RANGE) nl()
2185+ Useful options:
2186+ link(bind)(OPTION_BIND),
2187+ link(range)(OPTION_RANGE),
2188+ link(tcpwrap)(OPTION_TCPWRAPPERS),
2189+ link(broadcast)(OPTION_SO_BROADCAST),
2190+ link(ip-multicast-loop)(OPTION_IP_MULTICAST_LOOP),
2191+ link(ip-multicast-ttl)(OPTION_IP_MULTICAST_TTL),
2192+ link(ip-multicast-if)(OPTION_IP_MULTICAST_IF),
2193+ link(ip-add-membership)(OPTION_IP_ADD_MEMBERSHIP),
2194+ link(ttl)(OPTION_TTL),
2195+ link(tos)(OPTION_TOS),
2196+ link(pf)(OPTION_PROTOCOL_FAMILY)nl()
2197+ See also:
2198+ link(IP4-DATAGRAM)(ADDRESS_IP4_DATAGRAM),
2199+ link(IP6-DATAGRAM)(ADDRESS_IP6_DATAGRAM),
2200+ link(IP-SENDTO)(ADDRESS_IP_SENDTO),
2201+ link(IP-RECVFROM)(ADDRESS_IP_RECVFROM),
2202+ link(IP-RECV)(ADDRESS_IP_RECV),
2203+ link(UDP-DATAGRAM)(ADDRESS_UDP_DATAGRAM)
2204+label(ADDRESS_IP4_DATAGRAM)dit(bf(tt(IP4-DATAGRAM:<host>:<protocol>)))
2205+ Like link(IP-DATAGRAM)(ADDRESS_IP_DATAGRAM), but always uses IPv4.
2206+ (link(example)(EXAMPLE_ADDRESS_IP4_BROADCAST_CLIENT))nl()
2207+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(RANGE)(GROUP_RANGE) nl()
2208+label(ADDRESS_IP6_DATAGRAM)dit(bf(tt(IP6-DATAGRAM:<host>:<protocol>)))
2209+ Like link(IP-DATAGRAM)(ADDRESS_IP_DATAGRAM), but always uses IPv6. Please
2210+ note that IPv6 does not know broadcasts.nl()
2211+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP6)(GROUP_IP6),link(RANGE)(GROUP_RANGE) nl()
2212+
2213+label(ADDRESS_IP_RECVFROM)dit(bf(tt(IP-RECVFROM:<protocol>)))
2214+ Opens a raw IP socket of link(<protocol>)(TYPE_PROTOCOL). Depending on option link(pf)(OPTION_PROTOCOL_FAMILY), IP procotol version
2215+ 4 or 6 is used. It receives one packet from an unspecified peer and may send one or more answer packets to that peer.
2216+ This mode is particularly useful with fork option where each arriving packet - from arbitrary peers - is handled by its own sub process.
2217+ This allows a behaviour similar to typical UDP based servers like ntpd or
2218+ named.nl()
2219+ Please note that the reply packets might be fetched as incoming traffic when
2220+ sender and receiver IP address are identical because there is no port number
2221+ to distinguish the sockets.nl()
2222+ This address works well with IP-SENDTO address peers (see above).
2223+ Protocol 255 uses the raw socket with the IP header being part of the
2224+ data.nl()
2225+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE) nl()
2226+ Useful options:
2227+ link(pf)(OPTION_PROTOCOL_FAMILY),
2228+ link(fork)(OPTION_FORK),
2229+ link(range)(OPTION_RANGE),
2230+ link(ttl)(OPTION_TTL),
2231+ link(broadcast)(OPTION_SO_BROADCAST)nl()
2232+ See also:
2233+ link(IP4-RECVFROM)(ADDRESS_IP4_RECVFROM),
2234+ link(IP6-RECVFROM)(ADDRESS_IP6_RECVFROM),
2235+ link(IP-SENDTO)(ADDRESS_IP_SENDTO),
2236+ link(IP-RECV)(ADDRESS_IP_RECV),
2237+ link(UDP-RECVFROM)(ADDRESS_UDP_RECVFROM),
2238+ link(UNIX-RECVFROM)(ADDRESS_UNIX_RECVFROM)
2239+label(ADDRESS_IP4_RECVFROM)dit(bf(tt(IP4-RECVFROM:<protocol>)))
2240+ Like link(IP-RECVFROM)(ADDRESS_IP_RECVFROM), but always uses IPv4.nl()
2241+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE) nl()
2242+label(ADDRESS_IP6_RECVFROM)dit(bf(tt(IP6-RECVFROM:<protocol>)))
2243+ Like link(IP-RECVFROM)(ADDRESS_IP_RECVFROM), but always uses IPv6.nl()
2244+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP6)(GROUP_IP6),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE) nl()
2245+
2246+label(ADDRESS_IP_RECV)dit(bf(tt(IP-RECV:<protocol>)))
2247+ Opens a raw IP socket of link(<protocol>)(TYPE_PROTOCOL). Depending on option link(pf)(OPTION_PROTOCOL_FAMILY), IP procotol version
2248+ 4 or 6 is used. It receives packets from multiple unspecified peers and merges the data.
2249+ No replies are possible.
2250+ It can be, e.g., addressed by socat IP-SENDTO address peers.
2251+ Protocol 255 uses the raw socket with the IP header being part of the
2252+ data.nl()
2253+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(RANGE)(GROUP_RANGE) nl()
2254+ Useful options:
2255+ link(pf)(OPTION_PROTOCOL_FAMILY),
2256+ link(range)(OPTION_RANGE)nl()
2257+ See also:
2258+ link(IP4-RECV)(ADDRESS_IP4_RECV),
2259+ link(IP6-RECV)(ADDRESS_IP6_RECV),
2260+ link(IP-SENDTO)(ADDRESS_IP_SENDTO),
2261+ link(IP-RECVFROM)(ADDRESS_IP_RECVFROM),
2262+ link(UDP-RECV)(ADDRESS_UDP_RECV),
2263+ link(UNIX-RECV)(ADDRESS_UNIX_RECV)
2264+label(ADDRESS_IP4_RECV)dit(bf(tt(IP4-RECV:<protocol>)))
2265+ Like link(IP-RECV)(ADDRESS_IP_RECV), but always uses IPv4.nl()
2266+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(RANGE)(GROUP_RANGE) nl()
2267+label(ADDRESS_IP6_RECV)dit(bf(tt(IP6-RECV:<protocol>)))
2268+ Like link(IP-RECV)(ADDRESS_IP_RECV), but always uses IPv6.nl()
2269+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP6)(GROUP_IP6),link(RANGE)(GROUP_RANGE) nl()
2270+
2271+label(ADDRESS_OPEN)dit(bf(tt(OPEN:<filename>)))
2272+ Opens link(<filename>)(TYPE_FILENAME) using the code(open()) system call
2273+ (link(example)(EXAMPLE_ADDRESS_OPEN)).
2274+ This operation fails on unixdomain() sockets. nl()
2275+ Note: This address type is rarly useful in bidirectional mode.nl()
2276+ Option groups: link(FD)(GROUP_FD),link(REG)(GROUP_REG),link(NAMED)(GROUP_NAMED),link(OPEN)(GROUP_OPEN) nl()
2277+ Useful options:
2278+ link(creat)(OPTION_CREAT),
2279+ link(excl)(OPTION_EXCL),
2280+ link(noatime)(OPTION_O_NOATIME),
2281+ link(nofollow)(OPTION_NOFOLLOW),
2282+ link(append)(OPTION_APPEND),
2283+ link(rdonly)(OPTION_RDONLY),
2284+ link(wronly)(OPTION_WRONLY),
2285+ link(lock)(OPTION_LOCK),
2286+ link(readbytes)(OPTION_READBYTES),
2287+ link(ignoreeof)(OPTION_IGNOREEOF)nl()
2288+ See also:
2289+ link(CREATE)(ADDRESS_CREAT),
2290+ link(GOPEN)(ADDRESS_GOPEN),
2291+ link(UNIX-CONNECT)(ADDRESS_UNIX_CONNECT)
2292+label(ADDRESS_OPENSSL_CONNECT)dit(bf(tt(OPENSSL:<host>:<port>)))
2293+ Tries to establish a SSL connection to <port> [link(TCP
2294+ service)(TYPE_TCP_SERVICE)] on
2295+ <host> [link(IP address)(TYPE_IP_ADDRESS)] using TCP/IP version 4 or 6
2296+ depending on address specification, name resolution, or option
2297+ link(pf)(OPTION_PROTOCOL_FAMILY).nl()
2298+ NOTE: The server certificate is only checked for validity against
2299+ link(cafile)(OPTION_OPENSSL_CAFILE) or link(capath)(OPTION_OPENSSL_CAPATH),
2300+ but not for match with the server's name or its IP address!nl()
2301+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(OPENSSL)(GROUP_OPENSSL),link(RETRY)(GROUP_RETRY) nl()
2302+ Useful options:
2303+ link(cipher)(OPTION_OPENSSL_CIPHERLIST),
2304+ link(method)(OPTION_OPENSSL_METHOD),
2305+ link(verify)(OPTION_OPENSSL_VERIFY),
2306+ link(cafile)(OPTION_OPENSSL_CAFILE),
2307+ link(capath)(OPTION_OPENSSL_CAPATH),
2308+ link(certificate)(OPTION_OPENSSL_CERTIFICATE),
2309+ link(key)(OPTION_OPENSSL_KEY),
2310+ link(bind)(OPTION_BIND),
2311+ link(pf)(OPTION_PROTOCOL_FAMILY),
2312+ link(connect-timeout)(OPTION_CONNECT_TIMEOUT),
2313+ link(sourceport)(OPTION_SOURCEPORT),
2314+ link(retry)(OPTION_RETRY)nl()
2315+ See also:
2316+ link(OPENSSL-LISTEN)(ADDRESS_OPENSSL_LISTEN),
2317+ link(TCP)(ADDRESS_TCP_CONNECT)
2318+label(ADDRESS_OPENSSL_LISTEN)dit(bf(tt(OPENSSL-LISTEN:<port>)))
2319+ Listens on tcp <port> [link(TCP service)(TYPE_TCP_SERVICE)].
2320+ The IP version is 4 or the one specified with
2321+ link(pf)(OPTION_PROTOCOL_FAMILY). When a
2322+ connection is accepted, this address behaves as SSL server.nl()
2323+ Note: You probably want to use the link(certificate)(OPTION_OPENSSL_CERTIFICATE) option with this address.nl()
2324+ NOTE: The client certificate is only checked for validity against
2325+ link(cafile)(OPTION_OPENSSL_CAFILE) or link(capath)(OPTION_OPENSSL_CAPATH),
2326+ but not for match with the client's name or its IP address!nl()
2327+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(LISTEN)(GROUP_LISTEN),link(OPENSSL)(GROUP_OPENSSL),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE),link(RETRY)(GROUP_RETRY) nl()
2328+ Useful options:
2329+ link(pf)(OPTION_PROTOCOL_FAMILY),
2330+ link(cipher)(OPTION_OPENSSL_CIPHERLIST),
2331+ link(method)(OPTION_OPENSSL_METHOD),
2332+ link(verify)(OPTION_OPENSSL_VERIFY),
2333+ link(cafile)(OPTION_OPENSSL_CAFILE),
2334+ link(capath)(OPTION_OPENSSL_CAPATH),
2335+ link(certificate)(OPTION_OPENSSL_CERTIFICATE),
2336+ link(key)(OPTION_OPENSSL_KEY),
2337+ link(fork)(OPTION_FORK),
2338+ link(bind)(OPTION_BIND),
2339+ link(range)(OPTION_RANGE),
2340+ link(tcpwrap)(OPTION_TCPWRAPPERS),
2341+ link(su)(OPTION_SUBSTUSER),
2342+ link(reuseaddr)(OPTION_REUSEADDR),
2343+ link(retry)(OPTION_RETRY)nl()
2344+ See also:
2345+ link(OPENSSL)(ADDRESS_OPENSSL_CONNECT),
2346+ link(TCP)(ADDRESS_TCP_CONNECT)
2347+label(ADDRESS_NAMED_PIPE)dit(bf(tt(PIPE:<filename>)))
2348+ If link(<filename>)(TYPE_FILENAME) already exists, it is opened.
2349+ If it does not exist, a named pipe is created and opened. Beginning with
2350+ socat version 1.4.3, the named pipe is removed when the address is closed
2351+ (but see option link(unlink-close)(OPTION_UNLINK_CLOSE)nl()
2352+ Note: When a pipe is used for both reading and writing, it works
2353+ as echo service.nl()
2354+ Note: When a pipe is used for both reading and writing, and socat tries
2355+ to write more bytes than the pipe can buffer (Linux 2.4: 2048 bytes), socat
2356+ might block. Consider using socat option, e.g., code(-b 2048) nl()
2357+ Option groups: link(FD)(GROUP_FD),link(NAMED)(GROUP_NAMED),link(OPEN)(GROUP_OPEN) nl()
2358+ Useful options:
2359+ link(rdonly)(OPTION_RDONLY),
2360+ link(nonblock)(OPTION_NONBLOCK),
2361+ link(group)(OPTION_GROUP),
2362+ link(user)(OPTION_USER),
2363+ link(mode)(OPTION_MODE),
2364+ link(unlink-early)(OPTION_UNLINK_EARLY)nl()
2365+ See also: link(unnamed pipe)(ADDRESS_UNNAMED_PIPE)
2366+label(ADDRESS_UNNAMED_PIPE)dit(bf(tt(PIPE)))
2367+ Creates an unnamed pipe and uses it for reading and writing. It works as an
2368+ echo, because everything written
2369+ to it appeares immediately as read data.nl()
2370+ Note: When socat tries to write more bytes than the pipe can queue (Linux
2371+ 2.4: 2048 bytes), socat might block. Consider, e.g., using
2372+ option code(-b 2048) nl()
2373+ Option groups: link(FD)(GROUP_FD) nl()
2374+ See also: link(named pipe)(ADDRESS_NAMED_PIPE)
2375+label(ADDRESS_PROXY_CONNECT)dit(bf(tt(PROXY:<proxy>:<hostname>:<port>)))
2376+ Connects to an HTTP proxy server on port 8080 using TCP/IP version 4 or 6
2377+ depending on address specification, name resolution, or option
2378+ link(pf)(OPTION_PROTOCOL_FAMILY), and sends a CONNECT
2379+ request for hostname:port. If the proxy grants access and succeeds to
2380+ connect to the target, data transfer between socat and the target can
2381+ start. Note that the traffic need not be HTTP but can be an arbitrary
2382+ protocol. nl()
2383+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(HTTP)(GROUP_HTTP),link(RETRY)(GROUP_RETRY) nl()
2384+ Useful options:
2385+ link(proxyport)(OPTION_PROXYPORT),
2386+ link(ignorecr)(OPTION_IGNORECR),
2387+ link(proxyauth)(OPTION_PROXY_AUTHORIZATION),
2388+ link(resolve)(OPTION_PROXY_RESOLVE),
2389+ link(crnl)(OPTION_CRNL),
2390+ link(bind)(OPTION_BIND),
2391+ link(connect-timeout)(OPTION_CONNECT_TIMEOUT),
2392+ link(mss)(OPTION_MSS),
2393+ link(sourceport)(OPTION_SOURCEPORT),
2394+ link(retry)(OPTION_RETRY) nl()
2395+ See also: link(SOCKS)(ADDRESS_SOCKS4), link(TCP)(ADDRESS_TCP_CONNECT)
2396+label(ADDRESS_PTY)dit(bf(tt(PTY)))
2397+ Generates a pseudo terminal (pty) and uses its master side. Another process
2398+ may open the pty's slave side using it like a serial line or terminal.
2399+ (link(example)(EXAMPLE_ADDRESS_PTY)). If
2400+ both the ptmx and the openpty mechanisms are available, ptmx is used
2401+ (POSIX).nl()
2402+ Option groups: link(FD)(GROUP_FD),link(NAMED)(GROUP_NAMED),link(PTY)(GROUP_PTY),link(TERMIOS)(GROUP_TERMIOS) nl()
2403+ Useful options:
2404+ link(link)(OPTION_SYMBOLIC_LINK),
2405+ link(openpty)(OPTION_OPENPTY),
2406+ link(wait-slave)(OPTION_PTY_WAIT_SLAVE),
2407+ link(mode)(OPTION_MODE),
2408+ link(user)(OPTION_USER),
2409+ link(group)(OPTION_GROUP)nl()
2410+ See also:
2411+ link(UNIX-LISTEN)(ADDRESS_UNIX_LISTEN),
2412+ link(PIPE)(ADDRESS_NAMED_PIPE),
2413+ link(EXEC)(ADDRESS_EXEC), link(SYSTEM)(ADDRESS_SYSTEM)
2414+label(ADDRESS_READLINE)dit(bf(tt(READLINE)))
2415+ Uses GNU readline and history on stdio to allow editing and reusing input
2416+ lines (link(example)(EXAMPLE_ADDRESS_READLINE)). This requires the GNU readline and
2417+ history libraries. Note that stdio should be a (pseudo) terminal device,
2418+ otherwise readline does not seem to work.nl()
2419+ Option groups: link(FD)(GROUP_FD),link(READLINE)(GROUP_READLINE),link(TERMIOS)(GROUP_TERMIOS) nl()
2420+ Useful options:
2421+ link(history)(OPTION_HISTORY),
2422+ link(noecho)(OPTION_NOECHO)nl()
2423+ See also:
2424+ link(STDIO)(ADDRESS_STDIO)
2425+label(ADDRESS_SCTP_CONNECT)dit(bf(tt(SCTP-CONNECT:<host>:<port>)))
2426+ Establishes an SCTP stream connection to the specified <host> [link(IP
2427+ address)(TYPE_IP_ADDRESS)] and <port> [link(TCP service)(TYPE_TCP_SERVICE)]
2428+ using TCP/IP version 4 or 6 depending on address specification, name
2429+ resolution, or option link(pf)(OPTION_PROTOCOL_FAMILY).nl()
2430+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(SCTP)(GROUP_SCTP),link(CHILD)(GROUP_CHILD),link(RETRY)(GROUP_RETRY) nl()
2431+ Useful options:
2432+ link(bind)(OPTION_BIND),
2433+ link(pf)(OPTION_PROTOCOL_FAMILY),
2434+ link(connect-timeout)(OPTION_CONNECT_TIMEOUT),
2435+ link(tos)(OPTION_TOS),
2436+ link(mtudiscover)(OPTION_MTUDISCOVER),
2437+ link(sctp-maxseg)(OPTION_SCTP_MAXSEG),
2438+ link(sctp-nodelay)(OPTION_SCTP_NODELAY),
2439+ link(nonblock)(OPTION_NONBLOCK),
2440+ link(sourceport)(OPTION_SOURCEPORT),
2441+ link(retry)(OPTION_RETRY),
2442+ link(readbytes)(OPTION_READBYTES)nl()
2443+ See also:
2444+ link(SCTP4-CONNECT)(ADDRESS_SCTP4_CONNECT),
2445+ link(SCTP6-CONNECT)(ADDRESS_SCTP6_CONNECT),
2446+ link(SCTP-LISTEN)(ADDRESS_SCTP_LISTEN),
2447+ link(TCP-CONNECT)(ADDRESS_TCP_CONNECT)
2448+label(ADDRESS_SCTP4_CONNECT)dit(bf(tt(SCTP4-CONNECT:<host>:<port>)))
2449+ Like link(SCTP-CONNECT)(ADDRESS_SCTP_CONNECT), but only supports IPv4 protocol.nl()
2450+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(SCTP)(GROUP_SCTP),link(CHILD)(GROUP_CHILD),link(RETRY)(GROUP_RETRY) nl()
2451+label(ADDRESS_SCTP6_CONNECT)dit(bf(tt(SCTP6-CONNECT:<host>:<port>)))
2452+ Like link(SCTP-CONNECT)(ADDRESS_SCTP_CONNECT), but only supports IPv6 protocol.nl()
2453+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP6)(GROUP_IP6),link(SCTP)(GROUP_SCTP),link(CHILD)(GROUP_CHILD),link(RETRY)(GROUP_RETRY) nl()
2454+label(ADDRESS_SCTP_LISTEN)dit(bf(tt(SCTP-LISTEN:<port>)))
2455+ Listens on <port> [link(TCP service)(TYPE_TCP_SERVICE)] and accepts a
2456+ TCP/IP connection. The IP version is 4 or the one specified with
2457+ address option link(pf)(OPTION_PROTOCOL_FAMILY), socat option
2458+ (link(-4)(option_4), link(-6)(option_6)), or environment variable link(SOCAT_DEFAULT_LISTEN_IP)(ENV_SOCAT_DEFAULT_LISTEN_IP).
2459+ Note that opening
2460+ this address usually blocks until a client connects.nl()
2461+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(LISTEN)(GROUP_LISTEN),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(SCTP)(GROUP_SCTP),link(RETRY)(GROUP_RETRY) nl()
2462+ Useful options:
2463+ link(crnl)(OPTION_CRNL),
2464+ link(fork)(OPTION_FORK),
2465+ link(bind)(OPTION_BIND),
2466+ link(range)(OPTION_RANGE),
2467+ link(tcpwrap)(OPTION_TCPWRAPPERS),
2468+ link(pf)(OPTION_PROTOCOL_FAMILY),
2469+ link(backlog)(OPTION_BACKLOG),
2470+ link(sctp-maxseg)(OPTION_SCTP_MAXSEG),
2471+ link(sctp-nodelay)(OPTION_SCTP_NODELAY),
2472+ link(su)(OPTION_SUBSTUSER),
2473+ link(reuseaddr)(OPTION_REUSEADDR),
2474+ link(retry)(OPTION_RETRY),
2475+ link(cool-write)(OPTION_COOL_WRITE)nl()
2476+ See also:
2477+ link(SCTP4-LISTEN)(ADDRESS_SCTP4_LISTEN),
2478+ link(SCTP6-LISTEN)(ADDRESS_SCTP6_LISTEN),
2479+ link(TCP-LISTEN)(ADDRESS_TCP_LISTEN),
2480+ link(SCTP-CONNECT)(ADDRESS_SCTP_CONNECT)
2481+label(ADDRESS_SCTP4_LISTEN)dit(bf(tt(SCTP4-LISTEN:<port>)))
2482+ Like link(SCTP-LISTEN)(ADDRESS_SCTP_LISTEN), but only supports IPv4
2483+ protocol.nl()
2484+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(LISTEN)(GROUP_LISTEN),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE),link(IP4)(GROUP_IP4),link(SCTP)(GROUP_SCTP),link(RETRY)(GROUP_RETRY) nl()
2485+label(ADDRESS_SCTP6_LISTEN)dit(bf(tt(SCTP6-LISTEN:<port>)))
2486+ Like link(SCTP-LISTEN)(ADDRESS_SCTP_LISTEN), but only supports IPv6
2487+ protocol.nl()
2488+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(LISTEN)(GROUP_LISTEN),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE),link(IP6)(GROUP_IP6),link(SCTP)(GROUP_SCTP),link(RETRY)(GROUP_RETRY) nl()
2489+label(ADDRESS_SOCKET_CONNECT)dit(bf(tt(SOCKET-CONNECT:<domain>:<protocol>:<remote-address>)))
2490+ Creates a stream socket using the first and second given socket parameters
2491+ and tt(SOCK_STREAM) (see man socket\(2)) and connects to the remote-address.
