With TCP6-LISTEN etc. the range option failed
This commit is contained in:
parent
a2f8e99371
commit
479d9cbbda
4 changed files with 27 additions and 21 deletions
6
CHANGES
6
CHANGES
|
@ -43,6 +43,12 @@ corrections:
|
||||||
|
|
||||||
Substituted cumbersom ISPEED_OFFSET mechanism for cfsetispeed() calls
|
Substituted cumbersom ISPEED_OFFSET mechanism for cfsetispeed() calls
|
||||||
|
|
||||||
|
With TCP6-LISTEN and the other passive IPv6 addresses the range option
|
||||||
|
just failed: due to a bug in the syntax parser and two more bugs in
|
||||||
|
the xiocheckrange_ip6() function.
|
||||||
|
The syntax has now been changed from "[::1/128]" to "[::1]/128"!
|
||||||
|
Thanks Leah Neukirchen for sending an initial fix.
|
||||||
|
|
||||||
testing:
|
testing:
|
||||||
test.sh: Show a warning when phase-1 (insecure phase) of a security
|
test.sh: Show a warning when phase-1 (insecure phase) of a security
|
||||||
test fails
|
test fails
|
||||||
|
|
|
@ -2266,8 +2266,8 @@ startdit()
|
||||||
label(OPTION_RANGE)dit(bf(tt(range=<address-range>)))
|
label(OPTION_RANGE)dit(bf(tt(range=<address-range>)))
|
||||||
After accepting a connection, tests if the peer is within em(range). For
|
After accepting a connection, tests if the peer is within em(range). For
|
||||||
IPv4 addresses, address-range takes the form address/bits, e.g.
|
IPv4 addresses, address-range takes the form address/bits, e.g.
|
||||||
10.0.0.0/8, or address:mask, e.g. 10.0.0.0:255.0.0.0 (link(example)(EXAMPLE_OPTION_RANGE)); for IPv6, it is [ip6-address/bits], e.g. [::1/128].
|
10.0.0.0/8, or address:mask, e.g. 10.0.0.0:255.0.0.0 (link(example)(EXAMPLE_OPTION_RANGE)); for IPv6, it is [ip6-address]/bits, e.g. [::1]/128.
|
||||||
If the client address does not match, socat() issues a warning and keeps
|
If the client address does not match, socat() refuses the connection attempt, issues a warning, and keeps
|
||||||
listening/receiving.
|
listening/receiving.
|
||||||
label(OPTION_TCPWRAPPERS)dit(bf(tt(tcpwrap[=<name>])))
|
label(OPTION_TCPWRAPPERS)dit(bf(tt(tcpwrap[=<name>])))
|
||||||
Uses Wietse Venema's libwrap (tcpd) library to determine
|
Uses Wietse Venema's libwrap (tcpd) library to determine
|
||||||
|
|
20
test.sh
20
test.sh
|
@ -5576,7 +5576,7 @@ elif ! feat=$(testaddrs tcp ip6) || ! runsip6 >/dev/null; then
|
||||||
$PRINTF "test $F_n $TEST... ${YELLOW}TCP6 not available${NORMAL}\n" $N
|
$PRINTF "test $F_n $TEST... ${YELLOW}TCP6 not available${NORMAL}\n" $N
|
||||||
numCANT=$((numCANT+1))
|
numCANT=$((numCANT+1))
|
||||||
else
|
else
|
||||||
testserversec "$N" "$TEST" "$opts" "tcp6-l:$PORT,reuseaddr,fork,retry=1" "" "range=[::2/128]" "tcp6:[::1]:$PORT" 6 tcp $PORT 0
|
testserversec "$N" "$TEST" "$opts" "tcp6-l:$PORT,reuseaddr,fork,retry=1" "" "range=[::2]/128" "tcp6:[::1]:$PORT" 6 tcp $PORT 0
|
||||||
fi ;; # NUMCOND, feats
|
fi ;; # NUMCOND, feats
|
||||||
esac
|
esac
|
||||||
PORT=$((PORT+1))
|
PORT=$((PORT+1))
|
||||||
|
@ -5695,8 +5695,8 @@ elif ! feat=$(testaddrs tcp ip6) || ! runsip6 >/dev/null; then
|
||||||
$PRINTF "test $F_n $TEST... ${YELLOW}TCP6 not available${NORMAL}\n" $N
|
$PRINTF "test $F_n $TEST... ${YELLOW}TCP6 not available${NORMAL}\n" $N
|
||||||
numCANT=$((numCANT+1))
|
numCANT=$((numCANT+1))
|
||||||
else
|
else
|
||||||
#testserversec "$N" "$TEST" "$opts" "udp6-l:$PORT,reuseaddr,fork" "" "range=[::2/128]" "udp6:[::1]:$PORT" 6 udp $PORT 0
|
#testserversec "$N" "$TEST" "$opts" "udp6-l:$PORT,reuseaddr,fork" "" "range=[::2]/128" "udp6:[::1]:$PORT" 6 udp $PORT 0
|
||||||
testserversec "$N" "$TEST" "$opts" "udp6-l:$PORT,reuseaddr" "" "range=[::2/128]" "udp6:[::1]:$PORT" 6 udp $PORT 0
|
testserversec "$N" "$TEST" "$opts" "udp6-l:$PORT,reuseaddr" "" "range=[::2]/128" "udp6:[::1]:$PORT" 6 udp $PORT 0
|
||||||
fi ;; # NUMCOND, feats
|
fi ;; # NUMCOND, feats
|
||||||
esac
|
esac
|
||||||
PORT=$((PORT+1))
|
PORT=$((PORT+1))
|
||||||
|
@ -5868,7 +5868,7 @@ elif ! feat=$(testaddrs tcp ip6) || ! runsip6 >/dev/null; then
|
||||||
numCANT=$((numCANT+1))
|
numCANT=$((numCANT+1))
|
||||||
else
|
else
|
||||||
gentestcert6 testsrv6
|
gentestcert6 testsrv6
|
||||||
testserversec "$N" "$TEST" "$opts" "ssl-l:$PORT,pf=ip6,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv6.crt,key=testsrv6.key" "" "range=[::2/128]" "ssl:[::1]:$PORT,cafile=testsrv6.crt,$SOCAT_EGD" 6 tcp $PORT -1
|
testserversec "$N" "$TEST" "$opts" "ssl-l:$PORT,pf=ip6,reuseaddr,fork,retry=1,$SOCAT_EGD,verify=0,cert=testsrv6.crt,key=testsrv6.key" "" "range=[::2]/128" "ssl:[::1]:$PORT,cafile=testsrv6.crt,$SOCAT_EGD" 6 tcp $PORT -1
|
||||||
fi ;; # NUMCOND, feats
|
fi ;; # NUMCOND, feats
|
||||||
esac
|
esac
|
||||||
PORT=$((PORT+1))
|
PORT=$((PORT+1))
|
||||||
|
@ -7483,8 +7483,8 @@ elif ! feat=$(testaddrs tcp ip6) || ! runsip6 >/dev/null; then
|
||||||
$PRINTF "test $F_n $TEST... ${YELLOW}TCP6 not available${NORMAL}\n" $N
|
$PRINTF "test $F_n $TEST... ${YELLOW}TCP6 not available${NORMAL}\n" $N
|
||||||
numCANT=$((numCANT+1))
|
numCANT=$((numCANT+1))
|
||||||
else
|
else
|
||||||
#testserversec "$N" "$TEST" "$opts" "udp6-recvfrom:$PORT,reuseaddr,fork" "" "range=[::2/128]" "udp6-sendto:[::1]:$PORT" 6 udp $PORT 0
|
#testserversec "$N" "$TEST" "$opts" "udp6-recvfrom:$PORT,reuseaddr,fork" "" "range=[::2]/128" "udp6-sendto:[::1]:$PORT" 6 udp $PORT 0
|
||||||
testserversec "$N" "$TEST" "$opts" "udp6-recvfrom:$PORT,reuseaddr" "" "range=[::2/128]" "udp6-sendto:[::1]:$PORT" 6 udp $PORT 0
|
testserversec "$N" "$TEST" "$opts" "udp6-recvfrom:$PORT,reuseaddr" "" "range=[::2]/128" "udp6-sendto:[::1]:$PORT" 6 udp $PORT 0
|
||||||
fi ;; # NUMCOND, feats
|
fi ;; # NUMCOND, feats
|
||||||
esac
|
esac
|
||||||
PORT=$((PORT+1))
|
PORT=$((PORT+1))
|
||||||
|
@ -7562,7 +7562,7 @@ PORT1=$PORT; PORT=$((PORT+1))
|
||||||
PORT2=$PORT
|
PORT2=$PORT
|
||||||
# we use the forward channel (PORT1) for testing, and have a backward channel
|
# we use the forward channel (PORT1) for testing, and have a backward channel
|
||||||
# (PORT2) to get the data back, so we get the classical echo behaviour
|
# (PORT2) to get the data back, so we get the classical echo behaviour
|
||||||
testserversec "$N" "$TEST" "$opts" "udp6-recv:$PORT1,reuseaddr!!udp6-sendto:[::1]:$PORT2" "" "range=[::2/128]" "udp6-recv:$PORT2!!udp6-sendto:[::1]:$PORT1" 6 udp $PORT1 0
|
testserversec "$N" "$TEST" "$opts" "udp6-recv:$PORT1,reuseaddr!!udp6-sendto:[::1]:$PORT2" "" "range=[::2]/128" "udp6-recv:$PORT2!!udp6-sendto:[::1]:$PORT1" 6 udp $PORT1 0
|
||||||
fi ;; # NUMCOND, feats
|
fi ;; # NUMCOND, feats
|
||||||
esac
|
esac
|
||||||
PORT=$((PORT+1))
|
PORT=$((PORT+1))
|
||||||
|
@ -7701,8 +7701,8 @@ elif [ $(id -u) -ne 0 -a "$withroot" -eq 0 ]; then
|
||||||
$PRINTF "test $F_n $TEST... ${YELLOW}must be root${NORMAL}\n" $N
|
$PRINTF "test $F_n $TEST... ${YELLOW}must be root${NORMAL}\n" $N
|
||||||
numCANT=$((numCANT+1))
|
numCANT=$((numCANT+1))
|
||||||
else
|
else
|
||||||
#testserversec "$N" "$TEST" "$opts" "ip6-recvfrom:$PROTO,reuseaddr,fork" "" "range=[::2/128]" "ip6-sendto:[::1]:$PROTO" 6 ip $PROTO 0
|
#testserversec "$N" "$TEST" "$opts" "ip6-recvfrom:$PROTO,reuseaddr,fork" "" "range=[::2]/128" "ip6-sendto:[::1]:$PROTO" 6 ip $PROTO 0
|
||||||
testserversec "$N" "$TEST" "$opts" "ip6-recvfrom:$PROTO,reuseaddr!!udp6-sendto:[::1]:$PORT" "" "range=[::2/128]" "udp6-recv:$PORT!!ip6-sendto:[::1]:$PROTO" 6 ip $PROTO 0
|
testserversec "$N" "$TEST" "$opts" "ip6-recvfrom:$PROTO,reuseaddr!!udp6-sendto:[::1]:$PORT" "" "range=[::2]/128" "udp6-recv:$PORT!!ip6-sendto:[::1]:$PROTO" 6 ip $PROTO 0
|
||||||
fi ;; # NUMCOND, feats
|
fi ;; # NUMCOND, feats
|
||||||
esac
|
esac
|
||||||
PROTO=$((PROTO+1))
|
PROTO=$((PROTO+1))
|
||||||
|
@ -7750,7 +7750,7 @@ PROTO1=$PROTO; PROTO=$((PROTO+1))
|
||||||
PROTO2=$PROTO
|
PROTO2=$PROTO
|
||||||
# we use the forward channel (PROTO1) for testing, and have a backward channel
|
# we use the forward channel (PROTO1) for testing, and have a backward channel
|
||||||
# (PROTO2) to get the data back, so we get the classical echo behaviour
|
# (PROTO2) to get the data back, so we get the classical echo behaviour
|
||||||
testserversec "$N" "$TEST" "$opts" "ip6-recv:$PROTO1,reuseaddr!!ip6-sendto:[::1]:$PROTO2" "" "range=[::2/128]" "ip6-recv:$PROTO2!!ip6-sendto:[::1]:$PROTO1" 6 ip $PROTO1 0
|
testserversec "$N" "$TEST" "$opts" "ip6-recv:$PROTO1,reuseaddr!!ip6-sendto:[::1]:$PROTO2" "" "range=[::2]/128" "ip6-recv:$PROTO2!!ip6-sendto:[::1]:$PROTO1" 6 ip $PROTO1 0
|
||||||
fi ;; # NUMCOND, feats
|
fi ;; # NUMCOND, feats
|
||||||
esac
|
esac
|
||||||
PROTO=$((PROTO+1))
|
PROTO=$((PROTO+1))
|
||||||
|
|
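Review bot: Every converted assertion in these hunks (for example the TCP6 case on the `range=[::2]/128` line) pits a peer of `::1` against a range that excludes it, so the suite only verifies the deny direction of the range option; no test checks that a peer inside the range is still accepted or that a prefix shorter than 128 is masked correctly. The companion xio-ip6.c change in this commit fixes the mask application in xiocheckrange_ip6, and a deny-only check would very likely have passed against the broken mask as well (a garbled `::1` still never equals `::2`), which is presumably how the bug survived this long. If testserversec, which is defined outside these hunks, can only express "phase 2 must be refused", a small positive counterpart is worth adding next to the TCP6 test, e.g. a run with `range=[::1]/128` and one with `range=[::1]/64` that must both succeed in connecting. That would pin the parser change and the mask fix rather than only the rejection path.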
18
xio-ip6.c
18
xio-ip6.c
|
@ -87,23 +87,23 @@ int xioparsenetwork_ip6(const char *rangename, struct xiorange *range) {
|
||||||
union xioin6_u *rangemask = (union xioin6_u *)&range->netmask.ip6.sin6_addr;
|
union xioin6_u *rangemask = (union xioin6_u *)&range->netmask.ip6.sin6_addr;
|
||||||
union xioin6_u *nameaddr = (union xioin6_u *)&sockaddr.ip6.sin6_addr;
|
union xioin6_u *nameaddr = (union xioin6_u *)&sockaddr.ip6.sin6_addr;
|
||||||
|
|
||||||
if (rangename[0] != '[' || rangename[strlen(rangename)-1] != ']') {
|
|
||||||
Error1("missing brackets for IPv6 range definition \"%s\"",
|
|
||||||
rangename);
|
|
||||||
return STAT_NORETRY;
|
|
||||||
}
|
|
||||||
if ((delimpos = strchr(rangename, '/')) == NULL) {
|
if ((delimpos = strchr(rangename, '/')) == NULL) {
|
||||||
Error1("xioparsenetwork_ip6(\"%s\",,): missing mask bits delimiter '/'",
|
Error1("xioparsenetwork_ip6(\"%s\",,): missing mask bits delimiter '/'",
|
||||||
rangename);
|
rangename);
|
||||||
return STAT_NORETRY;
|
return STAT_NORETRY;
|
||||||
}
|
}
|
||||||
delimind = delimpos - rangename;
|
delimind = delimpos - rangename;
|
||||||
|
if (rangename[0] != '[' || rangename[delimind-1] != ']') {
|
||||||
|
Error1("missing brackets for IPv6 range definition \"%s\"",
|
||||||
|
rangename);
|
||||||
|
return STAT_NORETRY;
|
||||||
|
}
|
||||||
|
|
||||||
if ((baseaddr = strdup(rangename+1)) == NULL) {
|
if ((baseaddr = strndup(rangename+1,delimind-2)) == NULL) {
|
||||||
Error1("strdup(\"%s\"): out of memory", rangename+1);
|
Error1("strdup(\"%s\"): out of memory", rangename+1);
|
||||||
return STAT_NORETRY;
|
return STAT_NORETRY;
|
||||||
}
|
}
|
||||||
baseaddr[delimind-1] = '\0';
|
baseaddr[delimind-2] = '\0';
|
||||||
if (xiogetaddrinfo(baseaddr, NULL, PF_INET6, 0, 0, &sockaddr, &sockaddrlen,
|
if (xiogetaddrinfo(baseaddr, NULL, PF_INET6, 0, 0, &sockaddr, &sockaddrlen,
|
||||||
0, 0)
|
0, 0)
|
||||||
!= STAT_OK) {
|
!= STAT_OK) {
|
||||||
|
@ -175,7 +175,7 @@ int xiocheckrange_ip6(struct sockaddr_in6 *pa, struct xiorange *range) {
|
||||||
int i;
|
int i;
|
||||||
char peername[256];
|
char peername[256];
|
||||||
union xioin6_u *rangeaddr = (union xioin6_u *)&range->netaddr.ip6.sin6_addr;
|
union xioin6_u *rangeaddr = (union xioin6_u *)&range->netaddr.ip6.sin6_addr;
|
||||||
union xioin6_u *rangemask = (union xioin6_u *)&range->netmask.ip6;
|
union xioin6_u *rangemask = (union xioin6_u *)&range->netmask.ip6.sin6_addr;
|
||||||
|
|
||||||
Debug16("permitted client subnet: [%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x]:[%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x]",
|
Debug16("permitted client subnet: [%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x]:[%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x]",
|
||||||
htons(rangeaddr->u6_addr16[0]), htons(rangeaddr->u6_addr16[1]),
|
htons(rangeaddr->u6_addr16[0]), htons(rangeaddr->u6_addr16[1]),
|
||||||
|
@ -190,7 +190,7 @@ int xiocheckrange_ip6(struct sockaddr_in6 *pa, struct xiorange *range) {
|
||||||
sockaddr_inet6_info(pa, peername, sizeof(peername)));
|
sockaddr_inet6_info(pa, peername, sizeof(peername)));
|
||||||
|
|
||||||
for (i = 0; i < 4; ++i) {
|
for (i = 0; i < 4; ++i) {
|
||||||
masked.u6_addr32[i] = pa->sin6_addr.s6_addr[i] & rangemask->u6_addr16[i];
|
masked.u6_addr32[i] = pa->sin6_addr.s6_addr32[i] & rangemask->u6_addr32[i];
|
||||||
}
|
}
|
||||||
Debug8("masked address is [%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x]",
|
Debug8("masked address is [%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x]",
|
||||||
htons(masked.u6_addr16[0]), htons(masked.u6_addr16[1]),
|
htons(masked.u6_addr16[0]), htons(masked.u6_addr16[1]),
|
||||||
|
|
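Review bot: The rewritten masking line in xiocheckrange_ip6 reads the peer address as `pa->sin6_addr.s6_addr32[i]`, but `s6_addr32` is not a standard member of `struct in6_addr` — POSIX only guarantees `s6_addr`; the 16/32-bit aliases are a glibc extension and some BSDs appear to expose them only to kernel code — so this hunk may fail to compile on platforms where the rest of socat builds. The declarations a few lines above already sidestep this for the range address and mask by casting to `union xioin6_u`, and the peer should go through the same union for consistency: `union xioin6_u *peeraddr = (union xioin6_u *)&pa->sin6_addr;` next to `rangeaddr`/`rangemask`, and `masked.u6_addr32[i] = peeraddr->u6_addr32[i] & rangemask->u6_addr32[i];` in the loop. That also keeps all three operands of the comparison on the same 32-bit view, which is the property the fix relies on. The body of xiocheckrange_ip6 begins and ends outside the hunks shown, so the placement of the new declaration assumes the declaration block visible in the earlier hunk is the only one.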