From: Stuart Henderson Subject: Re: Fwd: [update] net/sniproxy 0.7.0 To: Renaud Allard Cc: ports@openbsd.org Date: Wed, 1 Oct 2025 16:45:33 +0100 On 2025/10/01 16:39, Renaud Allard wrote: > +@@ -635,8 +635,45 @@ initiate_server_connect(struct Connection *con, struct > + if (con->listener->transparent_proxy && > + con->client.addr.ss_family == con->server.addr.ss_family) { > + #ifdef IP_TRANSPARENT > ++ int result; > ++ /* Make an IPv6 socket if necessary and purge ::ffff: from the v6-mapped address > ++ * We need to take out the ffff because otherwise it'll be IPv4 on the wire. this change is a noop on OpenBSD, IP_TRANSPARENT is not defined. > +Index: tests/bad_dns_request_test > +--- tests/bad_dns_request_test.orig > ++++ tests/bad_dns_request_test > +@@ -60,7 +60,7 @@ sub http_client($$) { > + $socket->send($request); > + > + my $buffer; > +- $socket->recv($buffer, 4096); > ++ $socket->recv($buffer, 16388); typo? here's an updated diff with the IP_TRANSPARENT bit removed and switched to pcre2. I left bad_dns_request_test alone for now. I think I'll commit this as-is for now, so any further changes needed can be done via simpler diffs. I had some test failures but I have something on port 8080 already and didn't feel like changing the sniproxy tests to try a different port. Index: Makefile =================================================================== RCS file: /cvs/ports/net/sniproxy/Makefile,v diff -u -p -r1.10 Makefile --- Makefile 14 Sep 2023 12:29:16 -0000 1.10 +++ Makefile 1 Oct 2025 15:45:08 -0000 @@ -1,12 +1,12 @@ COMMENT = name-based proxying of HTTPS without decrypting traffic -GH_ACCOUNT = renaudallard +GH_ACCOUNT = dlundquist GH_PROJECT = sniproxy -GH_TAGNAME = 0.6.8 +GH_TAGNAME = 0.7.0 CATEGORIES = net -HOMEPAGE = https://github.com/renaudallard/sniproxy +HOMEPAGE = https://github.com/dlundquist/sniproxy MAINTAINER = Renaud Allard @@ -17,20 +17,21 @@ COMPILER = base-clang ports-gcc COMPILER_LANGS = c # use pledge() -WANTLIB += c ev pcre udns +WANTLIB += c ev pcre2-8 udns BUILD_DEPENDS = devel/gettext,-tools LIB_DEPENDS = net/udns \ devel/libev \ - devel/pcre + devel/pcre2 -AUTOCONF_VERSION = 2.69 +AUTOCONF_VERSION = 2.71 AUTOMAKE_VERSION = 1.16 CONFIGURE_STYLE = autoreconf AUTORECONF = ./autogen.sh -CONFIGURE_ARGS = --disable-rpath +CONFIGURE_ARGS = --disable-rpath \ + --enable-dns CONFIGURE_ENV = CPPFLAGS="-I${LOCALBASE}/include" \ LDFLAGS="${LDFLAGS} -L${LOCALBASE}/lib" Index: distinfo =================================================================== RCS file: /cvs/ports/net/sniproxy/distinfo,v diff -u -p -r1.6 distinfo --- distinfo 14 Sep 2023 12:29:16 -0000 1.6 +++ distinfo 1 Oct 2025 15:45:08 -0000 @@ -1,2 +1,2 @@ -SHA256 (sniproxy-0.6.8.tar.gz) = 8LhjJQUNFaY7H5xqNuGsfHS6bx4dE3ARyBNTatw0Z2k= -SIZE (sniproxy-0.6.8.tar.gz) = 80608 +SHA256 (sniproxy-0.7.0.tar.gz) = u+V5iGwa9g6FC4tb74UPELMX5uvjZssLVHaxIw8ocOQ= +SIZE (sniproxy-0.7.0.tar.gz) = 79685 Index: patches/patch-README_md =================================================================== RCS file: patches/patch-README_md diff -N patches/patch-README_md --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-README_md 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,16 @@ +Index: README.md +--- README.md.orig ++++ README.md +@@ -166,3 +166,12 @@ build without UDNS, but these features will be unavail + UDNS uses a single UDP socket for all queries, so it is recommended you use a + local caching DNS resolver (with a single socket each DNS query is protected by + spoofing by a single 16 bit query ID, which makes it relatively easy to spoof). ++ ++ ++OpenBSD specific behaviour ++-------------------------- ++ ++On OpenBSD, sniproxy is protected by pledge(2) and unveil(2). ++Therefore, the configuration file must be /etc/sniproxy.conf, unix sockets ++must be in /var/www/sockets and logs must be in /var/log. Also, sniproxy PID ++file must be /var/run/sniproxy.pid Index: patches/patch-sniproxy_conf =================================================================== RCS file: patches/patch-sniproxy_conf diff -N patches/patch-sniproxy_conf --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-sniproxy_conf 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,23 @@ +Index: sniproxy.conf +--- sniproxy.conf.orig ++++ sniproxy.conf +@@ -2,8 +2,8 @@ + # lines that start with # are comments + # lines with only white space are ignored + +-user nobody +-group nogroup ++user _sniproxy ++group _sniproxy + + # PID file, needs to be placed in directory writable by user + pidfile /var/run/sniproxy.pid +@@ -47,7 +47,7 @@ error_log { + # Global access log for all listeners + access_log { + # Same options as error_log +- filename /tmp/sniproxy-access.log ++ filename /var/log/sniproxy-access.log + } + + # blocks are delimited with {...