2492+ The two socket parameters have to be specified by link(int)(TYPE_INT)
2493+ numbers. Consult your OS documentation and include files to find the
2494+ appropriate values. The remote-address must be the link(data)(TYPE_DATA)
2495+ representation of a sockaddr structure without sa_family and (BSD) sa_len
2496+ components.nl()
2497+ Please note that you can - beyond the options of the specified groups - also
2498+ use options of higher level protocols when you apply socat option
2499+ link(-g)(option_g).nl()
2500+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(CHILD)(GROUP_CHILD),link(RETRY)(GROUP_RETRY)nl()
2501+ Useful options:
2502+ link(bind)(OPTION_BIND),
2503+ link(setsockopt-int)(OPTION_SETSOCKOPT_INT),
2504+ link(setsockopt-bin)(OPTION_SETSOCKOPT_BIN),
2505+ link(setsockopt-string)(OPTION_SETSOCKOPT_STRING)
2506+ nl()
2507+ See also:
2508+ link(TCP)(ADDRESS_TCP_CONNECT),
2509+ link(UDP-CONNECT)(ADDRESS_UDP_CONNECT),
2510+ link(UNIX-CONNECT)(ADDRESS_UNIX_CONNECT),
2511+ link(SOCKET-LISTEN)(ADDRESS_SOCKET_LISTEN),
2512+ link(SOCKET-SENDTO)(ADDRESS_SOCKET_SENDTO)
2513+label(ADDRESS_SOCKET_DATAGRAM)dit(bf(tt(SOCKET-DATAGRAM:<domain>:<type>:<protocol>:<remote-address>)))
2514+ Creates a datagram socket using the first three given socket parameters (see
2515+ man socket\(2)) and sends outgoing data to the remote-address. The three
2516+ socket parameters have to be specified by link(int)(TYPE_INT)
2517+ numbers. Consult your OS documentation and include files to find the
2518+ appropriate values. The remote-address must be the link(data)(TYPE_DATA)
2519+ representation of a sockaddr structure without sa_family and (BSD) sa_len
2520+ components.nl()
2521+ Please note that you can - beyond the options of the specified groups - also
2522+ use options of higher level protocols when you apply socat option
2523+ link(-g)(option_g).nl()
2524+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(RANGE)(GROUP_RANGE)nl()
2525+ Useful options:
2526+ link(bind)(OPTION_BIND),
2527+ link(range)(OPTION_RANGE),
2528+ link(setsockopt-int)(OPTION_SETSOCKOPT_INT),
2529+ link(setsockopt-bin)(OPTION_SETSOCKOPT_BIN),
2530+ link(setsockopt-string)(OPTION_SETSOCKOPT_STRING)
2531+ nl()
2532+ See also:
2533+ link(UDP-DATAGRAM)(ADDRESS_UDP_DATAGRAM),
2534+ link(IP-DATAGRAM)(ADDRESS_IP_DATAGRAM),
2535+ link(SOCKET-SENDTO)(ADDRESS_SOCKET_SENDTO),
2536+ link(SOCKET-RECV)(ADDRESS_SOCKET_RECV),
2537+ link(SOCKET-RECVFROM)(ADDRESS_SOCKET_RECVFROM)
2538+label(ADDRESS_SOCKET_LISTEN)dit(bf(tt(SOCKET-LISTEN:<domain>:<protocol>:<local-address>)))
2539+ Creates a stream socket using the first and second given socket parameters
2540+ and tt(SOCK_STREAM) (see man socket\(2)) and waits for incoming connections
2541+ on local-address. The two socket parameters have to be specified by
2542+ link(int)(TYPE_INT) numbers. Consult your OS documentation and include files
2543+ to find the appropriate values. The local-address must be the
2544+ link(data)(TYPE_DATA) representation of a sockaddr structure without
2545+ sa_family and (BSD) sa_len components.nl()
2546+ Please note that you can - beyond the options of the specified groups - also
2547+ use options of higher level protocols when you apply socat option
2548+ link(-g)(option_g).nl()
2549+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(LISTEN)(GROUP_LISTEN),link(RANGE)(GROUP_RANGE),link(CHILD)(GROUP_CHILD),link(RETRY)(GROUP_RETRY)nl()
2550+ Useful options:
2551+ link(setsockopt-int)(OPTION_SETSOCKOPT_INT),
2552+ link(setsockopt-bin)(OPTION_SETSOCKOPT_BIN),
2553+ link(setsockopt-string)(OPTION_SETSOCKOPT_STRING)
2554+ nl()
2555+ See also:
2556+ link(TCP)(ADDRESS_TCP_LISTEN),
2557+ link(UDP-CONNECT)(ADDRESS_UDP_LISTEN),
2558+ link(UNIX-CONNECT)(ADDRESS_UNIX_LISTEN),
2559+ link(SOCKET-LISTEN)(ADDRESS_SOCKET_CONNECT),
2560+ link(SOCKET-SENDTO)(ADDRESS_SOCKET_RECVFROM),
2561+ link(SOCKET-SENDTO)(ADDRESS_SOCKET_RECV)
2562+label(ADDRESS_SOCKET_RECV)dit(bf(tt(SOCKET-RECV:<domain>:<type>:<protocol>:<local-address>)))
2563+ Creates a socket using the three given socket parameters (see man socket\(2))
2564+ and binds it to <local-address>. Receives arriving data. The three
2565+ parameters have to be specified by link(int)(TYPE_INT) numbers. Consult your
2566+ OS documentation and include files to find the appropriate values. The
2567+ local-address must be the link(data)(TYPE_DATA) representation of a sockaddr
2568+ structure without sa_family and (BSD) sa_len components.nl()
2569+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(RANGE)(GROUP_RANGE)nl()
2570+ Useful options:
2571+ link(range)(OPTION_RANGE),
2572+ link(setsockopt-int)(OPTION_SETSOCKOPT_INT),
2573+ link(setsockopt-bin)(OPTION_SETSOCKOPT_BIN),
2574+ link(setsockopt-string)(OPTION_SETSOCKOPT_STRING)
2575+ nl()
2576+ See also:
2577+ link(UDP-RECV)(ADDRESS_UDP_RECV),
2578+ link(IP-RECV)(ADDRESS_IP_RECV),
2579+ link(UNIX-RECV)(ADDRESS_UNIX_RECV),
2580+ link(SOCKET-DATAGRAM)(ADDRESS_SOCKET_DATAGRAM),
2581+ link(SOCKET-SENDTO)(ADDRESS_SOCKET_SENDTO),
2582+ link(SOCKET-RECVFROM)(ADDRESS_SOCKET_RECVFROM)
2583+label(ADDRESS_SOCKET_RECVFROM)dit(bf(tt(SOCKET-RECVFROM:<domain>:<type>:<protocol>:<local-address>)))
2584+ Creates a socket using the three given socket parameters (see man socket\(2))
2585+ and binds it to <local-address>. Receives arriving data and sends replies
2586+ back to the sender. The first three parameters have to be specified as
2587+ link(int)(TYPE_INT) numbers. Consult your OS documentation and include files
2588+ to find the appropriate values. The local-address must be the
2589+ link(data)(TYPE_DATA) representation of a sockaddr structure without
2590+ sa_family and (BSD) sa_len components.nl()
2591+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE)nl()
2592+ Useful options:
2593+ link(fork)(OPTION_FORK),
2594+ link(range)(OPTION_RANGE),
2595+ link(setsockopt-int)(OPTION_SETSOCKOPT_INT),
2596+ link(setsockopt-bin)(OPTION_SETSOCKOPT_BIN),
2597+ link(setsockopt-string)(OPTION_SETSOCKOPT_STRING)
2598+ nl()
2599+ See also:
2600+ link(UDP-RECVFROM)(ADDRESS_UDP_RECVFROM),
2601+ link(IP-RECVFROM)(ADDRESS_IP_RECVFROM),
2602+ link(UNIX-RECVFROM)(ADDRESS_UNIX_RECVFROM),
2603+ link(SOCKET-DATAGRAM)(ADDRESS_SOCKET_DATAGRAM),
2604+ link(SOCKET-SENDTO)(ADDRESS_SOCKET_SENDTO),
2605+ link(SOCKET-RECV)(ADDRESS_SOCKET_RECV)
2606+label(ADDRESS_SOCKET_SENDTO)dit(bf(tt(SOCKET-SENDTO:<domain>:<type>:<protocol>:<remote-address>)))
2607+ Creates a socket using the three given socket parameters (see man
2608+ socket\(2)). Sends outgoing data to the given address and receives replies.
2609+ The three parameters have to be specified as link(int)(TYPE_INT)
2610+ numbers. Consult your OS documentation and include files to find the
2611+ appropriate values. The remote-address must be the link(data)(TYPE_DATA)
2612+ representation of a sockaddr structure without sa_family and (BSD) sa_len
2613+ components.nl()
2614+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET)nl()
2615+ Useful options:
2616+ link(bind)(OPTION_BIND),
2617+ link(setsockopt-int)(OPTION_SETSOCKOPT_INT),
2618+ link(setsockopt-bin)(OPTION_SETSOCKOPT_BIN),
2619+ link(setsockopt-string)(OPTION_SETSOCKOPT_STRING)
2620+ nl()
2621+ See also:
2622+ link(UDP-SENDTO)(ADDRESS_UDP_SENDTO),
2623+ link(IP-SENDTO)(ADDRESS_IP_SENDTO),
2624+ link(UNIX-SENDTO)(ADDRESS_UNIX_SENDTO),
2625+ link(SOCKET-DATAGRAM)(ADDRESS_SOCKET_DATAGRAM),
2626+ link(SOCKET-RECV)(ADDRESS_SOCKET_RECV)
2627+ link(SOCKET-RECVFROM)(ADDRESS_SOCKET_RECVFROM)
2628+label(ADDRESS_SOCKS4)dit(bf(tt(SOCKS4:<socks-server>:<host>:<port>)))
2629+ Connects via <socks-server> [link(IP address)(TYPE_IP_ADDRESS)]
2630+ to <host> [link(IPv4 address)(TYPE_IPV4_ADDRESS)]
2631+ on <port> [link(TCP service)(TYPE_TCP_SERVICE)],
2632+ using socks version 4 protocol over IP version 4 or 6 depending on address specification, name resolution, or option
2633+ link(pf)(OPTION_PROTOCOL_FAMILY) (link(example)(EXAMPLE_ADDRESS_SOCKS4)).nl()
2634+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(SOCKS4)(GROUP_SOCKS),link(RETRY)(GROUP_RETRY) nl()
2635+ Useful options:
2636+ link(socksuser)(OPTION_SOCKSUSER),
2637+ link(socksport)(OPTION_SOCKSPORT),
2638+ link(sourceport)(OPTION_SOURCEPORT),
2639+ link(pf)(OPTION_PROTOCOL_FAMILY),
2640+ link(retry)(OPTION_RETRY)nl()
2641+ See also:
2642+ link(SOCKS4A)(ADDRESS_SOCKS4A),
2643+ link(PROXY)(ADDRESS_PROXY_CONNECT),
2644+ link(TCP)(ADDRESS_TCP_CONNECT)
2645+label(ADDRESS_SOCKS4A)dit(bf(tt(SOCKS4A:<socks-server>:<host>:<port>)))
2646+ like link(SOCKS4)(ADDRESS_SOCKS4), but uses socks protocol version 4a, thus
2647+ leaving host name resolution to the socks server.nl()
2648+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(SOCKS4)(GROUP_SOCKS),link(RETRY)(GROUP_RETRY) nl()
2649+label(ADDRESS_STDERR)dit(bf(tt(STDERR)))
2650+ Uses file descriptor 2.nl()
2651+ Option groups: link(FD)(GROUP_FD) (link(TERMIOS)(GROUP_TERMIOS),link(REG)(GROUP_REG),link(SOCKET)(GROUP_SOCKET)) nl()
2652+ See also: link(FD)(ADDRESS_FD)
2653+label(ADDRESS_STDIN)dit(bf(tt(STDIN)))
2654+ Uses file descriptor 0.nl()
2655+ Option groups: link(FD)(GROUP_FD) (link(TERMIOS)(GROUP_TERMIOS),link(REG)(GROUP_REG),link(SOCKET)(GROUP_SOCKET)) nl()
2656+ Useful options:
2657+ link(readbytes)(OPTION_READBYTES)nl()
2658+ See also: link(FD)(ADDRESS_FD)
2659+label(ADDRESS_STDIO)dit(bf(tt(STDIO)))
2660+ Uses file descriptor 0 for reading, and 1 for writing.nl()
2661+ Option groups: link(FD)(GROUP_FD) (link(TERMIOS)(GROUP_TERMIOS),link(REG)(GROUP_REG),link(SOCKET)(GROUP_SOCKET)) nl()
2662+ Useful options:
2663+ link(readbytes)(OPTION_READBYTES)nl()
2664+ See also: link(FD)(ADDRESS_FD)
2665+label(ADDRESS_STDOUT)dit(bf(tt(STDOUT)))
2666+ Uses file descriptor 1.nl()
2667+ Option groups: link(FD)(GROUP_FD) (link(TERMIOS)(GROUP_TERMIOS),link(REG)(GROUP_REG),link(SOCKET)(GROUP_SOCKET)) nl()
2668+ See also: link(FD)(ADDRESS_FD)
2669+label(ADDRESS_SYSTEM)dit(bf(tt(SYSTEM:<shell-command>)))
2670+ Forks a sub process that establishes communication with its parent process
2671+ and invokes the specified program with code(system()). Please note that
2672+ <shell-command> [link(string)(TYPE_STRING)] must
2673+ not contain ',' or "!!", and that shell meta characters may have to be
2674+ protected.
2675+ After successful program start, socat() writes data to stdin of the
2676+ process and reads from its stdout.nl()
2677+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(EXEC)(GROUP_EXEC),link(FORK)(GROUP_FORK),link(TERMIOS)(GROUP_TERMIOS) nl()
2678+ Useful options:
2679+ link(path)(OPTION_PATH),
2680+ link(fdin)(OPTION_FDIN),
2681+ link(fdout)(OPTION_FDOUT),
2682+ link(chroot)(OPTION_CHROOT),
2683+ link(su)(OPTION_SUBSTUSER),
2684+ link(su-d)(OPTION_SUBSTUSER_DELAYED),
2685+ link(nofork)(OPTION_NOFORK),
2686+ link(pty)(OPTION_PTY),
2687+ link(stderr)(OPTION_STDERR),
2688+ link(ctty)(OPTION_CTTY),
2689+ link(setsid)(OPTION_SETSID),
2690+ link(pipes)(OPTION_PIPES),
2691+ link(sigint)(OPTION_SIGINT),
2692+ link(sigquit)(OPTION_SIGQUIT)nl()
2693+ See also: link(EXEC)(ADDRESS_EXEC)
2694+label(ADDRESS_TCP_CONNECT)dit(bf(tt(TCP:<host>:<port>)))
2695+ Connects to <port> [link(TCP service)(TYPE_TCP_SERVICE)] on
2696+ <host> [link(IP address)(TYPE_IP_ADDRESS)] using TCP/IP version 4 or 6
2697+ depending on address specification, name resolution, or option
2698+ link(pf)(OPTION_PROTOCOL_FAMILY).nl()
2699+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(RETRY)(GROUP_RETRY) nl()
2700+ Useful options:
2701+ link(crnl)(OPTION_CRNL),
2702+ link(bind)(OPTION_BIND),
2703+ link(pf)(OPTION_PROTOCOL_FAMILY),
2704+ link(connect-timeout)(OPTION_CONNECT_TIMEOUT),
2705+ link(tos)(OPTION_TOS),
2706+ link(mtudiscover)(OPTION_MTUDISCOVER),
2707+ link(mss)(OPTION_MSS),
2708+ link(nodelay)(OPTION_NODELAY),
2709+ link(nonblock)(OPTION_NONBLOCK),
2710+ link(sourceport)(OPTION_SOURCEPORT),
2711+ link(retry)(OPTION_RETRY),
2712+ link(readbytes)(OPTION_READBYTES)nl()
2713+ See also:
2714+ link(TCP4)(ADDRESS_TCP4_CONNECT),
2715+ link(TCP6)(ADDRESS_TCP6_CONNECT),
2716+ link(TCP-LISTEN)(ADDRESS_TCP_LISTEN),
2717+ link(UDP)(ADDRESS_UDP_CONNECT),
2718+ link(SCTP-CONNECT)(ADDRESS_SCTP_CONNECT),
2719+ link(UNIX-CONNECT)(ADDRESS_UNIX_CONNECT)
2720+label(ADDRESS_TCP4_CONNECT)dit(bf(tt(TCP4:<host>:<port>)))
2721+ Like link(TCP)(ADDRESS_TCP_CONNECT), but only supports IPv4 protocol (link(example)(EXAMPLE_ADDRESS_TCP4_CONNECT)).nl()
2722+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(TCP)(GROUP_TCP),link(RETRY)(GROUP_RETRY) nl()
2723+label(ADDRESS_TCP6_CONNECT)dit(bf(tt(TCP6:<host>:<port>)))
2724+ Like link(TCP)(ADDRESS_TCP_CONNECT), but only supports IPv6 protocol.nl()
2725+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(RETRY)(GROUP_RETRY) nl()
2726+label(ADDRESS_TCP_LISTEN)dit(bf(tt(TCP-LISTEN:<port>)))
2727+ Listens on <port> [link(TCP service)(TYPE_TCP_SERVICE)] and accepts a
2728+ TCP/IP connection. The IP version is 4 or the one specified with
2729+ address option link(pf)(OPTION_PROTOCOL_FAMILY), socat option
2730+ (link(-4)(option_4), link(-6)(option_6)), or environment variable link(SOCAT_DEFAULT_LISTEN_IP)(ENV_SOCAT_DEFAULT_LISTEN_IP).
2731+ Note that opening
2732+ this address usually blocks until a client connects.nl()
2733+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(LISTEN)(GROUP_LISTEN),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(RETRY)(GROUP_RETRY) nl()
2734+ Useful options:
2735+ link(crnl)(OPTION_CRNL),
2736+ link(fork)(OPTION_FORK),
2737+ link(bind)(OPTION_BIND),
2738+ link(range)(OPTION_RANGE),
2739+ link(tcpwrap)(OPTION_TCPWRAPPERS),
2740+ link(pf)(OPTION_PROTOCOL_FAMILY),
2741+ link(backlog)(OPTION_BACKLOG),
2742+ link(mss)(OPTION_MSS),
2743+ link(su)(OPTION_SUBSTUSER),
2744+ link(reuseaddr)(OPTION_REUSEADDR),
2745+ link(retry)(OPTION_RETRY),
2746+ link(cool-write)(OPTION_COOL_WRITE)nl()
2747+ See also:
2748+ link(TCP4-LISTEN)(ADDRESS_TCP4_LISTEN),
2749+ link(TCP6-LISTEN)(ADDRESS_TCP6_LISTEN),
2750+ link(UDP-LISTEN)(ADDRESS_UDP_LISTEN),
2751+ link(SCTP-LISTEN)(ADDRESS_SCTP_LISTEN),
2752+ link(UNIX-LISTEN)(ADDRESS_UNIX_LISTEN),
2753+ link(OPENSSL-LISTEN)(ADDRESS_OPENSSL_LISTEN),
2754+ link(TCP-CONNECT)(ADDRESS_TCP_CONNECT)
2755+label(ADDRESS_TCP4_LISTEN)dit(bf(tt(TCP4-LISTEN:<port>)))
2756+ Like link(TCP-LISTEN)(ADDRESS_TCP_LISTEN), but only supports IPv4
2757+ protocol (link(example)(EXAMPLE_ADDRESS_TCP4_LISTEN)).nl()
2758+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(LISTEN)(GROUP_LISTEN),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE),link(IP4)(GROUP_IP4),link(TCP)(GROUP_TCP),link(RETRY)(GROUP_RETRY) nl()
2759+label(ADDRESS_TCP6_LISTEN)dit(bf(tt(TCP6-LISTEN:<port>)))
2760+ Like link(TCP-LISTEN)(ADDRESS_TCP_LISTEN), but only supports IPv6
2761+ protocol.nl()
2762+ Additional useful option:
2763+ link(ipv6only)(OPTION_IPV6_V6ONLY)nl()
2764+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(LISTEN)(GROUP_LISTEN),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(RETRY)(GROUP_RETRY) nl()
2765+label(ADDRESS_TUN)dit(bf(tt(TUN:<if-addr>/<bits>)))
2766+ Creates a Linux TUN/TAP device and assignes to it the address and netmask
2767+ defined by the parameters. The resulting network interface is ready for use
2768+ by other processes; socat serves its "wire side". This address requires read
2769+ and write access to the tunnel cloning device, usually code(/dev/net/tun).
