Subject: Re: Stunnel - Transparent proxy
To: Hendra Widarta <hwidarta@yahoo.com>
From: mouss <usebsd@free.fr>
List: tech-net
Date: 02/28/2002 15:38:31
At 07:13 23/02/02 -0800, Hendra Widarta wrote:
>I installed stunnel-3.22 on NetBSD-1.5.2.
>But it seems stunnel can not use (-T) transparent proxy for NetBSD.
>The error message:
>stunnel[16636]: bind transparent: Can't assign requested address (49)
You can't bind to an address not configured on your system.
In netinet/in_pcb.c, the bind related code calls ifa_ifwithaddr() to get the
interface for the address. this returns NULL, wich gives you a EADDRNOTAVAIL
error.
Changing this (assuming it is desirable which is far from certain) is not
easy, as
you need to make sure that:
- only "authorized" processes can do so (otherwise, any user would spoof
tcp packets)
- the reply is redirected to the socket (for example using ipnat or a
similar mechanism).
>I want correct src IP in the logfiles.
>
>Anyone have any suggestions?
The easiest way I see is to change stunnel code to use ipnat.
So instead of bind(not my address), bind to a local addr and add an ipnat rule
to map the (src addr, srcport) for this socket (getsockname gives both) to
(client ip addr, some good port). make sure the last port is a "good" one
(you should not deviate any traffic but the one you want).
Caveat: you cannot use IPADDR_ANY (the wildcard addr) with bind, as it will
be modified by connect()
which trashes your nat rule. so you must know which addr & interface the
packet is
going to take.
cheers,
mouss