} Index: patches/patch-src_cfg_tokenizer_c =================================================================== RCS file: patches/patch-src_cfg_tokenizer_c diff -N patches/patch-src_cfg_tokenizer_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_cfg_tokenizer_c 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,21 @@ +Index: src/cfg_tokenizer.c +--- src/cfg_tokenizer.c.orig ++++ src/cfg_tokenizer.c +@@ -62,7 +62,7 @@ next_token(FILE *config, char *buffer, size_t buffer_l + default: + /* Rewind one byte, so next_word() can fetch from + * the beginning of the word */ +- fseek(config, -1, SEEK_CUR); ++ fseeko(config, -1, SEEK_CUR); + + token_len = next_word(config, buffer, buffer_len); + if (token_len <= 0) +@@ -116,7 +116,7 @@ next_word(FILE *file, char *buffer, int buffer_len) { + if (quoted == 0) { + /* rewind the file one character, so we don't eat + * part of the next token */ +- fseek(file, -1, SEEK_CUR); ++ fseeko(file, -1, SEEK_CUR); + + buffer[len] = '\0'; + len++; Index: patches/patch-src_config_c =================================================================== RCS file: patches/patch-src_config_c diff -N patches/patch-src_config_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_config_c 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,21 @@ +Index: src/config.c +--- src/config.c.orig ++++ src/config.c +@@ -238,13 +238,13 @@ init_config(const char *filename, struct ev_loop *loop + } + + if (parse_config(config, file, global_grammar) <= 0) { +- intmax_t whence = ftell(file); ++ off_t whence = ftello(file); + char line[256]; + +- err("error parsing %s at %jd near:", filename, whence); +- fseek(file, -20, SEEK_CUR); ++ err("error parsing %s at %jd near:", filename, (intmax_t)whence); ++ fseeko(file, -20, SEEK_CUR); + for (int i = 0; i < 5; i++) +- err(" %jd\t%s", ftell(file), fgets(line, sizeof(line), file)); ++ err(" %jd\t%s", (intmax_t)ftello(file), fgets(line, sizeof(line), file)); + + free_config(config, loop); + config = NULL; Index: patches/patch-src_connection_c =================================================================== RCS file: patches/patch-src_connection_c diff -N patches/patch-src_connection_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_connection_c 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,19 @@ +Index: src/connection.c +--- src/connection.c.orig ++++ src/connection.c +@@ -812,13 +812,13 @@ new_connection(struct ev_loop *loop) { + con->query_handle = NULL; + con->use_proxy_header = 0; + +- con->client.buffer = new_buffer(4096, loop); ++ con->client.buffer = new_buffer(16384, loop); + if (con->client.buffer == NULL) { + free_connection(con); + return NULL; + } + +- con->server.buffer = new_buffer(4096, loop); ++ con->server.buffer = new_buffer(16384, loop); + if (con->server.buffer == NULL) { + free_connection(con); + return NULL; Index: patches/patch-src_sniproxy_c =================================================================== RCS file: patches/patch-src_sniproxy_c diff -N patches/patch-src_sniproxy_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_sniproxy_c 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,39 @@ +Index: src/sniproxy.c +--- src/sniproxy.c.orig ++++ src/sniproxy.c +@@ -71,6 +71,35 @@ main(int argc, char **argv) { + rlim_t max_nofiles = 65536; + int opt; + ++ #ifdef __OpenBSD__ ++ if (unveil("/etc/sniproxy.conf", "r") != 0) { ++ perror("unveil /etc/sniproxy.conf"); ++ exit(1); ++ } ++ if (unveil("/var/run/sniproxy.pid", "rwc") != 0) { ++ perror("unveil /var/run/sniproxy.pid"); ++ exit(1); ++ } ++ if (unveil("/var/log", "rwc") != 0) { ++ perror("unveil /var/log"); ++ exit(1); ++ } ++ if (unveil("/var/www/sockets", "rw") != 0) { ++ perror("unveil /var/www/sockets"); ++ exit(1); ++ } ++ if (unveil(NULL, NULL) != 0) { ++ perror("unveil"); ++ exit(1); ++ } ++ ++ if (pledge("stdio getpw inet dns rpath proc id" ++ " wpath cpath unix", NULL) == -1) { ++ fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno)); ++ exit(1); ++ } ++ #endif ++ + while ((opt = getopt(argc, argv, "fc:n:V")) != -1) { + switch (opt) { + case 