2770+ nl()
2771+ Option groups: link(FD)(GROUP_FD),link(NAMED)(GROUP_NAMED),link(OPEN)(GROUP_OPEN),link(TUN)(GROUP_TUN) nl()
2772+ Useful options:
2773+ link(iff-up)(OPTION_IFF_UP),
2774+ link(tun-device)(OPTION_TUN_DEVICE),
2775+ link(tun-name)(OPTION_TUN_NAME),
2776+ link(tun-type)(OPTION_TUN_TYPE),
2777+ link(iff-no-pi)(OPTION_IFF_NO_PI) nl()
2778+ See also:
2779+ link(ip-recv)(ADDRESS_IP_RECV)
2780+label(ADDRESS_UDP_CONNECT)dit(bf(tt(UDP:<host>:<port>)))
2781+ Connects to <port> [link(UDP service)(TYPE_UDP_SERVICE)] on
2782+ <host> [link(IP address)(TYPE_IP_ADDRESS)] using UDP/IP version 4 or 6
2783+ depending on address specification, name resolution, or option
2784+ link(pf)(OPTION_PROTOCOL_FAMILY).nl()
2785+ Please note that,
2786+ due to UDP protocol properties, no real connection is established; data has
2787+ to be sent for `connecting' to the server, and no end-of-file condition can
2788+ be transported.nl()
2789+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6) nl()
2790+ Useful options:
2791+ link(ttl)(OPTION_TTL),
2792+ link(tos)(OPTION_TOS),
2793+ link(bind)(OPTION_BIND),
2794+ link(sourceport)(OPTION_SOURCEPORT),
2795+ link(pf)(OPTION_PROTOCOL_FAMILY)nl()
2796+ See also:
2797+ link(UDP4)(ADDRESS_UDP4_CONNECT),
2798+ link(UDP6)(ADDRESS_UDP6_CONNECT),
2799+ link(UDP-LISTEN)(ADDRESS_UDP_LISTEN),
2800+ link(TCP)(ADDRESS_TCP_CONNECT),
2801+ link(IP)(ADDRESS_IP_SENDTO)
2802+label(ADDRESS_UDP4_CONNECT)dit(bf(tt(UDP4:<host>:<port>)))
2803+ Like link(UDP)(ADDRESS_UDP_CONNECT), but only supports IPv4 protocol.nl()
2804+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4) nl()
2805+label(ADDRESS_UDP6_CONNECT)dit(bf(tt(UDP6:<host>:<port>)))
2806+ Like link(UDP)(ADDRESS_UDP_CONNECT), but only supports IPv6 protocol.nl()
2807+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP6)(GROUP_IP6) nl()
2808+label(ADDRESS_UDP_DATAGRAM)dit(bf(tt(UDP-DATAGRAM:<address>:<port>)))
2809+ Sends outgoing data to the specified address which may in particular be a
2810+ broadcast or multicast address. Packets arriving on the local socket are
2811+ checked for the correct remote port and if their source addresses match
2812+ link(RANGE)(OPTION_RANGE) or link(TCPWRAP)(OPTION_TCPWRAPPERS)
2813+ options. This address type can for example be used for implementing
2814+ symmetric or asymmetric broadcast or multicast communications.nl()
2815+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(RANGE)(GROUP_RANGE) nl()
2816+ Useful options:
2817+ link(bind)(OPTION_BIND),
2818+ link(range)(OPTION_RANGE),
2819+ link(tcpwrap)(OPTION_TCPWRAPPERS),
2820+ link(broadcast)(OPTION_SO_BROADCAST),
2821+ link(ip-multicast-loop)(OPTION_IP_MULTICAST_LOOP),
2822+ link(ip-multicast-ttl)(OPTION_IP_MULTICAST_TTL),
2823+ link(ip-multicast-if)(OPTION_IP_MULTICAST_IF),
2824+ link(ip-add-membership)(OPTION_IP_ADD_MEMBERSHIP),
2825+ link(ttl)(OPTION_TTL),
2826+ link(tos)(OPTION_TOS),
2827+ link(sourceport)(OPTION_SOURCEPORT),
2828+ link(pf)(OPTION_PROTOCOL_FAMILY)nl()
2829+ See also:
2830+ link(UDP4-DATAGRAM)(ADDRESS_UDP4_DATAGRAM),
2831+ link(UDP6-DATAGRAM)(ADDRESS_UDP6_DATAGRAM),
2832+ link(UDP-SENDTO)(ADDRESS_UDP_SENDTO),
2833+ link(UDP-RECVFROM)(ADDRESS_UDP_RECVFROM),
2834+ link(UDP-RECV)(ADDRESS_UDP_RECV),
2835+ link(UDP-CONNECT)(ADDRESS_UDP_CONNECT),
2836+ link(UDP-LISTEN)(ADDRESS_UDP_LISTEN),
2837+ link(IP-DATAGRAM)(ADDRESS_IP_DATAGRAM)
2838+label(ADDRESS_UDP4_DATAGRAM)dit(bf(tt(UDP4-DATAGRAM:<address>:<port>)))
2839+ Like link(UDP-DATAGRAM)(ADDRESS_UDP_DATAGRAM), but only supports IPv4
2840+ protocol (link(example1)(EXAMPLE_ADDRESS_UDP4_BROADCAST_CLIENT),
2841+ link(example2)(EXAMPLE_ADDRESS_UDP4_MULTICAST)).nl()
2842+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4), link(RANGE)(GROUP_RANGE)
2843+label(ADDRESS_UDP6_DATAGRAM)dit(bf(tt(UDP6-DATAGRAM:<address>:<port>)))
2844+ Like link(UDP-DATAGRAM)(ADDRESS_UDP_DATAGRAM), but only supports IPv6
2845+ protocol.nl()
2846+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP6)(GROUP_IP6),link(RANGE)(GROUP_RANGE)
2847+label(ADDRESS_UDP_LISTEN)dit(bf(tt(UDP-LISTEN:<port>)))
2848+ Waits for a UDP/IP packet arriving on <port>
2849+ [link(UDP service)(TYPE_UDP_SERVICE)] and `connects' back to sender.
2850+ The accepted IP version is 4 or the one specified with option
2851+ link(pf)(OPTION_PROTOCOL_FAMILY).
2852+ Please note that,
2853+ due to UDP protocol properties, no real connection is established; data has
2854+ to arrive from the peer first, and no end-of-file condition can be
2855+ transported. Note that opening
2856+ this address usually blocks until a client connects.nl()
2857+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(LISTEN)(GROUP_LISTEN),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6) nl()
2858+ Useful options:
2859+ link(fork)(OPTION_FORK),
2860+ link(bind)(OPTION_BIND),
2861+ link(range)(OPTION_RANGE),
2862+ link(pf)(OPTION_PROTOCOL_FAMILY) nl()
2863+ See also:
2864+ link(UDP)(ADDRESS_UDP_CONNECT),
2865+ link(UDP4-LISTEN)(ADDRESS_UDP4_LISTEN),
2866+ link(UDP6-LISTEN)(ADDRESS_UDP6_LISTEN),
2867+ link(TCP-LISTEN)(ADDRESS_TCP_LISTEN)
2868+label(ADDRESS_UDP4_LISTEN)dit(bf(tt(UDP4-LISTEN:<port>)))
2869+ Like link(UDP-LISTEN)(ADDRESS_UDP_LISTEN), but only support IPv4
2870+ protocol.nl()
2871+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(LISTEN)(GROUP_LISTEN),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE),link(IP4)(GROUP_IP4) nl()
2872+label(ADDRESS_UDP6_LISTEN)dit(bf(tt(UDP6-LISTEN:<port>)))
2873+ Like link(UDP-LISTEN)(ADDRESS_UDP_LISTEN), but only support IPv6
2874+ protocol.nl()
2875+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(LISTEN)(GROUP_LISTEN),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE),link(IP6)(GROUP_IP6) nl()
2876+label(ADDRESS_UDP_SENDTO)dit(bf(tt(UDP-SENDTO:<host>:<port>)))
2877+ Communicates with the specified peer socket, defined by <port> [link(UDP
2878+ service)(TYPE_UDP_SERVICE)] on
2879+ <host> [link(IP address)(TYPE_IP_ADDRESS)], using UDP/IP version 4 or 6
2880+ depending on address specification, name resolution, or option
2881+ link(pf)(OPTION_PROTOCOL_FAMILY). It sends packets to and receives packets
2882+ from that peer socket only.
2883+ This address effectively implements a datagram client.
2884+ It works well with socat UDP-RECVFROM and UDP-RECV address peers.nl()
2885+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6) nl()
2886+ Useful options:
2887+ link(ttl)(OPTION_TTL),
2888+ link(tos)(OPTION_TOS),
2889+ link(bind)(OPTION_BIND),
2890+ link(sourceport)(OPTION_SOURCEPORT),
2891+ link(pf)(OPTION_PROTOCOL_FAMILY)nl()
2892+ See also:
2893+ link(UDP4-SENDTO)(ADDRESS_UDP4_SENDTO),
2894+ link(UDP6-SENDTO)(ADDRESS_UDP6_SENDTO),
2895+ link(UDP-RECVFROM)(ADDRESS_UDP_RECVFROM),
2896+ link(UDP-RECV)(ADDRESS_UDP_RECV),
2897+ link(UDP-CONNECT)(ADDRESS_UDP_CONNECT),
2898+ link(UDP-LISTEN)(ADDRESS_UDP_LISTEN),
2899+ link(IP-SENDTO)(ADDRESS_IP_SENDTO)
2900+label(ADDRESS_UDP4_SENDTO)dit(bf(tt(UDP4-SENDTO:<host>:<port>)))
2901+ Like link(UDP-SENDTO)(ADDRESS_UDP_SENDTO), but only supports IPv4
2902+ protocol.nl()
2903+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4)
2904+label(ADDRESS_UDP6_SENDTO)dit(bf(tt(UDP6-SENDTO:<host>:<port>)))
2905+ Like link(UDP-SENDTO)(ADDRESS_UDP_SENDTO), but only supports IPv6
2906+ protocol.nl()
2907+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP6)(GROUP_IP6)
2908+
2909+label(ADDRESS_UDP_RECVFROM)dit(bf(tt(UDP-RECVFROM:<port>)))
2910+ Creates a UDP socket on <port> [link(UDP service)(TYPE_UDP_SERVICE)] using
2911+ UDP/IP version 4 or 6
2912+ depending on option link(pf)(OPTION_PROTOCOL_FAMILY).
2913+ It receives one packet from an unspecified peer and may send one or more
2914+ answer packets to that peer. This mode is particularly useful with fork
2915+ option
2916+ where each arriving packet - from arbitrary peers - is handled by its own sub
2917+ process. This allows a behaviour similar to typical UDP based servers like ntpd
2918+ or named. This address works well with socat UDP-SENDTO address peers.nl()
2919+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE) nl()
2920+ Useful options:
2921+ link(fork)(OPTION_FORK),
2922+ link(ttl)(OPTION_TTL),
2923+ link(tos)(OPTION_TOS),
2924+ link(bind)(OPTION_BIND),
2925+ link(sourceport)(OPTION_SOURCEPORT),
2926+ link(pf)(OPTION_PROTOCOL_FAMILY)nl()
2927+ See also:
2928+ link(UDP4-RECVFROM)(ADDRESS_UDP4_RECVFROM),
2929+ link(UDP6-RECVFROM)(ADDRESS_UDP6_RECVFROM),
2930+ link(UDP-SENDTO)(ADDRESS_UDP_SENDTO),
2931+ link(UDP-RECV)(ADDRESS_UDP_RECV),
2932+ link(UDP-CONNECT)(ADDRESS_UDP_CONNECT),
2933+ link(UDP-LISTEN)(ADDRESS_UDP_LISTEN),
2934+ link(IP-RECVFROM)(ADDRESS_IP_RECVFROM),
2935+ link(UNIX-RECVFROM)(ADDRESS_UNIX_RECVFROM)
2936+label(ADDRESS_UDP4_RECVFROM)dit(bf(tt(UDP4-RECVFROM:<port>)))
2937+ Like link(UDP-RECVFROM)(ADDRESS_UDP_RECVFROM), but only supports IPv4 protocol.nl()
2938+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE)
2939+label(ADDRESS_UDP6_RECVFROM)dit(bf(tt(UDP6-RECVFROM:<port>)))
2940+ Like link(UDP-RECVFROM)(ADDRESS_UDP_RECVFROM), but only supports IPv6 protocol.nl()
2941+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP6)(GROUP_IP6),link(CHILD)(GROUP_CHILD),link(RANGE)(GROUP_RANGE)
2942+
2943+label(ADDRESS_UDP_RECV)dit(bf(tt(UDP-RECV:<port>)))
2944+ Creates a UDP socket on <port> [link(UDP service)(TYPE_UDP_SERVICE)] using UDP/IP version 4 or 6
2945+ depending on option link(pf)(OPTION_PROTOCOL_FAMILY).
2946+ It receives packets from multiple unspecified peers and merges the data.
2947+ No replies are possible. It works well with, e.g., socat UDP-SENDTO address peers; it behaves similar to a syslog server.nl()
2948+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(RANGE)(GROUP_RANGE) nl()
2949+ Useful options:
2950+ link(fork)(OPTION_FORK),
2951+ link(pf)(OPTION_PROTOCOL_FAMILY),
2952+ link(bind)(OPTION_BIND),
2953+ link(sourceport)(OPTION_SOURCEPORT),
2954+ link(ttl)(OPTION_TTL),
2955+ link(tos)(OPTION_TOS)nl()
2956+ See also:
2957+ link(UDP4-RECV)(ADDRESS_UDP4_RECV),
2958+ link(UDP6-RECV)(ADDRESS_UDP6_RECV),
2959+ link(UDP-SENDTO)(ADDRESS_UDP_SENDTO),
2960+ link(UDP-RECVFROM)(ADDRESS_UDP_RECVFROM),
2961+ link(UDP-CONNECT)(ADDRESS_UDP_CONNECT),
2962+ link(UDP-LISTEN)(ADDRESS_UDP_LISTEN),
2963+ link(IP-RECV)(ADDRESS_IP_RECV),
2964+ link(UNIX-RECV)(ADDRESS_UNIX_RECV)
2965+label(ADDRESS_UDP4_RECV)dit(bf(tt(UDP4-RECV:<port>)))
2966+ Like link(UDP-RECV)(ADDRESS_UDP_RECV), but only supports IPv4 protocol.nl()
2967+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(RANGE)(GROUP_RANGE)
2968+label(ADDRESS_UDP6_RECV)dit(bf(tt(UDP6-RECV:<port>)))
2969+ Like link(UDP-RECV)(ADDRESS_UDP_RECV), but only supports IPv6 protocol.nl()
2970+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP6)(GROUP_IP6),link(RANGE)(GROUP_RANGE)
2971+
2972+label(ADDRESS_UNIX_CONNECT)dit(bf(tt(UNIX-CONNECT:<filename>)))
2973+ Connects to link(<filename>)(TYPE_FILENAME) assuming it is a unixdomain()
2974+ socket.
2975+ If <filename> does not exist, this is an error;
2976+ if <filename> is not a unixdomain() socket, this is an error;
2977+ if <filename> is a unixdomain() socket, but no process is listening, this is
2978+ an error.nl()
2979+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(NAMED)(GROUP_NAMED),link(RETRY)(GROUP_RETRY),link(UNIX)(GROUP_SOCK_UNIX) nl())
2980+ Useful options:
2981+ link(bind)(OPTION_BIND)nl()
2982+ See also:
2983+ link(UNIX-LISTEN)(ADDRESS_UNIX_LISTEN),
2984+ link(UNIX-SENDTO)(ADDRESS_UNIX_SENDTO),
2985+ link(TCP)(ADDRESS_TCP_CONNECT)
2986+
2987+label(ADDRESS_UNIX_LISTEN)dit(bf(tt(UNIX-LISTEN:<filename>)))
2988+ Listens on link(<filename>)(TYPE_FILENAME) using a unixdomain() stream
2989+ socket and accepts a connection.
2990+ If <filename> exists and is not a socket, this is an error.
2991+ If <filename> exists and is a unixdomain() socket, binding to the address
2992+ fails (use option link(unlink-early)(OPTION_UNLINK_EARLY)!).
2993+ Note that opening this address usually blocks until a client connects.
2994+ Beginning with socat version 1.4.3, the file system entry is removed when
2995+ this address is closed (but see option link(unlink-close)(OPTION_UNLINK_CLOSE)) (link(example)(EXAMPLE_ADDRESS_UNIX_LISTEN)).nl()
2996+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(NAMED)(GROUP_NAMED),link(LISTEN)(GROUP_LISTEN),link(CHILD)(GROUP_CHILD),link(RETRY)(GROUP_RETRY),link(UNIX)(GROUP_SOCK_UNIX) nl()
2997+ Useful options:
2998+ link(fork)(OPTION_FORK),
2999+ link(umask)(OPTION_UMASK),
3000+ link(mode)(OPTION_MODE),
3001+ link(user)(OPTION_USER),
3002+ link(group)(OPTION_GROUP),
3003+ link(unlink-early)(OPTION_UNLINK_EARLY)nl()
3004+ See also:
3005+ link(UNIX-CONNECT)(ADDRESS_UNIX_CONNECT),
3006+ link(UNIX-RECVFROM)(ADDRESS_UNIX_RECVFROM),
3007+ link(UNIX-RECV)(ADDRESS_UNIX_RECV),
3008+ link(TCP-LISTEN)(ADDRESS_TCP4_LISTEN)
3009+
3010+label(ADDRESS_UNIX_SENDTO)dit(bf(tt(UNIX-SENDTO:<filename>)))
3011+ Communicates with the specified peer socket, defined by [link(<filename>)(TYPE_FILENAME)] assuming it is a unixdomain() datagram socket.
3012+ It sends packets to and receives packets from that peer socket only.
3013+ Please note that it might be neccessary to link(bind)(OPTION_BIND) the
3014+ local socket to an address (e.g. tt(/tmp/sock1), which must not exist
3015+ before).
3016+ This address type works well with socat UNIX-RECVFROM and UNIX-RECV address
3017+ peers.nl()
3018+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(NAMED)(GROUP_NAMED),link(UNIX)(GROUP_SOCK_UNIX)nl()
3019+ Useful options:
3020+ link(bind)(OPTION_BIND)nl()
3021+ See also:
3022+ link(UNIX-RECVFROM)(ADDRESS_UNIX_RECVFROM),
3023+ link(UNIX-RECV)(ADDRESS_UNIX_RECV),
3024+ link(UNIX-CONNECT)(ADDRESS_UNIX_CONNECT),
3025+ link(UDP-SENDTO)(ADDRESS_UDP_SENDTO),
3026+ link(IP-SENDTO)(ADDRESS_IP_SENDTO)
3027+
3028+label(ADDRESS_UNIX_RECVFROM)dit(bf(tt(UNIX-RECVFROM:<filename>)))
3029+ Creates a unixdomain() datagram socket [link(<filename>)(TYPE_FILENAME)].
3030+ Receives one packet and may send one or more answer packets to that peer.
3031+ This mode is particularly useful with fork option where each arriving packet - from arbitrary peers - is handled by its own sub process.
3032+ This address works well with socat UNIX-SENDTO address peers.nl()
3033+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(NAMED)(GROUP_NAMED),link(CHILD)(GROUP_CHILD),link(UNIX)(GROUP_SOCK_UNIX) nl()
3034+ Useful options:
3035+ link(fork)(OPTION_FORK)nl()
3036+ See also:
3037+ link(UNIX-SENDTO)(ADDRESS_UNIX_SENDTO),
3038+ link(UNIX-RECV)(ADDRESS_UNIX_RECV),
3039+ link(UNIX-LISTEN)(ADDRESS_UNIX_LISTEN),
3040+ link(UDP-RECVFROM)(ADDRESS_UDP_RECVFROM),
3041+ link(IP-RECVFROM)(ADDRESS_IP_RECVFROM)
3042+
3043+label(ADDRESS_UNIX_RECV)dit(bf(tt(UNIX-RECV:<filename>)))
3044+ Creates a unixdomain() datagram socket [link(<filename>)(TYPE_FILENAME)].
3045+ Receives packets from multiple unspecified peers and merges the data.
3046+ No replies are possible. It can be, e.g., addressed by socat UNIX-SENDTO address peers.
3047+ It behaves similar to a syslog server.
3048+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(NAMED)(GROUP_NAMED),link(UNIX)(GROUP_SOCK_UNIX) nl()
3049+ See also:
3050+ link(UNIX-SENDTO)(ADDRESS_UNIX_SENDTO),
3051+ link(UNIX-RECVFROM)(ADDRESS_UNIX_RECVFROM),
3052+ link(UNIX-LISTEN)(ADDRESS_UNIX_LISTEN),
3053+ link(UDP-RECV)(ADDRESS_UDP_RECV),
3054+ link(IP-RECV)(ADDRESS_IP_RECV)
3055+
3056+label(ADDRESS_UNIX_CLIENT)dit(bf(tt(UNIX-CLIENT:<filename>)))
3057+ Communicates with the specified peer socket, defined by
3058+ [link(<filename>)(TYPE_FILENAME)] assuming it is a unixdomain() socket.
3059+ It first tries to connect and, if that fails, assumes it is a datagram
3060+ socket, thus supporting both types.nl()
3061+ Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(NAMED)(GROUP_NAMED),link(UNIX)(GROUP_SOCK_UNIX) nl()
3062+ Useful options:
3063+ link(bind)(OPTION_BIND)nl()
3064+ See also:
3065+ link(UNIX-CONNECT)(ADDRESS_UNIX_CONNECT),
3066+ link(UNIX-SENDTO)(ADDRESS_UNIX_SENDTO),
3067+ link(GOPEN)(ADDRESS_GOPEN)
3068+
3069+dit(bf(tt(ABSTRACT-CONNECT:<string>)))
3070+dit(bf(tt(ABSTRACT-LISTEN:<string>)))
3071+dit(bf(tt(ABSTRACT-SENDTO:<string>)))
3072+dit(bf(tt(ABSTRACT-RECVFROM:<string>)))
3073+dit(bf(tt(ABSTRACT-RECV:<string>)))
3074+dit(bf(tt(ABSTRACT-CLIENT:<string>)))
3075+ The ABSTRACT addresses are almost identical to the related UNIX addresses
3076+ except that they do not address file system based sockets but an alternate
3077+ unixdomain() address space. To archieve this the socket address strings are
3078+ prefixed with "\0" internally. This feature is available (only?) on Linux.
3079+ Option groups are the same as with the related UNIX addresses, except that
3080+ the ABSTRACT addresses are not member of the NAMED group.
3081+enddit()
3082+
3083+
3084+label(ADDRESS_OPTIONS)
3085+manpagesection(ADDRESS OPTIONS)
3086+
3087+Address options can be applied to address specifications to influence the
3088+process of opening the addresses and the
3089+properties of the resulting data channels.
3090+
3091+For technical reasons not every option can be
3092+applied to every address type; e.g., applying a socket option to a regular file
3093+will fail. To catch most useless combinations as early as in the open phase,
3094+the concept of em(option groups) was introduced. Each option belongs to one
3095+or more option groups. Options can be used only with address types that support
3096+at least one of their option groups (but see link(option -g)(option_g)).
3097+
3098+Address options have data types that their values must conform to.
3099+Every address option consists of just a keyword or a keyword followed by
3100+"=value", where value must conform to the options type.
3101+COMMENT(Options that trigger a call with
3102+trivial parameters are described with type BOOL which might be misleading.)
3103+Some address options manipulate parameters of system calls;
3104+e.g., option sync sets the code(O_SYNC) flag with the code(open()) call.
3105+Other options cause a system or library call; e.g., with option `ttl=value'
3106+the code(setsockopt(fd, SOL_IP, IP_TTL, value, sizeof(int))) call is applied.
3107+Other
3108+options set internal socat() variables that are used during data transfer;
3109+e.g., `crnl' causes explicit character conversions.
3110+A few options have more complex implementations; e.g., su-d
3111+(substuser-delayed) inquires some user and group infos, stores them, and
3112+applies them later after a possible code(chroot()) call.
3113+
3114+If multiple options are given to an address, their sequence in the address specification has (almost) no
3115+effect on the sequence of their execution/application. Instead, socat() has
3116+built in an em(option phase) model that tries to bring the options in a useful
3117+order. Some options exist in different forms (e.g.,
3118+unlink, unlink-early, unlink-late) to control the time of their execution.
3119+
3120+If the same option is specified more than once within one address
3121+specification, with equal or different values, the effect depends on the kind of option. Options
3122+resulting in function calls like code(setsockopt()) cause multiple
3123+invocations. With options that set parameters for a required call like
3124+code(open())
3125+or set internal flags, the value of the last option occurrence is effective.
3126+
3127+The existence or semantics of many options are system dependent. Socat()
3128+usually does NOT try to emulate missing libc or kernel features, it just
3129+provides an
3130+interface to the underlying system. So, if an operating system lacks a feature,
3131+the related option is simply not available on this platform.
3132+
3133+The following paragraphs introduce just the more common address options. For
3134+a more comprehensive reference and to find information about canonical option
3135+names, alias names, option phases, and platforms see file file(xio.help).
3136+nl() nl()
3137+
3138+startdit()enddit()nl()
3139+
3140+
3141+label(GROUP_FD)em(bf(FD option group))
3142+
3143+This option group contains options that are applied to a unix()
3144+style file descriptor, no matter how it was generated.
3145+Because all current socat() address types are file descriptor based, these
3146+options may be applied to any address. nl()
3147+Note: Some of these options are also member of another option group, that
3148+provides an other, non-fd based mechanism.
3149+For these options, it depends on the actual address type and its option groups
3150+which mechanism is used. The second, non-fd based mechanism is prioritized.
3151+startdit()
3152+label(OPTION_CLOEXEC)dit(bf(tt(cloexec=<bool>)))
3153+ Sets the code(FD_CLOEXEC) flag with the code(fcntl()) system call to value
3154+ link(<bool>)(TYPE_BOOL). If set,
3155+ the file descriptor is closed on code(exec()) family function calls. Socat()
3156+ internally handles
3157+ this flag for the fds it controls, so in most cases there will be no need to
3158+ apply this option.
