From: Renaud Allard Subject: Re: Fwd: [update] net/sniproxy 0.7.0 To: ports@openbsd.org Date: Wed, 1 Oct 2025 17:55:49 +0200 On 01/10/2025 17:45, Stuart Henderson wrote: > On 2025/10/01 16:39, Renaud Allard wrote: >> +@@ -635,8 +635,45 @@ initiate_server_connect(struct Connection *con, struct >> + if (con->listener->transparent_proxy && >> + con->client.addr.ss_family == con->server.addr.ss_family) { >> + #ifdef IP_TRANSPARENT >> ++ int result; >> ++ /* Make an IPv6 socket if necessary and purge ::ffff: from the v6-mapped address >> ++ * We need to take out the ffff because otherwise it'll be IPv4 on the wire. > > this change is a noop on OpenBSD, IP_TRANSPARENT is not defined. > Indeed, that was not really designed specifically for OpenBSD. >> +Index: tests/bad_dns_request_test >> +--- tests/bad_dns_request_test.orig >> ++++ tests/bad_dns_request_test >> +@@ -60,7 +60,7 @@ sub http_client($$) { >> + $socket->send($request); >> + >> + my $buffer; >> +- $socket->recv($buffer, 4096); >> ++ $socket->recv($buffer, 16388); > > typo? Yes, good catch, it should be 16384. > > here's an updated diff with the IP_TRANSPARENT bit removed and switched > to pcre2. I left bad_dns_request_test alone for now. I think I'll commit > this as-is for now, so any further changes needed can be done via simpler > diffs. > > I had some test failures but I have something on port 8080 already and > didn't feel like changing the sniproxy tests to try a different port. I have tested it on 5 servers with what I generally use it for and it seems OK. I just didn't test for days, but the former diff I sent (with my repo) has been running for about a week without any issue. > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/sniproxy/Makefile,v > diff -u -p -r1.10 Makefile > --- Makefile 14 Sep 2023 12:29:16 -0000 1.10 > +++ Makefile 1 Oct 2025 15:45:08 -0000 
> @@ -1,12 +1,12 @@
> COMMENT = name-based proxying of HTTPS without decrypting traffic
>
> -GH_ACCOUNT = renaudallard
> +GH_ACCOUNT = dlundquist
> GH_PROJECT = sniproxy
> -GH_TAGNAME = 0.6.8
> +GH_TAGNAME = 0.7.0
>
> CATEGORIES = net
>
> -HOMEPAGE = https://github.com/renaudallard/sniproxy
> +HOMEPAGE = https://github.com/dlundquist/sniproxy
>
> MAINTAINER = Renaud Allard
>
> @@ -17,20 +17,21 @@ COMPILER = base-clang ports-gcc
> COMPILER_LANGS = c
>
> # use pledge()
> -WANTLIB += c ev pcre udns
> +WANTLIB += c ev pcre2-8 udns
>
> BUILD_DEPENDS = devel/gettext,-tools
>
> LIB_DEPENDS = net/udns \
> devel/libev \
> - devel/pcre
> + devel/pcre2
>
> -AUTOCONF_VERSION = 2.69
> +AUTOCONF_VERSION = 2.71
> AUTOMAKE_VERSION = 1.16
> CONFIGURE_STYLE = autoreconf
> AUTORECONF = ./autogen.sh
>
> -CONFIGURE_ARGS = --disable-rpath
> +CONFIGURE_ARGS = --disable-rpath \
> + --enable-dns
> CONFIGURE_ENV = CPPFLAGS="-I${LOCALBASE}/include" \
> LDFLAGS="${LDFLAGS} -L${LOCALBASE}/lib"
>
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/net/sniproxy/distinfo,v
> diff -u -p -r1.6 distinfo
> --- distinfo 14 Sep 2023 12:29:16 -0000 1.6
> +++ distinfo 1 Oct 2025 15:45:08 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (sniproxy-0.6.8.tar.gz) = 8LhjJQUNFaY7H5xqNuGsfHS6bx4dE3ARyBNTatw0Z2k=
> -SIZE (sniproxy-0.6.8.tar.gz) = 80608
> +SHA256 (sniproxy-0.7.0.tar.gz) = u+V5iGwa9g6FC4tb74UPELMX5uvjZssLVHaxIw8ocOQ=
> +SIZE (sniproxy-0.7.0.tar.gz) = 79685
> Index: patches/patch-README_md
> ===================================================================
> RCS file: patches/patch-README_md
> diff -N patches/patch-README_md
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-README_md 1 Oct 2025 15:45:08 -0000
> @@ -0,0 +1,16 @@
> +Index: README.md
> +--- README.md.orig
> ++++ README.md
> +@@ -166,3 +166,12 @@ build without UDNS, but these features will be unavail
> + UDNS uses a single UDP socket for all queries, so it is recommended you use a
> + local caching DNS resolver (with a single socket each DNS query is protected by
> + spoofing by a single 16 bit query ID, which makes it relatively easy to spoof).
> ++
> ++
> ++OpenBSD specific behaviour
> ++--------------------------
> ++
> ++On OpenBSD, sniproxy is protected by pledge(2) and unveil(2).
> ++Therefore, the configuration file must be /etc/sniproxy.conf, unix sockets
> ++must be in /var/www/sockets and logs must be in /var/log. Also, sniproxy PID
> ++file must be /var/run/sniproxy.pid
> Index: patches/patch-sniproxy_conf
> ===================================================================
> RCS file: patches/patch-sniproxy_conf
> diff -N patches/patch-sniproxy_conf
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-sniproxy_conf 1 Oct 2025 15:45:08 -0000
> @@ -0,0 +1,23 @@
> +Index: sniproxy.conf
> +--- sniproxy.conf.orig
> ++++ sniproxy.conf
> +@@ -2,8 +2,8 @@
> + # lines that start with # are comments
> + # lines with only white space are ignored
> +
> +-user nobody
> +-group nogroup
> ++user _sniproxy
> ++group _sniproxy
> +
> + # PID file, needs to be placed in directory writable by user
> + pidfile /var/run/sniproxy.pid
> +@@ -47,7 +47,7 @@ error_log {
> + # Global access log for all listeners
> + access_log {
> + # Same options as error_log
> +- filename /tmp/sniproxy-access.log
> ++ filename /var/log/sniproxy-access.log
> + }
> +
> + # blocks are delimited with {...}
> Index: patches/patch-src_cfg_tokenizer_c
> ===================================================================
> RCS file: patches/patch-src_cfg_tokenizer_c
> diff -N patches/patch-src_cfg_tokenizer_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_cfg_tokenizer_c 1 Oct 2025 15:45:08 -0000
> @@ -0,0 +1,21 @@
> +Index: src/cfg_tokenizer.c
> +--- src/cfg_tokenizer.c.orig
> ++++ src/cfg_tokenizer.c
> +@@ -62,7 +62,7 @@ next_token(FILE *config, char *buffer, size_t buffer_l
> + default:
> + /* Rewind one byte, so next_word() can fetch from
> + * the beginning of the word */
> +- fseek(config, -1, SEEK_CUR);
> ++ fseeko(config, -1, SEEK_CUR);
> +
> + token_len = next_word(config, buffer, buffer_len);
> + if (token_len <= 0)
> +@@ -116,7 +116,7 @@ next_word(FILE *file, char *buffer, int buffer_len) {
> + if (quoted == 0) {
> + /* rewind the file one character, so we don't eat
> + * part of the next token */
> +- fseek(file, -1, SEEK_CUR);
> ++ fseeko(file, -1, SEEK_CUR);
> +
> + buffer[len] = '\0';
> + len++;
> Index: patches/patch-src_config_c
> ===================================================================
> RCS file: patches/patch-src_config_c
> diff -N patches/patch-src_config_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_config_c 1 Oct 2025 15:45:08 -0000
> @@ -0,0 +1,21 @@
> +Index: src/config.c
> +--- src/config.c.orig
> ++++ src/config.c
> +@@ -238,13 +238,13 @@ init_config(const char *filename, struct ev_loop *loop
> + }
> +
> + if (parse_config(config, file, global_grammar) <= 0) {
> +- intmax_t whence = ftell(file);
> ++ off_t whence = ftello(file);
> + char line[256];
> +
> +- err("error parsing %s at %jd near:", filename, whence);
> +- fseek(file, -20, SEEK_CUR);
> ++ err("error parsing %s at %jd near:", filename, (intmax_t)whence);
> ++ fseeko(file, -20, SEEK_CUR);
> + for (int i = 0; i < 5; i++)
> +- err(" %jd\t%s", ftell(file), fgets(line, sizeof(line), file));
> ++ err(" %jd\t%s", (intmax_t)ftello(file), fgets(line, sizeof(line), file));
> +
> + free_config(config, loop);
> + config = NULL;
> Index: patches/patch-src_connection_c
> ===================================================================
> RCS file: patches/patch-src_connection_c
> diff -N patches/patch-src_connection_c
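Review bot: In the patch-src_config_c hunk the rewritten `err(" %jd\t%s", (intmax_t)ftello(file), fgets(line, sizeof(line), file));` still hands the fgets() result straight to `%s`, so when fewer than five lines remain after the rewind fgets() returns NULL and it is formatted as a string, which is undefined behaviour; a local such as `char *s = fgets(line, sizeof(line), file); err(" %jd\t%s", (intmax_t)ftello(file), s ? s : "");` also removes the unsequenced evaluation of the two arguments. The return of `fseeko(file, -20, SEEK_CUR);` is unchecked, and the call fails with EINVAL (position unchanged) when the parse error lies within the first 20 bytes of the file, so the "near:" context is then read from the wrong place; `fseeko(file, whence < 20 ? -whence : -20, SEEK_CUR)` keeps the rewind in range. The same unchecked `fseeko(..., -1, SEEK_CUR)` appears twice in the patch-src_cfg_tokenizer_c hunk above, where a failure on a non-seekable stream is silently ignored. The body of init_config continues outside the hunk.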
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_connection_c 1 Oct 2025 15:45:08 -0000
> @@ -0,0 +1,19 @@
> +Index: src/connection.c
> +--- src/connection.c.orig
> ++++ src/connection.c
> +@@ -812,13 +812,13 @@ new_connection(struct ev_loop *loop) {
> + con->query_handle = NULL;
> + con->use_proxy_header = 0;
> +
> +- con->client.buffer = new_buffer(4096, loop);
> ++ con->client.buffer = new_buffer(16384, loop);
> + if (con->client.buffer == NULL) {
> + free_connection(con);
> + return NULL;
> + }
> +
> +- con->server.buffer = new_buffer(4096, loop);
> ++ con->server.buffer = new_buffer(16384, loop);
> + if (con->server.buffer == NULL) {
> + free_connection(con);
> + return NULL;
> Index: patches/patch-src_sniproxy_c
> ===================================================================
> RCS file: patches/patch-src_sniproxy_c
> diff -N patches/patch-src_sniproxy_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_sniproxy_c 1 Oct 2025 15:45:08 -0000
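Review bot: The new 16384 in `con->client.buffer = new_buffer(16384, loop);` and in the server.buffer line below it is an unexplained magic number that the port now also repeats in patch-tests_buffer_test_c and the perl test patches; a single named constant with a comment would keep all the sites in step. Presumably the size was chosen so that one full TLS record (2^14 bytes of plaintext) and hence a large ClientHello fits the client buffer for SNI parsing — if so, say it at the definition, e.g. `/* 16 KiB: one full TLS record, so a large ClientHello is buffered whole */`. Per-connection memory quadruples as a result (two 16 KiB buffers per connection), which is worth a line in the patch comment given that main raises max_nofiles to 65536. The body of new_connection continues outside the hunk.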
> @@ -0,0 +1,39 @@
> +Index: src/sniproxy.c
> +--- src/sniproxy.c.orig
> ++++ src/sniproxy.c
> +@@ -71,6 +71,35 @@ main(int argc, char **argv) {
> + rlim_t max_nofiles = 65536;
> + int opt;
> +
> ++ #ifdef __OpenBSD__
> ++ if (unveil("/etc/sniproxy.conf", "r") != 0) {
> ++ perror("unveil /etc/sniproxy.conf");
> ++ exit(1);
> ++ }
> ++ if (unveil("/var/run/sniproxy.pid", "rwc") != 0) {
> ++ perror("unveil /var/run/sniproxy.pid");
> ++ exit(1);
> ++ }
> ++ if (unveil("/var/log", "rwc") != 0) {
> ++ perror("unveil /var/log");
> ++ exit(1);
> ++ }
> ++ if (unveil("/var/www/sockets", "rw") != 0) {
> ++ perror("unveil /var/www/sockets");
> ++ exit(1);
> ++ }
> ++ if (unveil(NULL, NULL) != 0) {
> ++ perror("unveil");
> ++ exit(1);
> ++ }
> ++
> ++ if (pledge("stdio getpw inet dns rpath proc id"
> ++ " wpath cpath unix", NULL) == -1) {
> ++ fprintf(stderr, "%s: pledge: %s\n", argv[0], strerror(errno));
> ++ exit(1);
> ++ }
> ++ #endif
> ++
> + while ((opt = getopt(argc, argv, "fc:n:V")) != -1) {
> + switch (opt) {
> + case 'c':
> Index: patches/patch-tests_bad_dns_request_test
> ===================================================================
> RCS file: patches/patch-tests_bad_dns_request_test
> diff -N patches/patch-tests_bad_dns_request_test
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-tests_bad_dns_request_test 1 Oct 2025 15:45:08 -0000
> @@ -0,0 +1,12 @@
> +Index: tests/bad_dns_request_test
> +--- tests/bad_dns_request_test.orig
> ++++ tests/bad_dns_request_test
> +@@ -60,7 +60,7 @@ sub http_client($$) {
> + $socket->send($request);
> +
> + my $buffer;
> +- $socket->recv($buffer, 4096);
> ++ $socket->recv($buffer, 16388);
> +
> + $socket->close();
> +
> Index: patches/patch-tests_bad_request_test
> ===================================================================
> RCS file: patches/patch-tests_bad_request_test
> diff -N patches/patch-tests_bad_request_test
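Review bot: The unveil() calls in the new `#ifdef __OpenBSD__` block hard-code `/etc/sniproxy.conf`, `/var/run/sniproxy.pid`, `/var/log` and `/var/www/sockets` before the getopt() loop below has seen `-c`, so a config path given on the command line, and any pidfile, log or socket path in the config outside those directories, fails later with ENOENT or EACCES and no hint of the cause; either move the block after option parsing and unveil the `-c` value instead of the fixed config path, or put the constraint at the top of the block, e.g. `/* Paths are fixed by unveil(2); -c and config-file paths outside these fail with ENOENT/EACCES (see README) */`, mirroring what the patch-README_md hunk documents. The single pledge() keeps `proc id getpw cpath` for the whole process lifetime; if main later daemonizes, drops privileges and creates the pid file (that part of main lies outside the hunk), a second, narrower pledge() after that point would drop promises the event loop no longer needs. Error reporting is also mixed: the five unveil() failures use perror() while the pledge() failure uses fprintf() with argv[0] and strerror(errno) — one form for all six exits reads better.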
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-tests_bad_request_test 1 Oct 2025 15:45:08 -0000
> @@ -0,0 +1,12 @@
> +Index: tests/bad_request_test
> +--- tests/bad_request_test.orig
> ++++ tests/bad_request_test
> +@@ -282,7 +282,7 @@ sub tls_client($$) {
> + $socket->send($request);
> +
> + my $buffer;
> +- $socket->recv($buffer, 4096);
> ++ $socket->recv($buffer, 16384);
> +
> + $socket->close();
> +
> Index: patches/patch-tests_buffer_test_c
> ===================================================================
> RCS file: patches/patch-tests_buffer_test_c
> diff -N patches/patch-tests_buffer_test_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-tests_buffer_test_c 1 Oct 2025 15:45:08 -0000
> @@ -0,0 +1,21 @@
> +Index: tests/buffer_test.c
> +--- tests/buffer_test.c.orig
> ++++ tests/buffer_test.c
> +@@ -127,7 +127,7 @@ static void test4(void) {
> + struct Buffer *buffer;
> + int read_fd, write_fd;
> +
> +- buffer = new_buffer(4096, EV_DEFAULT);
> ++ buffer = new_buffer(16384, EV_DEFAULT);
> +
> + read_fd = open("/dev/zero", O_RDONLY);
> + if (read_fd < 0) {
> +@@ -155,7 +155,7 @@ static void test_buffer_coalesce(void) {
> + char output[sizeof(input)];
> + int len;
> +
> +- buffer = new_buffer(4096, EV_DEFAULT);
> ++ buffer = new_buffer(16384, EV_DEFAULT);
> + len = buffer_push(buffer, input, sizeof(input));
> + assert(len == sizeof(input));
> +
> Index: patches/patch-tests_connection_reset_test
> ===================================================================
> RCS file: patches/patch-tests_connection_reset_test
> diff -N patches/patch-tests_connection_reset_test
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-tests_connection_reset_test 1 Oct 2025 15:45:08 -0000
> @@ -0,0 +1,27 @@
> +Index: tests/connection_reset_test
> +--- tests/connection_reset_test.orig
> ++++ tests/connection_reset_test
> +@@ -42,8 +42,8 @@ sub simple_server($) {
> + "\r\n");
> +
> + # Send a bunch of data (more that will be buffered by the kernel
> +- for (my $i = 0; $i < 4096; $i++) {
> +- $client->send('x' x 4096);
> ++ for (my $i = 0; $i < 16384; $i++) {
> ++ $client->send('x' x 16384);
> + }
> + $client->close();
> + exit;
> +@@ -76,9 +76,9 @@ sub bad_client($) {
> + "\r\n");
> +
> + my $buffer;
> +- $socket->recv($buffer, 4096);
> +- $socket->recv($buffer, 4096);
> +- $socket->recv($buffer, 4096);
> ++ $socket->recv($buffer, 16384);
> ++ $socket->recv($buffer, 16384);
> ++ $socket->recv($buffer, 16384);
> +
> + $socket->close();
> +
> Index: patches/patch-tests_fallback_test
> ===================================================================
> RCS file: patches/patch-tests_fallback_test
> diff -N patches/patch-tests_fallback_test
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-tests_fallback_test 1 Oct 2025 15:45:08 -0000
> @@ -0,0 +1,12 @@
> +Index: tests/fallback_test
> +--- tests/fallback_test.orig
> ++++ tests/fallback_test
> +@@ -56,7 +56,7 @@ sub http10_client($$) {
> + $socket->send("GET /$path HTTP/1.0\r\n\r\n");
> +
> + my $buffer;
> +- $socket->recv($buffer, 4096);
> ++ $socket->recv($buffer, 16384);
> +
> + $socket->close();
> +
> Index: patches/patch-tests_slow_client_test
> ===================================================================
> RCS file: patches/patch-tests_slow_client_test
> diff -N patches/patch-tests_slow_client_test
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-tests_slow_client_test 1 Oct 2025 15:45:08 -0000
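Review bot: In the simple_server hunk of patch-tests_connection_reset_test both the loop bound and the chunk size went from 4096 to 16384, so the test now writes 16384 × 16 KiB = 256 MiB through the connection instead of 16 MiB, a 16× increase in test runtime for no extra coverage. Only the chunk needs to track the new buffer size: keep `for (my $i = 0; $i < 4096; $i++) {` and change just `$client->send('x' x 16384);`. The three recv() sizes in the bad_client hunk below are consistent with the new buffer size and need no change.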
> @@ -0,0 +1,12 @@
> +Index: tests/slow_client_test
> +--- tests/slow_client_test.orig
> ++++ tests/slow_client_test
> +@@ -46,7 +46,7 @@ sub slow_client($$) {
> + }
> +
> + my $buffer;
> +- $socket->recv($buffer, 4096);
> ++ $socket->recv($buffer, 16384);
> +
> + $socket->close();
> +