FreeBSD Bugzilla – Bug 153568
[patch] security/stunnel: enables transparent configuration option through application of IP_BINDANY
Last modified: 2011-01-04 16:43:55 UTC
There is a transparency option for stunnel that doesn't work in FreeBSD, as it uses a kernel call that isn't supported in FreeBSD. FreeBSD 8 has the correct code for this to operate as designed; however, it should be using IP_BINDANY.
http://www.stunnel.org/faq/stunnel.html (look for "transparent")
Fix:
add/change 'transparency = yes' to stunnel.conf
add/change 'setuid = root' to stunnel.conf
add/change 'setgid = wheel' to stunnel.conf
pf rules are believed to be required as an end-to-end solution; however, this will allow the 'transparent' option to work.
How-To-Repeat:
install security/stunnel
add/change 'transparency = yes' to stunnel.conf
It should fail with this error when the network connection is used through stunnel:
local_bind (original port): Can't assign requested address (49)
With included patch, this error will come up if 'setuid' and 'setgid' are not configured as described below:
setsockopt IP_BINDANY: Operation not permitted (1)
Over to maintainer (via the GNATS Auto Assign Tool)
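The two errors quoted in the report, reproduced as an added example (not code from the PR or from the committed port patch): bind() to an address that is not configured locally fails, and the socket option that permits it must be set before bind() and needs privilege. The names bind_source and NONLOCAL_OPT, the address 192.0.2.1, and the use of Linux's IP_TRANSPARENT where IP_BINDANY is not defined are assumptions made so the example also builds off FreeBSD.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* FreeBSD 8+ defines IP_BINDANY. IP_TRANSPARENT is Linux's counterpart and is
 * used here only so the example builds off FreeBSD (assumption). */
#ifdef IP_BINDANY
#define NONLOCAL_OPT IP_BINDANY
#else
#define NONLOCAL_OPT IP_TRANSPARENT
#endif

enum step { STEP_OK, STEP_SOCKET, STEP_SETSOCKOPT, STEP_BIND };
struct result { enum step step; int err; };  /* failing step and its errno */

/* Try to bind a TCP socket to `ip`, which need not be configured locally. */
struct result bind_source(const char *ip, int want_nonlocal)
{
    struct result r = { STEP_OK, 0 };
    struct sockaddr_in sa;
    int on = 1, fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0) { r.step = STEP_SOCKET; r.err = errno; return r; }
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    inet_pton(AF_INET, ip, &sa.sin_addr);
    /* The option is privileged and has to be set before bind(). */
    if (want_nonlocal && setsockopt(fd, IPPROTO_IP, NONLOCAL_OPT, &on, sizeof on) < 0) {
        r.step = STEP_SETSOCKOPT; r.err = errno;   /* EPERM without privilege */
    } else if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        r.step = STEP_BIND; r.err = errno;         /* EADDRNOTAVAIL if non-local */
    }
    close(fd);
    return r;
}

int main(void)
{
    /* 192.0.2.1 is a constructed documentation address (TEST-NET-1). */
    struct result a = bind_source("192.0.2.1", 0), b = bind_source("192.0.2.1", 1);
    printf("plain bind:  step=%d errno=%d (%s)\n", a.step, a.err, strerror(a.err));
    printf("with option: step=%d errno=%d (%s)\n", b.step, b.err, strerror(b.err));
    return 0;
}
```

Run unprivileged, the second call stops at the setsockopt step; run with the required privilege, it reaches bind() and succeeds, which is why the report pairs the option with 'setuid = root'.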
roam 2011-01-04 16:37:24 UTC
FreeBSD ports repository
security/stunnel Makefile distinfo
Implement transparent proxying using the IP_BINDANY option if available in
a way a bit different (and a bit more generic) than the one in the PR.
While I'm here, declare the GPL-2+ license and remove the MD5 checksum.
Submitted by: Jason Helfman <email@example.com>
Revision  Changes  Path
1.101     +5 -1    ports/security/stunnel/Makefile
1.56      +0 -1    ports/security/stunnel/distinfo
1.4       +29 -0   ports/security/stunnel/files/patch-src::client.c (new)
1.8       +22 -5   ports/security/stunnel/files/patch-src::common.h
I've committed a similar patch in stunnel-4.34_2.
Thanks for your work on FreeBSD!