3159+label(OPTION_SETLK_WR)dit(bf(tt(setlk)))
3160+ Tries to set a discretionary write lock to the whole file using the code(fcntl(fd,
3161+ F_SETLK, ...)) system call. If the file is already locked, this call results
3162+ in an error.
3163+ On Linux, when the file permissions for group are "S" (g-x,g+s), and the
3164+ file system is locally mounted with the "mand" option, the lock is
3165+ mandatory, i.e. prevents other processes from opening the file.
3166+label(OPTION_SETLKW_WR)dit(bf(tt(setlkw)))
3167+ Tries to set a discretionary waiting write lock to the whole file using the
3168+ code(fcntl(fd, F_SETLKW, ...)) system call. If the file is already locked,
3169+ this call blocks.
3170+ See option link(setlk)(OPTION_SETLK_WR) for information about making this
3171+ lock mandatory.
3172+label(OPTION_SETLK_RD)dit(bf(tt(setlk-rd)))
3173+ Tries to set a discretionary read lock to the whole file using the code(fcntl(fd,
3174+ F_SETLK, ...)) system call. If the file is already write locked, this call
3175+ results in an error.
3176+ See option link(setlk)(OPTION_SETLK_WR) for information about making this
3177+ lock mandatory.
3178+label(OPTION_SETLKW_RD)dit(bf(tt(setlkw-rd)))
3179+ Tries to set a discretionary waiting read lock to the whole file using the
3180+ code(fcntl(fd, F_SETLKW, ...)) system call. If the file is already write
3181+ locked, this call blocks.
3182+ See option link(setlk)(OPTION_SETLK_WR) for information about making this
3183+ lock mandatory.
3184+label(OPTION_FLOCK_EX)dit(bf(tt(flock-ex)))
3185+ Tries to set a blocking exclusive advisory lock to the file using the
3186+ code(flock(fd, LOCK_EX)) system call. Socat() hangs in this call if the file
3187+ is locked by another process.
3188+label(OPTION_FLOCK_EX_NB)dit(bf(tt(flock-ex-nb)))
3189+ Tries to set a nonblocking exclusive advisory lock to the file using the
3190+ code(flock(fd, LOCK_EX|LOCK_NB)) system call. If the file is already locked,
3191+ this option results in an error.
3192+label(OPTION_FLOCK_SH)dit(bf(tt(flock-sh)))
3193+ Tries to set a blocking shared advisory lock to the file using the
3194+ code(flock(fd, LOCK_SH)) system call. Socat() hangs in this call if the file
3195+ is locked by another process.
3196+label(OPTION_FLOCK_SH_NB)dit(bf(tt(flock-sh-nb)))
3197+ Tries to set a nonblocking shared advisory lock to the file using the
3198+ code(flock(fd, LOCK_SH|LOCK_NB)) system call. If the file is already locked,
3199+ this option results in an error.
3200+label(OPTION_LOCK)dit(bf(tt(lock)))
3201+ Sets a blocking lock on the file. Uses the setlk or flock mechanism
3202+ depending on availability on the particular platform. If both are available,
3203+ the POSIX variant (setlkw) is used.
3204+label(OPTION_USER)dit(bf(tt(user=<user>)))
3205+ Sets the link(<user>)(TYPE_USER) (owner) of the stream.
3206+ If the address is member of the NAMED option group,
3207+ socat() uses the code(chown()) system call after opening the
3208+ file or binding to the unixdomain() socket (race condition!).
3209+ Without filesystem entry, socat() sets the user of the stream
3210+ using the code(fchown()) system call.
3211+ These calls might require root privilege.
3212+label(OPTION_USER_LATE)dit(bf(tt(user-late=<user>)))
3213+ Sets the owner of the fd to link(<user>)(TYPE_USER) with the code(fchown())
3214+ system call after opening
3215+ or connecting the channel.
3216+ This is useful only on file system entries.
3217+label(OPTION_GROUP)dit(bf(tt(group=<group>)))
3218+ Sets the link(<group>)(TYPE_GROUP) of the stream.
3219+ If the address is member of the NAMED option group,
3220+ socat() uses the code(chown()) system call after opening the
3221+ file or binding to the unixdomain() socket (race condition!).
3222+ Without filesystem entry, socat() sets the group of the stream
3223+ with the code(fchown()) system call.
3224+ These calls might require group membership or root privilege.
3225+label(OPTION_GROUP_LATE)dit(bf(tt(group-late=<group>)))
3226+ Sets the group of the fd to link(<group>)(TYPE_GROUP) with the
3227+ code(fchown()) system call after opening
3228+ or connecting the channel.
3229+ This is useful only on file system entries.
3230+label(OPTION_MODE)dit(bf(tt(mode=<mode>)))
3231+ Sets the <mode> [link(mode_t)(TYPE_MODE_T)] (permissions) of the stream.
3232+ If the address is member of the NAMED option group and
3233+ uses the code(open()) or code(creat()) call, the mode is applied with these.
3234+ If the address is member of the NAMED option group without using these
3235+ system calls, socat() uses the code(chmod()) system call after opening the
3236+ filesystem entry or binding to the unixdomain() socket (race condition!).
3237+ Otherwise, socat() sets the mode of the stream
3238+ using code(fchmod()).
3239+ These calls might require ownership or root privilege.
3240+label(OPTION_PERM_LATE)dit(bf(tt(perm-late=<mode>)))
3241+ Sets the permissions of the fd to value <mode>
3242+ [link(mode_t)(TYPE_MODE_T)] using the code(fchmod()) system call after
3243+ opening or connecting the channel.
3244+ This is useful only on file system entries.
3245+label(OPTION_APPEND)dit(bf(tt(append=<bool>)))
3246+ Always writes data to the actual end of file.
3247+ If the address is member of the OPEN option group,
3248+ socat() uses the code(O_APPEND) flag with the code(open()) system call
3249+ (link(example)(EXAMPLE_OPTION_APPEND)).
3250+ Otherwise, socat() applies the code(fcntl(fd, F_SETFL, O_APPEND)) call.
3251+label(OPTION_NONBLOCK)dit(bf(tt(nonblock=<bool>)))
3252+ Tries to open or use file in nonblocking mode. Its only effects are that the
3253+ code(connect()) call of TCP addresses does not block, and that opening a
3254+ named pipe for reading does not block.
3255+ If the address is member of the OPEN option group,
3256+ socat() uses the code(O_NONBLOCK) flag with the code(open()) system call.
3257+ Otherwise, socat() applies the code(fcntl(fd, F_SETFL, O_NONBLOCK)) call.
3258+COMMENT(label(OPTION_NDELAY)dit(bf(tt(ndelay=<bool>)))
3259+ Tries to open or use file in nonblocking mode. Has no effect because socat()
3260+ works with code(select()).)
3261+COMMENT(label(OPTION_ASYNC)dit(bf(tt(async=<bool>)))
3262+ Enables SIGIO for this fd. Has no effect, because socat() ignores SIGIO.)
3263+label(OPTION_O_BINARY)dit(bf(tt(binary)))
3264+ Opens the file in binary mode to avoid implicit line terminator
3265+ conversions (Cygwin).
3266+label(OPTION_O_TEXT)dit(bf(tt(text)))
3267+ Opens the file in text mode to force implicit line terminator conversions
3268+ (Cygwin).
3269+label(OPTION_O_NOINHERIT)dit(bf(tt(noinherit)))
3270+ Does not keep this file open in a spawned process (Cygwin).
3271+label(OPTION_COOL_WRITE)dit(bf(tt(cool-write)))
3272+ Takes it easy when write fails with EPIPE or ECONNRESET and logs the message
3273+ with em(notice) level instead of em(error).
3274+ This prevents the log file from being filled with useless error messages
3275+ when socat is used as a high volume server or proxy where clients often
3276+ abort the connection.nl()
3277+ This option is experimental.
3278+label(OPTION_END_CLOSE)dit(bf(tt(end-close)))
3279+ Changes the (address dependent) method of ending a connection to just close
3280+ the file descriptors. This is useful when the connection is to be reused by
3281+ or shared with other processes (link(example)(EXAMPLE_END_CLOSE)).nl()
3282+ Normally, socket connections will be ended with tt(shutdown(2)) which
3283+ terminates the socket even if it is shared by multiple processes.
3284+ tt(close(2)) "unlinks" the socket from the process but keeps it active as
3285+ long as there are still links from other processes.nl()
3286+ Similarly, when an address of type EXEC or SYSTEM is ended, socat usually
3287+ will explicitely kill the sub process. With this option, it will just close
3288+ the file descriptors.
3289+label(OPTION_SHUT_NONE)dit(bf(tt(shut-none)))
3290+ Changes the (address dependent) method of shutting down the write part of a
3291+ connection to not do anything.
3292+label(OPTION_SHUT_DOWN)dit(bf(tt(shut-down)))
3293+ Changes the (address dependent) method of shutting down the write part of a
3294+ connection to tt(shutdown\(fd, SHUT_WR)). Is only useful with sockets.
3295+label(OPTION_SHUT_CLOSE)dit(bf(tt(shut-close)))
3296+ Changes the (address dependent) method of shutting down the write part of a
3297+ connection to tt(close\(fd)).
3298+label(OPTION_SHUT_NULL)dit(bf(tt(shut-null)))
3299+ When one address indicates EOF, socat() will send a zero sized packet to the
3300+ write channel of the other address to transfer the EOF condition. This is
3301+ useful with UDP and other datagram protocols. Has been tested against
3302+ netcat and socat with option link(null-eof)(OPTION_NULL_EOF).
3303+label(OPTION_NULL_EOF)dit(bf(tt(null-eof)))
3304+ Normally socat() will ignore empty (zero size payload) packets arriving on
3305+ datagram sockets, so it survives port scans. With this option socat()
3306+ interprets empty datagram packets as EOF indicator (see
3307+ link(shut-null)(OPTION_SHUT_NULL)).
3308+label(OPTION_IOCTL_VOID)dit(bf(tt(ioctl-void=<request>)))
3309+ Calls tt(ioctl()) with the request value as second argument and NULL as
3310+ third argument. This option allows to utilize ioctls that are not
3311+ explicitely implemented in socat.
3312+label(OPTION_IOCTL_INT)dit(bf(tt(ioctl-int=<request>:<value>)))
3313+ Calls tt(ioctl()) with the request value as second argument and the integer
3314+ value as third argument.
3315+label(OPTION_IOCTL_INTP)dit(bf(tt(ioctl-intp=<request>:<value>)))
3316+ Calls tt(ioctl()) with the request value as second argument and a pointer to
3317+ the integer value as third argument.
3318+label(OPTION_IOCTL_BIN)dit(bf(tt(ioctl-bin=<request>:<value>)))
3319+ Calls tt(ioctl()) with the request value as second argument and a pointer to
3320+ the given data value as third argument. This data must be specified in
3321+ link(<dalan>)(TYPE_DATA) form.
3322+label(OPTION_IOCTL_STRING)dit(bf(tt(ioctl-string=<request>:<value>)))
3323+ Calls tt(ioctl()) with the request value as second argument and a pointer to
3324+ the given string as third argument.
3325+ link(<dalan>)(TYPE_DATA) form.
3326+enddit()
3327+
3328+startdit()enddit()nl()
3329+
3330+
3331+label(GROUP_NAMED)em(bf(NAMED option group))
3332+
3333+These options work on file system entries.nl()
3334+See also options link(user)(OPTION_USER), link(group)(OPTION_GROUP), and
3335+link(mode)(OPTION_MODE).
3336+
3337+startdit()
3338+label(OPTION_USER_EARLY)dit(bf(tt(user-early=<user>)))
3339+ Changes the link(<user>)(TYPE_USER) (owner) of the file system entry before
3340+ accessing it, using the
3341+ code(chown()) system call. This call might require root privilege.
3342+label(OPTION_GROUP_EARLY)dit(bf(tt(group-early=<group>)))
3343+ Changes the link(<group>)(TYPE_GROUP) of the file system entry before
3344+ accessing it, using the
3345+ code(chown()) system call. This call might require group membership or root
3346+ privilege.
3347+label(OPTION_PERM_EARLY)dit(bf(tt(perm-early=<mode>)))
3348+ Changes the <mode> [link(mode_t)(TYPE_MODE_T)] of the file system entry
3349+ before accessing it, using the
3350+ code(chmod()) system call. This call might require ownership or root
3351+ privilege.
3352+label(OPTION_UMASK)dit(bf(tt(umask=<mode>)))
3353+ Sets the umask of the process to <mode> [link(mode_t)(TYPE_MODE_T)] before
3354+ accessing the file system entry (useful
3355+ with unixdomain() sockets!). This call might affect all further operations
3356+ of the socat() process!
3357+label(OPTION_UNLINK_EARLY)dit(bf(tt(unlink-early)))
3358+ Unlinks (removes) the file before opening it and even before applying
3359+ user-early etc.
3360+label(OPTION_UNLINK)dit(bf(tt(unlink)))
3361+ Unlinks (removes) the file before accessing it, but after user-early etc.
3362+label(OPTION_UNLINK_LATE)dit(bf(tt(unlink-late)))
3363+ Unlinks (removes) the file after opening it to make it inaccessible for
3364+ other processes after a short race condition.
3365+label(OPTION_UNLINK_CLOSE)dit(bf(tt(unlink-close)))
3366+ Removes the addresses file system entry when closing the address.
3367+ For link(named pipes)(ADDRESS_NAMED_PIPE),
3368+ link(listening unix domain sockets)(ADDRESS_UNIX_LISTEN),
3369+ and the link(symbolic links)(OPTION_SYMBOLIC_LINK) of link(pty addresses)(ADDRESS_PTY),
3370+ the default is 1; for link(created files)(ADDRESS_CREAT),
3371+ link(opened files)(ADDRESS_OPEN),
3372+ link(generic opened files)(ADDRESS_GOPEN), and
3373+ link(client unix domain sockets)(ADDRESS_UNIX_CONNECT) the default is 0.
3374+enddit()
3375+
3376+startdit()enddit()nl()
3377+
3378+
3379+label(GROUP_OPEN)em(bf(OPEN option group))
3380+
3381+The OPEN group options allow to set flags with the code(open()) system call.
3382+E.g., option `creat' sets the code(O_CREAT) flag.nl()
3383+See also options link(append)(OPTION_APPEND) and
3384+link(nonblock)(OPTION_NONBLOCK).
3385+startdit()
3386+label(OPTION_CREAT)dit(bf(tt(creat=<bool>)))
3387+ Creates the file if it does not exist (link(example)(EXAMPLE_OPTION_CREAT)).
3388+label(OPTION_DSYNC)dit(bf(tt(dsync=<bool>)))
3389+ Blocks code(write()) calls until metainfo is physically written to media.
3390+label(OPTION_EXCL)dit(bf(tt(excl=<bool>)))
3391+ With option creat, if file exists this is an error.
3392+label(OPTION_LARGEFILE)dit(bf(tt(largefile=<bool>)))
3393+ On 32 bit systems, allows a file larger than 2^31 bytes.
3394+label(OPTION_O_NOATIME)dit(bf(tt(noatime)))
3395+ Sets the O_NOATIME options, so reads do not change the access timestamp.
3396+label(OPTION_NOCTTY)dit(bf(tt(noctty=<bool>)))
3397+ Does not make this file the controlling terminal.
3398+label(OPTION_NOFOLLOW)dit(bf(tt(nofollow=<bool>)))
3399+ Does not follow symbolic links.
3400+label(OPTION_NSHARE)dit(bf(tt(nshare=<bool>)))
3401+ Does not allow to share this file with other processes.
3402+label(OPTION_RSHARE)dit(bf(tt(rshare=<bool>)))
3403+ Does not allow other processes to open this file for writing.
3404+label(OPTION_RSYNC)dit(bf(tt(rsync=<bool>)))
3405+ Blocks code(write()) until metainfo is physically written to media.
3406+label(OPTION_SYNC)dit(bf(tt(sync=<bool>)))
3407+ Blocks code(write()) until data is physically written to media.
3408+COMMENT(label(OPTION_DEFER)dit(bf(tt(defer=<bool>)))
3409+ Temporarily stores write data in paging space.)
3410+COMMENT(label(OPTION_DELAY)dit(bf(tt(delay=<bool>)))
3411+ Blocks code(open()) until share conditions are fulfilled.)
3412+COMMENT(label(OPTION_DIRECT)dit(bf(tt(direct=<bool>))))
3413+COMMENT(label(OPTION_DIRECTORY)dit(bf(tt(directory=<bool>)))
3414+ Fails if file is not a directory. Not useful with socat().)
3415+label(OPTION_RDONLY)dit(bf(tt(rdonly=<bool>)))
3416+ Opens the file for reading only.
3417+COMMENT(label(OPTION_RDWR)dit(bf(tt(rdwr=<bool>)))
3418+ Opens the file for reading and writing.)
3419+label(OPTION_WRONLY)dit(bf(tt(wronly=<bool>)))
3420+ Opens the file for writing only.
3421+label(OPTION_TRUNC)dit(bf(tt(trunc)))
3422+ Truncates the file to size 0 during opening it.
3423+enddit()
3424+
3425+
3426+startdit()enddit()nl()
3427+
3428+
3429+label(GROUP_REG)em(bf(REG and BLK option group))
3430+
3431+These options are usually applied to a unix() file descriptor, but their
3432+semantics make sense only on a file supporting random access.
3433+startdit()
3434+label(OPTION_SEEK)dit(bf(tt(seek=<offset>)))
3435+ Applies the code(lseek(fd, <offset>, SEEK_SET)) (or code(lseek64)) system
3436+ call, thus positioning the file pointer absolutely to <offset>
3437+ [link(off_t)(TYPE_OFF) or link(off64_t)(TYPE_OFF64)]. Please note that a
3438+ missing value defaults to 1, not 0.
3439+label(OPTION_SEEK_CUR)dit(bf(tt(seek-cur=<offset>)))
3440+ Applies the code(lseek(fd, <offset>, SEEK_CUR)) (or code(lseek64)) system
3441+ call, thus positioning the file pointer <offset> [link(off_t)(TYPE_OFF) or
3442+ link(off64_t)(TYPE_OFF64)] bytes relatively to its current position (which
3443+ is usually 0). Please note that a missing value defaults to 1, not 0.
3444+label(OPTION_SEEK_END)dit(bf(tt(seek-end=<offset>)))
3445+ Applies the code(lseek(fd, <offset>, SEEK_END)) (or code(lseek64)) system
3446+ call, thus positioning the file pointer <offset> [link(off_t)(TYPE_OFF) or
3447+ link(off64_t)(TYPE_OFF64)] bytes relatively to the files current end. Please
3448+ note that a missing value defaults to 1, not 0.
3449+label(OPTION_FTRUNCATE)dit(bf(tt(ftruncate=<offset>)))
3450+ Applies the code(ftruncate(fd, <offset>))
3451+ (or code(ftruncate64) if available) system call, thus
3452+ truncating the file at the position <offset> [link(off_t)(TYPE_OFF) or
3453+ link(off64_t)(TYPE_OFF64)]. Please note that a missing value defaults to 1,
3454+ not 0.
3455+
3456+label(OPTION_EXT2_SECRM_FL)dit(bf(tt(secrm=<bool>)))
3457+label(OPTION_EXT2_UNRM)dit(bf(tt(unrm=<bool>)))
3458+label(OPTION_EXT2_COMPR)dit(bf(tt(compr=<bool>)))
3459+label(OPTION_EXT2_SYNC)dit(bf(tt(ext2-sync=<bool>)))
3460+label(OPTION_EXT2_IMMUTABLE)dit(bf(tt(immutable=<bool>)))
3461+label(OPTION_EXT2_APPEND)dit(bf(tt(ext2-append=<bool>)))
3462+label(OPTION_EXT2_NODUMP)dit(bf(tt(nodump=<bool>)))
3463+label(OPTION_EXT2_NOATIME)dit(bf(tt(ext2-noatime=<bool>)))
3464+label(OPTION_EXT2_JOURNAL_DATA)dit(bf(tt(journal-data=<bool>)))
3465+label(OPTION_EXT2_NOTAIL)dit(bf(tt(notail=<bool>)))
3466+label(OPTION_EXT2_DIRSYNC)dit(bf(tt(dirsync=<bool>)))
3467+ These options change non standard file attributes on operating systems and
3468+ file systems that support these features, like Linux with ext2fs,
3469+ ext3fs, or reiserfs. See man 1 chattr for information on these options.
3470+ Please note that there might be a race condition between creating the file
3471+ and applying these options.
3472+enddit()
3473+
3474+startdit()enddit()nl()
3475+
3476+
3477+label(GROUP_PROCESS)em(bf(PROCESS option group))
3478+
3479+Options of this group change the process properties instead of just affecting
3480+one data channel.
3481+For EXEC and SYSTEM addresses and for LISTEN and CONNECT type addresses with
3482+option FORK,
3483+these options apply to the child processes instead of the main socat process.
3484+startdit()
3485+label(OPTION_CHROOT)dit(bf(tt(chroot=<directory>)))
3486+ Performs a code(chroot()) operation to link(<directory>)(TYPE_DIRECTORY)
3487+ after processing the address (link(example)(EXAMPLE_OPTION_CHROOT)). This call might require root privilege.
3488+label(OPTION_CHROOT_EARLY)dit(bf(tt(chroot-early=<directory>)))
3489+ Performs a code(chroot()) operation to link(<directory>)(TYPE_DIRECTORY)
3490+ before opening the address. This call might require root privilege.
3491+label(OPTION_SETGID)dit(bf(tt(setgid=<group>)))
3492+ Changes the primary link(<group>)(TYPE_GROUP) of the process after
3493+ processing the address. This call might require root privilege. Please note
3494+ that this option does not drop other group related privileges.
3495+label(OPTION_SETGID_EARLY)dit(bf(tt(setgid-early=<group>)))
3496+ Like link(setgit)(OPTION_SETGID) but is performed before opening the address.
3497+label(OPTION_SETUID)dit(bf(tt(setuid=<user>)))
3498+ Changes the link(<user>)(TYPE_USER) (owner) of the process after processing
3499+ the address. This call might require root privilege. Please note that this
3500+ option does not drop group related privileges. Check if option
3501+ link(su)(OPTION_SUBSTUSER) better fits your needs.
3502+label(OPTION_SETUID_EARLY)dit(bf(tt(setuid-early=<user>)))
3503+ Like link(setuid)(OPTION_SETUID) but is performed before opening the
3504+ address.
3505+label(OPTION_SUBSTUSER)dit(bf(tt(su=<user>)))
3506+ Changes the link(<user>)(TYPE_USER) (owner) and groups of the process after
3507+ processing the address (link(example)(EXAMPLE_OPTION_SUBSTUSER)). This call might require root privilege.
3508+label(OPTION_SUBSTUSER_DELAYED)dit(bf(tt(su-d=<user>)))
3509+ Short name for bf(tt(substuser-delayed)).
3510+ Changes the link(<user>)(TYPE_USER)
3511+ (owner) and groups of the process after processing the address (link(example)(EXAMPLE_OPTION_SUBSTUSER_DELAYED)).
3512+ The user and his groups are retrieved em(before) a possible
3513+ code(chroot()). This call might require root privilege.
