Allow setting the internal / external namespace on Linux

Vladimir Dubrovin 2026-05-02 14:49:35 +03:00
parent b87e998e4d
commit 51a82613a6
21 changed files with 623 additions and 205 deletions


@ -121,34 +121,57 @@ udppm</b> UDP portmapper</p>
<p style="margin-left:6%; margin-top: 1em">Options: <b><br>
-p</b><i>NUMBER</i> change default server port to NUMBER
<b><br>
-g(</b><i>GRACE_TRAFF</i><b>,</b><i>GRACE_NUM</i><b>,</b><i>GRACE_DELAY</i>)
delay GRACE_DELAY milliseconds before polling if average
polling size is below GRACE_TRAFF bytes and GRACE_NUM read
operations in a single direction are detected within 1
second. Useful to minimize polling <b>-s</b> <br>
(for admin) secure, allow only secure operations, currently
only traffic counters view without ability to reset. <br>
(for dnspr) simple, do not use resolver and 3proxy cache,
always use external DNS server. <br>
(for udppm) singlepacket, expect only one packet from both
client and server <b><br>
-u</b> Never ask for username/password <b><br>
-u2</b> (for socks) require username/password in
authentication methods <b><br>
-a</b> (for proxy) anonymous proxy (no information about
client reported) <b><br>
-a1</b> (for proxy) anonymous proxy (random client
information reported) <b><br>
-a2</b> (for proxy) generate Via: and X-Forwarded-For:
instead of Forwarded: <b><br>
-6</b> Only resolve IPv6 addresses. IPv4 addresses are
packed in IPv6 in IPV6_V6ONLY compatible way. <b><br>
-4</b> Only resolve IPv4 addresses <b><br>
-46</b> Resolve IPv6 addresses if IPv4 address is not
resolvable <b><br>
-64</b> Resolve IPv4 addresses if IPv6 address is not
resolvable <b><br>
-46</b> Prefer IPv4. Resolve IPv6 addresses if IPv4 address
is not resolvable <b><br>
-64</b> Prefer IPv6. Resolve IPv4 addresses if IPv6 address
is not resolvable <b><br>
-e</b> External address. IP address of the interface the
proxy should initiate connections from. External IP must be
specified if you need incoming connections. By default the
system will decide which address to use in accordance with
the routing table. <b><br>
-i</b> Internal address. IP address the proxy accepts
connections to. By default, connections to any interface are
accepted. Unix domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax. On Linux, abstract
sockets use <i>-iunix:@socketname</i> syntax. <b><br>
-Di</b><i>INTERFACE</i><b>, -De</b><i>INTERFACE</i> bind
internal (<b>-Di</b>) / external (<b>-De</b>) interface to
given INTERFACE (e.g. eth0) if <b>SO_BINDTODEVICE</b> is
supported by the system. You may need to run as root or have
<b>CAP_NET_RAW</b> capability in order to bind to an
interface, depending on the system, so this option may
require root privileges and can be incompatible with some
configuration commands like <b>chroot</b> and <b>setuid</b>
(and <b>daemon</b> if setcap is used). <b><br>
-ni</b><i>PATH</i><b>, -ne</b><i>PATH</i> (Linux only)
Switch to the network namespace identified by the filesystem
path <i>PATH</i> (e.g. <i>/var/run/netns/myns</i> or
<i>/proc/PID/ns/net</i>) for the listening socket
(<b>-ni</b>) or for outgoing connections (<b>-ne</b>). With
<b>-ni</b> the current namespace is saved before opening the
listening socket and restored immediately after binding, so
that the rest of the process (outgoing connections, child
threads) runs in the original namespace unless <b>-ne</b> is
also given. With <b>-ne</b> the process switches to the
specified namespace after the listening socket is bound (and
after restoring from <b>-ni</b> if applicable). Requires
<b>CAP_SYS_ADMIN</b> (or <b>CAP_NET_ADMIN</b> on recent
kernels) and is incompatible with
<b>chroot</b>/<b>setuid</b>/<b>daemon</b> if privileges are
dropped before the switch takes effect. <b><br>
-Ne</b> (for socks) External NAT address (between 3proxy and
destination server) to report to client for CONNECT and
BIND. By default external address is reported. It&rsquo;s
only useful in the case of IP-IP NAT (will not work for
PAT). <b><br>
-Ni</b> (for socks) Internal NAT address (between client and
3proxy) to report to client for UDPASSOC. By default
internal address is reported. It&rsquo;s only useful in the
case of IP-IP NAT (will not work for PAT). <b><br>
-R</b><i>HOST</i><b>:</b><i>port</i> listen on given local
HOST:port for incoming connections instead of making remote
outgoing connection. Can be used with another 3proxy service
@ -171,39 +194,32 @@ TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS,
USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT,
SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE,
SO_DONTROUTE may be supported depending on OS. <b><br>
-Di</b><i>INTERFACE</i><b>, -De</b><i>INTERFACE</i> bind
internal (<b>-Di</b>) / external (<b>-De</b>) interface to
given INTERFACE (e.g. eth0) if <b>SO_BINDTODEVICE</b> is
supported by the system. You may need to run as root or have
<b>CAP_NET_RAW</b> capability in order to bind to an
interface, depending on the system, so this option may
require root privileges and can be incompatible with some
configuration commands like <b>chroot</b> and <b>setuid</b>
(and <b>daemon</b> if setcap is used). <b><br>
-e</b> External address. IP address of the interface the
proxy should initiate connections from. External IP must be
specified if you need incoming connections. By default the
system will decide which address to use in accordance with
the routing table. <b><br>
-i</b> Internal address. IP address the proxy accepts
connections to. By default, connections to any interface are
accepted. Unix domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax. On Linux, abstract
sockets use <i>-iunix:@socketname</i> syntax. <b><br>
-Ne</b> (for socks) External NAT address (between 3proxy and
destination server) to report to client for CONNECT and
BIND. By default external address is reported. It&rsquo;s
only useful in the case of IP-IP NAT (will not work for
PAT). <b><br>
-Ni</b> (for socks) Internal NAT address (between client and
3proxy) to report to client for UDPASSOC. By default
internal address is reported. It&rsquo;s only useful in the
case of IP-IP NAT (will not work for PAT). <b><br>
-H</b> (for all services) Expect HAProxy PROXY protocol v1
header on incoming connection. This allows the proxy to
receive real client IP address from HAProxy or other load
balancer that supports the PROXY protocol. The header must
be sent before any protocol-specific data. <br>
be sent before any protocol-specific data. <b><br>
-g(</b><i>GRACE_TRAFF</i><b>,</b><i>GRACE_NUM</i><b>,</b><i>GRACE_DELAY</i>)
delay GRACE_DELAY milliseconds before polling if average
polling size is below GRACE_TRAFF bytes and GRACE_NUM read
operations in a single direction are detected within 1
second. Useful to minimize polling <b>-s</b> <br>
(for admin) secure, allow only secure operations, currently
only traffic counters view without ability to reset. <br>
(for dnspr) simple, do not use resolver and 3proxy cache,
always use external DNS server. <br>
(for udppm) singlepacket, expect only one packet from both
client and server <b><br>
-u</b> Never ask for username/password <b><br>
-u2</b> (for socks) require username/password in
authentication methods <b><br>
-a</b> (for proxy) anonymous proxy (no information about
client reported) <b><br>
-a1</b> (for proxy) anonymous proxy (random client
information reported) <b><br>
-a2</b> (for proxy) generate Via: and X-Forwarded-For:
instead of Forwarded: <br>
Also, all options mentioned for <b>proxy</b>(8)
<b>socks</b>(8) <b>pop3p</b>(8) <b>tcppm</b>(8)
<b>udppm</b>(8) <b>ftppr</b>(8) <br>


@ -116,23 +116,45 @@ authentication.</p> </td></tr>
the interface the proxy should initiate connections from. By
default, the system will decide which address to use in
accordance with the routing table.</p></td></tr>
</table>
<p style="margin-left:6%;"><b>-ni</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> before opening
the listening socket. The current namespace is saved and
restored immediately after binding, so outgoing connections
run in the original namespace unless <b>-ne</b> is also
given.</p>
<p style="margin-left:6%;"><b>-ne</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> after the
listening socket has been bound (and after restoring from
<b>-ni</b> if applicable). Both options accept any namespace
file path (e.g. <i>/var/run/netns/myns</i> or
<i>/proc/PID/ns/net</i>) and require
<b>CAP_SYS_ADMIN</b>.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">
<p style="margin-top: 1em"><b>-i</b></p></td>
<p><b>-i</b></p></td>
<td width="6%"></td>
<td width="85%">
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/ftppr.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<p>Internal address. IP address the proxy accepts
connections to. By default, connections to any interface are
accepted. It&acute;s usually unsafe. Unix domain sockets can
be specified with <i>-iunix:/path/to/socket</i> syntax
(e.g., -iunix:/var/run/ftppr.sock). On Linux, abstract
sockets use <i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">


@ -116,23 +116,45 @@ authentication.</p> </td></tr>
the interface the proxy should initiate connections from. By
default, the system will decide which address to use in
accordance with the routing table.</p></td></tr>
</table>
<p style="margin-left:6%;"><b>-ni</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> before opening
the listening socket. The current namespace is saved and
restored immediately after binding, so outgoing connections
run in the original namespace unless <b>-ne</b> is also
given.</p>
<p style="margin-left:6%;"><b>-ne</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> after the
listening socket has been bound (and after restoring from
<b>-ni</b> if applicable). Both options accept any namespace
file path (e.g. <i>/var/run/netns/myns</i> or
<i>/proc/PID/ns/net</i>) and require
<b>CAP_SYS_ADMIN</b>.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">
<p style="margin-top: 1em"><b>-i</b></p></td>
<p><b>-i</b></p></td>
<td width="6%"></td>
<td width="85%">
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/pop3p.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<p>Internal address. IP address the proxy accepts
connections to. By default, connections to any interface are
accepted. It&acute;s usually unsafe. Unix domain sockets can
be specified with <i>-iunix:/path/to/socket</i> syntax
(e.g., -iunix:/var/run/pop3p.sock). On Linux, abstract
sockets use <i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">


@ -55,11 +55,11 @@ support.</p>
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-I</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -67,11 +67,11 @@ support.</p>
only.</p> </td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-d</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -79,11 +79,11 @@ only.</p> </td></tr>
console and run in the background.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-t</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -91,11 +91,11 @@ console and run in the background.</p></td></tr>
start/stop/accept error records.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-u</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -103,11 +103,11 @@ start/stop/accept error records.</p></td></tr>
authentication</p> </td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-e</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -115,23 +115,45 @@ authentication</p> </td></tr>
the interface the proxy should initiate connections from. By
default, the system will decide which address to use in
accordance with the routing table.</p></td></tr>
</table>
<p style="margin-left:6%;"><b>-ni</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> before opening
the listening socket. The current namespace is saved and
restored immediately after binding, so outgoing connections
run in the original namespace unless <b>-ne</b> is also
given.</p>
<p style="margin-left:6%;"><b>-ne</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> after the
listening socket has been bound (and after restoring from
<b>-ni</b> if applicable). Both options accept any namespace
file path (e.g. <i>/var/run/netns/myns</i> or
<i>/proc/PID/ns/net</i>) and require
<b>CAP_SYS_ADMIN</b>.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<p style="margin-top: 1em"><b>-i</b></p></td>
<p><b>-i</b></p></td>
<td width="5%"></td>
<td width="85%">
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/proxy.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<p>Internal address. IP address the proxy accepts
connections to. By default, connections to any interface are
accepted. It&acute;s usually unsafe. Unix domain sockets can
be specified with <i>-iunix:/path/to/socket</i> syntax
(e.g., -iunix:/var/run/proxy.sock). On Linux, abstract
sockets use <i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">


@ -116,23 +116,45 @@ authentication.</p> </td></tr>
the interface the proxy should initiate connections from. By
default, the system will decide which address to use in
accordance with the routing table.</p></td></tr>
</table>
<p style="margin-left:6%;"><b>-ni</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> before opening
the listening socket. The current namespace is saved and
restored immediately after binding, so outgoing connections
run in the original namespace unless <b>-ne</b> is also
given.</p>
<p style="margin-left:6%;"><b>-ne</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> after the
listening socket has been bound (and after restoring from
<b>-ni</b> if applicable). Both options accept any namespace
file path (e.g. <i>/var/run/netns/myns</i> or
<i>/proc/PID/ns/net</i>) and require
<b>CAP_SYS_ADMIN</b>.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">
<p style="margin-top: 1em"><b>-i</b></p></td>
<p><b>-i</b></p></td>
<td width="6%"></td>
<td width="85%">
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/smtpp.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<p>Internal address. IP address the proxy accepts
connections to. By default, connections to any interface are
accepted. It&acute;s usually unsafe. Unix domain sockets can
be specified with <i>-iunix:/path/to/socket</i> syntax
(e.g., -iunix:/var/run/smtpp.sock). On Linux, abstract
sockets use <i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">


@ -57,11 +57,11 @@ connections and UDP portmapping.</p>
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-I</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -69,11 +69,11 @@ connections and UDP portmapping.</p>
only.</p> </td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-d</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -81,11 +81,11 @@ only.</p> </td></tr>
console and run in the background.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-t</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -93,11 +93,11 @@ console and run in the background.</p></td></tr>
start/stop/accept error records.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-u</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -105,11 +105,11 @@ start/stop/accept error records.</p></td></tr>
authentication</p> </td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-e</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -118,22 +118,44 @@ the interface the proxy should initiate connections from.
External IP must be specified if you need incoming
connections. By default, the system will decide which
address to use in accordance with the routing table.</p></td></tr>
</table>
<p style="margin-left:6%;"><b>-ni</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> before opening
the listening socket. The current namespace is saved and
restored immediately after binding, so outgoing connections
run in the original namespace unless <b>-ne</b> is also
given.</p>
<p style="margin-left:6%;"><b>-ne</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> after the
listening socket has been bound (and after restoring from
<b>-ni</b> if applicable). Both options accept any namespace
file path (e.g. <i>/var/run/netns/myns</i> or
<i>/proc/PID/ns/net</i>) and require
<b>CAP_SYS_ADMIN</b>.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<p style="margin-top: 1em"><b>-Ne</b></p></td>
<p><b>-Ne</b></p></td>
<td width="5%"></td>
<td width="85%">
<p style="margin-top: 1em">External NAT address 3proxy
reports to client for CONNECT/BIND. This is external address
of NAT between 3proxy and destination server. By default,
the external address is reported. It&rsquo;s only useful in
the case of IP-IP NAT and does not work with port
translation.</p> </td></tr>
<p>External NAT address 3proxy reports to client for
CONNECT/BIND. This is external address of NAT between 3proxy
and destination server. By default, the external address is
reported. It&rsquo;s only useful in the case of IP-IP NAT
and does not work with port translation.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">


@ -104,23 +104,45 @@ start/stop/accept error records.</p></td></tr>
the interface the proxy should initiate connections from. By
default, the system will decide which address to use in
accordance with the routing table.</p></td></tr>
</table>
<p style="margin-left:6%;"><b>-ni</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> before opening
the listening socket. The current namespace is saved and
restored immediately after binding, so outgoing connections
run in the original namespace unless <b>-ne</b> is also
given.</p>
<p style="margin-left:6%;"><b>-ne</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> after the
listening socket has been bound (and after restoring from
<b>-ni</b> if applicable). Both options accept any namespace
file path (e.g. <i>/var/run/netns/myns</i> or
<i>/proc/PID/ns/net</i>) and require
<b>CAP_SYS_ADMIN</b>.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">
<p style="margin-top: 1em"><b>-i</b></p></td>
<p><b>-i</b></p></td>
<td width="6%"></td>
<td width="85%">
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/tcppm.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<p>Internal address. IP address the proxy accepts
connections to. By default, connections to any interface are
accepted. It&acute;s usually unsafe. Unix domain sockets can
be specified with <i>-iunix:/path/to/socket</i> syntax
(e.g., -iunix:/var/run/tcppm.sock). On Linux, abstract
sockets use <i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">


@ -60,11 +60,11 @@ plugin).</p>
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-I</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -72,11 +72,11 @@ plugin).</p>
only.</p> </td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-d</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -84,11 +84,11 @@ only.</p> </td></tr>
console and run in the background.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-t</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -96,11 +96,11 @@ console and run in the background.</p></td></tr>
start/stop/accept error records.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-u</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -108,11 +108,11 @@ start/stop/accept error records.</p></td></tr>
authentication</p> </td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<td width="3%">
<p style="margin-top: 1em"><b>-e</b></p></td>
<td width="5%"></td>
<td width="6%"></td>
<td width="85%">
@ -120,23 +120,45 @@ authentication</p> </td></tr>
the interface the proxy should initiate connections from. By
default, the system will decide which address to use in
accordance with the routing table.</p></td></tr>
</table>
<p style="margin-left:6%;"><b>-ni</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> before opening
the listening socket. The current namespace is saved and
restored immediately after binding, so outgoing connections
run in the original namespace unless <b>-ne</b> is also
given.</p>
<p style="margin-left:6%;"><b>-ne</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> after the
listening socket has been bound (and after restoring from
<b>-ni</b> if applicable). Both options accept any namespace
file path (e.g. <i>/var/run/netns/myns</i> or
<i>/proc/PID/ns/net</i>) and require
<b>CAP_SYS_ADMIN</b>.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<p style="margin-top: 1em"><b>-i</b></p></td>
<p><b>-i</b></p></td>
<td width="5%"></td>
<td width="85%">
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/tlspr.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<p>Internal address. IP address the proxy accepts
connections to. By default, connections to any interface are
accepted. It&acute;s usually unsafe. Unix domain sockets can
be specified with <i>-iunix:/path/to/socket</i> syntax
(e.g., -iunix:/var/run/tlspr.sock). On Linux, abstract
sockets use <i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">


@ -104,19 +104,42 @@ start/stop/accept error records.</p></td></tr>
the interface the proxy should initiate datagrams from. By
default, the system will decide which address to use in
accordance with the routing table.</p></td></tr>
</table>
<p style="margin-left:6%;"><b>-ni</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> before opening
the listening socket. The current namespace is saved and
restored immediately after binding, so outgoing connections
run in the original namespace unless <b>-ne</b> is also
given.</p>
<p style="margin-left:6%;"><b>-ne</b><i>PATH</i></p>
<p style="margin-left:15%;">(Linux only) Switch to the
network namespace identified by <i>PATH</i> after the
listening socket has been bound (and after restoring from
<b>-ni</b> if applicable). Both options accept any namespace
file path (e.g. <i>/var/run/netns/myns</i> or
<i>/proc/PID/ns/net</i>) and require
<b>CAP_SYS_ADMIN</b>.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">
<p style="margin-top: 1em"><b>-i</b></p></td>
<p><b>-i</b></p></td>
<td width="6%"></td>
<td width="85%">
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts datagrams to. By default, connections to any
interface are accepted. It&acute;s usually unsafe.</p></td></tr>
<p>Internal address. IP address the proxy accepts datagrams
to. By default, connections to any interface are accepted.
It&acute;s usually unsafe.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">


@ -122,6 +122,64 @@ UDP portmapper
.B -p\fINUMBER\fR
change default server port to NUMBER
.br
.B -6
Only resolve IPv6 addresses. IPv4 addresses are packed in IPv6 in IPV6_V6ONLY compatible way.
.br
.B -4
Only resolve IPv4 addresses
.br
.B -46
Prefer IPv4. Resolve IPv6 addresses if IPv4 address is not resolvable
.br
.B -64
Prefer IPv6. Resolve IPv4 addresses if IPv6 address is not resolvable
.br
.B -e
External address. IP address of the interface the proxy should initiate connections
from. External IP must be specified if you need incoming connections.
By default the system will decide which address to use in accordance
with the routing table.
.br
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted.
Unix domain sockets can be specified with
.I -iunix:/path/to/socket
syntax. On Linux, abstract sockets use
.I -iunix:@socketname
syntax.
.br
.B -Di\fIINTERFACE\fB, -De\fIINTERFACE\fR
bind internal (\fB-Di\fR) / external (\fB-De\fR) interface to given INTERFACE (e.g. eth0) if \fBSO_BINDTODEVICE\fR is supported by the system. You may need to run as root or have \fBCAP_NET_RAW\fR capability in order to bind to an interface, depending on the system, so this option may require root privileges and can be incompatible with some configuration commands like \fBchroot\fR and \fBsetuid\fR (and \fBdaemon\fR if setcap is used).
.br
.B -ni\fIPATH\fB, -ne\fIPATH\fR
(Linux only) Switch to the network namespace identified by the filesystem path \fIPATH\fR (e.g. \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR) for the listening socket (\fB-ni\fR) or for outgoing connections (\fB-ne\fR).
With \fB-ni\fR the current namespace is saved before opening the listening socket and restored immediately after binding, so that the rest of the process (outgoing connections, child threads) runs in the original namespace unless \fB-ne\fR is also given.
With \fB-ne\fR the process switches to the specified namespace after the listening socket is bound (and after restoring from \fB-ni\fR if applicable).
Requires \fBCAP_SYS_ADMIN\fR (or \fBCAP_NET_ADMIN\fR on recent kernels) and is incompatible with \fBchroot\fR/\fBsetuid\fR/\fBdaemon\fR if privileges are dropped before the switch takes effect.
.br
.B -Ne
(for socks) External NAT address (between 3proxy and destination server) to report to client for CONNECT and BIND. By default external address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT).
.br
.B -Ni
(for socks) Internal NAT address (between client and 3proxy) to report to client for UDPASSOC. By default internal address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT).
.br
.B -R\fIHOST\fB:\fIport\fR
listen on given local HOST:port for incoming connections instead of making remote outgoing connection. Can be used with another 3proxy service running -r option for connect back functionality. Most commonly used with tcppm. HOST can be given as IP or hostname, useful in case of dynamic DNS.
.br
.B -r\fIHOST\fB:\fIport\fR
connect to given remote HOST:port instead of listening local connection on -p or default port. Can be used with another 3proxy service running -R option for connect back functionality. Most commonly used with proxy or socks. HOST can be given as IP or hostname, useful in case of dynamic DNS.
.br
.B -oc\fIOPTIONS\fB, -os\fIOPTIONS\fB, -ol\fIOPTIONS\fB, -or\fIOPTIONS\fB, -oR\fIOPTIONS\fR
options for proxy-to-client (\fB-oc\fR), proxy-to-server (\fB-os\fR), proxy listening (\fB-ol\fR), connect back client (\fB-or\fR), connect back listening (\fB-oR\fR) sockets.
Options like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
.br
.B -H
(for all services) Expect HAProxy PROXY protocol v1 header on incoming connection.
This allows the proxy to receive real client IP address from HAProxy or other
load balancer that supports the PROXY protocol. The header must be sent before
any protocol-specific data.
.br
.B -g(\fIGRACE_TRAFF\fB,\fIGRACE_NUM\fB,\fIGRACE_DELAY\fR)
delay GRACE_DELAY milliseconds before polling if average polling size is below GRACE_TRAFF bytes and GRACE_NUM read operations in a single direction are detected within 1 second. Useful to minimize polling
.B -s
@ -146,58 +204,6 @@ Never ask for username/password
.br
.B -a2
(for proxy) generate Via: and X-Forwarded-For: instead of Forwarded:
.br
.B -6
Only resolve IPv6 addresses. IPv4 addresses are packed in IPv6 in IPV6_V6ONLY compatible way.
.br
.B -4
Only resolve IPv4 addresses
.br
.B -46
Resolve IPv6 addresses if IPv4 address is not resolvable
.br
.B -64
Resolve IPv4 addresses if IPv6 address is not resolvable
.br
.B -R\fIHOST\fB:\fIport\fR
listen on given local HOST:port for incoming connections instead of making remote outgoing connection. Can be used with another 3proxy service running -r option for connect back functionality. Most commonly used with tcppm. HOST can be given as IP or hostname, useful in case of dynamic DNS.
.br
.B -r\fIHOST\fB:\fIport\fR
connect to given remote HOST:port instead of listening local connection on -p or default port. Can be used with another 3proxy service running -R option for connect back functionality. Most commonly used with proxy or socks. HOST can be given as IP or hostname, useful in case of dynamic DNS.
.br
.B -oc\fIOPTIONS\fB, -os\fIOPTIONS\fB, -ol\fIOPTIONS\fB, -or\fIOPTIONS\fB, -oR\fIOPTIONS\fR
options for proxy-to-client (\fB-oc\fR), proxy-to-server (\fB-os\fR), proxy listening (\fB-ol\fR), connect back client (\fB-or\fR), connect back listening (\fB-oR\fR) sockets.
Options like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
.br
.B -Di\fIINTERFACE\fB, -De\fIINTERFACE\fR
bind internal (\fB-Di\fR) / external (\fB-De\fR) interface to given INTERFACE (e.g. eth0) if \fBSO_BINDTODEVICE\fR is supported by the system. You may need to run as root or have \fBCAP_NET_RAW\fR capability in order to bind to an interface, depending on the system, so this option may require root privileges and can be incompatible with some configuration commands like \fBchroot\fR and \fBsetuid\fR (and \fBdaemon\fR if setcap is used).
.br
.B -e
External address. IP address of the interface the proxy should initiate connections
from. External IP must be specified if you need incoming connections.
By default the system will decide which address to use in accordance
with the routing table.
.br
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted.
Unix domain sockets can be specified with
.I -iunix:/path/to/socket
syntax. On Linux, abstract sockets use
.I -iunix:@socketname
syntax.
.br
.B -Ne
(for socks) External NAT address (between 3proxy and destination server) to report to client for CONNECT and BIND. By default external address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT).
.br
.B -Ni
(for socks) Internal NAT address (between client and 3proxy) to report to client for UDPASSOC. By default internal address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT).
.br
.B -H
(for all services) Expect HAProxy PROXY protocol v1 header on incoming connection.
This allows the proxy to receive real client IP address from HAProxy or other
load balancer that supports the PROXY protocol. The header must be sent before
any protocol-specific data.
.br
Also, all options mentioned for
.BR proxy (8)


@ -33,6 +33,24 @@ from.
By default, the system will decide which address to use in accordance
with the routing table.
.TP
.B \-ni\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
before opening the listening socket. The current namespace is saved and restored
immediately after binding, so outgoing connections run in the original namespace
unless
.B \-ne
is also given.
.TP
.B \-ne\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
after the listening socket has been bound (and after restoring from
.B \-ni
if applicable). Both options accept any namespace file path
(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR)
and require \fBCAP_SYS_ADMIN\fR.
.TP
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.


@ -33,6 +33,24 @@ from.
By default, the system will decide which address to use in accordance
with the routing table.
.TP
.B \-ni\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
before opening the listening socket. The current namespace is saved and restored
immediately after binding, so outgoing connections run in the original namespace
unless
.B \-ne
is also given.
.TP
.B \-ne\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
after the listening socket has been bound (and after restoring from
.B \-ni
if applicable). Both options accept any namespace file path
(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR)
and require \fBCAP_SYS_ADMIN\fR.
.TP
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.


@ -31,6 +31,24 @@ from.
By default, the system will decide which address to use in accordance
with the routing table.
.TP
.B \-ni\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
before opening the listening socket. The current namespace is saved and restored
immediately after binding, so outgoing connections run in the original namespace
unless
.B \-ne
is also given.
.TP
.B \-ne\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
after the listening socket has been bound (and after restoring from
.B \-ni
if applicable). Both options accept any namespace file path
(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR)
and require \fBCAP_SYS_ADMIN\fR.
.TP
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.


@ -33,6 +33,24 @@ from.
By default, the system will decide which address to use in accordance
with the routing table.
.TP
.B \-ni\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
before opening the listening socket. The current namespace is saved and restored
immediately after binding, so outgoing connections run in the original namespace
unless
.B \-ne
is also given.
.TP
.B \-ne\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
after the listening socket has been bound (and after restoring from
.B \-ni
if applicable). Both options accept any namespace file path
(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR)
and require \fBCAP_SYS_ADMIN\fR.
.TP
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.


@ -33,6 +33,24 @@ from. External IP must be specified if you need incoming connections.
By default, the system will decide which address to use in accordance
with the routing table.
.TP
.B \-ni\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
before opening the listening socket. The current namespace is saved and restored
immediately after binding, so outgoing connections run in the original namespace
unless
.B \-ne
is also given.
.TP
.B \-ne\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
after the listening socket has been bound (and after restoring from
.B \-ni
if applicable). Both options accept any namespace file path
(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR)
and require \fBCAP_SYS_ADMIN\fR.
.TP
.B -Ne
External NAT address 3proxy reports to client for CONNECT/BIND.
This is external address of NAT between 3proxy and destination server.


@ -28,6 +28,24 @@ from.
By default, the system will decide which address to use in accordance
with the routing table.
.TP
.B \-ni\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
before opening the listening socket. The current namespace is saved and restored
immediately after binding, so outgoing connections run in the original namespace
unless
.B \-ne
is also given.
.TP
.B \-ne\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
after the listening socket has been bound (and after restoring from
.B \-ni
if applicable). Both options accept any namespace file path
(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR)
and require \fBCAP_SYS_ADMIN\fR.
.TP
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.


@ -33,6 +33,24 @@ from.
By default, the system will decide which address to use in accordance
with the routing table.
.TP
.B \-ni\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
before opening the listening socket. The current namespace is saved and restored
immediately after binding, so outgoing connections run in the original namespace
unless
.B \-ne
is also given.
.TP
.B \-ne\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
after the listening socket has been bound (and after restoring from
.B \-ni
if applicable). Both options accept any namespace file path
(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR)
and require \fBCAP_SYS_ADMIN\fR.
.TP
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.


@ -28,6 +28,24 @@ from.
By default, the system will decide which address to use in accordance
with the routing table.
.TP
.B \-ni\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
before opening the listening socket. The current namespace is saved and restored
immediately after binding, so outgoing connections run in the original namespace
unless
.B \-ne
is also given.
.TP
.B \-ne\fIPATH\fR
(Linux only) Switch to the network namespace identified by
.I PATH
after the listening socket has been bound (and after restoring from
.B \-ni
if applicable). Both options accept any namespace file path
(e.g.\& \fI/var/run/netns/myns\fR or \fI/proc/PID/ns/net\fR)
and require \fBCAP_SYS_ADMIN\fR.
.TP
.B -i
Internal address. IP address the proxy accepts datagrams to.
By default, connections to any interface are accepted. It\'s usually unsafe.


@ -22,9 +22,6 @@ base64$(OBJSUFFICS): base64.c
ftp$(OBJSUFFICS): ftp.c proxy.h structures.h
$(CC) $(CFLAGS) ftp.c
#$(COMPATLIBS):
# $(CC) $(CFLAGS) strncasecmp.c
sockgetchar$(OBJSUFFICS): sockgetchar.c proxy.h structures.h
$(CC) $(CFLAGS) sockgetchar.c
@ -131,7 +128,7 @@ redirect$(OBJSUFFICS): redirect.c proxy.h structures.h
hash$(OBJSUFFICS): hash.c proxy.h structures.h
$(CC) $(COUT)hash$(OBJSUFFICS) $(CFLAGS) hash.c
hashtables$(OBJSUFFICS): hashtables.c proxy.h structures.h
hashtables$(OBJSUFFICS): hashtables.c proxy.h structures.h blake2_compat.h
$(CC) $(COUT)hashtables$(OBJSUFFICS) $(CFLAGS) hashtables.c
resolve$(OBJSUFFICS): resolve.c proxy.h structures.h
@ -149,13 +146,13 @@ log$(OBJSUFFICS): log.c proxy.h structures.h
datatypes$(OBJSUFFICS): datatypes.c proxy.h structures.h
$(CC) $(COUT)datatypes$(OBJSUFFICS) $(CFLAGS) datatypes.c
3proxy_crypt$(OBJSUFFICS): 3proxy_crypt.c
3proxy_crypt$(OBJSUFFICS): 3proxy_crypt.c blake2_compat.h
$(CC) $(COUT)3proxy_crypt$(OBJSUFFICS) $(CFLAGS) 3proxy_crypt.c
3proxy_cryptmain$(OBJSUFFICS): 3proxy_crypt.c
3proxy_cryptmain$(OBJSUFFICS): 3proxy_crypt.c blake2_compat.h
$(CC) $(COUT)3proxy_cryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN 3proxy_crypt.c
blake2$(OBJSUFFICS): libs/blake2.h libs/blake2-impl.h libs/blake2b-ref.c
blake2$(OBJSUFFICS): libs/blake2b-ref.c
$(CC) $(COUT)blake2$(OBJSUFFICS) $(CFLAGS) libs/blake2b-ref.c
$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS): blake2$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS) base64$(OBJSUFFICS)
@ -164,13 +161,13 @@ $(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS): blake2$(OBJSUFFICS) 3proxy_cryptma
stringtable$(OBJSUFFICS): stringtable.c
$(CC) $(COUT)stringtable$(OBJSUFFICS) $(CFLAGS) stringtable.c
ssllib$(OBJSUFFICS): ssllib.c
ssllib$(OBJSUFFICS): ssllib.c structures.h proxy.h ssl.h
$(CC) $(COUT)ssllib$(OBJSUFFICS) $(CFLAGS) ssllib.c
ssl$(OBJSUFFICS): ssl.c
ssl$(OBJSUFFICS): ssl.c structures.h proxy.h ssl.h
$(CC) $(COUT)ssl$(OBJSUFFICS) $(CFLAGS) ssl.c
pcre$(OBJSUFFICS): pcre.c
pcre$(OBJSUFFICS): pcre.c structures.h
$(CC) $(COUT)pcre$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITH_PCRE pcre.c
$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) udpsockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(SSL_OBJS) $(PCRE_OBJS) $(COMPATLIBS) $(VERSIONDEP)


@ -7,6 +7,9 @@
*/
#include "proxy.h"
#ifdef __linux__
#include <sched.h>
#endif
#define param ((struct clientparam *) p)
#ifdef _WIN32
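Review bot: glibc's `<sched.h>` declares `setns()` and `CLONE_NEWNET` only when `_GNU_SOURCE` is defined before the first system header is included; nothing in this hunk defines it, and whether `proxy.h` or the build flags do is not visible here. Without it the `setns()` calls added later in this file compile as implicit declarations (an error on current GCC/Clang) and `CLONE_NEWNET` is undefined. If it is not already guaranteed by the build, add `#define _GNU_SOURCE` above `#include "proxy.h"` under the same `__linux__` guard, or pass it in `CFLAGS`.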
@ -209,6 +212,10 @@ static void freesrvstrings(struct srvparam *srv, unsigned char *cbc_string, unsi
if(srv->ibindtodevice) myfree(srv->ibindtodevice);
if(srv->obindtodevice) myfree(srv->obindtodevice);
#endif
#ifdef __linux__
if(srv->inetns) myfree(srv->inetns);
if(srv->onetns) myfree(srv->onetns);
#endif
}
#ifndef MODULEMAINFUNC
@ -256,6 +263,9 @@ int MODULEMAINFUNC (int argc, char** argv){
FILE *fp = NULL;
struct linger lg;
int nlog = 5000;
#ifdef __linux__
int saved_nsfd = -1;
#endif
char loghelp[] =
#ifdef STDMAIN
#ifndef _WIN32
@ -438,6 +448,12 @@ int MODULEMAINFUNC (int argc, char** argv){
else if(argv[i][3] == 'i') getip46(46, (unsigned char *)argv[i]+3, (struct sockaddr *)&srv.intNat);
else getip46(46, (unsigned char *)argv[i]+2, (struct sockaddr *)&srv.extNat);
break;
#ifdef __linux__
case 'n':
if(argv[i][2] == 'i') { if(srv.inetns) myfree(srv.inetns); srv.inetns = mystrdup(argv[i] + 3); }
else if(argv[i][2] == 'e') { if(srv.onetns) myfree(srv.onetns); srv.onetns = mystrdup(argv[i] + 3); }
break;
#endif
case 'p':
*SAPORT(&srv.intsa) = htons(atoi(argv[i]+2));
break;
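Review bot: A third character other than `i` or `e` (e.g. `-nx`) falls out of the `case 'n'` silently, so a mistyped option is accepted without effect; the other option cases are not visible here, but if the file reports unknown options in its `default` branch this one should do the same, e.g. `else goto unknown_option;` or a `dolog()` of the offending `argv[i]` before `break;`. On non-Linux builds the whole case is compiled out, so `-ni`/`-ne` there reach whatever the `default` does, which is consistent but worth a comment in the option help. The enclosing `switch` and `MODULEMAINFUNC` continue outside the hunk.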
@ -655,6 +671,33 @@ int MODULEMAINFUNC (int argc, char** argv){
#ifdef __linux__
if(srv.inetns) {
saved_nsfd = open("/proc/self/ns/net", O_RDONLY);
if(saved_nsfd == -1) {
dolog(&defparam, (unsigned char *)"failed to open /proc/self/ns/net");
freesrvstrings(&srv, cbc_string, cbl_string);
return -13;
}
{
int nsfd = open(srv.inetns, O_RDONLY);
if(nsfd == -1) {
dolog(&defparam, (unsigned char *)"failed to open inetns");
close(saved_nsfd);
freesrvstrings(&srv, cbc_string, cbl_string);
return -13;
}
if(setns(nsfd, CLONE_NEWNET)) {
dolog(&defparam, (unsigned char *)"failed to setns inetns");
close(nsfd);
close(saved_nsfd);
freesrvstrings(&srv, cbc_string, cbl_string);
return -13;
}
close(nsfd);
}
}
#endif
if (!iscbc) {
if(srv.srvsock == INVALID_SOCKET){
if(!isudp){
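Review bot: Once `saved_nsfd` is open, every error return in the existing socket/bind/listen code between this hunk and the restore block later in the function leaves the descriptor open, because only the restore block closes it; that code is not visible here, but if it follows the same `freesrvstrings(...); return -N;` pattern as this hunk, each failed service start leaks one fd for the life of the process. Consider routing those returns through a cleanup label (or closing `saved_nsfd` inside `freesrvstrings()`) so that `if(saved_nsfd != -1) close(saved_nsfd);` runs on every path after this point. The four `dolog()` messages here (and the three in the restore/`onetns` block) omit `errno`, which is exactly what an operator needs to tell a wrong namespace path (`ENOENT`) from a missing `CAP_SYS_ADMIN` (`EPERM`); formatting `strerror(errno)` into the message through the `buf` scratch buffer the function already logs with would make the failure actionable. `MODULEMAINFUNC` continues outside the hunk.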
@ -750,6 +793,33 @@ int MODULEMAINFUNC (int argc, char** argv){
dolog(&defparam, buf);
}
}
#ifdef __linux__
if(saved_nsfd != -1) {
if(setns(saved_nsfd, CLONE_NEWNET)) {
dolog(&defparam, (unsigned char *)"failed to restore netns");
close(saved_nsfd);
freesrvstrings(&srv, cbc_string, cbl_string);
return -14;
}
close(saved_nsfd);
saved_nsfd = -1;
}
if(srv.onetns) {
int nsfd = open(srv.onetns, O_RDONLY);
if(nsfd == -1) {
dolog(&defparam, (unsigned char *)"failed to open onetns");
freesrvstrings(&srv, cbc_string, cbl_string);
return -14;
}
if(setns(nsfd, CLONE_NEWNET)) {
dolog(&defparam, (unsigned char *)"failed to setns onetns");
close(nsfd);
freesrvstrings(&srv, cbc_string, cbl_string);
return -14;
}
close(nsfd);
}
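Review bot: The `-R` connect-back listening socket (`srv.cbsock`, created in the `iscbl` block right after this hunk) is opened after the namespace has been restored or switched to `onetns`, so `-ni` does not apply to it even though the man page in this commit describes `-ni` as applying to "the listening socket"; either move the restore below the `iscbl` block or state the exception in the documentation. Also worth a comment here that `setns(CLONE_NEWNET)` changes only the calling thread: the switch to `onetns` presumably covers the client threads this service spawns afterwards, but not other services or the configuration thread, e.g. `/* setns() affects this thread and threads created from it only */`. The enclosing function continues outside the hunk.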
#endif
if(iscbl){
parsehost(srv.family, cbl_string, (struct sockaddr *)&cbsa);
if((srv.cbsock=srv.so._socket(srv.so.state, SASOCK(&cbsa), SOCK_STREAM, IPPROTO_TCP))==INVALID_SOCKET) {
@ -1165,6 +1235,10 @@ void srvfree(struct srvparam * srv){
#if defined SO_BINDTODEVICE || defined IP_BOUND_IF
if(srv->ibindtodevice) myfree(srv->ibindtodevice);
if(srv->obindtodevice) myfree(srv->obindtodevice);
#endif
#ifdef __linux__
if(srv->inetns) myfree(srv->inetns);
if(srv->onetns) myfree(srv->onetns);
#endif
if(srv->so.freefunc) srv->so.freefunc(srv->so.state);
}


@ -557,6 +557,10 @@ struct srvparam {
#if defined SO_BINDTODEVICE || defined IP_BOUND_IF
char * ibindtodevice;
char * obindtodevice;
#endif
#ifdef __linux__
char * inetns;
char * onetns;
#endif
struct auth *authenticate;
struct pollfd * srvfds;
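Review bot: The two new fields carry no comment saying what they hold or who owns the string, unlike the option they implement; a one-liner each would help the next reader, e.g. `char * inetns; /* -ni: netns path the listening socket is bound in; malloc'd, freed in srvfree() */` and `char * onetns; /* -ne: netns path switched to after bind; malloc'd, freed in srvfree() */`. `struct srvparam` continues outside the hunk.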