Hi all,
Using socksify (from the security/dante port) in combination with
pledged programs doesn't go very well. For those who don't know,
socksify makes programs communicate through a SOCKS proxy by using
LD_PRELOAD.

Example:

    # pkg_add dante # No configuration necessary for this example
    $ socksify ftp -o /dev/null https://example.org/
    Trying 93.184.216.34...
    Abort trap (core dumped)
    $ dmesg | tail -1
    ftp[14267]: pledge "inet", syscall 118

Using gdb and reading the code, I found that a call to getsockopt()
related to multicast stuff in the dante code is to blame:

lib/socket.c, line 699:

    683 int
    684 socks_socketisforlan(s)
    685    const int s;
    686 {
    ...
    693    /*
    694     * make an educated guess as to whether the socket is intended for
    695     * lan-only use or not.
    696     */
    697
    698    len = sizeof(addr);
    699    if (getsockopt(s, IPPROTO_IP, IP_MULTICAST_IF, &addr, &len) != 0) {
    700       slog(LOG_DEBUG, "%s: getsockopt(IP_MULTICAST_IF) failed: %s",
    701            function, strerror(errno));
    702
    703       errno = errno_s;
    704       return 0;
    705    }

(The socks_socketisforlan() function is called in Rconnect() located
in lib/Rconnect.c.)

What would be the best way forward here? Patch away the code that calls
getsockopt(IP_MULTICAST_IF)? Something else? I don't have any good
ideas, in part because I don't know enough about why dante cares about
this, and because I'm not a multicast expert.

Caspar
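
A stand-alone reproducer for the failure described in the message above, added here as an example; it is not dante's code and not part of the original post. The helper name probe_multicast_if() and the promise string "stdio inet" are assumptions made for the demo; on OpenBSD the program is expected to be killed at the getsockopt() call with the same kind of dmesg line as shown above, while on other systems the pledge step is compiled out.

```c
/* Added example: stand-alone reproducer, not dante's code. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Hypothetical helper issuing the same call as lib/socket.c line 699.
 * Returns 1 if the option could be read, 0 if getsockopt() failed
 * (errno is restored on failure, as in the excerpt).
 */
int
probe_multicast_if(int s)
{
    struct in_addr addr;
    socklen_t len = sizeof(addr);
    const int errno_s = errno;

    if (getsockopt(s, IPPROTO_IP, IP_MULTICAST_IF, &addr, &len) != 0) {
        errno = errno_s;
        return 0;
    }
    return 1;
}

int
main(void)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);

    if (s == -1) {
        perror("socket");
        return 1;
    }
#ifdef __OpenBSD__
    /* Assumed promise set for the demo; not taken from ftp's source. */
    if (pledge("stdio inet", NULL) == -1) {
        perror("pledge");
        return 1;
    }
#endif
    /* Under pledge this call is where the process is expected to abort. */
    printf("probe returned %d\n", probe_multicast_if(s));
    close(s);
    return 0;
}
```

If this aborts without socksify in the picture, the kill comes from the getsockopt() call itself rather than from anything else the preloaded library does.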