3514+label(OPTION_SETPGID)dit(bf(tt(setpgid=<pid_t>)))
3515+ Makes the process a member of the specified process group
3516+ link(<pid_t>)(TYPE_PID_T). If no value
3517+ is given, or if the value is 0 or 1, the process becomes leader of a new
3518+ process group.
3519+label(OPTION_SETSID)dit(bf(tt(setsid)))
3520+ Makes the process the leader of a new session (link(example)(EXAMPLE_OPTION_SETSID)).
3521+enddit()
3522+
3523+startdit()enddit()nl()
3524+
3525+
3526+label(GROUP_READLINE)em(bf(READLINE option group))
3527+
3528+These options apply to the readline address type.
3529+startdit()
3530+label(OPTION_HISTORY)dit(bf(tt(history=<filename>)))
3531+ Reads and writes history from/to link(<filename>)(TYPE_FILENAME) (link(example)(EXAMPLE_OPTION_HISTORY)).
3532+label(OPTION_NOPROMPT)dit(bf(tt(noprompt)))
3533+ Since version 1.4.0, socat per default tries to determine a prompt -
3534+ that is then passed to the readline call - by remembering the last
3535+ incomplete line of the output. With this option, socat does not pass a
3536+ prompt to readline, so it begins line editing in the first column
3537+ of the terminal.
3538+label(OPTION_NOECHO)dit(bf(tt(noecho=<pattern>)))
3539+ Specifies a regular pattern for a prompt that prevents the following input
3540+ line from being displayed on the screen and from being added to the history.
3541+ The prompt is defined as the text that was output to the readline address
3542+ after the lastest newline character and before an input character was
3543+ typed. The pattern is a regular expression, e.g.
3544+ "^[Pp]assword:.*$" or "([Uu]ser:|[Pp]assword:)". See regex\(7) for details.
3545+ (link(example)(EXAMPLE_OPTION_NOECHO))
3546+label(OPTION_PROMPT)dit(bf(tt(prompt=<string>)))
3547+ Passes the string as prompt to the readline function. readline prints this
3548+ prompt when stepping through the history. If this string matches a constant
3549+ prompt issued by an interactive program on the other socat address,
3550+ consistent look and feel can be archieved.
3551+enddit()
3552+
3553+startdit()enddit()nl()
3554+
3555+
3556+label(GROUP_APPLICATION)em(bf(APPLICATION option group))
3557+
3558+This group contains options that work at data level.
3559+Note that these options only apply to the "raw" data transferred by socat,
3560+but not to protocol data used by addresses like
3561+link(PROXY)(ADDRESS_PROXY_CONNECT).
3562+startdit()
3563+label(OPTION_CR)dit(bf(tt(cr)))
3564+ Converts the default line termination character NL ('\n', 0x0a) to/from CR
3565+ ('\r', 0x0d) when writing/reading on this channel.
3566+label(OPTION_CRNL)dit(bf(tt(crnl)))
3567+ Converts the default line termination character NL ('\n', 0x0a) to/from CRNL
3568+ ("\r\n", 0x0d0a) when writing/reading on this channel (link(example)(EXAMPLE_OPTION_CRNL)).
3569+ Note: socat simply strips all CR characters.
3570+label(OPTION_IGNOREEOF)dit(bf(tt(ignoreeof)))
3571+ When EOF occurs on this channel, socat() ignores it and tries to read more
3572+ data (like "tail -f") (link(example)(EXAMPLE_OPTION_IGNOREEOF)).
3573+label(OPTION_READBYTES)dit(bf(tt(readbytes=<bytes>)))
3574+ socat() reads only so many bytes from this address (the address provides
3575+ only so many bytes for transfer and pretends to be at EOF afterwards).
3576+ Must be greater than 0.
3577+label(OPTION_LOCKFILE)dit(bf(tt(lockfile=<filename>)))
3578+ If lockfile exists, exits with error. If lockfile does not exist, creates it
3579+ and continues, unlinks lockfile on exit.
3580+label(OPTION_WAITLOCK)dit(bf(tt(waitlock=<filename>)))
3581+ If lockfile exists, waits until it disappears. When lockfile does not exist,
3582+ creates it and continues, unlinks lockfile on exit.
3583+label(OPTION_ESCAPE)dit(bf(tt(escape=<int>)))
3584+ Specifies the numeric code of a character that triggers EOF on the input
3585+ stream. It is useful with a terminal in raw mode
3586+ (link(example)(EXAMPLE_OPTION_ESCAPE)).
3587+enddit()
3588+
3589+startdit()enddit()nl()
3590+
3591+
3592+label(GROUP_SOCKET)em(bf(SOCKET option group))
3593+
3594+These options are intended for all kinds of sockets, e.g. IP or unixdomain(). Most are applied with a code(setsockopt()) call.
3595+startdit()
3596+label(OPTION_BIND)dit(bf(tt(bind=<sockname>)))
3597+ Binds the socket to the given socket address using the code(bind()) system
3598+ call. The form of <sockname> is socket domain dependent:
3599+ IP4 and IP6 allow the form [hostname|hostaddress][:(service|port)] (link(example)(EXAMPLE_OPTION_BIND_TCP4)),
3600+ unixdomain() sockets require link(<filename>)(TYPE_FILENAME).
3601+label(OPTION_CONNECT_TIMEOUT)dit(bf(tt(connect-timeout=<seconds>)))
3602+ Abort the connection attempt after <seconds> [link(timeval)(TYPE_TIMEVAL)]
3603+ with error status.
3604+label(OPTION_SO_BINDTODEVICE)dit(bf(tt(so-bindtodevice=<interface>)))
3605+ Binds the socket to the given link(<interface>)(TYPE_INTERFACE).
3606+ This option might require root privilege.
3607+label(OPTION_SO_BROADCAST)dit(bf(tt(broadcast)))
3608+ For datagram sockets, allows sending to broadcast addresses and receiving
3609+ packets addressed to broadcast addresses.
3610+COMMENT(label(OPTION_BSDCOMPAT)dit(bf(tt(bsdcompat)))
3611+ Emulates some (old?) bugs of the BSD socket implementation.)
3612+label(OPTION_DEBUG)dit(bf(tt(debug)))
3613+ Enables socket debugging.
3614+label(OPTION_DONTROUTE)dit(bf(tt(dontroute)))
3615+ Only communicates with directly connected peers, does not use routers.
3616+label(OPTION_KEEPALIVE)dit(bf(tt(keepalive)))
3617+ Enables sending keepalives on the socket.
3618+label(OPTION_LINGER)dit(bf(tt(linger=<seconds>)))
3619+ Blocks code(shutdown()) or code(close()) until data transfers have finished
3620+ or the given timeout [link(int)(TYPE_INT)] expired.
3621+COMMENT(label(OPTION_NOREUSEADDR)dit(bf(tt(noreuseaddr)))
3622+ Set the code(SO_NOREUSEADDR) socket option.)
3623+label(OPTION_OOBINLINE)dit(bf(tt(oobinline)))
3624+ Places out-of-band data in the input data stream.
3625+label(OPTION_PRIORITY)dit(bf(tt(priority=<priority>)))
3626+ Sets the protocol defined <priority> [link(<int>)(TYPE_INT)] for outgoing
3627+ packets.
3628+label(OPTION_RCVBUF)dit(bf(tt(rcvbuf=<bytes>)))
3629+ Sets the size of the receive buffer after the code(socket()) call to
3630+ <bytes> [link(int)(TYPE_INT)]. With TCP
3631+ sockets, this value corresponds to the socket's maximal window size.
3632+label(OPTION_RCVBUF_LATE)dit(bf(tt(rcvbuf-late=<bytes>)))
3633+ Sets the size of the receive buffer when the socket is already
3634+ connected to <bytes> [link(int)(TYPE_INT)].
3635+ With TCP sockets, this value corresponds to the socket's
3636+ maximal window size.
3637+label(OPTION_RCVLOWAT)dit(bf(tt(rcvlowat=<bytes>)))
3638+ Specifies the minimum number of received bytes [link(int)(TYPE_INT)] until
3639+ the socket layer will pass the buffered data to socat().
3640+label(OPTION_RCVTIMEO)dit(bf(tt(rcvtimeo=<seconds>)))
3641+ Sets the receive timeout [link(timeval)(TYPE_TIMEVAL)].
3642+label(OPTION_REUSEADDR)dit(bf(tt(reuseaddr)))
3643+ Allows other sockets to bind to an address even if parts of it (e.g. the
3644+ local port) are already in use by socat() (link(example)(EXAMPLE_OPTION_REUSEADDR)).
3645+label(OPTION_SNDBUF)dit(bf(tt(sndbuf=<bytes>)))
3646+ Sets the size of the send buffer after the code(socket()) call to
3647+ <bytes> [link(int)(TYPE_INT)].
3648+label(OPTION_SNDBUF_LATE)dit(bf(tt(sndbuf-late=<bytes>)))
3649+ Sets the size of the send buffer when the socket is connected to
3650+ <bytes> [link(int)(TYPE_INT)].
3651+label(OPTION_SNDLOWAT)dit(bf(tt(sndlowat=<bytes>)))
3652+ Specifies the minimum number of bytes in the send buffer until the socket
3653+ layer will send the data to <bytes> [link(int)(TYPE_INT)].
3654+label(OPTION_SNDTIMEO)dit(bf(tt(sndtimeo=<seconds>)))
3655+ Sets the send timeout to seconds [link(timeval)(TYPE_TIMEVAL)].
3656+label(OPTION_PROTOCOL_FAMILY)dit(bf(tt(pf=<string>)))
3657+ Forces the use of the specified IP version or protocol. <string> can be
3658+ something like "ip4" or "ip6". The resulting value is
3659+ used as first argument to the code(socket()) or code(socketpair()) calls.
3660+ This option affects address resolution and the required syntax of bind and
3661+ range options.
3662+label(OPTION_SO_TYPE)dit(bf(tt(type=<type>)))
3663+ Sets the type of the socket, specified as second argument to the
3664+ code(socket()) or code(socketpair()) calls, to <type>
3665+ [link(int)(TYPE_INT)]. Address resolution is not affected by this option.
3666+ Under Linux, 1 means stream oriented socket, 2 means datagram socket, and 3
3667+ means raw socket.
3668+label(OPTION_SO_PROTOTYPE)dit(bf(tt(prototype)))
3669+ Sets the protocol of the socket, specified as third argument to the
3670+ code(socket()) or code(socketpair()) calls, to <prototype>
3671+ [link(int)(TYPE_INT)]. Address resolution is not affected by this option.
3672+ 6 means TCP, 17 means UDP.
3673+COMMENT(label(OPTION_USELOOPBACK)dit(bf(tt(useloopback)))
3674+ Sets the code(SO_USELOOPBACK) socket option.)
3675+COMMENT(label(OPTION_ACCEPTCONN)dit(bf(tt(acceptconn)))
3676+ Tries to set the code(SO_ACCEPTCONN) socket option.)
3677+COMMENT(label(OPTION_ATTACHFILTER)dit(bf(tt(attachfilter)))
3678+ Tries to set the code(SO_ATTACH_FILTER) socket option.)
3679+COMMENT(label(OPTION_AUDIT)dit(bf(tt(audit)))
3680+ Sets the code(SO_AUDIT) socket option.)
3681+COMMENT(label(OPTION_CHSUMRECV)dit(bf(tt(cksumrecv)))
3682+ Sets the code(SO_CKSUMRECV) socket option.)
3683+COMMENT(label(OPTION_DETACHFILTER)dit(bf(tt(detachfilter)))
3684+ Tries to set the code(SO_DETACH_FILTER) socket option.)
3685+COMMENT(label(OPTION_DGRAMERRIND)dit(bf(tt(dgramerrind)))
3686+ Sets the code(SO_DGRAM_ERRIND) socket option.)
3687+COMMENT(label(OPTION_DONTLINGER)dit(bf(tt(dontlinger)))
3688+ Sets the code(SO_DONTLINGER) socket option.)
3689+COMMENT(label(OPTION_ERROR)dit(bf(tt(error)))
3690+ Tries to set this read only socket option.)
3691+COMMENT(label(OPTION_FIOSETOWN)dit(bf(tt(fiosetown=<pid_t>)))
3692+ Sets the receiver of SIGIO.)
3693+COMMENT(label(OPTION_KERNACCEPT)dit(bf(tt(kernaccept)))
3694+ Sets the code(SO_KERNACCEPT) socket option.)
3695+COMMENT(label(OPTION_NOCHECK)dit(bf(tt(nocheck)))
3696+ Sets the code(SO_NO_CHECK) socket option. Undocumented...)
3697+COMMENT(label(OPTION_PASSCRED)dit(bf(tt(passcred)))
3698+ Set the code(SO_PASSCRED) socket option.)
3699+COMMENT(label(OPTION_PEERCRED)dit(bf(tt(peercred)))
3700+ This is a read-only socket option.)
3701+COMMENT(label(OPTION_REUSEPORT)dit(bf(tt(reuseport)))
3702+ Set the code(SO_REUSEPORT) socket option.)
3703+COMMENT(label(OPTION_SECUTIYAUTHENTICATION)dit(bf(tt(securityauthentication)))
3704+ Set the code(SO_SECURITY_AUTHENTICATION) socket option.)
3705+COMMENT(label(OPTION_SECURITYENCRYPTIONNETWORK)dit(bf(tt(securityencryptionnetwork)))
3706+ Set the code(SO_SECURITY_ENCRYPTION_NETWORK) socket option.)
3707+COMMENT(label(OPTION_SECURITYENCRYPTIONTRANSPORT)dit(bf(tt(securityencryptiontransport)))
3708+ Set the code(SO_SECURITY_ENCRYPTION_TRANSPORT) socket option.)
3709+COMMENT(label(OPTION_SIOCSPGRP)dit(bf(tt(siocspgrp=<pid_t>)))
3710+ Set the SIOCSPGRP with code(ioclt()) to enable SIGIO.)
3711+COMMENT(label(OPTION_USEIFBUFS)dit(bf(tt(useifbufs)))
3712+ Set the code(SO_USE_IFBUFS) socket option.)
3713+label(OPTION_SO_TIMESTAMP)dit(bf(tt(so-timestamp)))
3714+ Sets the SO_TIMESTAMP socket option. This enables receiving and logging of
3715+ timestamp ancillary messages.
3716+label(OPTION_SETSOCKOPT_INT)dit(bf(tt(setsockopt-int=<level>:<optname>:<optval>)))
3717+ Invokes tt(setsockopt()) for the socket with the given parameters. tt(level)
3718+ [link(int)(TYPE_INT)] is used as second argument to tt(setsockopt()) and
3719+ specifies the layer, e.g. SOL_TCP for TCP (6 on Linux), or SOL_SOCKET for
3720+ the socket layer (1 on Linux). tt(optname) [link(int)(TYPE_INT)] is the
3721+ third argument to tt(setsockopt()) and tells which socket option is to be
3722+ set. For the actual numbers you might have to look up the appropriate include
3723+ files of your system. The 4th tt(setsockopt()) parameter, tt(value)
3724+ [link(int)(TYPE_INT)], is passed to the function per pointer, and for the
3725+ length parameter sizeof\(int) is taken implicitely.
3726+label(OPTION_SETSOCKOPT_BIN)dit(bf(tt(setsockopt-bin=<level>:<optname>:<optval>)))
3727+ Like tt(setsockopt-int), but <optval> must be provided in
3728+ link(dalan)(TYPE_DATA) format and specifies an arbitrary sequence of bytes;
3729+ the length parameter is automatically derived from the data.
3730+label(OPTION_SETSOCKOPT_STRING)dit(bf(tt(setsockopt-string=<level>:<optname>:<optval>)))
3731+ Like tt(setsockopt-int), but <optval> must be a link(string)(TYPE_STRING).
3732+ This string is passed to the function with trailing null character, and the
3733+ length parameter is automatically derived from the data.
3734+enddit()
3735+
3736+startdit()enddit()nl()
3737+
3738+
3739+label(GROUP_SOCK_UNIX)em(bf(UNIX option group))
3740+
3741+These options apply to UNIX domain based addresses.
3742+startdit()
3743+label(OPTION_UNIX_TIGHTSOCKLEN)dit(bf(tt(unix-tightsocklen=[0|1])))
3744+ On socket operations, pass a socket address length that does not include the
3745+ whole code(struct sockaddr_un) record but (besides other components) only
3746+ the relevant part of the filename or abstract string. Default is 1.
3747+enddit()
3748+
3749+label(GROUP_IP4)
3750+label(GROUP_IP)em(bf(IP4 and IP6 option groups))
3751+
3752+These options can be used with IPv4 and IPv6 based sockets.
3753+startdit()
3754+label(OPTION_TOS)dit(bf(tt(tos=<tos>)))
3755+ Sets the TOS (type of service) field of outgoing packets to <tos>
3756+ [link(byte)(TYPE_BYTE)] (see RFC 791).
3757+label(OPTION_TTL)dit(bf(tt(ttl=<ttl>)))
3758+ Sets the TTL (time to live) field of outgoing packets to <ttl>
3759+ [link(byte)(TYPE_BYTE)].
3760+label(OPTION_IPOPTIONS)dit(bf(tt(ip-options=<data>)))
3761+ Sets IP options like source routing. Must be given in binary form,
3762+ recommended format is a leading "x" followed by an even number of hex
3763+ digits. This option may be used multiple times, data are appended.
3764+ E.g., to connect to host 10.0.0.1 via some gateway using a loose source
3765+ route, use the gateway as address parameter and set a loose source route
3766+ using the option code(ip-options=x8307040a000001).nl()
3767+ IP options are defined in RFC 791. COMMENT(, RFC 2113)nl()
3768+COMMENT( x00 end of option list
3769+ x01 no operation (nop)
3770+ x0211 security
3771+ x03 loose source route
3772+ x09 strict source route
3773+ x07 record route
3774+ x0804 stream ID
3775+ x44 internet timestamp)
3776+label(OPTION_MTUDISCOVER)dit(bf(tt(mtudiscover=<0|1|2>)))
3777+ Takes 0, 1, 2 to never, want, or always use path MTU discover on this
3778+ socket.
3779+COMMENT(label(OPTION_HRDINCL)dit(bf(tt(ip-hdrincl)))
3780+ Tell the raw socket that the application data includes the IP header.)
3781+COMMENT(label(OPTION_IP_MULTICAST_LOOP)dit(bf(tt(ip-multicastloop)))
3782+ Allow looping back outgoing multicast to the local interface.)
3783+COMMENT(label(OPTION_IP_MULTICAST_TTL)dit(bf(tt(ip-multicastttl)))
3784+ Set the TTL for outgoing multicast packets.)
3785+label(OPTION_IP_PKTINFO)dit(bf(tt(ip-pktinfo)))
3786+ Sets the IP_PKTINFO socket option. This enables receiving and logging of
3787+ ancillary messages containing destination address and interface (Linux)
3788+ (link(example)(EXAMPLE_ANCILLARY)).
3789+COMMENT(label(OPTION_PKTOPTS)dit(bf(tt(ip-pktopts)))
3790+ Set the IP_PKTOPTIONS socket option.)
3791+label(OPTION_IP_RECVERR)dit(bf(tt(ip-recverr)))
3792+ Sets the IP_RECVERR socket option. This enables receiving and logging of
3793+ ancillary messages containing detailled error information.
3794+label(OPTION_IP_RECVOPTS)dit(bf(tt(ip-recvopts)))
3795+ Sets the IP_RECVOPTS socket option. This enables receiving and logging of IP
3796+ options ancillary messages (Linux, *BSD).
3797+label(OPTION_IP_RECVTOS)dit(bf(tt(ip-recvtos)))
3798+ Sets the IP_RECVTOS socket option. This enables receiving and logging of TOS
3799+ (type of service) ancillary messages (Linux).
3800+label(OPTION_IP_RECVTTL)dit(bf(tt(ip-recvttl)))
3801+ Sets the IP_RECVTTL socket option. This enables receiving and logging of TTL
3802+ (time to live) ancillary messages (Linux, *BSD).
3803+COMMENT(label(OPTION_RETOPTS)dit(bf(tt(ip-retopts)))
3804+ Set the IP_RETOPTS socket option.)
3805+label(OPTION_IP_RECVDSTADDR)dit(bf(tt(ip-recvdstaddr)))
3806+ Sets the IP_RECVDSTADDR socket option. This enables receiving and logging of
3807+ ancillary messages containing destination address (*BSD)
3808+ (link(example)(EXAMPLE_ANCILLARY)).
3809+label(OPTION_IP_RECVIF)dit(bf(tt(ip-recvif)))
3810+ Sets the IP_RECVIF socket option. This enables receiving and logging of
3811+ interface ancillary messages (*BSD) (link(example)(EXAMPLE_ANCILLARY)).
3812+COMMENT(label(OPTION_ROUTERALERT)dit(bf(tt(routeralert)))
3813+ Set the IP_ROUTER_ALERT socket option.)
3814+label(OPTION_IP_ADD_MEMBERSHIP)
3815+dit(bf(tt(ip-add-membership=<multicast-address:interface-address>)))
3816+dit(bf(tt(ip-add-membership=<multicast-address:interface-name>)))
3817+dit(bf(tt(ip-add-membership=<multicast-address:interface-index>)))
3818+dit(bf(tt(ip-add-membership=<multicast-address:interface-address:interface-name>)))
3819+dit(bf(tt(ip-add-membership=<multicast-address:interface-address:interface-index>)))
3820+ Makes the socket member of the specified multicast group. This is currently
3821+ only implemented for IPv4. The option takes the IP address of the multicast
3822+ group and info about the desired network interface. The most common syntax
3823+ is the first one, while the others are only available on systems that
3824+ provide tt(struct mreqn) (Linux).nl()
3825+ The indices of active network interfaces can be shown using the utility
3826+ procan().
3827+label(OPTION_IP_MULTICAST_IF)
3828+dit(bf(tt(ip-multicast-if=<hostname>)))
3829+ Specifies hostname or address of the network interface to be used for
3830+ multicast traffic.
3831+label(OPTION_IP_MULTICAST_LOOP)
3832+dit(bf(tt(ip-multicast-loop=<bool>)))
3833+ Specifies if outgoing multicast traffic should loop back to the interface.
3834+label(OPTION_IP_MULTICAST_TTL)
3835+dit(bf(tt(ip-multicast-ttl=<byte>)))
3836+ Sets the TTL used for outgoing multicast traffic. Default is 1.
3837+label(OPTION_RES_DEBUG)dit(bf(tt(res-debug)))
3838+label(OPTION_RES_AAONLY)dit(bf(tt(res-aaonly)))
3839+label(OPTION_RES_USEVC)dit(bf(tt(res-usevc)))
3840+label(OPTION_RES_PRIMARY)dit(bf(tt(res-primary)))
3841+label(OPTION_RES_IGNTC)dit(bf(tt(res-igntc)))
3842+label(OPTION_RES_RECURSE)dit(bf(tt(res-recurse)))
3843+label(OPTION_RES_DEFNAMES)dit(bf(tt(res-defnames)))
3844+label(OPTION_RES_STAYOPEN)dit(bf(tt(res-stayopen)))
3845+label(OPTION_RES_DNSRCH)dit(bf(tt(res-dnsrch)))
3846+ These options set the corresponding resolver (name resolution) option flags.
3847+ Append "=0" to clear a default option. See man resolver\(5) for more
3848+ information on these options. Note: these options are valid only for the
3849+ address they are applied to.
