From 875fa488c9e70879429c2965127956ce3c54b456 Mon Sep 17 00:00:00 2001
From: Paul Schroeder
Date: Fri, 18 Mar 2022 17:59:29 +0100
Subject: [PATCH 1/4] add option and description

Signed-off-by: Paul Schroeder
---
 example.cfg | 2 ++
 sslhconf.cfg | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/example.cfg b/example.cfg
index 2542420..76383ca 100644
--- a/example.cfg
+++ b/example.cfg
@@ -60,6 +60,8 @@ listen:
 # fork: Should a new process be forked for this protocol?
 # (only useful for sslh-select)
 # tfo_ok: Set to true if the server supports TCP FAST OPEN
+# resolve_on_forward: Set to true if server address should be resolved on
+# (every) incoming connection (again)
 # transparent: Set to true to proxy this protocol
 # transparently (server sees the remote client IP
 # address). Same as the global option, but per-protocol
diff --git a/sslhconf.cfg b/sslhconf.cfg
index a0ad4ec..776d98f 100644
--- a/sslhconf.cfg
+++ b/sslhconf.cfg
@@ -108,8 +108,10 @@ config: {
 { name: "fork"; type: "bool"; default: false },
 { name: "tfo_ok"; type: "bool"; default: false;
 description: "Set to true if this protocol supports TCP FAST OPEN" },
- { name: "transparent"; type: "bool"; default: false;
+ { name: "transparent"; type: "bool"; default: false;
 description: "Set to proxy this protocol transparently" },
+ { name: "resolve_on_forward"; type: "bool"; default: false;
+ description: "Set to true if server address should be resolved on (every) incoming connection (again)" },
 { name: "log_level"; type: "int"; default: 1 },
 { name: "keepalive"; type: "bool"; default: false },
 { name: "sni_hostnames",
From 87577ae5f694aaad8513fb268d100de3e15b6f98 Mon Sep 17 00:00:00 2001
From: Paul Schroeder
Date: Fri, 18 Mar 2022 17:59:54 +0100
Subject: [PATCH 2/4] add functionality

Signed-off-by: Paul Schroeder
---
 common.c | 5 +++++
 sslh-main.c | 9 +++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/common.c b/common.c
index 1be58e9..b3251d8 100644
--- a/common.c
+++ b/common.c
@@ -319,6 +319,11 @@ int connect_addr(struct connection *cnx, int fd_from, connect_blocking blocking)
 res = getpeername(fd_from, from.ai_addr, &from.ai_addrlen);
 CHECK_RES_RETURN(res, "getpeername", res);
 
+ if (cfg.protocols.resolve_on_forward) {
+ resolve_split_name(&(cnx->proto->saddr), cnx->proto->host,
+ cnx->proto->port);
+ }
+
 for (a = cnx->proto->saddr; a; a = a->ai_next) {
 /* When transparent, make sure both connections use the same address family */
 if (transparent && a->ai_family != from.ai_addr->sa_family)
diff --git a/sslh-main.c b/sslh-main.c
index 9f326a5..3fe16d9 100644
--- a/sslh-main.c
+++ b/sslh-main.c
@@ -124,8 +124,13 @@ static void config_protocols()
 int i;
 for (i = 0; i < cfg.protocols_len; i++) {
 struct sslhcfg_protocols_item* p = &(cfg.protocols[i]);
- if (resolve_split_name(&(p->saddr), p->host, p->port)) {
- print_message(msg_config_error, "cannot resolve %s:%s\n", p->host, p->port);
+
+ if (
+ !cfg.protocols.resolve_on_forward &&
+ resolve_split_name(&(p->saddr), p->host, p->port)
+ ) {
+ print_message(msg_config_error, "cannot resolve %s:%s\n",
+ p->host, p->port);
 exit(4);
 }
 
From 3f5c81d2f605595e0e501953940f8b1fcc8e5fe1 Mon Sep 17 00:00:00 2001
From: Paul Schroeder
Date: Fri, 18 Mar 2022 18:03:58 +0100
Subject: [PATCH 3/4] be more clearly

Signed-off-by: Paul Schroeder
---
 example.cfg | 2 +-
 sslhconf.cfg | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/example.cfg b/example.cfg
index 76383ca..6f0585f 100644
--- a/example.cfg
+++ b/example.cfg
@@ -61,7 +61,7 @@ listen:
 # (only useful for sslh-select)
 # tfo_ok: Set to true if the server supports TCP FAST OPEN
 # resolve_on_forward: Set to true if server address should be resolved on
-# (every) incoming connection (again)
+# (every) newly incoming connection (again)
 # transparent: Set to true to proxy this protocol
 # transparently (server sees the remote client IP
 # address). Same as the global option, but per-protocol
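Review bot: The added `resolve_split_name(&(cnx->proto->saddr), cnx->proto->host, cnx->proto->port);` in connect_addr discards its return value, while the identical call in config_protocols treats non-zero as "cannot resolve" and exits; here a failed lookup leaves cnx->proto->saddr at whatever it held before (unset when the startup lookup was skipped for this option), and the for loop that follows silently tries no address at all. Check it the way the existing code does, e.g. `if (resolve_split_name(&(cnx->proto->saddr), cnx->proto->host, cnx->proto->port)) { print_message(msg_config_error, "cannot resolve %s:%s\n", cnx->proto->host, cnx->proto->port); return -1; }` (the failure value matching what CHECK_RES_RETURN propagates from getpeername). If resolve_split_name builds a fresh address list on each call — it is not visible here, but it presumably wraps getaddrinfo — the list it overwrites is never released, so a long-running single-process sslh-select leaks one list per forwarded connection; release the previous list before re-resolving. The lookup also now runs synchronously on the accept path, so a slow or unreachable resolver stalls connect_addr and, in the select variant, every other connection with it — worth a sentence next to the option in example.cfg so operators know the trade-off. The same unchecked call survives in the common.c hunk of patch 4/4, and connect_addr continues outside this hunk.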
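Review bot: With the option set, config_protocols now skips the startup lookup entirely, so a mistyped host or port in the config is no longer diagnosed at load time and p->saddr stays unset until the first forwarded connection. Resolving once unconditionally and only gating the exit keeps that early check: change the condition back to `if (resolve_split_name(&(p->saddr), p->host, p->port)) {` and the abort to `if (!p->resolve_on_forward) exit(4);` (patch 4/4 spells the flag as `p->resolve_on_forward`), so the message is still printed and only deferred-resolution protocols continue. The split `if (` with its operands and closing paren on separate lines is unlike the single-line conditions elsewhere in this file, as the removed line shows; a one-line condition reads more consistently. config_protocols starts outside this hunk.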
diff --git a/sslhconf.cfg b/sslhconf.cfg
index 776d98f..f0aca35 100644
--- a/sslhconf.cfg
+++ b/sslhconf.cfg
@@ -111,7 +111,7 @@ config: {
 { name: "transparent"; type: "bool"; default: false;
 description: "Set to proxy this protocol transparently" },
 { name: "resolve_on_forward"; type: "bool"; default: false;
- description: "Set to true if server address should be resolved on (every) incoming connection (again)" },
+ description: "Set to true if server address should be resolved on (every) newly incoming connection (again)" },
 { name: "log_level"; type: "int"; default: 1 },
 { name: "keepalive"; type: "bool"; default: false },
 { name: "sni_hostnames",
From 78bc954769ed1732dd3a79778f99ccbac22b01af Mon Sep 17 00:00:00 2001
From: Paul Schroeder
Date: Sat, 19 Mar 2022 23:18:29 +0100
Subject: [PATCH 4/4] review

Signed-off-by: Paul Schroeder
---
 common.c | 2 +-
 sslh-main.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/common.c b/common.c
index b3251d8..a9916d9 100644
--- a/common.c
+++ b/common.c
@@ -319,7 +319,7 @@ int connect_addr(struct connection *cnx, int fd_from, connect_blocking blocking)
 res = getpeername(fd_from, from.ai_addr, &from.ai_addrlen);
 CHECK_RES_RETURN(res, "getpeername", res);
 
- if (cfg.protocols.resolve_on_forward) {
+ if (cnx->proto->resolve_on_forward) {
 resolve_split_name(&(cnx->proto->saddr), cnx->proto->host,
 cnx->proto->port);
 }
diff --git a/sslh-main.c b/sslh-main.c
index 3fe16d9..05acba2 100644
--- a/sslh-main.c
+++ b/sslh-main.c
@@ -126,7 +126,7 @@ static void config_protocols()
 struct sslhcfg_protocols_item* p = &(cfg.protocols[i]);
 
 if (
- !cfg.protocols.resolve_on_forward &&
+ !p->resolve_on_forward &&
 resolve_split_name(&(p->saddr), p->host, p->port)
 ) {
 print_message(msg_config_error, "cannot resolve %s:%s\n",