'c': Index: patches/patch-tests_bad_dns_request_test =================================================================== RCS file: patches/patch-tests_bad_dns_request_test diff -N patches/patch-tests_bad_dns_request_test --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-tests_bad_dns_request_test 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,12 @@ +Index: tests/bad_dns_request_test +--- tests/bad_dns_request_test.orig ++++ tests/bad_dns_request_test +@@ -60,7 +60,7 @@ sub http_client($$) { + $socket->send($request); + + my $buffer; +- $socket->recv($buffer, 4096); ++ $socket->recv($buffer, 16388); + + $socket->close(); + Index: patches/patch-tests_bad_request_test =================================================================== RCS file: patches/patch-tests_bad_request_test diff -N patches/patch-tests_bad_request_test --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-tests_bad_request_test 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,12 @@ +Index: tests/bad_request_test +--- tests/bad_request_test.orig ++++ tests/bad_request_test +@@ -282,7 +282,7 @@ sub tls_client($$) { + $socket->send($request); + + my $buffer; +- $socket->recv($buffer, 4096); ++ $socket->recv($buffer, 16384); + + $socket->close(); + Index: patches/patch-tests_buffer_test_c =================================================================== RCS file: patches/patch-tests_buffer_test_c diff -N patches/patch-tests_buffer_test_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-tests_buffer_test_c 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,21 @@ +Index: tests/buffer_test.c +--- tests/buffer_test.c.orig ++++ tests/buffer_test.c +@@ -127,7 +127,7 @@ static void test4(void) { + struct Buffer *buffer; + int read_fd, write_fd; + +- buffer = new_buffer(4096, EV_DEFAULT); ++ buffer = new_buffer(16384, EV_DEFAULT); + + read_fd = open("/dev/zero", O_RDONLY); + if (read_fd < 0) { +@@ -155,7 +155,7 @@ static void test_buffer_coalesce(void) { + char output[sizeof(input)]; + int len; + +- buffer = new_buffer(4096, EV_DEFAULT); ++ buffer = new_buffer(16384, EV_DEFAULT); + len = buffer_push(buffer, input, sizeof(input)); + assert(len == sizeof(input)); + Index: patches/patch-tests_connection_reset_test =================================================================== RCS file: patches/patch-tests_connection_reset_test diff -N patches/patch-tests_connection_reset_test --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-tests_connection_reset_test 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,27 @@ +Index: tests/connection_reset_test +--- tests/connection_reset_test.orig ++++ tests/connection_reset_test +@@ -42,8 +42,8 @@ sub simple_server($) { + "\r\n"); + + # Send a bunch of data (more that will be buffered by the kernel +- for (my $i = 0; $i < 4096; $i++) { +- $client->send('x' x 4096); ++ for (my $i = 0; $i < 16384; $i++) { ++ $client->send('x' x 16384); + } + $client->close(); + exit; +@@ -76,9 +76,9 @@ sub bad_client($) { + "\r\n"); + + my $buffer; +- $socket->recv($buffer, 4096); +- $socket->recv($buffer, 4096); +- $socket->recv($buffer, 4096); ++ $socket->recv($buffer, 16384); ++ $socket->recv($buffer, 16384); ++ $socket->recv($buffer, 16384); + + $socket->close(); + Index: patches/patch-tests_fallback_test =================================================================== RCS file: patches/patch-tests_fallback_test diff -N patches/patch-tests_fallback_test --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-tests_fallback_test 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,12 @@ +Index: tests/fallback_test +--- tests/fallback_test.orig ++++ tests/fallback_test +@@ -56,7 +56,7 @@ sub http10_client($$) { + $socket->send("GET /$path HTTP/1.0\r\n\r\n"); + + my $buffer; +- $socket->recv($buffer, 4096); ++ $socket->recv($buffer, 16384); + + $socket->close(); + Index: patches/patch-tests_slow_client_test =================================================================== RCS file: patches/patch-tests_slow_client_test diff -N patches/patch-tests_slow_client_test --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-tests_slow_client_test 1 Oct 2025 15:45:08 -0000 @@ -0,0 +1,12 @@ +Index: tests/slow_client_test +--- tests/slow_client_test.orig ++++ tests/slow_client_test +@@ -46,7 +46,7 @@ sub slow_client($$) { + } + + my $buffer; +- $socket->recv($buffer, 4096); ++ $socket->recv($buffer, 16384); + + $socket->close(); +