3850+
3851+enddit()
3852+
3853+startdit()enddit()nl()
3854+
3855+
3856+label(GROUP_IP6)em(bf(IP6 option group))
3857+
3858+These options can only be used on IPv6 based sockets. See link(IP
3859+options)(GROUP_IP) for options that can be applied to both IPv4 and IPv6
3860+sockets.
3861+startdit()
3862+label(OPTION_IPV6_V6ONLY)dit(bf(tt(ipv6only=<bool>)))
3863+ Sets the IPV6_V6ONLY socket option. If 0, the TCP stack will also accept
3864+ connections using IPv4 protocol on the same port. The default is system
3865+ dependent.
3866+label(OPTION_IPV6_RECVDSTOPTS)dit(bf(tt(ipv6-recvdstopts)))
3867+ Sets the IPV6_RECVDSTOPTS socket option. This enables receiving and logging
3868+ of ancillary messages containing the destination options.
3869+label(OPTION_IPV6_RECVHOPLIMIT)dit(bf(tt(ipv6-recvhoplimit)))
3870+ Sets the IPV6_RECVHOPLIMIT socket option. This enables receiving and logging
3871+ of ancillary messages containing the hoplimit.
3872+label(OPTION_IPV6_RECVHOPOPTS)dit(bf(tt(ipv6-recvhopopts)))
3873+ Sets the IPV6_RECVHOPOPTS socket option. This enables receiving and logging
3874+ of ancillary messages containing the hop options.
3875+label(OPTION_IPV6_RECVPKTINFO)dit(bf(tt(ipv6-recvpktinfo)))
3876+ Sets the IPV6_RECVPKTINFO socket option. This enables receiving and logging
3877+ of ancillary messages containing destination address and interface.
3878+label(OPTION_IPV6_UNICAST_HOPS)dit(bf(tt(ipv6-unicast-hops=link(TYPE_INT)(<int>))))
3879+ Sets the IPV6_UNICAST_HOPS socket option. This sets the hop count limit
3880+ (TTL) for outgoing unicast packets.
3881+label(OPTION_IPV6_RECVRTHDR)dit(bf(tt(ipv6-recvrthdr)))
3882+ Sets the IPV6_RECVRTHDR socket option. This enables receiving and logging
3883+ of ancillary messages containing routing information.
3884+label(OPTION_IPV6_TCLASS)dit(bf(tt(ipv6-tclass)))
3885+ Sets the IPV6_TCLASS socket option. This sets the transfer class of outgoing
3886+ packets.
3887+label(OPTION_IPV6_RECVTCLASS)dit(bf(tt(ipv6-recvtclass)))
3888+ Sets the IPV6_RECVTCLASS socket option. This enables receiving and logging
3889+ of ancillary messages containing the transfer class.
3890+enddit()
3891+
3892+startdit()enddit()nl()
3893+
3894+
3895+label(GROUP_TCP)em(bf(TCP option group))
3896+
3897+These options may be applied to TCP sockets. They work by invoking code(setsockopt()) with the appropriate parameters.
3898+startdit()
3899+label(OPTION_CORK)dit(bf(tt(cork)))
3900+ Doesn't send packets smaller than MSS (maximal segment size).
3901+label(OPTION_DEFER-ACCEPT)dit(bf(tt(defer-accept)))
3902+ While listening, accepts connections only when data from the peer arrived.
3903+label(OPTION_KEEPCNT)dit(bf(tt(keepcnt=<count>)))
3904+ Sets the number of keepalives before shutting down the socket to
3905+ <count> [link(int)(TYPE_INT)].
3906+label(OPTION_KEEPIDLE)dit(bf(tt(keepidle=<seconds>)))
3907+ Sets the idle time before sending the first keepalive to <seconds>
3908+ [link(int)(TYPE_INT)].
3909+label(OPTION_KEEPINTVL)dit(bf(tt(keepintvl=<seconds>)))
3910+ Sets the interval between two keepalives to <seconds>
3911+ [link(int)(TYPE_INT)].
3912+label(OPTION_LINGER2)dit(bf(tt(linger2=<seconds>)))
3913+ Sets the time to keep the socket in FIN-WAIT-2 state to <seconds>
3914+ [link(int)(TYPE_INT)].
3915+label(OPTION_MSS)dit(bf(tt(mss=<bytes>)))
3916+ Sets the MSS (maximum segment size) after the code(socket()) call to <bytes>
3917+ [link(int)(TYPE_INT)]. This
3918+ value is then proposed to the peer with the SYN or SYN/ACK packet
3919+ (link(example)(EXAMPLE_OPTION_MSS)).
3920+label(OPTION_MSS_LATE)dit(bf(tt(mss-late=<bytes>)))
3921+ Sets the MSS of the socket after connection has been established to <bytes>
3922+ [link(int)(TYPE_INT)].
3923+label(OPTION_NODELAY)dit(bf(tt(nodelay)))
3924+ Turns off the Nagle algorithm for measuring the RTT (round trip time).
3925+label(OPTION_RFC1323)dit(bf(tt(rfc1323)))
3926+ Enables RFC1323 TCP options: TCP window scale, round-trip time measurement
3927+ (RTTM), and protect against wrapped sequence numbers (PAWS) (AIX).
3928+label(OPTION_STDURG)dit(bf(tt(stdurg)))
3929+ Enables RFC1122 compliant urgent pointer handling (AIX).
3930+label(OPTION_SYNCNT)dit(bf(tt(syncnt=<count>)))
3931+ Sets the maximal number of SYN retransmits during connect to <count>
3932+ [link(int)(TYPE_INT)].
3933+COMMENT(label(OPTION_INFO)dit(bf(tt(info)))
3934+ Tries to set the read-only TCP_INFO socket option.)
3935+COMMENT(label(OPTION_WINDOW_CLAMP)dit(bf(tt(window-clamp)))
3936+ Sets the TCP_WINDOW_CLAMP socket option.)
3937+label(OPTION_TCP_MD5SIG)dit(bf(tt(md5sig)))
3938+ Enables generation of MD5 digests on the packets (FreeBSD).
3939+label(OPTION_TCP_NOOPT)dit(bf(tt(noopt)))
3940+ Disables use of TCP options (FreeBSD, MacOSX).
3941+label(OPTION_TCP_NOPUSH)dit(bf(tt(nopush)))
3942+ sets the TCP_NOPUSH socket option (FreeBSD, MacOSX).
3943+label(OPTION_TCP_SACK_DISABLE)dit(bf(tt(sack-disable)))
3944+ Disables use the selective acknowledge feature (OpenBSD).
3945+label(OPTION_TCP_SIGNATURE_ENABLE)dit(bf(tt(signature-enable)))
3946+ Enables generation of MD5 digests on the packets (OpenBSD).
3947+label(OPTION_TCP_ABORT_THRESHOLD)dit(bf(tt(abort-threshold=<milliseconds>)))
3948+ Sets the time to wait for an answer of the peer on an established connection
3949+ (HP-UX).
3950+label(OPTION_TCP_CONN_ABORT_THRESHOLD)dit(bf(tt(conn-abort-threshold=<milliseconds>)))
3951+ Sets the time to wait for an answer of the server during the initial connect
3952+ (HP-UX).
3953+label(OPTION_TCP_KEEPINIT)dit(bf(tt(keepinit)))
3954+ Sets the time to wait for an answer of the server during connect\() before
3955+ giving up. Value in half seconds, default is 150 (75s) (Tru64).
3956+label(OPTION_TCP_PAWS)dit(bf(tt(paws)))
3957+ Enables the "protect against wrapped sequence numbers" feature (Tru64).
3958+label(OPTION_TCP_SACKENA)dit(bf(tt(sackena)))
3959+ Enables selective acknowledge (Tru64).
3960+label(OPTION_TCP_TSOPTENA)dit(bf(tt(tsoptena)))
3961+ Enables the time stamp option that allows RTT recalculation on existing
3962+ connections (Tru64).
3963+enddit()
3964+
3965+startdit()enddit()nl()
3966+
3967+
3968+label(GROUP_SCTP)em(bf(SCTP option group))
3969+
3970+These options may be applied to SCTP stream sockets.
3971+startdit()
3972+label(OPTION_SCTP_NODELAY)dit(bf(tt(sctp-nodelay)))
3973+ Sets the SCTP_NODELAY socket option that disables the Nagle algorithm.
3974+label(OPTION_SCTP_MAXSEG)dit(bf(tt(sctp-maxseg=<bytes>)))
3975+ Sets the SCTP_MAXSEG socket option to <bytes> [link(int)(TYPE_INT)]. This
3976+ value is then proposed to the peer with the SYN or SYN/ACK packet.
3977+enddit()
3978+
3979+startdit()enddit()nl()
3980+
3981+
3982+em(bf(UDP, TCP, and SCTP option groups))
3983+
3984+Here we find options that are related to the network port mechanism and thus
3985+can be used with UDP, TCP, and SCTP client and server addresses.
3986+startdit()
3987+label(OPTION_SOURCEPORT)dit(bf(tt(sourceport=<port>)))
3988+ For outgoing (client) TCP and UDP connections, it sets the source
3989+ link(<port>)(TYPE_PORT) using an extra code(bind()) call.
3990+ With TCP or UDP listen addresses, socat immediately shuts down the
3991+ connection if the client does not use this sourceport (link(example)(EXAMPLE_OPTION_SOURCEPORT)).
3992+label(OPTION_LOWPORT)dit(bf(tt(lowport)))
3993+ Outgoing (client) TCP and UDP connections with this option use
3994+ an unused random source port between 640 and 1023 incl. On UNIX class operating
3995+ systems, this requires root privilege, and thus indicates that the
3996+ client process is authorized by local root.
3997+ TCP and UDP listen addresses with this option immediately shut down the
3998+ connection if the client does not use a sourceport <= 1023.
3999+ This mechanism can provide limited authorization under some circumstances.
4000+enddit()
4001+
4002+startdit()enddit()nl()
4003+
4004+
4005+label(GROUP_SOCKS)em(bf(SOCKS option group))
4006+
4007+When using SOCKS type addresses, some socks specific options can be set.
4008+startdit()
4009+label(OPTION_SOCKSPORT)dit(bf(tt(socksport=<tcp service>)))
4010+ Overrides the default "socks" service or port 1080 for the socks server
4011+ port with link(<TCP service>)(TYPE_TCP_SERVICE).
4012+label(OPTION_SOCKSUSER)dit(bf(tt(socksuser=<user>)))
4013+ Sends the <user> [link(string)(TYPE_STRING)] in the username field to the
4014+ socks server. Default is the actual user name ($LOGNAME or $USER) (link(example)(EXAMPLE_OPTION_SOCKSUSER)).
4015+enddit()
4016+
4017+startdit()enddit()nl()
4018+
4019+
4020+label(GROUP_HTTP)em(bf(HTTP option group))
4021+
4022+Options that can be provided with HTTP type addresses. The only HTTP address
4023+currently implemented is link(proxy-connect)(ADDRESS_PROXY_CONNECT).
4024+
4025+startdit()
4026+label(OPTION_PROXYPORT)dit(bf(tt(proxyport=<TCP service>)))
4027+ Overrides the default HTTP proxy port 8080 with
4028+ link(<TCP service>)(TYPE_TCP_SERVICE).
4029+label(OPTION_IGNORECR)dit(bf(tt(ignorecr)))
4030+ The HTTP protocol requires the use of CR+NL as line terminator. When a proxy
4031+ server violates this standard, socat might not understand its answer.
4032+ This option directs socat to interprete NL as line terminator and
4033+ to ignore CR in the answer. Nevertheless, socat sends CR+NL to the proxy.
4034+label(OPTION_PROXY_AUTHORIZATION)dit(bf(tt(proxyauth=<username>:<password>)))
4035+ Provide "basic" authentication to the proxy server. The argument to the
4036+ option is used with a "Proxy-Authorization: Base" header in base64 encoded
4037+ form.nl()
4038+ Note: username and password are visible for every user on the local machine
4039+ in the process list; username and password are transferred to the proxy
4040+ server unencrypted (base64 encoded) and might be sniffed.
4041+label(OPTION_PROXY_RESOLVE)dit(bf(tt(resolve)))
4042+ Per default, socat sends to the proxy a CONNECT request containing the
4043+ target hostname. With this option, socat resolves the hostname locally and
4044+ sends the IP address. Please note that, according to RFC 2396, only name
4045+ resolution to IPv4 addresses is implemented.
4046+enddit()
4047+
4048+startdit()enddit()nl()
4049+
4050+
4051+label(GROUP_RANGE)em(bf(RANGE option group))
4052+
4053+These options check if a connecting client should be granted access. They can
4054+be applied to listening and receiving network sockets. tcp-wrappers options
4055+fall into this group.
4056+startdit()
4057+label(OPTION_RANGE)dit(bf(tt(range=<address-range>)))
4058+ After accepting a connection, tests if the peer is within em(range). For
4059+ IPv4 addresses, address-range takes the form address/bits, e.g.
4060+ 10.0.0.0/8, or address:mask, e.g. 10.0.0.0:255.0.0.0 (link(example)(EXAMPLE_OPTION_RANGE)); for IPv6, it is [ip6-address/bits], e.g. [::1/128].
4061+ If the client address does not match, socat() issues a warning and keeps
4062+ listening/receiving.
4063+label(OPTION_TCPWRAPPERS)dit(bf(tt(tcpwrap[=<name>])))
4064+ Uses Wietse Venema's libwrap (tcpd) library to determine
4065+ if the client is allowed to connect. The configuration files are
4066+ /etc/hosts.allow and /etc/hosts.deny per default, see "man 5 hosts_access"
4067+ for more information. The optional <name> (type link(string)(TYPE_STRING))
4068+ is passed to the wrapper functions as daemon process name (link(example)(EXAMPLE_OPTION_TCPWRAPPERS)).
4069+ If omitted, the basename of socats invocation (argv[0]) is passed.
4070+ If both tcpwrap and range options are applied to an address, both
4071+ conditions must be fulfilled to allow the connection.
4072+label(OPTION_TCPWRAP_HOSTS_ALLOW_TABLE)dit(bf(tt(allow-table=<filename>)))
4073+ Takes the specified file instead of /etc/hosts.allow.
4074+label(OPTION_TCPWRAP_HOSTS_DENY_TABLE)dit(bf(tt(deny-table=<filename>)))
4075+ Takes the specified file instead of /etc/hosts.deny.
4076+label(OPTION_TCPWRAP_ETC)dit(bf(tt(tcpwrap-etc=<directoryname>)))
4077+ Looks for hosts.allow and hosts.deny in the specified directory. Is
4078+ overridden by options link(hosts-allow)(OPTION_TCPWRAP_HOSTS_ALLOW_TABLE)
4079+ and link(hosts-deny)(OPTION_TCPWRAP_HOSTS_DENY_TABLE).
4080+enddit()
4081+
4082+startdit()enddit()nl()
4083+
4084+
4085+label(GROUP_LISTEN)em(bf(LISTEN option group))
4086+
4087+Options specific to listening sockets.
4088+startdit()
4089+label(OPTION_BACKLOG)dit(bf(tt(backlog=<count>)))
4090+ Sets the backlog value passed with the code(listen()) system call to <count>
4091+ [link(int)(TYPE_INT)]. Default is 5.
4092+enddit()
4093+startdit()enddit()nl()
4094+
4095+
4096+label(GROUP_CHILD)em(bf(CHILD option group))
4097+
4098+Options for addresses with multiple connections via child processes.
4099+startdit()
4100+label(OPTION_FORK)dit(bf(tt(fork)))
4101+ After establishing a connection, handles its channel in a child process and
4102+ keeps the parent process attempting to produce more connections, either by
4103+ listening or by connecting in a loop (link(example)(EXAMPLE_OPTION_FORK)).nl()
4104+ SSL-CONNECT and SSL-LISTEN differ in when they actually fork off the child:
4105+SSL-LISTEN forks em(before) the SSL handshake, while SSL-CONNECT forks
4106+em(afterwards).
4107+ RETRY and FOREVER options are not inherited by the child process.nl()
4108+enddit()
4109+
4110+startdit()enddit()nl()
4111+
4112+
4113+label(GROUP_EXEC)em(bf(EXEC option group))
4114+
4115+Options for addresses that invoke a program.
4116+startdit()
4117+label(OPTION_PATH)dit(bf(tt(path=<string>)))
4118+ Overrides the PATH environment variable for searching the program with
4119+ link(<string>)(TYPE_STRING). This
4120+ code($PATH) value is effective in the child process too.
4121+label(OPTION_LOGIN)dit(bf(tt(login)))
4122+ Prefixes code(argv[0]) for the code(execvp()) call with '-', thus making a
4123+ shell behave as login shell.
4124+enddit()
4125+
4126+startdit()enddit()nl()
4127+
4128+
4129+label(GROUP_FORK)em(bf(FORK option group))
4130+
4131+EXEC or SYSTEM addresses invoke a program using a child process and transfer data between socat() and the program. The interprocess communication mechanism can be influenced with the following options. Per
4132+default, a code(socketpair()) is created and assigned to stdin and stdout of
4133+the child process, while stderr is inherited from the socat() process, and the
4134+child process uses file descriptors 0 and 1 for communicating with the main
4135+socat process.
4136+startdit()
4137+label(OPTION_NOFORK)dit(bf(tt(nofork)))
4138+ Does not fork a subprocess for executing the program, instead calls execvp\()
4139+ or system\() directly from the actual socat instance. This avoids the
4140+ overhead of another process between the program and its peer,
4141+ but introduces a lot of restrictions:
4142+ startit()
4143+ it() this option can only be applied to the second socat() address.
4144+ it() it cannot be applied to a part of a link(dual)(ADDRESS_DUAL) address.
4145+ it() the first socat address cannot be OPENSSL or READLINE
4146+ it() socat options -b, -t, -D, -l, -v, -x become useless
4147+ it() for both addresses, options ignoreeof, cr, and crnl become useless
4148+ it() for the second address (the one with option nofork), options
4149+ append, metaCOMMENT(async,) cloexec, flock, user, group, mode, nonblock,
4150+ perm-late, setlk, and setpgid cannot be applied. Some of these could be
4151+ used on the first address though.
4152+ endit()
4153+label(OPTION_PIPES)dit(bf(tt(pipes)))
4154+ Creates a pair of unnamed pipes for interprocess communication instead of a
4155+ socket pair.
4156+label(OPTION_OPENPTY)dit(bf(tt(openpty)))
4157+ Establishes communication with the sub process using a pseudo terminal
4158+ created with code(openpty()) instead of the default (socketpair or ptmx).
4159+label(OPTION_PTMX)dit(bf(tt(ptmx)))
4160+ Establishes communication with the sub process using a pseudo terminal
4161+ created by opening file(/dev/ptmx) or file(/dev/ptc) instead of the default
4162+ (socketpair).
4163+label(OPTION_PTY)dit(bf(tt(pty)))
4164+ Establishes communication with the sub process using a pseudo terminal
4165+ instead of a socket pair. Creates the pty with an available mechanism. If
4166+ openpty and ptmx are both available, it uses ptmx because this is POSIX
4167+ compliant (link(example)(EXAMPLE_OPTION_PTY)).
4168+label(OPTION_CTTY)dit(bf(tt(ctty)))
4169+ Makes the pty the controlling tty of the sub process (link(example)(EXAMPLE_OPTION_CTTY)).
4170+label(OPTION_STDERR)dit(bf(tt(stderr)))
4171+ Directs stderr of the sub process to its output channel by making stderr a
4172+ code(dup()) of stdout (link(example)(EXAMPLE_OPTION_STDERR)).
4173+label(OPTION_FDIN)dit(bf(tt(fdin=<fdnum>)))
4174+ Assigns the sub processes input channel to its file descriptor
4175+ link(<fdnum>)(TYPE_FDNUM)
4176+ instead of stdin (0). The program started from the subprocess has to use
4177+ this fd for reading data from socat() (link(example)(EXAMPLE_OPTION_FDIN)).
4178+label(OPTION_FDOUT)dit(bf(tt(fdout=<fdnum>)))
4179+ Assigns the sub processes output channel to its file descriptor
4180+ link(<fdnum>)(TYPE_FDNUM)
4181+ instead of stdout (1). The program started from the subprocess has to use
4182+ this fd for writing data to socat() (link(example)(EXAMPLE_OPTION_FDOUT)).
4183+label(OPTION_SIGHUP)label(OPTION_SIGINT)label(OPTION_SIGQUIT)dit(bf(tt(sighup)), bf(tt(sigint)), bf(tt(sigquit)))
4184+ Has socat() pass signals of this type to the sub process.
4185+ If no address has this option, socat terminates on these signals.
4186+enddit()
4187+
4188+startdit()enddit()nl()
4189+
4190+
4191+label(GROUP_TERMIOS)em(bf(TERMIOS option group))
4192+
4193+For addresses that work on a tty (e.g., stdio, file:/dev/tty, exec:...,pty), the terminal parameters defined in the unix() termios mechanism are made available as address option parameters.
4194+Please note that changes of the parameters of your interactive terminal
4195+remain effective after socat()'s termination, so you might have to enter "reset"
4196+or "stty sane" in your shell afterwards.
4197+For EXEC and SYSTEM addresses with option PTY,
4198+these options apply to the pty by the child processes.
4199+
4200+startdit()
4201+label(OPTION_B0)dit(bf(tt(b0)))
4202+ Disconnects the terminal.
4203+label(OPTION_B19200)dit(bf(tt(b19200)))
4204+ Sets the serial line speed to 19200 baud. Some other rates are possible; use
4205+something like tt(socat -hh |grep ' b[1-9]') to find all speeds supported by
4206+your implementation.nl()
4207+Note: On some operating systems, these options may not be
4208+available. Use link(ispeed)(OPTION_ISPEED) or link(ospeed)(OPTION_OSPEED)
4209+instead.
4210+label(OPTION_ECHO)dit(bf(tt(echo=<bool>)))
4211+ Enables or disables local echo (link(example)(EXAMPLE_OPTION_ECHO)).
4212+label(OPTION_ICANON)dit(bf(tt(icanon=<bool>)))
4213+ Sets or clears canonical mode, enabling line buffering and some special
4214+ characters.
4215+label(OPTION_RAW)dit(bf(tt(raw)))
4216+ Sets raw mode, thus passing input and output almost unprocessed (link(example)(EXAMPLE_OPTION_RAW)).
4217+label(OPTION_IGNBRK)dit(bf(tt(ignbrk=<bool>)))
4218+ Ignores or interpretes the BREAK character (e.g., ^C)
4219+label(OPTION_BRKINT)dit(bf(tt(brkint=<bool>)))
4220+label(OPTION_BS0)dit(bf(tt(bs0)))
4221+label(OPTION_BS1)dit(bf(tt(bs1)))
4222+label(OPTION_BSDLY)dit(bf(tt(bsdly=<0|1>)))
4223+label(OPTION_CLOCAL)dit(bf(tt(clocal=<bool>)))
4224+
4225+label(OPTION_CR0)label(OPTION_CR1)label(OPTION_CR2)label(OPTION_CR3)
4226+mancommand(\.LP)
4227+mancommand(\.nf)
4228+mancommand(\fBcr0
4229+cr1
4230+cr2
4231+cr3\fP)
4232+mancommand(\.fi)
4233+mancommand(\.IP)
4234+htmlcommand(<dt><code><strong>cr0</strong><br>
4235+<strong>cr1</strong><br>
4236+<strong>cr2</strong><br>
4237+<strong>cr3</strong></code><dd>)
4238+ Sets the carriage return delay to 0, 1, 2, or 3, respectively.
