Bug 153568 - [patch] security/stunnel: enables transparent configuration option through application of IP_BINDANY
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any / OS: Any
Importance: Normal (Affects Only Me)
Assigned To: roam
Reported: 2010-12-30 23:30 UTC by jhelfman
Modified: 2011-01-04 16:43 UTC (History)
Attachments
file.diff (1.60 KB, patch)
2010-12-30 23:30 UTC, jhelfman

Description jhelfman 2010-12-30 23:30:09 UTC
There is a transparency option for stunnel that doesn't work in FreeBSD, as it is using a kernel call that isn't supported in FreeBSD. FreeBSD 8 has the correct code for this to operate as designed; however, it should be using IP_BINDANY.
http://www.stunnel.org/faq/stunnel.html (look for "transparent")

Fix: add/change 'transparency = yes' to stunnel.conf
add/change 'setuid = root' to stunnel.conf
add/change 'setgid = wheel' to stunnel.conf
start service
pf rules are believed to be required for an end-to-end solution; however, this will allow the 'transparent' option to work.
How-To-Repeat: install security/stunnel
add/change 'transparency = yes' to stunnel.conf
start service

should fail with this error, when the network connection is used through stunnel:
local_bind (original port): Can't assign requested address (49)

With included patch, this error will come up if 'setuid' and 'setgid' are not configured as described below:
setsockopt IP_BINDANY: Operation not permitted (1)
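Added example (not the PR's attached patch, the committed port patch, or stunnel's own code) showing the socket-level behaviour behind the two errors quoted above: set_bind_any() applies IP_BINDANY where the platform defines it and IP_TRANSPARENT on Linux, try_nonlocal_bind() binds a socket to a constructed non-local address with and without that option, and explain_bind_error() maps each errno to the stunnel.conf change this PR describes. The function names and the TEST-NET-1 address are assumptions.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Allow binding a non-local source address as the committed port patch does:
 * IP_BINDANY on FreeBSD, IP_TRANSPARENT on Linux (EPERM without root). */
int set_bind_any(int fd)
{
    int one = 1;
#if defined(IP_BINDANY)
    return setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof one);
#elif defined(IP_TRANSPARENT)
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one);
#else
    errno = ENOPROTOOPT; (void)one;   /* platform has neither option */
    return -1;
#endif
}

/* Bind a fresh TCP socket to a constructed non-local address (192.0.2.1,
 * TEST-NET-1), optionally asking for bind-any first; 0 or the failing errno. */
int try_nonlocal_bind(int want_bind_any)
{
    int err = 0, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    if (want_bind_any && set_bind_any(fd) < 0) {
        err = errno;        /* "setsockopt IP_BINDANY: Operation not permitted" */
    } else {
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(0xC0000201u);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
            err = errno;    /* "local_bind: Can't assign requested address" */
    }
    close(fd);
    return err;
}

/* The stunnel.conf change each error quoted in the PR points at. */
const char *explain_bind_error(int err)
{
    if (err == EADDRNOTAVAIL)
        return "socket lacks IP_BINDANY/IP_TRANSPARENT: use the patched port with transparent = yes";
    if (err == EPERM)
        return "IP_BINDANY refused without root: set setuid = root and setgid = wheel";
    return NULL;
}
```

On FreeBSD the two errno values are 49 and 1, matching the numbers in the messages above; on Linux the same conditions map to EADDRNOTAVAIL and EPERM with different numeric values.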
Comment 1 Edwin Groothuis freebsd_committer 2010-12-30 23:30:17 UTC
Responsible Changed
From-To: freebsd-ports-bugs->roam

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter freebsd_committer 2011-01-04 16:37:29 UTC
roam        2011-01-04 16:37:24 UTC

  FreeBSD ports repository

  Modified files:
    security/stunnel     Makefile distinfo 
    security/stunnel/files patch-src::common.h 
  Added files:
    security/stunnel/files patch-src::client.c 
  Log:
  Implement transparent proxying using the IP_BINDANY option if available in
  a way a bit different (and a bit more generic) than the one in the PR.
  While I'm here, declare the GPL-2+ license and remove the MD5 checksum.
  
  PR:             153568
  Submitted by:   Jason Helfman <jhelfman@experts-exchange.com>
  
  Revision  Changes    Path
  1.101     +5 -1      ports/security/stunnel/Makefile
  1.56      +0 -1      ports/security/stunnel/distinfo
  1.4       +29 -0     ports/security/stunnel/files/patch-src::client.c (new)
  1.8       +22 -5     ports/security/stunnel/files/patch-src::common.h
Comment 3 roam freebsd_committer 2011-01-04 16:43:33 UTC
State Changed
From-To: open->closed

I've committed a similar patch in stunnel-4.34_2. 
Thanks for your work on FreeBSD!