4239+ 0 means no delay, the other values are terminal dependent.
4240+
4241+label(OPTION_CRDLY)dit(bf(tt(crdly=<0|1|2|3>)))
4242+label(OPTION_CREAD)dit(bf(tt(cread=<bool>)))
4243+label(OPTION_CRTSCTS)dit(bf(tt(crtscts=<bool>)))
4244+
4245+label(OPTION_CS5)label(OPTION_CS6)label(OPTION_CS7)label(OPTION_CS8)
4246+mancommand(\.LP)
4247+mancommand(\.nf)
4248+mancommand(\fBcs5
4249+cs6
4250+cs7
4251+cs8\fP)
4252+mancommand(\.fi)
4253+mancommand(\.IP)
4254+htmlcommand(<dt><code><strong>cs5</strong><br>
4255+<strong>cs6</strong><br>
4256+<strong>cs7</strong><br>
4257+<strong>cs8</strong></code><dd>)
4258+ Sets the character size to 5, 6, 7, or 8 bits, respectively.
4259+
4260+label(OPTION_CSIZE)dit(bf(tt(csize=<0|1|2|3>)))
4261+label(OPTION_CSTOPB)dit(bf(tt(cstopb=<bool>)))
4262+ Sets two stop bits, rather than one.
4263+label(OPTION_VDSUSP)dit(bf(tt(dsusp=<byte>)))
4264+ Sets the value for the VDSUSP character that suspends the current foreground
4265+ process and reactivates the shell (all except Linux).
4266+label(OPTION_ECHOCTL)dit(bf(tt(echoctl=<bool>)))
4267+ Echos control characters in hat notation (e.g. ^A)
4268+label(OPTION_ECHOE)dit(bf(tt(echoe=<bool>)))
4269+label(OPTION_ECHOK)dit(bf(tt(echok=<bool>)))
4270+label(OPTION_ECHOKE)dit(bf(tt(echoke=<bool>)))
4271+label(OPTION_ECHONL)dit(bf(tt(echonl=<bool>)))
4272+label(OPTION_ECHOPRT)dit(bf(tt(echoprt=<bool>)))
4273+label(OPTION_EOF)dit(bf(tt(eof=<byte>)))
4274+label(OPTION_EOL)dit(bf(tt(eol=<byte>)))
4275+label(OPTION_EOL2)dit(bf(tt(eol2=<byte>)))
4276+label(OPTION_ERASE)dit(bf(tt(erase=<byte>)))
4277+label(OPTION_DISCARD)dit(bf(tt(discard=<byte>)))
4278+label(OPTION_FF0)dit(bf(tt(ff0)))
4279+label(OPTION_FF1)dit(bf(tt(ff1)))
4280+label(OPTION_FFDLY)dit(bf(tt(ffdly=<bool>)))
4281+label(OPTION_FLUSHO)dit(bf(tt(flusho=<bool>)))
4282+label(OPTION_HUPCL)dit(bf(tt(hupcl=<bool>)))
4283+label(OPTION_ICRNL)dit(bf(tt(icrnl=<bool>)))
4284+label(OPTION_IEXTEN)dit(bf(tt(iexten=<bool>)))
4285+label(OPTION_IGNCR)dit(bf(tt(igncr=<bool>)))
4286+label(OPTION_IGNPAR)dit(bf(tt(ignpar=<bool>)))
4287+label(OPTION_IMAXBEL)dit(bf(tt(imaxbel=<bool>)))
4288+label(OPTION_INLCR)dit(bf(tt(inlcr=<bool>)))
4289+label(OPTION_INPCK)dit(bf(tt(inpck=<bool>)))
4290+label(OPTION_INTR)dit(bf(tt(intr=<byte>)))
4291+label(OPTION_ISIG)dit(bf(tt(isig=<bool>)))
4292+label(OPTION_ISPEED)dit(bf(tt(ispeed=<unsigned-int>)))
4293+ Set the baud rate for incoming data on this line.nl()
4294+ See also: link(ospeed)(OPTION_OSPEED), link(b19200)(OPTION_B19200)
4295+label(OPTION_ISTRIP)dit(bf(tt(istrip=<bool>)))
4296+label(OPTION_IUCLC)dit(bf(tt(iuclc=<bool>)))
4297+label(OPTION_IXANY)dit(bf(tt(ixany=<bool>)))
4298+label(OPTION_IXOFF)dit(bf(tt(ixoff=<bool>)))
4299+label(OPTION_IXON)dit(bf(tt(ixon=<bool>)))
4300+label(OPTION_KILL)dit(bf(tt(kill=<byte>)))
4301+label(OPTION_LNEXT)dit(bf(tt(lnext=<byte>)))
4302+label(OPTION_MIN)dit(bf(tt(min=<byte>)))
4303+label(OPTION_NL0)dit(bf(tt(nl0)))
4304+ Sets the newline delay to 0.
4305+label(OPTION_NL1)dit(bf(tt(nl1)))
4306+label(OPTION_NLDLY)dit(bf(tt(nldly=<bool>)))
4307+label(OPTION_NOFLSH)dit(bf(tt(noflsh=<bool>)))
4308+label(OPTION_OCRNL)dit(bf(tt(ocrnl=<bool>)))
4309+label(OPTION_OFDEL)dit(bf(tt(ofdel=<bool>)))
4310+label(OPTION_OFILL)dit(bf(tt(ofill=<bool>)))
4311+label(OPTION_OLCUC)dit(bf(tt(olcuc=<bool>)))
4312+label(OPTION_ONLCR)dit(bf(tt(onlcr=<bool>)))
4313+label(OPTION_ONLRET)dit(bf(tt(onlret=<bool>)))
4314+label(OPTION_ONOCR)dit(bf(tt(onocr=<bool>)))
4315+label(OPTION_OPOST)dit(bf(tt(opost=<bool>)))
4316+ Enables or disables output processing; e.g., converts NL to CR-NL.
4317+label(OPTION_OSPEED)dit(bf(tt(ospeed=<unsigned-int>)))
4318+ Set the baud rate for outgoing data on this line.nl()
4319+ See also: link(ispeed)(OPTION_ISPEED), link(b19200)(OPTION_B19200)
4320+label(OPTION_PARENB)dit(bf(tt(parenb=<bool>)))
4321+ Enable parity generation on output and parity checking for input.
4322+label(OPTION_PARMRK)dit(bf(tt(parmrk=<bool>)))
4323+label(OPTION_PARODD)dit(bf(tt(parodd=<bool>)))
4324+label(OPTION_PENDIN)dit(bf(tt(pendin=<bool>)))
4325+label(OPTION_QUIT)dit(bf(tt(quit=<byte>)))
4326+label(OPTION_REPRINT)dit(bf(tt(reprint=<byte>)))
4327+label(OPTION_SANE)dit(bf(tt(sane)))
4328+ Brings the terminal to something like a useful default state.
4329+label(OPTION_START)dit(bf(tt(start=<byte>)))
4330+label(OPTION_STOP)dit(bf(tt(stop=<byte>)))
4331+label(OPTION_SUSP)dit(bf(tt(susp=<byte>)))
4332+label(OPTION_SWTC)dit(bf(tt(swtc=<byte>)))
4333+label(OPTION_TAB0)dit(bf(tt(tab0)))
4334+label(OPTION_TAB1)dit(bf(tt(tab1)))
4335+label(OPTION_TAB2)dit(bf(tt(tab2)))
4336+label(OPTION_TAB3)dit(bf(tt(tab3)))
4337+label(OPTION_TABDLY)dit(bf(tt(tabdly=<unsigned-int>)))
4338+label(OPTION_TIME)dit(bf(tt(time=<byte>)))
4339+label(OPTION_TOSTOP)dit(bf(tt(tostop=<bool>)))
4340+label(OPTION_VT0)dit(bf(tt(vt0)))
4341+label(OPTION_VT1)dit(bf(tt(vt1)))
4342+label(OPTION_VTDLY)dit(bf(tt(vtdly=<bool>)))
4343+label(OPTION_WERASE)dit(bf(tt(werase=<byte>)))
4344+label(OPTION_XCASE)dit(bf(tt(xcase=<bool>)))
4345+label(OPTION_XTABS)dit(bf(tt(xtabs)))
4346+label(OPTION_I_POP_ALL)dit(bf(tt(i-pop-all)))
4347+ With UNIX System V STREAMS, removes all drivers from the stack.
4348+label(OPTION_I_PUSH)dit(bf(tt(i-push=<string>)))
4349+ With UNIX System V STREAMS, pushes the driver (module) with the given name
4350+ (link(string)(TYPE_STRING)) onto the stack. For example, to make sure that a
4351+ character device on Solaris supports termios etc, use the following options:
4352+ tt(i-pop-all,i-push=ptem,i-push=ldterm,i-push=ttcompat)
4353+enddit()
4354+
4355+startdit()enddit()nl()
4356+
4357+
4358+label(GROUP_PTY)em(bf(PTY option group))
4359+
4360+These options are intended for use with the link(pty)(ADDRESS_PTY) address
4361+type.
4362+
4363+startdit()
4364+label(OPTION_SYMBOLIC_LINK)dit(bf(tt(link=<filename>)))
4365+ Generates a symbolic link that points to the actual pseudo terminal
4366+ (pty). This might help
4367+ to solve the problem that ptys are generated with more or less
4368+ unpredictable names, making it difficult to directly access the socat
4369+ generated pty automatically. With this option, the user can specify a "fix"
4370+ point in the file hierarchy that helps him to access the actual pty
4371+ (link(example)(EXAMPLE_OPTION_SYMBOLIC_LINK)).
4372+ Beginning with socat() version 1.4.3, the symbolic link is removed when
4373+ the address is closed (but see option link(unlink-close)(OPTION_UNLINK_CLOSE)).
4374+label(OPTION_PTY_WAIT_SLAVE)dit(bf(tt(wait-slave)))
4375+ Blocks the open phase until a process opens the slave side of the pty.
4376+ Usually, socat continues after generating the pty with opening the next
4377+ address or with entering the transfer loop. With the wait-slave option,
4378+ socat waits until some process opens the slave side of the pty before
4379+ continuing.
4380+ This option only works if the operating system provides the tt(poll())
4381+ system call. And it depends on an undocumented behaviour of pty's, so it
4382+ does not work on all operating systems. It has successfully been tested on
4383+ Linux, FreeBSD, NetBSD, and on Tru64 with openpty.
4384+label(OPTION_PTY_INTERVAL)dit(bf(tt(pty-interval=<seconds>)))
4385+ When the link(wait-slave)(OPTION_PTY_WAIT_SLAVE) option is set, socat
4386+ periodically checks the HUP condition using tt(poll()) to find if the pty's
4387+ slave side has been opened. The default polling interval is 1s. Use the
4388+ pty-interval option [link(timeval)(TYPE_TIMEVAL)] to change this value.
4389+enddit()
4390+
4391+
4392+startdit()enddit()nl()
4393+
4394+
4395+label(GROUP_OPENSSL)em(bf(OPENSSL option group))
4396+
4397+These options apply to the link(openssl)(ADDRESS_OPENSSL_CONNECT) and
4398+link(openssl-listen)(ADDRESS_OPENSSL_LISTEN) address types.
4399+
4400+startdit()
4401+label(OPTION_OPENSSL_CIPHERLIST)dit(bf(tt(cipher=<cipherlist>)))
4402+ Selects the list of ciphers that may be used for the connection.
4403+ See the man page of code(ciphers), section bf(CIPHER LIST FORMAT), for
4404+ detailed information about syntax, values, and default of <cipherlist>.nl()
4405+ Several cipher strings may be given, separated by ':'.
4406+ Some simple cipher strings:
4407+ startdit()
4408+ dit(3DES) Uses a cipher suite with triple DES.
4409+ dit(MD5) Uses a cipher suite with MD5.
4410+ dit(aNULL) Uses a cipher suite without authentication.
4411+ dit(NULL) Does not use encryption.
4412+ dit(HIGH) Uses a cipher suite with "high" encryption.
4413+ enddit()
4414+ Note that the peer must support the selected property, or the negotiation
4415+ will fail.
4416+label(OPTION_OPENSSL_METHOD)dit(bf(tt(method=<ssl-method>)))
4417+ Sets the protocol version to be used. Valid strings (not case sensitive)
4418+ are:
4419+ startdit()
4420+ dit(tt(SSLv2)) Select SSL protocol version 2.
4421+ dit(tt(SSLv3)) Select SSL protocol version 3.
4422+ dit(tt(SSLv23)) Select SSL protocol version 2 or 3. This is the default when
4423+ this option is not provided.
4424+ dit(tt(TLSv1)) Select TLS protocol version 1.
4425+ enddit()
4426+label(OPTION_OPENSSL_VERIFY)dit(bf(tt(verify=<bool>)))
4427+ Controls check of the peer's certificate. Default is 1 (true). Disabling
4428+ verify might open your socket for everyone, making the encryption useless!
4429+label(OPTION_OPENSSL_CERTIFICATE)dit(bf(tt(cert=<filename>)))
4430+ Specifies the file with the certificate and private key for authentication.
4431+ The certificate must be in OpenSSL format (*.pem).
4432+ With openssl-listen, use of this option is strongly
4433+ recommended. Except with cipher aNULL, "no shared ciphers" error will
4434+ occur when no certificate is given.
4435+label(OPTION_OPENSSL_KEY)dit(bf(tt(key=<filename>)))
4436+ Specifies the file with the private key. The private key may be in this
4437+ file or in the file given with the link(cert)(OPTION_OPENSSL_CERTIFICATE) option. The party that has
4438+ to proof that it is the owner of a certificate needs the private key.
4439+label(OPTION_OPENSSL_DHPARAMS)dit(bf(tt(dhparams=<filename>)))
4440+ Specifies the file with the Diffie Hellman parameters. These parameters may
4441+ also be in the file given with the link(cert)(OPTION_OPENSSL_CERTIFICATE)
4442+ option in which case the dhparams option is not needed.
4443+label(OPTION_OPENSSL_CAFILE)dit(bf(tt(cafile=<filename>)))
4444+ Specifies the file with the trusted (root) authority certificates. The file
4445+ must be in PEM format and should contain one or more certificates. The party
4446+ that checks the authentication of its peer trusts only certificates that are
4447+ in this file.
4448+label(OPTION_OPENSSL_CAPATH)dit(bf(tt(capath=<dirname>)))
4449+ Specifies the directory with the trusted (root) certificates. The directory
4450+ must contain certificates in PEM format and their hashes (see OpenSSL
4451+ documentation)
4452+label(OPTION_OPENSSL_EGD)dit(bf(tt(egd=<filename>)))
4453+ On some systems, openssl requires an explicit source of random data. Specify
4454+ the socket name where an entropy gathering daemon like egd provides random
4455+ data, e.g. /dev/egd-pool.
4456+label(OPTION_OPENSSL_PSEUDO)dit(bf(tt(pseudo)))
4457+ On systems where openssl cannot find an entropy source and where no entropy
4458+ gathering daemon can be utilized, this option activates a mechanism for
4459+ providing pseudo entropy. This is archieved by taking the current time in
4460+ microseconds for feeding the libc pseudo random number generator with an
4461+ initial value. openssl is then feeded with output from random\() calls.nl()
4462+ NOTE:This mechanism is not sufficient for generation of secure keys!
4463+label(OPTION_OPENSSL_FIPS)dit(bf(tt(fips)))
4464+ Enables FIPS mode if compiled in. For info about the FIPS encryption
4465+ implementation standard see lurl(http://oss-institute.org/fips-faq.html).
4466+ This mode might require that the involved certificates are generated with a
4467+ FIPS enabled version of openssl. Setting or clearing this option on one
4468+ socat address affects all OpenSSL addresses of this process.
4469+enddit()
4470+
4471+startdit()enddit()nl()
4472+
4473+
4474+label(GROUP_RETRY)em(bf(RETRY option group))
4475+
4476+Options that control retry of some system calls, especially connection
4477+attempts.
4478+
4479+startdit()
4480+label(OPTION_RETRY)dit(bf(tt(retry=<num>)))
4481+ Number of retries before the connection or listen attempt is aborted.
4482+ Default is 0, which means just one attempt.
4483+label(OPTION_INTERVAL)dit(bf(tt(interval=<timespec>)))
4484+ Time between consecutive attempts (seconds,
4485+ [link(timespec)(TYPE_TIMESPEC)]). Default is 1 second.
4486+label(OPTION_FOREVER)dit(bf(tt(forever)))
4487+ Performs an unlimited number of retry attempts.
4488+enddit()
4489+
4490+startdit()enddit()nl()
4491+
4492+
4493+label(GROUP_TUN)em(bf(TUN option group))
4494+
4495+Options that control Linux TUN/TAP interface device addresses.
4496+
4497+startdit()
4498+label(OPTION_TUN_DEVICE)dit(bf(tt(tun-device=<device-file>)))
4499+ Instructs socat to take another path for the TUN clone device. Default is
4500+ tt(/dev/net/tun).
4501+label(OPTION_TUN_NAME)dit(bf(tt(tun-name=<if-name>)))
4502+ Gives the resulting network interface a specific name instead of the system
4503+ generated (tun0, tun1, etc.)
4504+label(OPTION_TUN_TYPE)dit(bf(tt(tun-type=[tun|tap])))
4505+ Sets the type of the TUN device; use this option to generate a TAP
4506+ device. See the Linux docu for the difference between these types.
4507+ When you try to establish a tunnel between two TUN devices, their types
4508+ should be the same.
4509+label(OPTION_IFF_NO_PI)dit(bf(tt(iff-no-pi)))
4510+ Sets the IFF_NO_PI flag which controls if the device includes additional
4511+ packet information in the tunnel.
4512+ When you try to establish a tunnel between two TUN devices, these flags
4513+ should have the same values.
4514+label(OPTION_IFF_UP)dit(bf(tt(iff-up)))
4515+ Sets the TUN network interface status UP. Strongly recommended.
4516+label(OPTION_IFF_BROADCAST)dit(bf(tt(iff-broadcast)))
4517+ Sets the BROADCAST flag of the TUN network interface.
4518+label(OPTION_IFF_DEBUG)dit(bf(tt(iff-debug)))
4519+ Sets the DEBUG flag of the TUN network interface.
4520+label(OPTION_IFF_LOOPBACK)dit(bf(tt(iff-loopback)))
4521+ Sets the LOOPBACK flag of the TUN network interface.
4522+label(OPTION_IFF_POINTOPOINT)dit(bf(tt(iff-pointopoint)))
4523+ Sets the POINTOPOINT flag of the TUN device.
4524+label(OPTION_IFF_NOTRAILERS)dit(bf(tt(iff-notrailers)))
4525+ Sets the NOTRAILERS flag of the TUN device.
4526+label(OPTION_IFF_RUNNING)dit(bf(tt(iff-running)))
4527+ Sets the RUNNING flag of the TUN device.
4528+label(OPTION_IFF_NOARP)dit(bf(tt(iff-noarp)))
4529+ Sets the NOARP flag of the TUN device.
4530+label(OPTION_IFF_PROMISC)dit(bf(tt(iff-promisc)))
4531+ Sets the PROMISC flag of the TUN device.
4532+label(OPTION_IFF_ALLMULTI)dit(bf(tt(iff-allmulti)))
4533+ Sets the ALLMULTI flag of the TUN device.
4534+label(OPTION_IFF_MASTER)dit(bf(tt(iff-master)))
4535+ Sets the MASTER flag of the TUN device.
4536+label(OPTION_IFF_SLAVE)dit(bf(tt(iff-slave)))
4537+ Sets the SLAVE flag of the TUN device.
4538+label(OPTION_IFF_MULTICAST)dit(bf(tt(iff-multicast)))
4539+ Sets the MULTICAST flag of the TUN device.
4540+label(OPTION_IFFPORTSEL_)dit(bf(tt(iff-portsel)))
4541+ Sets the PORTSEL flag of the TUN device.
4542+label(OPTION_IFF_AUTOMEDIA)dit(bf(tt(iff-automedia)))
4543+ Sets the AUTOMEDIA flag of the TUN device.
4544+label(OPTION_IFF_DYNAMIC)dit(bf(tt(iff-dynamic)))
4545+ Sets the DYNAMIC flag of the TUN device.
4546+enddit()
4547+
4548+startdit()enddit()nl()
4549+
4550+
4551+label(VALUES)
4552+manpagesection(DATA VALUES)
4553+
4554+This section explains the different data types that address parameters and
4555+address options can take.
4556+
4557+startdit()
4558+label(TYPE_ADDRESS_RANGE)dit(address-range)
4559+ Is currently only implemented for IPv4 and IPv6. See address-option
4560+ link(`range')(OPTION_RANGE)
4561+label(TYPE_BOOL)dit(bool)
4562+ "0" or "1"; if value is omitted, "1" is taken.
4563+label(TYPE_BYTE)dit(byte)
4564+ An unsigned int number, read with code(strtoul()), lower or equal to
4565+ code(UCHAR_MAX).
4566+label(TYPE_COMMAND_LINE)dit(command-line)
4567+ A string specifying a program name and its arguments, separated by single
4568+ spaces.
4569+label(TYPE_DATA)dit(data)
4570+ A raw data specification following em(dalan) syntax. Currently the only
4571+ valid form is a string starting with 'x' followed by an even number of hex
4572+ digits, specifying a sequence of bytes.
4573+label(TYPE_DIRECTORY)dit(directory)
4574+ A string with usual unix() directory name semantics.
4575+label(TYPE_FACILITY)dit(facility)
4576+ The name of a syslog facility in lower case characters.
4577+label(TYPE_FDNUM)dit(fdnum)
4578+ An unsigned int type, read with code(strtoul()), specifying a unix() file
4579+ descriptor.
4580+label(TYPE_FILENAME)dit(filename)
4581+ A string with usual unix() filename semantics.
4582+label(TYPE_GROUP)dit(group)
4583+ If the first character is a decimal digit, the value is read with
4584+ code(strtoul()) as unsigned integer specifying a group id. Otherwise, it
4585+ must be an existing group name.
4586+label(TYPE_INT)dit(int)
4587+ A number following the rules of the code(strtol()) function with base
4588+ "0", i.e. decimal number, octal number with leading "0", or hexadecimal
4589+ number with leading "0x". The value must fit into a C int.
4590+label(TYPE_INTERFACE)dit(interface)
4591+ A string specifying the device name of a network interface
4592+ as shown by ifconfig or procan, e.g. "eth0".
4593+label(TYPE_IP_ADDRESS)dit(IP address)
4594+ An IPv4 address in numbers-and-dots notation, an IPv6 address in hex
4595+ notation enclosed in brackets, or a hostname that resolves to an IPv4 or an
4596+ IPv6 address.nl()
4597+ Examples: 127.0.0.1, [::1], www.dest-unreach.org, dns1
4598+label(TYPE_IPV4_ADDRESS)dit(IPv4 address)
4599+ An IPv4 address in numbers-and-dots notation or a hostname that resolves to
4600+ an IPv4 address.nl()
4601+ Examples: 127.0.0.1, www.dest-unreach.org, dns2
4602+label(TYPE_IPV6_ADDRESS)dit(IPv6 address)
4603+ An iPv6 address in hexnumbers-and-colons notation enclosed in brackets, or a
4604+ hostname that resolves to an IPv6 address.nl()
4605+ Examples: [::1], [1234:5678:9abc:def0:1234:5678:9abc:def0],
4606+ ip6name.domain.org
4607+label(TYPE_LONG)dit(long)
4608+ A number read with code(strtol()). The value must fit into a C long.
4609+label(TYPE_LONGLONG)dit(long long)
4610+ A number read with code(strtoll()). The value must fit into a C long long.
4611+label(TYPE_OFF)dit(off_t)
4612+ An implementation dependend signed number, usually 32 bits, read with strtol
4613+ or strtoll.
4614+label(TYPE_OFF64)dit(off64_t)
4615+ An implementation dependend signed number, usually 64 bits, read with strtol
4616+ or strtoll.
4617+label(TYPE_MODE_T)dit(mode_t)
4618+ An unsigned integer, read with code(strtoul()), specifying mode (permission)
4619+ bits.
4620+label(TYPE_PID_T)dit(pid_t)
4621+ A number, read with code(strtol()), specifying a process id.
4622+label(TYPE_PORT)dit(port)
4623+ A uint16_t (16 bit unsigned number) specifying a TCP or UDP port, read
4624+ with code(strtoul()).
4625+label(TYPE_PROTOCOL)dit(protocol)
4626+ An unsigned 8 bit number, read with code(strtoul()).
4627+label(TYPE_SIZE_T)dit(size_t)
4628+ An unsigned number with size_t limitations, read with code(strtoul).
4629+label(TYPE_SOCKNAME)dit(sockname)
4630+ A socket address. See address-option link(`bind')(OPTION_BIND)
4631+label(TYPE_STRING)dit(string)
4632+ A sequence of characters, not containing '\0' and, depending on
4633+ the position within the command line, ':', ',', or "!!". Note
4634+ that you might have to escape shell meta characters in the command line.
4635+label(TYPE_TCP_SERVICE)dit(TCP service)
4636+ A service name, not starting with a digit, that is resolved by
4637+ code(getservbyname()), or an unsigned int 16 bit number read with
4638+ code(strtoul()).
4639+label(TYPE_TIMEVAL)dit(timeval)
4640+ A double float specifying seconds; the number is mapped into a
4641+ struct timeval, consisting of seconds and microseconds.
4642+label(TYPE_TIMESPEC)dit(timespec)
4643+ A double float specifying seconds; the number is mapped into a
4644+ struct timespec, consisting of seconds and nanoseconds.
4645+label(TYPE_UDP_SERVICE)dit(UDP service)
4646+ A service name, not starting with a digit, that is resolved by
4647+ code(getservbyname()), or an unsigned int 16 bit number read with
4648+ code(strtoul()).
4649+label(TYPE_UNSIGNED_INT)dit(unsigned int)
4650+ A number read with code(strtoul()). The value must fit into a C unsigned
4651+ int.
4652+label(TYPE_USER)dit(user)
4653+ If the first character is a decimal digit, the value is read with
4654+ code(strtoul()) as unsigned integer specifying a user id. Otherwise, it must
4655+ be an existing user name.
4656+enddit()
4657+
4658+
4659+label(EXAMPLES)
4660+manpagesection(EXAMPLES)
4661+
4662+
4663+startdit()
4664+
4665+label(EXAMPLE_ADDRESS_TCP4_CONNECT)
4666+dit(bf(tt(socat - TCP4:www.domain.org:80)))
4667+
4668+transfers data between link(STDIO)(ADDRESS_STDIO) (-) and a
4669+link(TCP4)(ADDRESS_TCP4_CONNECT) connection to port 80 of host
4670+www.domain.org. This example results in an interactive connection similar to
4671+telnet or netcat. The stdin terminal parameters are not changed, so you may
4672+close the relay with ^D or abort it with ^C.
4673+
4674+label(EXAMPLE_ADDRESS_READLINE)
4675+label(EXAMPLE_OPTION_HISTORY)
4676+mancommand(\.LP)
4677+mancommand(\.nf)
4678+mancommand(\fBsocat -d -d READLINE,history=$HOME/.http_history \\
4679+TCP4:www.domain.org:www,crnl\fP)
4680+mancommand(\.fi)
4681+
4682+htmlcommand(<dt><code><strong>socat -d -d READLINE,history=$HOME/.http_history \</strong><br>
4683+<strong>TCP4:www.domain.org:www,crnl</strong></code><dd>)
4684+
4685+this is similar to the previous example, but you can edit the current line in a
4686+bash like manner (link(READLINE)(ADDRESS_READLINE)) and use the
4687+link(history)(OPTION_HISTORY) file .http_history; socat() prints messages about
4688+progress (link(-d -d)(option_d_d)). The port is specified by service name
4689+(www), and correct network line termination characters
4690+(link(crnl)(OPTION_CRNL)) instead of NL are used.
4691+
4692+
4693+label(EXAMPLE_ADDRESS_TCP4_LISTEN)
4694+dit(bf(tt(socat TCP4-LISTEN:www TCP4:www.domain.org:www)))
4695+
4696+installs a simple TCP port forwarder. With
4697+link(TCP4-LISTEN)(ADDRESS_TCP4_LISTEN) it listens on local port "www" until a
4698+connection comes in, accepts it, then connects to the remote host
4699+(link(TCP4)(ADDRESS_TCP4_CONNECT)) and starts data transfer. It will not accept
4700+a econd connection.
4701+
4702+label(EXAMPLE_OPTION_BIND_TCP4)
4703+label(EXAMPLE_OPTION_REUSEADDR)
4704+label(EXAMPLE_OPTION_FORK)
4705+label(EXAMPLE_OPTION_SUBSTUSER)
4706+label(EXAMPLE_OPTION_RANGE)
4707+mancommand(\.LP)
4708+mancommand(\.nf)
4709+mancommand(\fBsocat -d -d -lmlocal2 \\
4710+TCP4-LISTEN:80,bind=myaddr1,reuseaddr,fork,su=nobody,range=10.0.0.0/8 \\
4711+TCP4:www.domain.org:80,bind=myaddr2\fP)
4712+mancommand(\.fi)
4713+
4714+htmlcommand(<dt><code><strong>socat -d -d -lmlocal2 \</strong><br>
4715+<strong>TCP4-LISTEN:80,bind=myaddr1,su=nobody,fork,range=10.0.0.0/8,reuseaddr \</strong><br>
4716+<strong>TCP4:www.domain.org:80,bind=myaddr2</strong></code><dd>)
4717+
4718+TCP port forwarder, each side bound to another local IP address
4719+(link(bind)(OPTION_BIND)). This example handles an almost
4720+arbitrary number of parallel or consecutive connections by
4721+link(fork)(OPTION_FORK)'ing a new
4722+process after each code(accept()). It provides a little security by
4723+link(su)(OPTION_SUBSTUSER)'ing to user
4724+nobody after forking; it only permits connections from the private 10 network
4725+(link(range)(OPTION_RANGE)); due to link(reuseaddr)(OPTION_REUSEADDR), it
4726+allows immediate restart after master process's termination, even if some child
4727+sockets are not completely shut down.
4728+With link(-lmlocal2)(option_lm), socat logs to stderr until successfully
4729+reaching the accept loop. Further logging is directed to syslog with facility
4730+local2.
4731+
4732+label(EXAMPLE_ADDRESS_EXEC)
4733+label(EXAMPLE_OPTION_TCPWRAPPERS)
4734+label(EXAMPLE_OPTION_CHROOT)
4735+label(EXAMPLE_OPTION_SUBSTUSER_DELAYED)
4736+label(EXAMPLE_OPTION_PTY)
4737+label(EXAMPLE_OPTION_STDERR)
4738+mancommand(\.LP)
4739+mancommand(\.nf)
4740+mancommand(\fBsocat TCP4-LISTEN:5555,fork,tcpwrap=script \\
4741+EXEC:/bin/myscript,chroot=/home/sandbox,su-d=sandbox,pty,stderr\fP)
4742+mancommand(\.fi)
4743+
4744+htmlcommand(<dt><code><strong>socat TCP4-LISTEN:5555,fork,tcpwrap=script \</strong><br>
4745+<strong>EXEC:/bin/myscript,chroot=/home/sandbox,su-d=sandbox,pty,stderr</strong></code><dd>)
4746+
4747+a simple server that accepts connections
4748+(link(TCP4-LISTEN)(ADDRESS_TCP4_LISTEN)) and link(fork)(OPTION_FORK)'s a new
4749+child process for each connection; every child acts as single relay.
4750+The client must match the rules for daemon process name "script" in
4751+/etc/hosts.allow and /etc/hosts.deny, otherwise it is refused access (see "man
4752+5 hosts_access").
4753+For link(EXEC)(ADDRESS_EXEC)'uting the program, the child process
4754+link(chroot)(OPTION_CHROOT)'s
4755+to file(/home/sandbox), link(su)(OPTION_SUBSTUSER)'s to user sandbox, and then starts
4756+the program file(/home/sandbox/bin/myscript). Socat() and
4757+myscript communicate via a pseudo tty (link(pty)(OPTION_PTY)); myscript's
4758+link(stderr)(OPTION_STDERR) is redirected to stdout,
4759+so its error messages are transferred via socat() to the connected client.
4760+
4761+label(EXAMPLE_OPTION_FDIN)
4762+label(EXAMPLE_OPTION_FDOUT)
4763+label(EXAMPLE_OPTION_CRNL)
4764+label(EXAMPLE_OPTION_MSS)
4765+mancommand(\.LP)
4766+mancommand(\.nf)
4767+mancommand(\fBsocat EXEC:"mail.sh target@domain.com",fdin=3,fdout=4 \\
4768+TCP4:mail.relay.org:25,crnl,bind=alias1.server.org,mss=512\fP)
4769+mancommand(\.fi)
4770+
4771+htmlcommand(<dt><code><strong>socat EXEC:"mail.sh target@domain.com",fdin=3,fdout=4 \</strong><br>
4772+<strong>TCP4:mail.relay.org:25,crnl,bind=alias1.server.org,mss=512</strong></code><dd>)
4773+
4774+file(mail.sh) is a shell script, distributed with socat(), that implements a
4775+simple
4776+SMTP client. It is programmed to "speak" SMTP on its FDs 3 (in) and 4 (out).
4777+The link(fdin)(OPTION_FDIN) and link(fdout)(OPTION_FDOUT) options tell socat()
4778+to use these FDs for communication with
4779+the program. Because mail.sh inherits stdin and stdout while socat() does not
4780+use them, the script can read a
4781+mail body from stdin. Socat() makes alias1 your local source address
4782+(link(bind)(OPTION_BIND)), cares for correct network line termination
4783+(link(crnl)(OPTION_CRNL)) and sends
4784+at most 512 data bytes per packet (link(mss)(OPTION_MSS)).
4785+
4786+
4787+label(EXAMPLE_ADDRESS_GOPEN)
4788+label(EXAMPLE_OPTION_RAW)
4789+label(EXAMPLE_OPTION_ECHO)
4790+label(EXAMPLE_OPTION_ESCAPE)
4791+dit(bf(tt(socat -,raw,echo=0,escape=0x0f /dev/ttyS0,raw,echo=0,crnl)))
4792+
4793+opens an interactive connection via the serial line, e.g. for talking with a
4794+modem. link(raw)(OPTION_RAW) and link(echo)(OPTION_ECHO) set the console's and
4795+ttyS0's terminal parameters to practicable values, link(crnl)(OPTION_CRNL)
4796+converts to correct newline characters. link(escape)(OPTION_ESCAPE) allows to
4797+terminate the socat process with character control-O.
4798+Consider using link(READLINE)(ADDRESS_READLINE) instead of the first address.
4799+
4800+
4801+label(EXAMPLE_ADDRESS_UNIX_LISTEN)
4802+label(EXAMPLE_ADDRESS_SOCKS4)
4803+label(EXAMPLE_OPTION_SOCKSUSER)
4804+label(EXAMPLE_OPTION_SOURCEPORT)
4805+mancommand(\.LP)
4806+mancommand(\.nf)
4807+mancommand(\fBsocat UNIX-LISTEN:/tmp/.X11-unix/X1,fork \\
4808+SOCKS4:host.victim.org:127.0.0.1:6000,socksuser=nobody,sourceport=20\fP)
4809+mancommand(\.fi)
4810+
4811+htmlcommand(<dt><code><strong>socat UNIX-LISTEN:/tmp/.X11-unix/X1,fork \</strong><br>
4812+<strong>SOCKS4:host.victim.org:127.0.0.1:6000,socksuser=nobody,sourceport=20</strong></code><dd>)
4813+
4814+with link(UNIX-LISTEN)(ADDRESS_UNIX_LISTEN), socat() opens a listening
4815+unixdomain() socket file(/tmp/.X11-unix/X1). This path corresponds
4816+to local XWindow display :1 on your machine, so XWindow client connections to
4817+DISPLAY=:1 are accepted. Socat() then speaks with
4818+the link(SOCKS4)(ADDRESS_SOCKS4) server host.victim.org that might permit
4819+link(sourceport)(OPTION_SOURCEPORT) 20 based connections due to an FTP related
4820+weakness in its static IP filters. Socat()
4821+pretends to be invoked by link(socksuser)(OPTION_SOCKSUSER) nobody, and
4822+requests to be connected to
4823+loopback port 6000 (only weak sockd configurations will allow this). So we get
4824+a connection to the victims XWindow server and, if it does not require MIT
4825+cookies or Kerberos authentication, we can start work. Please note that there
4826+can only be one connection at a time, because TCP can establish only one
4827+session with a given set of addresses and ports.
4828+
4829+
4830+label(EXAMPLE_option_u)
4831+label(EXAMPLE_OPTION_IGNOREEOF)
4832+dit(bf(tt(socat -u /tmp/readdata,seek-end=0,ignoreeof -)))
4833+
4834+this is an example for unidirectional data transfer
4835+(link(-u)(option_u)). Socat() transfers data
4836+from file /tmp/readdata (implicit address link(GOPEN)(ADDRESS_GOPEN)), starting
4837+at its current end (link(seek-end)(OPTION_SEEK_END)=0 lets socat() start
4838+reading at current end of file; use link(seek)(OPTION_SEEK)=0 or no
4839+seek option to first read the existing data) in a "tail -f" like mode
4840+(link(ignoreeof)(OPTION_IGNOREEOF)). The "file"
4841+might also be a listening unixdomain() socket (do not use a seek option then).
4842+
4843+
4844+label(EXAMPLE_OPTION_SETSID)
4845+label(EXAMPLE_OPTION_CTTY)
4846+mancommand(\.LP)
4847+mancommand(\.nf)
4848+mancommand(\fB(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1) |
4849+socat - EXEC:'ssh -l user server',pty,setsid,ctty\fP)
4850+mancommand(\.fi)
4851+
4852+htmlcommand(<dt><code><strong>(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1) |</strong><br>
4853+<strong>socat - EXEC:'ssh -l user server',pty,setsid,ctty</strong></code><dd>)
4854+
4855+link(EXEC)(ADDRESS_EXEC)'utes an ssh session to server. Uses a link(pty)(OPTION_PTY) for communication between socat() and
4856+ssh, makes it ssh's controlling tty (link(ctty)(OPTION_CTTY)),
4857+and makes this pty the owner of
4858+a new process group (link(setsid)(OPTION_SETSID)), so ssh accepts the password from socat().
4859+
4860+
4861+label(EXAMPLE_ADDRESS_OPEN)
4862+label(EXAMPLE_OPTION_CREAT)
4863+label(EXAMPLE_OPTION_APPEND)
4864+mancommand(\.LP)
4865+mancommand(\.nf)
4866+mancommand(\fBsocat -u TCP4-LISTEN:3334,reuseaddr,fork \\
4867+OPEN:/tmp/in.log,creat,append\fP)
4868+mancommand(\.fi)
4869+
4870+htmlcommand(<dt><code><strong>socat -u TCP4-LISTEN:3334,reuseaddr,fork \</strong><br>
4871+<strong>OPEN:/tmp/in.log,creat,append</strong></code><dd>)
4872+
4873+implements a simple network based message collector.
4874+For each client connecting to port 3334, a new child process is generated (option link(fork)(OPTION_FORK)).
4875+All data sent by the clients are link(append)(OPTION_APPEND)'ed to the file /tmp/in.log.
4876+If the file does not exist, socat link(creat)(OPTION_CREAT)'s it.
4877+Option link(reuseaddr)(OPTION_REUSEADDR) allows immediate restart of the server
4878+process.
4879+
4880+COMMENT(
4881+dit(bf(tt(socat TCP4-LISTEN:3335,reuseaddr,fork OPEN:/tmp/motd,rdonly)))
4882+
4883+implements a simple network based motd server.
4884+For each client connecting to port 3335, a new child process is generated
4885+(option link(fork)(OPTION_FORK)).
4886+The contents of the file /tmp/motd is sent to each client.
4887+Messages sent by clients result in an error due to option link(rdonly)(OPTION_RDONLY).
4888+Option link(reuseaddr)(OPTION_REUSEADDR) allows immediate restart of the server
4889+process.
4890+)
4891+COMMENT(
4892+dit(bf(tt(socat - TCP4-LISTEN:8080,mtudiscover=0,rcvbuf=2048)))
4893+
4894+changes some socket parameters to confuse active OS fingerprinting methods.
4895+link(mtudiscover)(OPTION_MTUDISCOVER)=0 sets the DF (don'ft fragment flag) in
4896+the IP packets to 0 and link(rcvbuf)(OPTION_RCVBUF) changes the initial TCP
4897+window size.
4898+)
4899+
4900+label(EXAMPLE_OPTION_NOECHO)
4901+dit(bf(tt(socat READLINE,noecho='[Pp]assword:' EXEC:'ftp ftp.server.com',pty,setsid,ctty)))
4902+
4903+wraps a command line history (link(READLINE)(ADDRESS_READLINE)) around the link(EXEC)(ADDRESS_EXEC)'uted ftp client utility.
4904+This allows editing and reuse of FTP commands for relatively comfortable
4905+browsing through the ftp directory hierarchy. The password is echoed!
4906+ link(pty)(OPTION_PTY) is required to have ftp issue a prompt.
4907+Nevertheless, there may occur some confusion with the password and FTP
4908+prompts.
4909+
4910+
4911+label(EXAMPLE_ADDRESS_PTY)
4912+label(EXAMPLE_OPTION_SYMBOLIC_LINK)
4913+label(EXAMPLE_OPTION_WAIT_SLAVE)
4914+label(EXAMPLE_OPTION_NONBLOCK)
4915+(bf(tt(socat PTY,link=$HOME/dev/vmodem0,raw,echo=0,wait-slave EXEC:'"ssh modemserver.us.org socat - /dev/ttyS0,nonblock,raw,echo=0"')))
4916+
4917+generates a pseudo terminal
4918+device (link(PTY)(ADDRESS_PTY)) on the client that can be reached under the
4919+symbolic link(link)(OPTION_SYMBOLIC_LINK) file($HOME/dev/vmodem0).
4920+An application that expects a serial line or modem
4921+can be configured to use file($HOME/dev/vmodem0); its traffic will be directed
4922+to a modemserver via ssh where another socat instance links it with
4923+file(/dev/ttyS0).
4924+
4925+
4926+mancommand(\.LP)
4927+mancommand(\.nf)
4928+mancommand(\fBsocat TCP4-LISTEN:2022,reuseaddr,fork \\
4929+PROXY:proxy:www.domain.org:22,proxyport=3128,proxyauth=user:pass\fP)
4930+mancommand(\.fi)
4931+
4932+htmlcommand(<dt><code><strong>socat TCP4-LISTEN:2022,reuseaddr,fork \</strong><br>
4933+<strong>PROXY:proxy:www.domain.org:22,proxyport=3128,proxyauth=user:pass</strong></code><dd>)
4934+
4935+starts a forwarder that accepts connections on port 2022, and directs them
4936+through the link(proxy)(ADDRESS_PROXY_CONNECT) daemon listening on port 3128
4937+(link(proxyport)(OPTION_PROXYPORT)) on host proxy, using the
4938+CONNECT method, where they are authenticated as "user" with "pass" (link(proxyauth)(OPTION_PROXY_AUTHORIZATION)). The proxy
4939+should establish connections to host www.domain.org on port 22 then.
4940+
4941+
4942+label(EXAMPLE_ADDRESS_OPENSSL_CONNECT)
4943+dit(bf(tt(socat - SSL:server:4443,cafile=server.crt,cert=client.pem)))
4944+
4945+is an OpenSSL client that tries to establish a secure connection to an SSL
4946+server. Option link(cafile)(OPTION_OPENSSL_CAFILE) specifies a file that
4947+contains trust certificates: we trust the server only when it presents one of
4948+these certificates and proofs that it owns the related private key.
4949+Otherwise the connection is terminated.
4950+With link(cert)(OPTION_OPENSSL_CERTIFICATE) a file containing the client certificate
4951+and the associated private key is specified. This is required in case the
4952+server wishes a client authentication; many Internet servers do not.nl()
4953+The first address ('-') can be replaced by almost any other socat address.
4954+
4955+
4956+label(EXAMPLE_ADDRESS_OPENSSL_LISTEN)
4957+dit(bf(tt(socat SSL-LISTEN:4443,reuseaddr,pf=ip4,fork,cert=server.pem,cafile=client.crt PIPE)))
4958+
4959+is an OpenSSL server that accepts TCP connections, presents the certificate
4960+from the file server.pem and forces the client to present a certificate that is
4961+verified against cafile.crt.nl()
4962+The second address ('PIPE') can be replaced by almost any other socat
4963+address.nl()
4964+For instructions on generating and distributing OpenSSL keys and certificates
4965+see the additional socat docu tt(socat-openssl.txt).
4966+
4967+
4968+dit(bf(tt(echo |socat -u - file:/tmp/bigfile,create,largefile,seek=100000000000)))
4969+
4970+creates a 100GB sparse file; this requires a file system type that
4971+supports this (ext2, ext3, reiserfs, jfs; not minix, vfat). The operation of
4972+writing 1 byte might take long (reiserfs: some minutes; ext2: "no" time), and
4973+the resulting file can consume some disk space with just its inodes (reiserfs:
4974+2MB; ext2: 16KB).
4975+
4976+
4977+dit(bf(tt(socat tcp-l:7777,reuseaddr,fork system:'filan -i 0 -s >&2',nofork)))
4978+
4979+listens for incoming TCP connections on port 7777. For each accepted
4980+connection, invokes a shell. This shell has its stdin and stdout directly
4981+connected to the TCP socket (link(nofork)(OPTION_NOFORK)). The shell starts filan and lets it print the socket addresses to
4982+stderr (your terminal window).
4983+
4984+
4985+dit(bf(tt(echo -e "\0\14\0\0\c" |socat -u - file:/usr/bin/squid.exe,seek=0x00074420)))
4986+
4987+functions as primitive binary editor: it writes the 4 bytes 000 014 000 000 to
4988+the executable /usr/bin/squid at offset 0x00074420 (this is a real world patch
4989+to make the squid executable from Cygwin run under Windows, actual per May 2004).
4990+
4991+
4992+dit(bf(tt(socat - tcp:www.blackhat.org:31337,readbytes=1000)))
4993+
4994+connects to an unknown service and prevents being flooded.
4995+
4996+
4997+label(EXAMPLE_END_CLOSE)
4998+dit(bf(tt(socat -U TCP:target:9999,end-close TCP-L:8888,reuseaddr,fork)))
4999+
5000+merges data arriving from different TCP streams on port 8888 to just one stream
The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes: