WebSVN – nexmon – Blame – Rev 1 – /utilities/socat/doc/xio.help

1

office

1

# source: xio.help

2

# Copyright Gerhard Rieger 2001-2007

Operating systems:

The options and features described in this document have been implemented (but

7

not always tested) on the operating systems listed below, unless otherwise

8

noted:

9

10

SuSE 10.1 Linux on x86

11

Solaris 8 on Sparc with gcc

12

FreeBSD 6.1 on x86

13

HP-UX B 11.11 on PA-RISC with gcc

14

15

===============================================================================

16

17

The following sections describe the syntax and semantics of the socat command

18

line stream arguments.

19

20

Usually a socat stream argument defines a one- or bidirectional stream. There

21

are two principal forms:

22

* a single stream. Depending on use of the -u or -U options and implicit

23

semantics of the stream, such an argument may be resolved to a one- or

24

twodirectional stream.

25

* two onedirectional streams, separated by '!!'. An argument of this form

26

always specifies a twodirectional stream. The first single stream is only used

27

for reading data, and the second is only used for writing data.

28

29

30

The general structure of a single stream is:

31

keyword[:required-parameters][,options]

32

33

The options part starts with the first ',' of the argument. The required

34

parameters are separated by ':' from their predecessor. The last required

35

parameter is terminated by the end of the argument or by the first ',' that

36

iitroduces the first option. The options are separated with ','. The last

37

option is terminated by end-of-string or by '!!'.

38

39

The are some abbreviations defined that allow to drop the keyword. In these

40

cases the argument syntax is:

41

required-parameter[:required-parameters][,options]

42

The implemented abbreviations are:

43

short form canonical form

44

number FD:number # decimal number

45

path		GOPEN:path	# must must contain at least one '/' and must not contain ':' or ',' and must not start with a decimal digit

46

47

===============================================================================

Addresses:

Every address specification starts with a keyword or an abbreviation. These

53

keywords are case insensitive.

54

Note: because the option group ANY applies for all addresses, it is not

55

mentioned explicitely below.

56

57

58

Bidirectional only addresses:

59

-----------------------------

PIPE

FIFO

ECHO

Opens an unnamed pipe (fifo) where outbound traffic is sent to and inbound

66

traffic is read from. The special semantics of pipes results in an echo like

67

behaviour.

68

Option groups: FD, FIFO (no specific FIFO options are defined yet)

69

70

71

Onedirectional only addresses:

72

------------------------------

73

74

Currently all addresses may be used bidirectional.

75

Note: for regular files, behaviour when being used bidirectionally is

undefined.

One- and bidirectional addresses:

80

---------------------------------

STDIO

- ("minus")

Uses stdin (FD 0) for inbound traffic and/or stdout (FD 1) for outbound traffic

86

on this address.

87

Option groups: FD; others dependent on actual types of stdin and stdout (FIFO,

88

CHR, BLK, REG, and/or SOCKET).

STDIN

Uses stdin for traffic. This might fail for outbound traffic.

94

Option groups: FD; dependent on actual type of stdin (FIFO, CHR, BLK, REG, or

SOCKET).

STDOUT

Uses stdout for traffic. This might fail for inbound traffic.

101

Option groups: FD; dependent on actual type of stdout (FIFO, CHR, BLK, REG, or

SOCKET).

STDERR

Uses stdout for traffic. This might fail for inbound traffic.

108

Option group: FD; dependent on actual types of sterr (FIFO, CHR, BLK, REG, or

SOCKET).

FD:num

num

Uses the already existing file descriptor <num> for traffic.

116

Option groups: FD; dependent on actual types of file descriptor (FIFO, CHR,

117

BLK, REG, or SOCKET).

READLINE

Uses the GNU readline function and history capabilies (best known from bash).

123

It always works on stdin and stdout; if stdio is not a tty, readline does not

124

seem to work correctly.

125

Because readline is blocking during line editing, it does not fit well into

126

socats I/O philosophy.

127

socat integrates readline by waiting in the select call as usual; when stdin

128

reports available data, socat invokes readline(). readline blocks until the

129

user presses ENTER or EOF. Data on socats other stream is not handling in this

130

time.

131

socat controls the ECHO flag of the stdin tty (off during select(), on for

132

readline()).

133

When using socat with readline as front end to a service like telnet, POP3 or

134

an other authenticated service, please note that the password is entered as

135

ordinary data, thus appears on the screen!

136

Option groups: FD, READLINE, TERMIOS

137

Useful options: history-file

OPEN:path

Applies an open() system call to the given path. If the path does not exist a

143

file is created only if the option create is used; if a file, pipe, or device

144

with this name already exists it is opened. Open for reading and/or writing

145

depends on the rw parameter of the xioopen call, or on usage in a socat

146

argument. If no perm option is used, xioopen uses 600 (which might be modified

147

by umask then).

148

Applying this function to files conforms to the semantics as described by the

149

open(2) man page.

150

Opening device files, like /dev/ttyS*, might block until the device gets active

151

(until some peer is connected)

152

With existing named pipes (fifos) please note the usual semantics:

153

Opening the pipe in read/write mode results in an echo service;

154

Opening the pipe in read mode blocks until a writer opens the pipe (close

155

by writer gives EOF for the reader); with option nonblock the open call does

156

not block.

157

Opening the pipe in write mode blocks until a reader opens the pipe (close

158

by reader gives "broken pipe" error on next write); with option nonblock the

159

open call terminates with error "no such device or address" in absence of a

160

reader.

161

Opening a named UNIX stream socket with or without a listening peer might

162

succeed depending on the operating system, but

163

the resulting file descriptor erronously reports available data immediately,

164

and the following read() or write() call always fails with "invalid

165

argument". Even worse, while such a filesystem entry is identified as socket by

166

"file" command and by fstat(), getsockopt() after open() gives error "Socket operation on non-socket".

167

Use GOPEN for reasonable behaviour!

168

Option groups: FD, OPEN, NAMED, and specific for data object type (FILE, FIFO,

169

CHRDEV+TERMIOS, BLKDEV, or SOCKET).

GOPEN:path

path

"Generic open". Tries to open the given path in a smarter way. If the path

176

exists and is a socket, it is connected to; if connecting fails,

177

socat assumes a datagram socket and later uses sendto() calls for data

178

transfer.

179

If the path exists and is not a socket, it is opened:

180

in RDONLY environment for reading from position 0,

181

in WRONLY environment for appending (O_APPEND),

182

in RDWR env. for reading and/or writing starting from position 0.

183

If the path does not exist:

184

in RDONLY environment this is an error

185

in WRONLY environment the file is created (O_CREAT)

186

in RDWR env. for reading and/or writing starting from position 0.

187

However, these flags may be overriden by user supplied options

188

(e.g., "append=0")

189

Option groups: FD, NAMED, and specific for data object type (FILE, FIFO,

190

CHRDEV+TERMIOS, BLKDEV, or SOCKET).

CREATE:path

CREAT:path

Opens the named file with creat(). With UNIX semantics, this address is just a

197

variation of the OPEN address, see there for more details.

198

Note: The creat() system call does not create a completely new file, but

199

inherits some properties of the old file if it exists, e.g. permissions. Use

200

option "unlink-early" to remove the old entry before.

201

Option groups: FD, NAMED, FILE

202

Useful options: unlink-late

PIPE:path

FIFO:path

Creates and opens a pipe if path does not exist; opens path if it already

209

exists.

210

Option groups: FD, NAMED, FIFO

211

Note: this address uses the mknod(2) system call to create the named pipe. On

212

FreeBSD, this call requires root privilege

EXEC:cmdline

Forks off a child process after establishing a bidirectional communication

218

channel (with socketpair, pipes, or pty). The child then starts "cmdline" with

219

execvp().

220

Note: spaces and shell meta characters in cmdline must be quoted if socat is

221

invoked from the command line.

222

Option groups: FD, FORK, EXEC, SOCKET, SOCK_UNIX, FIFO, TERMIOS

223

Useful options: path, fdin, fdout, chroot, su, pty, stderr

224

Note: on AIX, search permissions on /dev/pts/ are required to use option pty.

SYSTEM:cmdline

Forks off a child process after establishing a bidirectional communication

230

channel (with socketpair, pipes, or pty). The child then starts "cmdline" with

231

system().

232

Note: spaces and shell meta characters in cmdline must be quoted if socat is

233

invoked from the command line.

234

Option groups: FD, FORK, EXEC, SOCKET, SOCK_UNIX, FIFO, TERMIOS

235

Useful options: path, fdin, fdout, chroot, su, pty, stderr

236

Note: there are slightly different semantics with options pty or pipes, because

237

they do not communicate an EOF condition to the shell process. Therefore, the

238

shell process and its child do not terminate due to EOF, but are explicitly

239

killed during close of the socat file handle. Consider using

240

exec:'/bin/sh -c command',pty...

UNIX:path

LOCAL:path

Connects to a UNIX domain socket.

247

Option groups: FD, SOCKET, SOCK_UNIX

248

NOTE: you need rw permissions to connect to a local socket. My Linux answers

249

with "connection refused" to insufficient permissions, not existing

250

socket, not a socket, or just a socket entry without a listening process.

251

NOTE: this address does not implement option group NAMED because its connect

252

call succeeds only if there is already someone listening, but at this point the

253

NAMED group actions no longer affect this socket, only the fs entry.

UNIX-listen:path

UNIX-l:path

Create a listening UNIX domain socket. With the fork option, for each accepted

260

connection a new process is forked off, and more connections are accepted on

261

the parent socket. Without fork, only the first connection is accepted.

262

Option groups: FD, NAMED, SOCKET, SOCK_UNIX, LISTEN, CHILD

IP:host:protocol

IP4:host:protocol

Open a raw socket with IP4 protocol. This mode sends packets to and accepts

269

them only from host. protocol is a number from 0 to 255, with 1 meaning ICMP,

270

6..TCP, 17..UDP, 255..raw IP; 0 might be unsupported by the local IP stack,

271

resulting in an error.

272

Requires root privilege.

273

Note: my Linux 2.4.10 kernel seems to drop payloads smaller than 8

274

bytes on their way from the network to the application.

275

Option groups: FD, SOCKET, SOCK_IP

TCP:host:port

TCP4:host:port

INET:host:port

Create a TCP/IP4 client socket and connect to the given host/port combination.

283

Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP

284

Useful options: crlf, bind, tos, mtudiscover, mss, nodelay,

TCP-l:port

TCP-listen:port

TCP4-l:port

TCP4-listen:port

INET-l:port

INET-listen:port

Create a TCP/IP4 server socket and wait for an incoming connection. With the

295

fork option, for each accepted connection a new process is forked off, and more

296

connections are accepted on the parent socket. Without fork, only the first

297

connection is accepted.

298

Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP, LISTEN, RANGE, CHILD

299

Useful options: fork, crlf, bind, backlog, mtu, tcpwrap

UDP:host:port

UDP-CONNECT:host:port

304

305

Connects to port on host using UDP/IP version 4 or 6

306

depending on address specification, name resolution, or option pf.

307

Please note that,

308

due to UDP protocol properties, no real connection is established; data has

309

to be sent for `connecting' to the server, and no end-of-file condition can

310

be transported.

311

Option groups: FD, SOCKET, SOCK_IP4, SOCK_IP6, IP_UDP

312

Useful options: ttl

313

314

UDP4:host:port

315

UDP4-CONNECT:host:port

316

317

Like UDP-CONNECT, but only supports IPv4 protocol.

318

Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_UDP

UDP-listen:port

UDP-l:port

Emulates a UDP server in the same way as netcat: Create a UDP/IP4 socket and

325

bind to the given port. Then wait for the first packet, get its sender address

326

(without consuming its data), connect() to this address, and leave xioopen().

327

Afterwards, our socket only communicates with this peer.

328

Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_UDP, RANGE

329

Note: with fork option, child processes might hang forever because UDP cannot

330

transport EOF conditions.

#UDP-dgram:port

#UDP-d:port

#

#Create and use a pure datagram oriented UDP socket.

337

#The following restrictions apply:

338

#* range option does not work

339

#* de facto this is a read-only endpoint: sending data to 0.0.0.0 might fail.

TCP6:host:port

INET6:host:port

Create a TCP/IP6 client socket and connect to the given host/port combination.

346

Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP

347

Note: Address syntax parsing is awkward, since the IPv6 address word separator

348

is ':' which is used as port separator too.

349

An FTP listen entry looks in netstat ":::21"!

TCP6-l:port

TCP6-listen:port

INET6-l:port

INET6-listen:port

Create a TCP server socket and wait for an incoming connection. With the fork

358

option, for each accepted connection a new process is forked off, and more

359

connections are accepted on the parent socket. Without fork, only the first

360

connection is accepted.

361

Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP, LISTEN, RANGE, CHILD

362

363

364

SOCKS4:sockd:host:port

365

SOCKS:sockd:host:port

366

367

Use a socks server, socks protocol version 4, to build a TCP (IPv4) connection.

368

Sockd is the name or address of the socks server, host and port specify the

369

destination address. Use option socksport if the socks server does not listen

370

on port 1080.

371

Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP, IP_SOCKS

372

Useful options: sp, socksport, socksuser

373

Note: If you do not specify option socksuser, xioopen tries to derive it from

374

environment: LOGNAME or USER, and might therefore undisclose your identity.

375

376

377

SOCKS4a:sockd:host:port

378

379

Like SOCKS4, but use the socks version 4a extension for destination name

380

resolution on the socks server.

381

Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP, IP_SOCKS

PTY

Creates a pseudo terminal (pty) and uses its master side. Another process may

387

open the pty�s slave side using it like a serial line or terminal.

388

Option groups: FD,NAMED,PTY,TERMIOS

389

Useful options: link, openpty, mode, user, group

390

391

392

OPENSSL-CONNECT:host:port

393

OPENSSL:host:port

394

395

Tries to establish a SSL connection to port on host using TCP/IPv4.

396

Note: this is currently only an experimental integration of openssl!

397

(it does not provide any trust between the peers because is does not check

398

certificates!)

399

Option groups: FD,SOCKET,SOCK_IP4,IP_TCP,OPENSSL,RETRY

400

Useful options: cipher, method, verify, cafile, capath, certificate, bind, sourceport, retry

401

402

403

OPENSSL-LISTEN:port

404

405

Listens on tcp4 port. When a connection is accepted, this address behaves as

406

SSL server.

407

Option groups: FD,SOCKET,SOCK_IP4,TCP,LISTEN,CHILD,RANGE,OPENSSL,RETRY

408

Usefule options: cipher, method, verify, cafile, capath, certificate, retry

409

410

411

PROXY:proxy:host:port

412

PROXY-CONNECT:proxy:host:port

413

414

Connects to an HTTP proxy server on port 8080 using TCP/IPv4, and sends a

415

CONNECT request for host:port. If the proxy grants access and succeeds to

416

connect to the target, data transfer between socat and the target can

417

start. Note that the traffic need not be HTTP but can be an arbitrary

418

protocol.

419

Option groups: FD,SOCKET,IP4,TCP,HTTP

420

Useful options: proxyport, ignorecr, proxyauth, crnl, bind, mss, sourceport

421

422

===============================================================================

Option Groups:

Each option is member of one option group. Address definitions specify which

427

option groups they support. This allows to reject unapplyable options in an

428

early stage of address processing.

429

430

Address groups are identified by single bit positions. Option definitions

431

specify to which group the option belongs (some options are member or more than

432

one group). Addresses use a bit pattern to specify which option groups they

433

support.

434

435

Currently the following option groups are defined:

436

437

GROUP_FD: All addresses that result in one or more file descriptors. These

438

options are typically applied with fcntl() or some special calls like fchown()

439

or fchmod(). There is no documented restriction to apply these functions to any

440

file descriptor; but they are not always meaningful, and sometimes lead to OS

441

exceptions.

442

443

GROUP_APPL: All addresses. The options do not need file descriptors, because

444

they manipulate the data streams at application level (ignoreeof, line

445

terminator conversion).

446

447

GROUP_PROCESS: For options that change process related attributes, like user id

448

(setuid).

449

450

GROUP_FIFO: Options for pipes. Currently not used.

451

452

GROUP_CHR: Options for character devices. Currently not used.

453

454

GROUP_BLK: Options for block devices. Currently not used.

455

456

GROUP_REG, GROUP_FILE: Options for regular files. Currently not used.

457

458

GROUP_SOCKET: Options for arbitrary type sockets, e.g. so-sndbuf, so-linger.

459

460

GROUP_NAMED: Options for file system entries, e.g. user-early, unlink.

461

462

GROUP_OPEN: Options that are applied with the open() system call.

463

464

GROUP_EXEC: Options for program or script execution, e.g. path.

465

466

GROUP_FORK: Options for communication with children processes, e.g. fdin, pty.

467

468

GROUP_LISTEN: Options for listening sockets. Only backlog.

469

470

GROUP_DEVICE: not used

471

472

GROUP_CHILD: Options for addresses that may fork off independent child

473

processes. Currently only option fork.

474

475

GROUP_RETRY: Options for failure handling. Currently not used.

476

477

GROUP_TERMIOS: Options for terminal settings, e.g. echo, b38400, raw.

478

479

GROUP_READLINE: Options for readline (GNU line editing and history).

480

481

GROUP_RANGE: Options for checking peer address. Currently only range.

482

483

GROUP_SOCK_UNIX: Options for UNIX domain sockets. Currently not used.

484

485

GROUP_SOCK_IP4: Options for IP4 sockets. Currently not used.

486

487

GROUP_SOCK_IP6: Options for IP6 sockets. Currently not used.

488

489

GROUP_SOCK_IP: Options for IP sockets, e.g. mtu, ip-options, ttl.

490

491

GROUP_IP_UDP: Options for UDP sockets. Currently not used.

492

493

GROUP_IP_TCP: Options for TCP sockets, e.g. maxseg, nodelay.

494

495

GROUP_IPAPP: Options for UDP and TCP sockets. Currently only sourceport.

496

497

GROUP_IP_SOCKS4: Options for SOCKS client connections, e.g. socksuser.

498

499

GROUP_PROCESS: Options for process wide attributes, e.g. su, chroot.

500

501

GROUP_APPL: Options handled by application. Currently not used.

502

503

GROUP_PTY: Options for pseudo terminals. Used with addresses PTY, EXEC, and

504

SYSTEM.

505

506

GROUP_OPENSSL: Options for the OPENSSL address.

507

508

There are "combined" group definitions too:

509

#define GROUP_ANY (GROUP_PROCESS|GROUP_APPL)

510

#define GROUP_ALL 0xffffffff

511

512

===============================================================================

Address Options

Address options are identified by a case insensitive keyword. If the options

517

needs a parameter value, the option syntax is always:

518

OPTION=VALUE

519

Currently there do not exist options that take more than one argument;

520

sometimes, two values are combined to form one argument value, e.g. IP4 address

and port:

192.168.0.1:80

Note:

"Type" describes the type of data that may or must be given to the option and

526

that is passed to the system. There are some options with boolean semantics

527

(on/off or yes/no), but their values are passed to the system with an int

528

parameter. This situation is indicated as "Logical type: bool" and "Physical

529

type: int". In this case xioopen passes the physical value to the system,

530

giving the user one more hacking playground.

Option: append

Type: BOOL

Option group: FD

Phase: LATE

Platforms: all (UNIX98)

539

540

Sets the O_APPEND flag via a fcntl() call and F_SETFL; with OPEN type

541

addresses, this flag is applied with the open() call. All data written is

542

appended to the actual file end, even if other processes have written to or

543

truncated the file in the meantime.

Option: async

Type: BOOL

Option group: FD

Phase: LATE

Platforms: FreeBSD, Linux, SunOS

552

553

Sets the O_ASYNC (or FASYNC) flag via a fcntl() call and F_SETFL; with FILE

554

addresses, this flag is applied with the open() call. Consult your kernel

555

documentation for effects of this flag.

556

NOTE: socat does not handle the SIGIO signal.

Option: cloexec

Type: BOOL

Option group: FD

Phase: LATE

Platforms: all

Sets the FD_CLOEXEC (close-on-exec) flag on the file descriptor via a

567

fcntl()call with F_SETFD. Use with caution, because xioopen() makes use of this

568

flag to archieve what we consider the most reasonable behaviour; using this

569

option overrides xioopen's setting!

Option: flock-ex

Aliases: flock, lock

Type: BOOL

Option group: FD

Phase: FD

Platforms: FreeBSD, Linux

579

580

Applies the flock(fd, LOCK_EX) call to the file descriptor(s). This locks a file

581

exclusively (but only for processes also using flock() on this file - otherwise, they seem to have unrestricted access).

582

If the file is already locked with flock, our flock call blocks until the other

583

processes lock is released.

584

Note: the "lock" option name alias applies to this option only

585

if the fcntl locking mechanism is not available on a platform.

586

587

588

Option: flock-ex-nb

Aliases: flock-nb

Type: BOOL

Option group: FD

Phase: FD

Platforms: FreeBSD, Linux

595

596

Applies the flock(fd, LOCK_EX|LOCK_NB) call to the file descriptor(s). This locks a file

597

exclusively (but only for processes also using flock() on this file -

598

otherwise, they seem to have unrestricted access).

599

If the file is already locked with flock, our flock call returns the error

600

"Resource temporarily unavailable".

Option: flock-sh

Type: BOOL

Option group: FD

Phase: FD

Platforms: FreeBSD, Linux

609

610

Applies a shared advisory lock to the file using the flock(fd, LOCK_SH) call.

611

This prevents processes from locking the file exclusively.

612

If the file has already an exclusive lock, our flock call blocks until the

613

other processes lock is released.

614

615

616

Option: flock-sh-nb

Type: BOOL

Option group: FD

Phase: FD

Platforms: FreeBSD, Linux

622

623

Applies a shared advisory lock to the file using the flock(fd, LOCK_SH|LOCK_NB) call.

624

This prevents processes from locking the file exclusively.

625

If the file has already an exclusive lock, our flock call returns with error

626

"Resource temporarily unavailable".

Option: f-setlk-rd

Aliases: setlk-rd

Type: BOOL

Option group: FD

Phase: FD

Platforms: all

Locks the complete file with fcntl(fd, F_SETLK, {F_RDLCK}) (complete means from its

638

start to its maximal length). This locks the file exclusively (but only if the

639

other processes accessing this file also use f-setlk or f-setlkw - otherwise,

640

they seem to have unrestricted access). If the file is already locked with

641

f-setlk or f-setlkw, the fcntl call blocks until release by the other process.

Option: f-setlk-wr

Aliases: f-setlk, setlk-wr, setlk

Type: BOOL

Option group: FD

Phase: FD

Platforms: all

Locks the complete file with fcntl(fd, F_SETLK, {F_WRLCK}) (complete means from its

653

start to its maximal length). This locks the file exclusively (but only if the

654

other processes accessing this file also use f-setlk or f-setlkw - otherwise,

655

they seem to have unrestricted access). If the file is already locked with

656

f-setlk or f-setlkw, the fcntl call blocks until release by the other process.

657

658

659

Option: f-setlkw-rd

Aliases: setlkw-rd

Type: BOOL

Option group: FD

Phase: FD

Platforms: all

Locks the complete file with fcntl(fd, F_SETLKW, {F_RDLCK}) (complete means from its

668

start to its maximal length). This locks the file exclusively (but only if the

669

other processes accessing this file also use f-setlk or f-setlkw - otherwise,

670

they seem to have unrestricted access). If the file is already locked with

671

f-setlk or f-setlkw, fcntl returns with EAGAIN.

672

673

674

Option: f-setlkw-wr

675

Aliases: setlkw-wr, f-setlkw, setlkw, lockw, lock

Type: BOOL

Option group: FD

Phase: FD

Platforms: all

Locks the complete file with fcntl(fd, F_SETLKW, {F_WRLCK}) (complete means from its

683

start to its maximal length). This locks the file exclusively (but only if the

684

other processes accessing this file also use f-setlk or f-setlkw - otherwise,

685

they seem to have unrestricted access). If the file is already locked with

686

f-setlk or f-setlkw, fcntl returns with EAGAIN.

Option: fork

Type: BOOL

Option group: CHILD

Phase: PASTACCEPT

Platforms: all

Without fork (or fork=0), the listening process accepts exactly one

697

connections, and terminates afterwards. With fork set, it forks off a new socat

698

child process for each incoming connection.

699

It is very important to understand what socat does with this fork option:

700

The parent process remains in a loop of accept() and fork() calls until

701

terminated from outside. The child process leaves this loop and goes on with

702

the socat processing. If the fork occurs in the first address argument, the

703

child process continues with parsing and activating the second address

704

argument. This will in most cases be what you want or expect.

705

If the fork call occurs in socats second address argument, all children will

706

inherit and share the already activated first address.

707

708

709

Option: group=value

710

Aliases: gid=value

711

712

Type: GIDT or unsigned int

713

Option group: NAMED

Type: GIDT

Platforms: all

Takes one argument, a UNIX group name or a numeric group id. The first

718

character of value is a digit for group ids.

719

With NAMED addresses this option is applied via a chown() call, with a

720

fchown() call otherwise.

721

If groupname is a name it must be a valid groupname from /etc/group and is

722

converted to a group id with a getgrnam(3) call.

723

On most modern operating systems, the owner of the process must be member of

724

the group being set; only root may set any group, even numbers without group

725

name.

726

A Linux 2.2.10 kernel SIGSEGVs the process in the fchown() call when this

727

option is used with a socket or pipe. Is fixed with Linux 2.4.

728

LINUXBUG TESTCASE:

729

SH1: socat -D - unix-l:/tmp/socket,unlink-early

730

SH2: socat -d -d -d -d -D gopen:/tmp/socket,group=floppy -

731

732

733

Option: group-late=value

734

735

Type: GIDT or string

Option group: FD

Type: GIDT

Platforms: all

Takes one argument, a UNIX group name or a numeric group id. The first

741

character of value is a digit for group ids.

742

This option is applied via a fchown(2) call.

743

If groupname is a name it must be a valid groupname from /etc/group and is

744

converted to a group id with a getgrnam(3) call.

745

On most modern operating systems, the owner of the process must be member of

746

the group being set; only root may set any group, even numberic group ids

747

without group name.

Option: o-nonblock

Aliases: nonblock

Type: BOOL

Option group: FD

Phase: FD

Platforms: all (UNIX98)

757

758

Sets the O_NONBLOCK flag of a file descriptor via a fcntl(2) call and F_SETFL;

759

with OPEN type addresses, this flag is applied with the open() call.

760

It does not change the behaviour of socat's data transfer loop because socat

761

uses select() which blocks nevertheless.

762

Currently is has only two documented uses:

763

1) With address TCP, the connect() call

764

does not block; instead, it continues through the open step. The channel is

765

passed to the select() call. If something is written to the channel before it

766

is connected, this is an error. If connection fails, a read condition occurs

767

and read() returns the error.

768

2) Opening a named pipe does not block with this option.

Option: o-ndelay

Aliases: ndelay

Type: BOOL

Option group: FD

Phase: LATE

Platforms: HP-UX, SunOS (UNIX98)

778

779

Under Solaris it sets the O_NDELAY of the file descriptor via a fcntl(2) call

780

and F_SETFL; with OPEN type addresses, this flag is applied with the open()

781

call.

782

With all other operating systems, this is just another name for the nonblock option.

Option: o-noatime

Aliases: noatime

Type: BOOL

Option group: FD

Phase: FD

Platforms: Linux

Sets the O_NOATIME flag of a file descriptor via a fcntl(2) call and F_SETFL;

794

with OPEN type addresses, this flag is applied with the open() call.

795

It prevents the access time from being updated during read operations.

Option: perm=value

Aliases: mode=value

800

801

Type: MODET (mode_t)

802

Option group: NAMED

Phase: FD

Platforms: all

This option changes the mode (permissions) of an addresses inode. xioopen

807

tries to apply this option already during open phase. If the address does not

808

have a open phase or if the option cannot be applied there, the value is

809

applied directly on the file descriptor afterwards.

810

It is up to you to (1) have the permission to change the permissions, and (2)

811

not to set permissions that prevent you from performing your transactions :-)

812

NOTE: At least with some Linux 2.2, setting permissions on an existing file or

813

device with fchmod() does not change the permissions of its inode on disk. See

814

perm-early which uses chmod() instead.

815

NOTE: At least with some Linux 2.2, restricting mode on file descriptors does

816

not restrict this file descriptors data transfer capabilities.

817

818

819

Option: perm-late=value

820

821

Type: MODET (mode_t)

Option group: FD

Phase: LATE

Platforms: all

This option changes the mode (permissions) of a file descriptor with fchmod()

827

in the last phase of address processing.

828

829

830

Option: seek-set=offset

831

Aliases: lseek=offset, seek=offset

832

833

Type: OFF32 or OFF64

834

Option group: BLK

835

Phase: LATE

836

Platforms: HP-UX, Linux, SunOS

837

838

Positions the file at the given absolute offset, using lseek() (or lseek64() if

839

available) with SEEK_SET.

840

841

842

Option: seek-cur=offset

843

844

Type: OFF32 or OFF64

845

Option group: BLK

846

Phase: LATE

847

Platforms: HP-UX, Linux, SunOS

848

849

Positions the file at the given offset from the current position,

850

using lseek() (or lseek64() if available) with SEEK_SET.

851

852

853

Option: seek-end=offset

854

855

Type: OFF32 or OFF64

856

Option group: BLK

857

Phase: LATE

858

Platforms: HP-UX, Linux, SunOS

859

860

Positions the file at the given offset from the file end,

861

using lseek() (or lseek64() if available) with SEEK_END.

862

863

864

Option: lseek32-set=offset

865

Aliases: lseek32=offset

Type: OFF32

Option group: BLK

Phase: LATE

Platforms: HP-UX, Linux, SunOS

871

872

Positions the file at the given absolute offset using lseek() with SEEK_SET.

873

This call might fail for non

874

random access data objects like character devices or sockets.

875

NOTE: this option seems to be useless on files with O_APPEND set.

876

877

878

Option: lseek32-cur=offset

879

880

Type: OFF32 (instead of off_t)

881

Option group: BLK

882

Phase: LATE

883

Platforms: HP-UX, Linux, SunOS

884

885

Positions the file at the given offset from the current position using lseek()

886

with SEEK_CUR. This call

887

might fail for non random access data objects like character devices.

888

On Linux, the seek() call fails on pipes, sockets and ttys but works on files

889

and /dev/null

890

NOTE: this option seems to be useless on files with O_APPEND set.

891

892

893

Option: lseek32-end=offset

Type: OFF32

Option group: BLK

Phase: LATE

Platforms: HP-UX, Linux, SunOS

899

900

Positions the file at the given offset from the file end using lseek() with

901

SEEK_END. This call might fail

902

for non random access data objects like character devices.

903

NOTE: this option seems to be useless on files with O_APPEND set.

904

905

906

Option: lseek64-set=offset

907

Aliases: lseek64=offset

Type: OFF64

Option group: BLK

Phase: LATE

Platforms: all

Positions the file at the given absolute offset using lseek64() with SEEK_SET.

915

This call might fail for non

916

random access data objects like character devices or sockets.

917

NOTE: this option seems to be useless on files with O_APPEND set.

918

919

920

Option: lseek64-cur=offset

Type: OFF64

Option group: BLK

Phase: LATE

Platforms: all

Positions the file at the given offset from the current position using

928

lseek64() with SEEK_CUR. This call

929

might fail for non random access data objects like character devices.

930

NOTE: this option seems to be useless on files with O_APPEND set.

931

932

933

Option: lseek64-end=offset

Type: OFF64

Option group: BLK

Phase: LATE

Platforms: all

Positions the file at the given offset from the file end using lseek64() with

941

SEEK_END. This call might fail

942

for non random access data objects like character devices.

943

NOTE: this option seems to be useless on files with O_APPEND set.

944

945

946

Option: chroot=path

947

948

Type: STRING

949

Option group: PROCESS

Phase: LATE

Platforms: all

Invokes the chroot() system call with the given path after the address

954

resolution, so the path names of the address must be specified with absolute

955

pathes.

956

Note: when you combine chroot with substuser, with substuser applied within the

957

chroot environment, usually the etc/passwd and etc/group files in the chroot

958

environment are used for group set etc.

959

See appendix "generating a sandbox"

960

961

962

Option: chroot-early=path

963

964

Type: STRING

965

Option group: PROCESS

Phase: EARLY

Platforms: all

Invokes the chroot() system call with the given path before the address is

970

resolved, this means before file opening in OPEN, GOPEN and before program

971

execution in EXEC and SYSTEM, so their pathes must be specified related to

972

their chroot directory.

973

See appendix "generating a sandbox"

974

975

976

Option: setgid=group

977

978

Type: GIDT (gid_t or string)

979

Option group: PROCESS

Phase: LATE2

Platforms: all

Invokes setgid() with the group id. For EXEC and SYSTEM this call is performed

984

for the child process after the fork and therefore does not affect the socat

985

process directly. For LISTEN group addresses with fork option, this call is

986

performed only on the child processes. For all other addresses, it is performed

987

in the late phase of address processing, so it does not affect the address

988

where it is used, but for the next address (if any), and for the data loop.

989

Note: setgid() does not remove any groups from the current process group set.

990

991

992

Option: setuid=user

993

994

Type: UIDT (uid_t or string)

995

Option group: PROCESS

Phase: LATE2

Platforms: all

Invokes setuid() with the user id. For EXEC and SYSTEM this call is performed

1000

for the child process after the fork and therefore does not affect the socat

1001

process directly. For LISTEN group addresses with fork option, this call is

1002

performed only on the child processes. For all other addresses, it is performed

1003

in the late phase of address processing, so it does not affect the address

1004

where it is used, but the next address (if any), and the data loop.

1005

Note: setuid() is invoked AFTER setgid(), if both are applied.

1006

Note: setuid() does not influence the processes group set; in most cases, you

1007

want to prefer substuser option.

1008

1009

1010

Option: substuser=user

1011

Aliases: su=user

1012

1013

Type: UIDT (uid_t or string)

1014

Option group: PROCESS

Phase: LATE2

Platforms: all

Tries to switch the process to the given user and its group set.

1019

To make sure that the groups are set correctly for the new process owner, the

1020

system calls initgroups(), setgid(), and setuid() are invoked with the

1021

appropriate arguments.

1022

On sane operating system, this option requires root privileges.

1023

Note: this option sets the user and group ids of the process, but does not

1024

change the environment; therefore, all variables including $USER, $HOME,

1025

$LOGNAME, $SHELL etc. are inherited from the old users environment.

1026

Note: starting a SETUID program after applying substuser or setuid gives the

1027

process the SETUID owner, which might give root privileges again.

1028

1029

1030

Option: substuser-delayed=user

1031

Aliases: su-d=user

1032

1033

Type: UIDT (unsigned int or string)

1034

Option group: PROCESS

Phase: INIT

Platforms: all

Like substuser, but reads the user and group information in an early phase of

1039

address processing, but applies the appropriate system calls in a late

1040

phase. This allows to use user information from the host in a chroot

1041

environment, without exposing this data within the sandbox.

Option: o-trunc

Aliases: trunc

Type: BOOL

Option group: OPEN

Phase: LATE

Platforms: all

Sets the O_TRUNC flag of the open() call, thus truncating the file to zero

length.

#! block devices?

Option: ftruncate=value

1058

Aliases: truncate=value

1059

1060

Type: OFF32 or OFF64

1061

Option group: REG

1062

Phase: LATE

1063

Platforms: HP-UX, Linux, SunOS

1064

1065

Invokes the ftruncate() (or ftruncate64() if available) call for the file descriptor with the given value,

1066

thus reducing the length of the file to the given length.

1067

On Linux, ftruncate() fails on sockets and devices but works on regular files

1068

and pipes.

1069

#! block devices?

1070

Note: AIX docu says: for regular files only

1071

1072

1073

Option: ftruncate32=value

Type: OFF32

Option group: REG

Phase: LATE

Platforms: HP-UX, Linux, SunOS

1079

1080

Invokes the ftruncate() call (even if ftruncate64() is available) call for the file descriptor with the given value,

1081

thus reducing the length of the file to the given length.

1082

1083

1084

Option: ftruncate64=value

Type: OFF64

Option group: REG

Phase: LATE

Platforms: all

Invokes the ftruncate64() call if available, for the file descriptor with the given value,

1092

thus reducing the length of the file to the given length.

Option: o-binary

Aliases: binary, bin

Type: BOOL

Option group: FD

Phase: OPEN

Platforms: none; Cygwin

1102

1103

Sets the O_BINARY flag with open() or fcntl() to avoid implicit line terminator conversions.

Option: o-text

Aliases: text

Type: BOOL

Option group: FD

Phase: OPEN

Platforms: none; Cygwin

1113

1114

Sets the O_TEXT flag with open() or fcntl() to force implicit line terminator conversions.

1115

1116

1117

Option: o-noinherit

Aliases: noinherit

Type: BOOL

Option group: FD

Phase: OPEN

Platforms: none; Cygwin

1124

1125

Sets the O_NOINHERIT flag with open() or fcntl() to not keep this file open in a spawned process.

Option: cool-write

Aliases: coolwrite

Type: BOOL

Option group: FD

Phase: INIT

Platforms: all

Takes it easy when write fails with EPIPE or ECONNRESET and logs the message

1137

with notice level instead of error.

1138

This prevents the log file from being filled with useless error messages

1139

when socat is used as a high volume server or proxy where clients often

1140

abort the connection.

1141

This option is experimental.

Option: end-close

Aliases: close

Type: CONST

Option group: FD

Phase: INIT

Platforms: all

Changes the (address dependent) method to close a connection to just close

1153

the file descriptors. This is useful when the connection is to be reused by

1154

or shared with other processes.

1155

Normally, socket connections will be ended with shutdown(2) which

1156

terminates the socket even if it is shared by multiple processes.

1157

close(2) "unlinks" the socket from the process but keeps it active as

1158

long as there are still links from other processes.

1159

Similarly, when an address of type EXEC or SYSTEM is ended, socat usually

1160

will explicitely kill the sub process. With this option, it will just close

1161

the file descriptors.

Option: user=value

Aliases: owner=value, uid=value

1166

1167

Type: UIDT (unsigned int or string)

1168

Option group: NAMED

Phase: FD

Platforms: all

Takes one argument, a UNIX user name or a numeric user id. The first

1173

character of value is a digit for user ids.

1174

For NAMED addresses, if the file already exists, this option is applied via a

1175

chown() call, with fchown() for all other cases.

1176

If username is a name it must be a valid username from /etc/passwd and is

1177

converted to a user id with a getpwnam() call.

1178

On sane operating systems, the owner of the process must be root to change

1179

the owner of a file descriptor; root may even apply undefined (unnamed) user

1180

ids.

1181

My Linux 2.2 kernel SIGSEGVs the process in the fchown() call when this

1182

option is used with a (UNIX, unconnected or connected) socket or pipe. Linux

1183

2.4.0 handles this call correctly.

1184

TESTCASE: ./socat -d -d -d -d - tcp:loopback:21,user=root

1185

1186

1187

Option: user-late=value

1188

Aliases: uid-l=value

1189

1190

Type: UIDT (unsigned int or string)

Option group: FD

Phase: LATE

Platforms: all

Takes one argument, a UNIX user name or a numeric user id. The first

1196

character of value is a digit for user ids.

1197

This option is applied via a fchown() call just before xioopen_single()

1198

terminates.

1199

If username is a name it must be a valid username from /etc/passwd and is

1200

converted to a user id with a getpwnam() call.

1201

On sane operating systems, the owner of the process must be root to change

1202

the owner of a file descriptor; root may even apply undefined (unnamed) user

1203

ids.

1204

My Linux 2.2 kernel SIGSEGVs the process in the fchown() call when this

1205

option is used with a socket or pipe.

1206

1207

1208

===============================================================================

1209

OPEN group options

1210

Options of this group may be used with all addresses that support OPEN group

options.

Option: o-rdonly

Aliases: rdonly

Type: BOOL (inherent - no value)

Option group: OPEN

Phase: OPEN

Platforms: all

Use O_RDONLY with the open() call instead of the position dependend default.

1223

Take care not to block later write operations.

Option: o-wronly

Aliases: wronly

Type: BOOL (inherent - no value)

Option group: OPEN

Phase: OPEN

Platforms: all

Use O_WRONLY with the open() call instead of the position dependend default.

1235

Take care not to block later write operations.

Option: o-rdwr

Aliases: rdwr

Type: BOOL (inherent - no value)

Option group: OPEN

Phase: OPEN

Platforms: all

Use O_RDWR with the open() call instead of the position dependend default.

Option: o-create

Aliases: create, creat

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: all

Sets the O_CREAT flag of the open() call. This means that it is not an error if

1258

the file does not exist.

Option: o-defer

Aliases: defer

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: none

Sets the O_DEFER flag of the open() call. This means that write data is stored

1270

in paging space until an fsync() call.

Option: o-delay

Aliases: delay

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: none

Sets the O_DELAY flag of the open() call. This lets open block until the share

1282

conditions are fulfilled (see nshare, rshare)

Option: o-direct

Aliases: direct

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: FreeBSD, HP-UX, Linux

1292

1293

Sets the O_DIRECT flag of the open() call.

1294

1295

1296

Option: o-directory

Aliases: directory

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: Linux

Sets the O_DIRECTORY flag of the open() call. This lets open fail if the given

1305

path is not a directory. This does not seem to be useful with socat.

Option: o-dsync

Aliases: dsync

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: HP-UX, Linux, SunOS (UNIX98)

1315

1316

Sets the O_DSYNC flag with the open() call. This lets write() calls wait until

1317

modification metainfo is physically written to media.

Option: o-excl

Aliases: excl

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: all

Sets the O_EXCL flag of the open() call.

1329

1330

1331

Option: o-largefile

Aliases: largefile

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: HP-UX, Linux, SunOS

1338

1339

Sets the O_LARGEFILE flag of the open() flag.

Option: o-noctty

Aliases: noctty

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: all

Sets the O_NOCTTY flag of the open() call, so the opened device does not become

1351

the controlling tty of the process.

Option: o-nofollow

Aliases: nofollow

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: FreeBSD, Linux

1361

1362

Sets the O_NOFOLLOW flag of the open() call. This means that the last component

1363

of the open path must no be a symlink.

Option: o-sync

Aliases: sync

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: all (UNIX98)

1373

1374

Sets the O_SYNC flag with the open() call. This lets write() calls wait until

1375

data is physically written to media.

Option: o-rshare

Aliases: rshare

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: none

Sets the O_RSHARE flag of the open() call. This means that the file must not be

1387

opened for writing by other processes ("read sharing").

Option: o-nshare

Aliases: nshare

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: none

Sets the O_NSHARE flag of the open() call. This means that the file must not be

1399

shared with other processes ("no sharing").

Option: o-rsync

Aliases: rsync

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: HP-UX, Linux, SunOS (UNIX98)

1409

1410

Sets the O_RSYNC flag with the open() call. This lets write() calls wait until

1411

read metainfo is physically written to media.

Option: o-priv

Aliases: priv

Type: BOOL

Option group: OPEN

Phase: OPEN

Platforms: none (Solaris)

1421

1422

Sets the O_PRIV flag with the open() call.

1423

1424

===============================================================================

1425

NAMED group options

1426

This group is valid for all addresses that refer to a file system entry like

1427

file, device, named pipe, or named UNIX domain socket.

1428

1429

1430

Option: unlink-early

Aliases: new

Type: BOOL

Option group: NAMED

Phase: EARLY

Platforms: all

This options tries to remove the filesystem entry given in the address before

1439

starting any other processing (even before user-early, perm-early, or

1440

group-early). unlink() is called; note that this call, in contrast to rm(1),

1441

removes entries regardless of their permissions. Instead, ownership or root

1442

privileges and write permissions in the directory are required and sufficient.

Option: unlink

Type: BOOL

Option group: NAMED

Phase: PREOPEN

Platforms: all

This options tries to remove the filesystem entry given in the address before

1453

it is tried to open, but past user-early, perm-early, or group-early).

1454

unlink() is called; note that this call, in contrast to rm(1), removes entries

1455

regardless of their permissions. Instead, ownership or root privileges and

1456

write permissions in the directory are required and sufficient.

1457

1458

1459

Option: unlink-late

1460

1461

Type: BOOL

1462

Option group: NAMED

Phase: PASTOPEN

Platforms: all

This option tries to remove the filesystem entry after it has been opened.

1467

Options can still be applied to the file descriptor, and

1468

the node or files data can be used, but it can no longer be accessed by other

1469

processes (except by tricks?), and after closing the stream the data or node is

1470

completely removed.

1471

unlink() is called; note that this call, in contrast to rm(1), removes entries

1472

regardless of their permissions. Instead, ownership or root privileges and

1473

write permissions in the directory are required and sufficient.

1474

1475

1476

Option: perm-early=value

1477

1478

Type: MODET (mode_t)

1479

Option group: NAMED

Phase: PREOPEN

Platforms: all

This option changes the mode (permissions) of an already existing filesystem

1484

entry with chmod() before the file is opened or after the UNIX domain socket is

1485

bound, but before it listens/connects.

1486

1487

1488

Option: user-early=value

1489

Aliases: uid-e=value

1490

1491

Type: UIDT (unsigned int or string)

1492

Option group: NAMED

Phase: PREOPEN

Platforms: all

Takes one argument, a UNIX user name or a numeric user id. The first

1497

character of value is a digit for user ids.

1498

This option is applied via a chown() call before the file system entry is

1499

opened or after the UNIX domain socket is bound, but before it starts to

1500

listen/connect.

1501

If username is a name it must be a valid username from /etc/passwd and is

1502

converted to a user id with a getpwnam() call.

1503

On sane operating systems, the owner of the process must be root to change

1504

the owner of a file descriptor; root may even apply undefined (unnamed) user

ids.

Option: group-early=value

1509

Aliases: gid-e=value

1510

1511

Type: GIDT (unsigned int or string)

1512

Option group: NAMED

Phase: PREOPEN

Platforms: all

Takes one argument, a UNIX group name or a numeric group id. The first

1517

character of value is a digit for group ids.

1518

This option is applied via a chown() call before the file system entry is

1519

opened or after the UNIX domain socket is bound, but before it

1520

listens/connects.

1521

If groupname is a name it must be a valid groupname from /etc/group and is

1522

converted to a group id with a getgrnam() call.

1523

On most modern operating systems, the owner of the process must be member of

1524

the group being set; only root may set any group, even numbers without group

name.

Option: umask=value

1529

1530

Type: MODET

1531

Option group: NAMED

Phase: EARLY

Platforms: all

Sets the umask before opening a file or creating a UNIX domain socket. This is

1536

especially useful for these sockets, because there interface does not provide a

mode argument.

Option: unlink-close

1541

1542

Type: BOOL

1543

Option group: NAMED

Phase: LATE

Platforms: all

Remove the addresses file system entry when closing the address.

1548

For named pipes, listening unix domain sockets, and the symbolic links of pty

1549

addresses, the default is 1; for created files, opened files, generic opened

1550

files, and client unix domain sockets the default is 0.

1551

1552

1553

===============================================================================

1554

FORK and EXEC options

1555

1556

Option: path=string

Type: STRING

Option group: EXEC

Phase: PREEXEC

Platforms: all

Changes the PATH environment variable in the child process before the exec() or

system() call.

Option: nofork

Type: BOOL

Option group: FORK

Phase: BIGEN

Platforms: all

Does not fork a subprocess for executing the program, instead calls execvp()

1575

directly from the actual socat instance. This avoids the overhead of another process

1576

between the program and the communication peer, but introduces lots of

1577

restrictions:

1578

* this option can only be applied to the second socat() address.

1579

* the first socat address cannot be OPENSSL or READLINE

1580

* socat options -b, -t, -D, -l, -v, -x, -t become useless

1581

* for both addresses, options ignoreeof, cr and crnl become useless

1582

* for the second address (the one with option nofork), options

1583

append, async, cloexec, flock, user, group, mode, nonblock,

1584

perm-late, setlk, and setpgid cannot be applied, and should be used on the

1585

first address instead.

Option: pipes

Type: BOOL

Option group: FORK

Phase: BIGEN

Platforms: all

For communication between the exec() or system() subprocess with socat, use two

1596

unnamed pipes instead of creating a socket pair.

Option: pty

Type: BOOL

Option group: FORK

Phase: BIGEN

Platforms: all

For communication between the exec() or system() subprocess with socat, use a

1607

pseudo terminal instead of a socket pair. The executed program gets the slave

1608

side, and socat the controlling side of the pseudo terminal.

1609

This is especially useful if you want to use, e.g., chat with socat (see

1610

EXAMPLES). Plus, ptys do not buffer I/O.

1611

Note: implementation of pseudo terminals are differing between platforms, so

1612

extra porting struggles might be required for porting this feature.

Option: fdin=num

Type: USHORT

Option group: FORK

Phase: PASTBIGEN

Platforms: all

After forking the child process, assign the stream where the child

1623

receives data from socat, to file descriptor num instead of stdin.

Option: fdout=num

Type: USHORT

Option group: FORK

Phase: PASTBIGEN

Platforms: all

After forking the child process, assign the stream where the child

1634

writes data to socat, to file descriptor num instead of stdout.

Option: stderr

Type: BOOL

Option group: FORK

Phase: PASTFORK

Platforms: all

Normally, the stderr filedescriptor of the forked program is a clone of socat's

1645

stderr fd. If this option is used, the programs stderr filedescriptor is a copy

1646

of the "normal" data output of the program, i.e. of its stdout or fdout.

Option: setsid

Aliases: sid

Type: BOOL

Option group: PROCESS

Phase: LATE

Platforms: all

Invokes setsid() to make the forked off subprocess the leader of a new

1658

session. This also generates a new process group with this process as leader.

1659

This is useful, e.g., when exec'ing ssh to get the password prompt into the I/O

1660

channel (see EXAMPLES)

Option: setpgid

Aliases: pgid

Type: INT

Option group: FORK

Phase: LATE

Platforms: all

Invokes setpgid(0, val) from the child process.

Option: tiocsctty

Aliases: ctty

Type: BOOL

Option group: TERMIOS

Phase: LATE2

Platforms: all

Applies only in combination with the pty option or its variants. Tries to make

1683

the pty the controlling terminal. May require option setsid to work correctly.

Option: dash

Aliases: login

Type: BOOL

Option group: EXEC

Phase: PREEXEC

Platforms: all

Prefixes argv[0] for the execvp() call with '-', thus making a shell behave as

login shell.

Option: sighup

Type: CONST

Option group: PARENT

Phase: LATE

Platforms: all

Has socat pass an eventual SIGHUP signal to the sub process.

1706

If no address has this option, socat terminates on SIGHUP.

Option: sigint

Type: CONST

Option group: PARENT

Phase: LATE

Platforms: all

Has socat pass an eventual SIGINT signal to the sub process.

1717

If no address has this option, socat terminates on SIGINT.

Option: sigquit

Type: CONST

Option group: PARENT

Phase: LATE

Platforms: all

Has socat pass an eventual SIGQUIT signal to the sub process.

1728

If no address has this option, socat dumps core and terminates on SIGQUIT.

1729

1730

1731

===============================================================================

1732

PTY options

1733

These options may be used with addresses that create a pseudo terminal (pty).

1734

In particular, these are addresses EXEC, SYSTEM, and PTY.

Option: openpty

Type: BOOL

Option group: PTY

Phase: BIGEN

Platforms: FreeBSD, Linux

1743

1744

Like pty, but only use the openpty mechanism, not any other way for pty

generation.

Option: ptmx

Type: BOOL

Option group: PTY

Phase: BIGEN

Platforms: HP-UX, Linux, SunOS

1754

1755

Like pty, but only use the /dev/ptmx (/dev/ptc on AIX) mechanism, not any other

1756

way for pty generation.

1757

1758

1759

Option: symbolic-link=filename

Type: FILENAME

Option group: PTY

Phase: LATE

Platforms: all

Generates a symbolic link that points to the actual pseudo terminal (pty). This

1767

might help to solve the problem that ptys are generated with more or less

1768

unpredictable names, making it difficult to directly access the socat generated

1769

pty automatically. With this option, the user can specify a "fix" point in the

1770

file hierarchy that helps him to access the actual pty.

1771

1772

1773

Option: pty-wait-slave

1774

Aliases: wait-slave, waitslave

Type: BOOL

Option group: PTY

Phase: EARLY

Platforms: all

Blocks the open phase until a process opens the slave side of the pty.

1782

Usually, socat continues after generating the pty with opening the next

1783

address or with entering the transfer engine. With the wait-slave option,

1784

socat waits until some process opens the slave side of the pty before

1785

continuing.

1786

This option only works if the operating system provides the tt(poll())

1787

system call. And it depends on an undocumented behaviour of pty's, so it

1788

does not work on all operating systems. It has successfully been tested on

1789

Linux, FreeBSD, NetBSD, and on Tru64 with openpty.

1790

1791

1792

Option: pty-interval

Type: TIMESPEC

Option group: PTY

Phase: EARLY

Platforms: all

When the wait-slave option is set, socat periodically checks the HUP

1800

condition using poll() to find if the pty's slave side has been

1801

opened. The default

1802

polling interval is 1s. Use the pty-interval option to change this value.

1803

1804

1805

===============================================================================

1806

SOCKET options

1807

These are options that may be applied to all socket type addresses: UNIX

1808

(LOCAL) domain sockets (even with EXEC type addresses if not pipes), IP, and

IPv6.

Option: so-debug

Aliases: debug

Logical type: bool

Physical type: INT

Option group: SOCKET

1818

Phase: PASTSOCKET

1819

Platforms: all (UNIX98)

1820

1821

Sets the SO_DEBUG socket option. Requires root.

1822

1823

1824

Option: so-acceptconn

1825

Aliases: acceptconn

Logical type: bool

Physical type: INT

Option group: SOCKET

1830

Phase: PASTSOCKET

1831

Platforms: all (UNIX98)

1832

1833

Tries to set the SO_ACCEPTCONN socket option. Read-only!

1834

1835

1836

Option: so-broadcast

Aliases: broadcast

Logical type: bool

Physical type: INT

Option group: SOCKET

1842

Phase: PASTSOCKET

1843

Platforms: all (UNIX98)

1844

1845

Sets the SO_BROADCAST socket option.

1846

1847

1848

Option: so-reuseaddr

Aliases: reuseaddr

Logical type: bool

Physical type: INT

Option group: SOCKET

1854

Phase: PASTSOCKET

1855

Platforms: all (UNIX98)

1856

1857

Sets the SO_REUSEADDR socket option. Allows to bind to a port even if this

1858

port is already used for a connection.

1859

1860

1861

Option: so-keepalive

Aliases: keepalive

Logical type: bool

Physical type: INT

Option group: SOCKET

1867

Phase: FD

1868

Platforms: all (UNIX98)

1869

1870

Sets the SO_KEEPALIVE socket option.

1871

1872

1873

Option: so-linger=value

1874

Aliases: linger=value

1875

1876

Type: LINGER

1877

Option group: SOCKET

1878

Phase: PASTSOCKET

1879

Platforms: all (UNIX98)

1880

1881

Activates the SO_LINGER option and sets a value (seconds) for it.

1882

This lets shutdown() or close() block until data transfers have finished or the

1883

given value timed out.

1884

Note: on some systems, the type for setsockopt() is struct { int; int; }

1885

In this case, xioopen() sets {1,value}.

1886

1887

1888

Option: so-oobinline

Aliases: oobinline

Logical type: bool

Physical type: INT

Option group: SOCKET

1894

Phase: PASTSOCKET

1895

Platforms: all (UNIX98)

1896

1897

Sets the SO_OOBINLINE socket option.

1898

1899

1900

Option: so-sndbuf=value

1901

Aliases: sndbuf=value

1902

1903

Type: INT

1904

Option group: SOCKET

1905

Phase: PASTSOCKET

1906

Platforms: all (UNIX98)

1907

1908

Sets the SO_SNDBUF option of the socket to the given value. This option is

1909

applied after the socket() (or socketpair()) call.

1910

NOTE: The kernel might change the effective value:

1911

My Linux 2.2 with TCP doubles the value, but uses at least 2048.

1912

1913

1914

Option: so-sndbuf-late=value

1915

Aliases: sndbuf-late=value

1916

1917

Type: INT

1918

Option group: SOCKET

1919

Phase: LATE

1920

Platforms: all (UNIX98)

1921

1922

Sets the SO_SNDBUF option of the socket to the given value. This option is

1923

applied after the connect() or accept() (or socketpair) call.

1924

NOTE: The kernel might change the effective value:

1925

My Linux 2.2 with TCP doubles the value, but uses at least 2048, and a

1926

maximum of 131070 (system limit?).

1927

1928

1929

Option: so-rcvbuf=value

1930

Aliases: rcvbuf=value

1931

1932

Type: INT

1933

Option group: SOCKET

1934

Phase: PASTSOCKET

1935

Platforms: all (UNIX98)

1936

1937

Sets the SO_RCVBUF option of the socket to the given value. This option is

1938

applied after the socket() call.

1939

NOTE: The kernel might change the effective value:

1940

My Linux 2.2 with TCP connect doubles the value, but uses at least 256 and

1941

at most 131070.

1942

My Linux 2.2 with TCP listen doubles the value but uses at least 11772.

1943

NOTE: For applying the SO_RCVBUF options after the connect() or accept() calls

see rcvbuf-late.

Option: so-rcvbuf-late=value

1948

Aliases: rcvbuf-late=value

1949

1950

Type: INT

1951

Option group: SOCKET

1952

Phase: LATE

1953

Platforms: all (UNIX98)

1954

1955

Sets the SO_RCVBUF option of the socket to the given value. This option is

1956

applied after the connect() or listen() call.

1957

NOTE: The kernel might change the effective value:

1958

My Linux 2.2 with TCP doubles the value, but uses at least 256 and maximal

1959

131070.

1960

NOTE: sequence of this call may be relevant for the effecting value (AIX

1961

4.3.3). For applying the SO_RCVBUF option immediately after the socket() call

see rcvbuf.

Option: so-error

Aliases: error

Logical type: bool

Physical type: INT

Option group: SOCKET

1971

Phase: PASTSOCKET

1972

Platforms: all (UNIX98)

1973

1974

Tries to set the SO_ERROR socket option which is a read-only option.

1975

On my Linux 2.2 it gives "protocol not available".

1976

1977

1978

Option: so-type=value

1979

Aliases: type=value

1980

1981

Type: INT

1982

Option group: SOCKET

Phase: PASTSOCKET

Platforms: all

Set the sockettype argument of the socket() or socketpair() call. This

1987

overrides the per

1988

protocol default (e.g., TCP: SOCK_STREAM). Most values might

1989

not be supported by a given protocol.

1990

The following combinations are known to work at least under one OS:

1991

TCP SOCK_STREAM (system default)

1992

UDP SOCK_DGRAM (system default)

1993

IP SOCK_RAW (socat default)

1994

UNIX SOCK_STREAM (system default)

UNIX SOCK_DGRAM

Option: so-dontroute

Aliases: dontroute

Logical type: bool

Physical type: INT

Option group: SOCKET

2004

Phase: PASTSOCKET

2005

Platforms: all (UNIX98)

2006

2007

Sets the SO_DONTROUTE socket option.

2008

2009

2010

Option: so-rcvlowat=value

2011

Aliases: rcvlowat=value

2012

2013

Type: INT

2014

Option group: SOCKET

2015

Phase: PASTSOCKET

2016

Platforms: all (UNIX98)

2017

2018

Sets the SO_RCVLOWAT socket option. Cannot be changed in Linux (always

2019

gives "protocol not available").

2020

2021

2022

Option: so-rcvtimeo=value

2023

Aliases: rcvtimeo=value

2024

2025

Provided type: double

2026

Physical type: TIMEVAL (long[2])

2027

Option group: SOCKET

2028

Phase: PASTSOCKET

2029

Platforms: all (UNIX98)

2030

2031

Sets the SO_RCVTIMOE socket option. Cannot be changed in Linux (always

2032

gives "protocol not available").

2033

2034

2035

Option: so-sndlowat=value

2036

Aliases: sndlowat=value

2037

2038

Type: INT

2039

Option group: SOCKET

2040

Phase: PASTSOCKET

2041

Platforms: all (UNIX98)

2042

2043

Sets the SO_SNDLOWAT socket option. Cannot be changed in Linux (always

2044

gives "protocol not available").

2045

2046

2047

Option: so-sndtimeo=value

2048

Aliases: sndtimeo=value

2049

2050

Provided type: double

2051

Physical type: TIMEVAL (long[2])

2052

Option group: SOCKET

2053

Phase: PASTSOCKET

2054

Platforms: all (UNIX98)

2055

2056

Sets the SO_SNDTIMEO socket option. Cannot be changed in Linux (always

2057

gives "protocol not available").

Option: so-audit

Aliases: audit

Type: INT

Option group: SOCKET

Phase: PASTSOCKET

Platforms: none

Sets the SO_AUDIT socket option.

2069

2070

2071

Option: so-attach-filter

2072

Aliases: attach-filter, attachfilter

2073

2074

Type: INT

2075

Option group: SOCKET

Phase: PASTSOCKET

Platforms: Linux

Linux docu recommends to use libpcap for this feature.

2080

"protocol not available", need kernel CONFIG_FILTER!

2081

2082

2083

Option: so-detach-filter

2084

Aliases: detach-filter, detachfilter

2085

2086

Type: INT

2087

Option group: SOCKET

Phase: PASTSOCKET

Platforms: Linux

See Linux "man 7 socket".

2092

"protocol not available", need kernel CONFIG_FILTER!

2093

2094

2095

Option: so-bindtodevice=string

2096

Aliases: bindtodevice, interface, if

2097

2098

Type: NAME

2099

Option group: SOCKET

Phase: PASTSOCKET

Platforms: Linux

Binds the socket to a net interface, e.g. lo0 or eth0 (interface names depend

2104

on operating system). Might require root privilege.

2105

2106

2107

Option: so-bsdcompat

Aliases: bsdcompat

Logical type: bool

Physical type: INT

Option group: SOCKET

Phase: PASTSOCKET

Platforms: none

Sets the SO_BSDCOMPAT socket option. See Linux "man 7 socket".

2117

2118

2119

Option: so-cksumrecv

Aliases: cksumrecv

Logical type: bool

Physical type: INT

Option group: SOCKET

Phase: PASTSOCKET

Platforms: none

Sets the SO_CKSUMRECV socket option.

2129

2130

2131

Option: so-kernaccept

2132

Aliases: kernaccept

Logical type: bool

Physical type: INT

Option group: SOCKET

Phase: PASTSOCKET

Platforms: none

Sets the SO_KERNACCEPT socket option.

2141

2142

2143

Option: so-no-check

2144

Aliases: no-check, nocheck

Logical type: bool

Physical type: INT

Option group: SOCKET

Phase: PASTSOCKET

Platforms: Linux

Sets the SO_NO_CHECK socket option." Intentionally undocumented" under

2153

Linux (see "man 7 socket"), don't know what it does....

2154

2155

2156

Option: so-noreuseaddr

2157

Aliases: noreuseaddr

2158

2159

Type: INT?

2160

Option group: SOCKET

Phase: PASTSOCKET

Platforms: none

Sets the SO_NOREUSEADDR socket option.

Option: passcred

Aliases: so-passcred

2169

2170

Type: INT

2171

Option group: SOCKET

Phase: PASTSOCKET

Platforms: Linux

Sets the SO_PASSCRED option of a socket.

2176

2177

2178

Option: so-peercred

2179

Aliases: peercred

2180

2181

Type: INT3 or int[3]?

2182

Option group: SOCKET

Phase: PASTSOCKET

Platforms: Linux

Enables receiving of credentials. Read only.

2187

Not really implemented yet.

2188

Nevertheless, Gives "Protocol not available".

2189

2190

2191

Option: so-priority=value

2192

Aliases: priority=value

2193

2194

Type: INT

2195

Option group: SOCKET

Phase: PASTSOCKET

Platforms: Linux

Sets the protocol defined priority for all packets to be sent on this socket.

2200

Docu says it requires root privileges. Normal user may set 0..6 for UNIX domain

2201

and TCP client sockets on Linux 2.2. root may send any int value.

2202

2203

2204

Option: so-reuseport

Aliases: reuseport

Type: INT?

Option group: SOCKET

2209

Phase: PASTSOCKET

2210

Platforms: FreeBSD, HP-UX

2211

2212

Sets the SO_REUSEPORT socket option.

2213

2214

2215

Option: so-security-authentication

2216

Aliases: security-authentication, securityauthentication

2217

2218

Type: INT?

2219

Option group: SOCKET

Phase: PASTSOCKET

Platforms: Linux

Sets the SO_SECURITY_AUTHENTICATION socket option. Gives "protocol not

2224

available" error.

2225

In Linux 2.2.16 source, only exists in asm-*/socket.h

2226

2227

2228

Option: so-security-encryption-network

2229

Aliases: security-encryption-network, securityencryptionnetwork

2230

2231

Type: INT?

2232

Option group: SOCKET

Phase: PASTSOCKET

Platforms: Linux

Sets the SO_SECURITY_ENCRYPTION_NETWORK option of the socket. Gives "protocol

2237

not available" error.

2238

In Linux 2.2.16 source, only exists in asm-*/socket.h

2239

2240

2241

Option: so-security-encryption-transport

2242

Aliases: security-encryption-transport, securityencryptiontransport

2243

2244

Type: INT?

2245

Option group: SOCKET

Phase: PASTSOCKET

Platforms: Linux

Sets the SO_SECURITY_ENCRYPTION_TRANSPORT option of the socket. Gives "protocol

2250

not available" error.

2251

In Linux 2.2.16 source, only exists in asm-*/socket.h

2252

2253

2254

Option: so-use-ifbufs

2255

Aliases: use-ifbufs, useifbufs

2256

2257

Type: INT?

2258

Option group: SOCKET

Phase: PASTSOCKET

Platforms: none

Sets the SO_USE_IFBUFS socket option.

2263

2264

2265

Option: so-useloopback

2266

Aliases: useloopback

2267

2268

Type: INT?

2269

Option group: SOCKET

2270

Phase: PASTSOCKET

2271

Platforms: FreeBSD, HP-UX, SunOS

2272

2273

Sets the SO_USELOOPBACK socket option.

2274

2275

2276

Option: so-dgram-errind

2277

Aliases: dgram-errind, dgramerrind

2278

2279

Logical type: bool?

2280

Physical type: INT?

2281

Option group: SOCKET

Phase: PASTSOCKET

Platforms: SunOS

Sets the SO_DGRAM_ERRIND flag.

2286

2287

2288

Option: so-dontlinger

2289

Aliases: dontlinger

2290

2291

Type: INT?

2292

Option group: SOCKET

Phase: PASTSOCKET

Platforms: SunOS

Sets the SO_DONTLINGER socket option.

2297

2298

2299

Option: so-prototype

Aliases: prototype

Type: INT?

Option group: SOCKET

2304

Phase: PASTSOCKET

2305

Platforms: HP-UX, SunOS

2306

2307

Sets the SO_PROTOTYPE socket option.

Option: type

Type: INT

Option group: SOCKET

Phase: PASTSOCKET

Platforms: all

Sets the type of the socket, usually as argument to the socket() or

2318

socketpair() call, to <type>. Under Linux, 1 means stream oriented socket, 2

2319

means datagram socket, and 3 means raw socket.

2320

2321

2322

Option: protocol-family

Aliases: pf

Type: STRING

Option group: SOCKET

Phase: PRESOCKET

Platforms: all

Forces the use of the specified IP version. <string> can be something like

"ip4" or "ip6".

Option: fiosetown

Logical type: bool

Physical type: INT

Option group: SOCKET

2339

Phase: PASTSOCKET

2340

Platforms: FreeBSD, Linux

2341

2342

Sets the FIOSETOWN ioctl (in "man 7 socket" called FIOCSETOWN).

#Option: ciocspgrp

#

#Allowed in addresses: SOCKET

2348

#Logical type: bool

2349

#Physical type: int

2350

#

2351

#Sets the CIOCSPGRP ioctl.

2352

2353

2354

#Option: addr=value

2355

#

2356

#Allowed in addresses: SOCKET

2357

#Type: socket-address

2358

#

2359

#For client socket, sets the local (bind) address. Not yet implemented.

2360

2361

2362

Option: bind=socketaddress

2363

2364

Type: STRING

2365

Option group: SOCKET

Phase: BIND

Platforms: all

Gives the address to be used in the bind(2) system call. The format of the

2370

socketaddress depends on the socket type (see below). For "client" sockets this

2371

option inserts a bind(2) call between socket(2) and connect(2) calls. For

2372

"server" sockets this option is ignored! For datagram sockets behaviour of this

2373

option is currently unspecified.

2374

Note: for client sockets in the UNIX domain this option is not useful: with the

2375

same address as connect it will conflict with the bind call of the server

2376

socket; another address for bind is ignored (with Linux 2.2).

2377

For TCP sockets these formats are currently implemented:

HOSTNAME

HOSTNAME:PORT

IPADDR

IPADDR:PORT

:PORT

.PORT

Option: connect-timeout=seconds

2387

2388

Type: TIMEVAL

2389

Option group: SOCKET

Phase: PASTSOCKET

Platforms: all

Abort the connection attempt after the given time with error status.

2394

2395

#

2396

Option: backlog=value

2397

2398

Type: INT

2399

Option group: LISTEN

Phase: LISTEN

Platforms: all

Sets the value to be used with the listen(2) system call. The default is 5.

2404

It does not seem to work for Linux 2.2; Linux seems to allow much more

2405

established connections, but then they stay even after server process

shutdown...

Option: range=address:mask, range=address/bits

2410

2411

Type: STRING

2412

Option group: RANGE

2413

Phase: ACCEPT

2414

Platforms: all

2415

Implementation status: only for INET (IP4) addresses

2416

2417

Defines a subnet where clients may connect from. If other clients connect the

2418

accepted connection is shut down immediately after examination of the client

2419

address. If this option is not used, the default is 0.0.0.0:0.0.0.0, allowing

2420

arbitrary client addresses. bits is the number of high order bits that must

2421

match between the range value and the clients address.

2422

2423

2424

Option: tcpwrap, tcpwrap=name

2425

2426

Type: STRING_NULL

2427

Option group: RANGE

2428

Phase: ACCEPT

2429

Platforms: (depends on libwrap installation)

2430

2431

Uses the rules introduced by Wietse Venema's libwrap (tcpd) library to check

2432

if the client is allowed to connect. The configuration files are

2433

/etc/hosts.allow and /etc/hosts.deny. See "man 5 hosts_access" for

2434

more information. <name> is passed to the wrapper functions as daemon

2435

process name. If omitted, the basename of socats invokation (argv[0]) is

2436

passed.

2437

If both tcpwrap and and range options are applied to an address, both

2438

conditions must be fulfilled to allow the connection.

2439

2440

2441

Option: hosts-allow, tcpwrap-hosts-allow-table

2442

2443

Type: FILENAME

2444

Option group: RANGE

2445

Phase: ACCEPT

2446

Platforms: (depends on libwrap installation)

2447

2448

Takes the specified file instead of /etc/hosts.allow.

2449

2450

2451

Option: hosts-deny, tcpwrap-hosts-deny-table

2452

2453

Type: FILENAME

2454

Option group: RANGE

2455

Phase: ACCEPT

2456

Platforms: (depends on libwrap installation)

2457

2458

Takes the specified file instead of /etc/hosts.deny.

2459

2460

2461

Option: tcpwrap-etc, tcpwrap-dir

2462

2463

Type: FILENAME

2464

Option group: RANGE

2465

Phase: ACCEPT

2466

Platforms: (depends on libwrap installation)

2467

2468

Looks for hosts.allow and hosts.deny in the specified directory. Is

2469

overriden by options hosts-allow and hosts-deny.

2470

2471

2472

-------------------------------------------------------------------------------

IP options

Option: ip-options=values

Aliases: ipoptions

Type: BIN

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: all

Sets the IP_OPTIONS values of the IP socket. For example, to send packets to

2485

destination D.D.D.D via a router G.G.G.G you have to specify G.G.G.G as the

2486

"normal" destination, and D.D.D.D in the source route:

2487

TCP:G.G.G.G:25,ip-options=x890704dddddddd

2488

Note that the destination will see G.G.G.G as sender of the packets, and

2489

therefore might not return the answers correctly.

2490

See RFC791 for detailed specification of IP option fields.

2491

Examples:

2492

x01 ... nop

2493

x8307040a000001 ... loose source route

2494

x890b040a000001c0c1c2c3 ... strict source route

2495

Note: with source routes, you should not specifiy destination address and

2496

hops as defined in RFC791 (first hop as IP header destination address,

2497

further hops and final destination in source route) because the (Linux?) kernel changes

2498

them to a more intuitive form (final destination as destination in IP header,

2499

gateways in source route). So, in destination address give the final

2500

destination, and in the source route the gateways!

2501

Note: this option may be mulitply applied per socket but the (Linux?) kernel

2502

pads each setting with 0' to align the options end to 4 octets. So you should

2503

better pad the options data with nops (01) yourself.

Option: ip-pktinfo

Aliases: ippktinfo, pktinfo

2508

2509

Type: INT (should be struct in_pktinfo)

2510

Option group: SOCK_IP

2511

Phase: PASTSOCKET

2512

Platforms: Linux

2513

Status: Not completely implemented (ancillary messages are not supported by

2514

socat/xio)

2515

2516

Pass an IP_PKTINFO ancillary message.

Option: ip-recvtos

Aliases: iprecvtos, recvtos

Logical type: bool

Physical type: INT

Option group: SOCK_IP

2525

Phase: PASTSOCKET

2526

Platforms: Linux

2527

Status: Not completely implemented (ancillary messages are not supported by

2528

socat/xio)

2529

2530

Set the IP_RECVTOS socket option which enables IP_TOS ancillary message

passing.

Option: ip-recvttl

Aliases: iprecvttl, recvttl

Logical type: bool

Physical type: INT

Option group: SOCK_IP

2540

Phase: PASTSOCKET

2541

Platforms: all

2542

Implementation status: No results.

2543

2544

Set the IP_RECVTTL socket option.

2545

2546

2547

Option: ip-recvopts

2548

Aliases: iprecvopts, recvopts

Logical type: bool

Physical type: INT

Option group: SOCK_IP

2553

Phase: PASTSOCKET

2554

Platforms: all

2555

Implementation status: No results.

2556

2557

Set the IP_RECVOPTS socket option.

Option: ip-retopts

Aliases: ipretopts, retopts

Logical type: bool

Physical type: INT

Option group: SOCK_IP

2566

Phase: PASTSOCKET

2567

Platforms: all

2568

Implementation status: No results.

2569

2570

Set the IP_RETOPTS socket option.

2571

2572

2573

Option: ip-tos=value

2574

Aliases: iptos=value, tos=value

Logical type: byte

Physical type: INT

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: all

Sets the TOS (type of service) flags for the outgoing IP headers of the

2583

socket. My Linux 2.2 does not allow to set values other than 0 (probably

2584

needs some optional kernel features).

2585

2586

2587

Option: ip-ttl=value

2588

Aliases: ipttl=value, ttl=value

Logical type: byte

Physical type: INT

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: all

Sets the TTL (time to live) field for the outgoing IP headers of the socket.

2597

2598

This option can be used to implement a "poor mans traceroute" in conjunction

with tcpdump.

Option: ip-hdrincl

Aliases: iphdrincl, hdrincl

Logical type: bool

Physical type: INT

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: all

Set the IP_HDRINCL socket option. User will supply IP header before user

2612

data. For raw IP sockets only. Not tested.

Option: ip-recverr

Aliases: iprecverr, recverr

2617

2618

Type: INT

2619

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: Linux

Set the IP_RECVERR socket option.

2624

Implementation status: No results.

2625

2626

2627

Option: ip-mtu-discover=value

2628

Aliases: ipmtudiscover=value, mtudiscover=value

2629

2630

Type: INT (0..2)

2631

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: Linux

Sets the IP_MTU_DISCOVER flag of the IP socket. In Linux there are three values

2636

defined: 0..dont(never), 1..want(per route), 2..do(always)

Option: ip-mtu

Aliases: ipmtu, mtu

2641

2642

Type: INT

2643

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: none

Sets the MTU (maximal transfer unit) of the socket. In Linux this is a

2648

read-only parameter and results in a "protocol not available" error.

2649

2650

2651

Option: ip-freebind

2652

Aliases: ipfreebind, freebind

Logical type: bool

Physical type: INT

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: none

Allows the socket to locally bind to any address, even those that are

2661

not covered by an interface address, alias address or a local subnet. Even

2662

broadcast and multicast addresses are possible.

2663

Note: this option has been found on Linux 2.4 in <linux/in.h>. This file might

2664

not be included per default, because it creates errors.

2665

To make this option available, "make" socat with the CCOPT environment

2666

variable set to "-DIP_FREEBIND=15"

2667

2668

2669

Option: ip-router-alert=value

2670

Aliases: iprouteralert, routeralert

2671

2672

Type: INT

2673

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: Linux

Sets the IP_ROUTER_ALERT socket option. Only works with raw sockets.

"Invalid argument"

Option: ip-add-membership=multicast-address:interface-address

2682

ip-add-membership=multicast-address:interface-name

2683

ip-add-membership=multicast-address:interface-index

2684

ip-add-membership=multicast-address:interface-address:interface-name

2685

ip-add-membership=multicast-address:interface-address:interface-index

2686

Aliases: add-membership

ip-membership

Type: IP_MREQN

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: all

Makes the socket member of the specified multicast group. This is currently

2695

only implemented for IPv4. The option takes the IP address of the multicast

2696

group and info about the desired network interface. The most common syntax

2697

is the first one, while the others are only available on systems that

2698

provide tt(struct mreqn) (Linux).nl()

2699

The indices of active network interfaces can be shown using the utility

procan().

Option: ip-drop-membership

Not implemented.

#! Option: ipv6-join-group

2709

2710

2711

Option: ip-multicast-ttl=byte

2712

Aliases: ipmulticastttl, multicastttl

2713

2714

Type: BYTE

2715

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: all

Sets the TTL used for outgoing multicast traffic. Default is 1.

2720

2721

2722

Option: ip-multicast-loop

2723

Aliases: ipmulticastloop, multicastloop

Logical type: bool

Physical type: INT

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: all

Specifies if outgoing multicast traffic should loop back to the interface.

2732

2733

2734

Option: ip-multicast-if=hostname

2735

Aliases: multicast-if

2736

2737

Type: IP4NAME

2738

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: all

Specifies hostname or address of the network interface to be used for

multicast traffic.

Option: ip-pktoptions

2747

Aliases: ippktoptions, pktoptions, pktopts

2748

2749

Type: INT?

2750

Option group: SOCK_IP

Phase: PASTSOCKET

Platforms: Linux

Set the IP_PKTOPTIONS socket option. No docu found.

2755

Implementation status: "Protocol not available".

Option: res-debug

Type: BOOL

Option group: SOCK_IP

Phase: INIT

Platforms: all

Apply the debug resolver option to all queries of this XIO address.

Option: res-aaonly

Aliases: aaonly

Type: BOOL

Option group: SOCK_IP

Phase: INIT

Platforms: all

Apply the aaonly resolver option to all queries of this XIO address.

Option: res-usevc

Aliases: usevc

Type: BOOL

Option group: SOCK_IP

Phase: INIT

Platforms: all

Apply the usevc resolver option to all queries of this XIO address.

2788

2789

2790

Option: res-primary

Aliases: primary

Type: BOOL

Option group: SOCK_IP

Phase: INIT

Platforms: all

Apply the primary resolver option to all queries of this XIO address.

Option: res-igntc

Aliases: igntc

Type: BOOL

Option group: SOCK_IP

Phase: INIT

Platforms: all

Apply the igntc resolver option to all queries of this XIO address.

2810

2811

2812

Option: res-recurse

Aliases: recurse

Type: BOOL

Option group: SOCK_IP

Phase: INIT

Platforms: all

Apply the recurse resolver option to all queries of this XIO address.

2821

2822

2823

Option: res-defnames

Aliases: defnames

Type: BOOL

Option group: SOCK_IP

Phase: INIT

Platforms: all

Apply the defnames resolver option to all queries of this XIO address.

2832

2833

2834

Option: res-stayopen

Aliases: stayopen

Type: BOOL

Option group: SOCK_IP

Phase: INIT

Platforms: all

Apply the stayopen resolver option to all queries of this XIO address.

Option: res-dnsrch

Aliases: dnsrch

Type: BOOL

Option group: SOCK_IP

Phase: INIT

Platforms: all

Apply the dnsrch resolver option to all queries of this XIO address.

2854

2855

2856

-------------------------------------------------------------------------------

IP6 options

Option: ipv6-v6only=value

2861

Alias: ipv6only, v6only

2862

2863

Type: BOOL

2864

Option group: SOCK_IP6

2865

Phase: PASTSOCKET

2866

Platforms: FreeBSD, Linux

2867

2868

Apply the IPV6_V6ONLY socket option to the file descriptor. This controls if

2869

the socket listens only on the IPv6 protocol or also on IPv4.

2870

2871

2872

-------------------------------------------------------------------------------

2873

IPAPP (TCP and UDP) options

2874

2875

2876

Option: sourceport=value

Alias: sp=value

Type: 2BYTE

Option group: IPAPP (IP_TCP and IP_UDP)

Phase: LATE

Platforms: all

For outgoing (client) TCP and UDP connections, it sets the source port (local port, client side port) of

2885

the socket connection. For server type addresses, requires the client to use

2886

this sourceport, otherwise socat immediately shuts down the connection.

2887

On UNIX class operating systems root privilege are required to set a source

2888

port between 1 and 1023 incl. 0 gives a "random" port number >= 1024, which is

the default.

Option: lowport

Type: BOOL

Option group: IPAPP (IP_TCP and IP_UDP)

Phase: LATE

Platforms: all

For outgoing (client) TCP and UDP connections, it sets the source

2900

to an unused random port between 640 and 1023 incl. On UN*X type operating

2901

systems, this requires root privilege, and thus guaranties the peer to be

2902

root authorized.

2903

With TCP or UDP listen addresses, socat immediately shuts down the

2904

connection if the client does not use a sourceport <= 1023.

2905

This mechanism can provide limited authorization under some circumstances.

2906

2907

-------------------------------------------------------------------------------

TCP options

Option: tcp-nodelay

Aliases: nodelay

Logical type: bool

Physical type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: all

Sets the TCP_NODELAY flag of the TCP socket. This turns off Nagles algorithm.

Option: tcp-maxseg

Aliases: maxseg, mss

2925

2926

Type: INT

2927

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: all

Limits the MAXSEG (MSS) value of the TCP socket. This option is applied before

2932

the connect or listen call, so it is transferred in the SYN packet to the peer

2933

socket.

2934

Linux client: 0 gives "invalid argument", higher values are used in SYN

2935

negotiation, but effective MSS is n-12, at least 8.

2936

On AIX, this is a read-only option.

2937

2938

2939

Option: tcp-maxseg-late

2940

Aliases: maxseg-late, mss-late

2941

2942

Type: INT

2943

Option group: IP_TCP

Phase: CONNECTED

Platforms: all

Limits the MAXSEG (MSS) value of the TCP socket. This option is applied past

2948

the connect or accept call, so it is not transferred as MSS to the peer socket.

2949

Observation with Linux 2.2: does not influence the size of packets generated

2950

by the local socket.

Option: tcp-cork

Aliases: cork

Logical type: bool

Physical type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: Linux

Sets the TCP_CORK option.

Option: tcp-stdurg

Aliases: stdurg

Logical type: bool

Physical type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: none

Applies the TCP_STDURG option with setsockopt. This enables RFC 1122 compliant

2975

urgent point handling.

2976

2977

2978

Option: tcp-rfc1323

Aliases: rfc1323

Logical type: bool

Physical type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: none

Applies the TCP_RFC1323 option with setsockopt. This enables RFC1323 TCP

2988

enhancements (window scale, timestamp).

2989

2990

2991

Option: tcp-keepidle

Aliases: keepidle

Type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: Linux

Sets the TCP_KEEPIDLE value of the socket with setsockopt(). Starts keepalive

3000

after this period (in seconds?)

3001

3002

3003

Option: tcp-keepintvl

Aliases: keepintvl

Type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: Linux

Sets the TCP_KEEPINTVL value of the socket with setsockopt(). Interval between

3012

keepalives (in seconds?)

3013

3014

3015

Option: tcp-keepcnt

Aliases: keepcnt

Type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: Linux

Sets the TCP_KEEPCNT value of the socket with setsockopt(). Number of

3024

keepalives before death.

Option: tcp-syncnt

Aliases: syncnt

Type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: Linux

Sets the TCP_SYNCNT value of the socket with setsockopt(). Number of SYN

retransmits.

Option: tcp-linger2

Aliases: linger2

Type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: Linux

Sets the TCP_LINGER2 value of the socket with setsockopt(). Life time of

3048

orphaned FIN-WAIT-2 state.

3049

3050

3051

Option: tcp-defer-accept

3052

Aliases: defer-accept

3053

3054

Type: INT

3055

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: Linux

Sets the TCP_DEFER_ACCEPT value of the socket with setsockopt(). accept() of

3060

the listener will only return when data arrived at the new connection. The

3061

value is converted to seconds by some algorithm.

3062

3063

3064

Option: tcp-window-clamp

3065

Aliases: window-clamp

3066

3067

Type: INT

3068

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: Linux

Sets the TCP_WINDOW_CLAMP value of the socket with setsockopt(). "Bound advertised

window".

Option: tcp-info

Aliases: info

Type: INT

Option group: IP_TCP

3081

Phase: PASTSOCKET

3082

Platforms: FreeBSD, Linux

3083

3084

Sets the TCP_INFO value of the socket with setsockopt(). Is a read only option,

3085

so it always generates an error.

3086

3087

3088

Option: tcp-quickack

Aliases: quickack

Type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: Linux

Sets the TCP_QUICKACK option with setsockopt().

Option: tcp-md5sig

Aliases: md5sig

Type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: none

Enables generation of MD5 digests on the packets.

Option: tcp-noopt

Aliases: noopt

Type: INT

Option: group: IP_TCP

Phase: PASTSOCKET

Platforms: FreeBSD

Disables use of TCP options.

Option: tcp-nopush

Aliases: nopush

Type: INT

Option: group: IP_TCP

Phase: PASTSOCKET

Platforms: FreeBSD

Sets the TCP_NOPUSH option.

3130

3131

3132

Option: tcp-sack-disable

3133

Aliases: sack-disable

3134

3135

Type: INT

3136

Option: group: IP_TCP

Phase: PASTSOCKET

Platforms: none

Disables use the selective acknowledge feature.

3141

3142

3143

Option: tcp-signature-enable

3144

Aliases: signature-enable

3145

3146

Type: INT

3147

Option: group: IP_TCP

Phase: PASTSOCKET

Platforms: none

Enables generation of MD5 digests on the packets.

3152

3153

3154

Option: tcp-abort-threshold

3155

Aliases: abort-threshold

3156

3157

Type: INT

3158

Option group: IP_TCP

3159

Phase: PASTSOCKET

3160

Platforms: HP-UX, SunOS

3161

3162

Sets the time to wait for an answer of the peer on an established connection.

3163

3164

3165

Option: tcp-conn-abort-threshold

3166

Aliases: conn-abort-threshold

3167

3168

Type: INT

3169

Option group: IP_TCP

3170

Phase: PASTSOCKET

3171

Platforms: HP-UX, SunOS

3172

3173

Sets the time to wait for an answer of the server during the initial connect.

3174

3175

3176

Option: tcp-keepinit

Aliases: keepinit

Type: INT

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: none

Sets the time to wait for an answer of the server during connect() before

3185

giving up. Value in half seconds, default is 150 (75s).

Option: tcp-paws

Aliases: paws

Type: BOOL

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: none

Enables the "protect against wrapped sequence numbers" feature.

3197

3198

3199

Option: tcp-sackena

Aliases: sackena

Type: BOOL

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: none

Enables selective acknowledge.

3208

3209

3210

Option: tcp-tsoptena

Aliases: tsoptena

Type: BOOL

Option group: IP_TCP

Phase: PASTSOCKET

Platforms: none

Enables the time stamp option that allows RTT recalculation on existing

connections.

===============================================================================

SOCKS options

Option: socksport

Type: STRING

Option group: IP_SOCKS4

Phase: LATE

Platforms: all

Overrides the default socks server port 1080

Option: socksuser

Type: NAME

Option group: IP_SOCKS4

Phase: LATE

Platforms: all

Overrides the system derived socks user name ($USER or $LOGNAME or "anonymous")

3244

3245

3246

===============================================================================

HTTP options

Option: proxyport

Type: STRING

Option group: HTTP

Phase: LATE

Platforms: all

Overrides the default HTTP proxy port 8080.

Option: ignorecr

Type: BOOL

Option group: HTTP

Phase: LATE

Platforms: all

The HTTP protocol requires the use of CR+NL as line terminator. When a proxy

3268

server violates this standard, socat might not understand its answer.

3269

This option directs socat to interprete NL as line terminator and

3270

to ignore CR in the answer. Nevertheless, socat sends CR+NL to the proxy.

Option: proxyauth

Type: STRING

Option group: HTTP

Phase: LATE

Platforms: all

Provide "basic" authentication to the proxy server. The argument to the option

3281

must be the username followed by ':' followed by the password. This string is

3282

used with a "Proxy-Authorize: Base" header in base64 encoded form.

Option: resolve

Type: BOOL

Option group: HTTP

Phase: LATE

Platforms: all

Per default, socat sends to the proxy a CONNECT request containing the target

3293

hostname. With this option, socat resolves the hostname locally and sends the

IP address.

===============================================================================

3298

TERMIOS options

3299

3300

These options are applied with tcsetattr calls with a struct termios.

3301

Attention: Applying these options to stdin/stdout when they refer to your

3302

terminal might directly effect your terminal!

3303

See Linux:"man 3 termios" and Linux:"man 2 stty"

3304

3305

-------------------------------------------------------------------------------

3306

TERMIOS combined modes

Option: raw

Type: CONST

Option group: TERMIOS

Phase: FD

Platforms: all

Is equivalent to

ignbrk=0,brkint=0,ignpar=0,parmrk=0,inpck=0,istrip=0,inlcr=0,igncr=0,icrnl=0,ixon=0,ixoff=0,iuclc=0,ixany=0,imaxbel=0,opost=0,isig=0,icanon=0,xcase=0,vmin=1,vtime=0

Option: sane

Type: CONST

Option group: TERMIOS

Phase: FD

Platforms: all

Is equivalent to

cread,ignbrk=0,brkint,inlcr=0,igncr=0,icrnl,ixoff=0,iuclc=0,-ixany=0,imaxbel,opost,olcuc=0,ocrnl=0,onlcr,onocr=0,onlret=0,ofill=0,ofdel=0,nl0,cr0,tab0,bs0,vt0,ff0,isig,icanon,iexten,echo,echoe,echok,echonl=0,noflsh=0,xcase=0,tostop=0,echoprt=0,echoctl,echoke

3329

3330

-------------------------------------------------------------------------------

3331

TERMIOS input mode flags

Option: ignbrk

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the IGNBRK flag of the terminal driver.

Option: brkint

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the BRKINT flag of the terminal driver.

Option: ignpar

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the IGNPAR flag of the terminal driver.

Option: parmrk

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the PARMRK flag of the terminal driver.

Option: inpck

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the INPCK flag of the terminal driver. Enables input parity checking.

Option: istrip

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ISTRIP flag of the terminal driver. Strips off the eighth bit.

Option: inlcr

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the INLCR flag of the terminal driver. Translates NL to CR on input.

Option: igncr

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the IGNCR flag of the terminal driver. Ignores CR character on input.

Option: icrnl

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ICRNL flag of the terminal driver. Translates CR to NL on input. This

3422

option is ignored when IGNCR is set.

Option: iuclc

Type: BOOL

Option group: TERMIOS

3429

Phase: FD

3430

Platforms: HP-UX, Linux, SunOS

3431

3432

Sets the IUCLC flag of the terminal driver. Changes characters in input from

3433

uppercase to lowercase.

Option: ixon

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the IXON flag of the terminal driver. Enables XON/XOFF flow control on

output (?).

Option: ixany

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the IXANY flag of the terminal driver. Enables any character to restart

output.

Option: ixoff

Aliases: tandem

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the IXOFF flag of the terminal driver. Enables XON/XOFF flow control on

input.

Option: imaxbel

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the IMAXBEL flag of the terminal driver. Rings the bell when the input

3478

queue is full.

3479

3480

-------------------------------------------------------------------------------

3481

TERMIOS output mode flags

Option: opost

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the OPOST flag of the terminal driver.

Option: olcuc

Type: BOOL

Option group: TERMIOS

3498

Phase: FD

3499

Platforms: HP-UX, Linux, SunOS

3500

3501

Sets the OLCUC flag of the terminal driver.

Option: onlcr

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ONLCR flag of the terminal driver.

Option: ocrnl

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the OCRNL flag of the terminal driver.

Option: onocr

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ONOCR flag of the terminal driver.

Option: onlret

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ONLRET flag of the terminal driver.

Option: ofill

Type: BOOL

Option group: TERMIOS

3548

Phase: FD

3549

Platforms: HP-UX, Linux, SunOS

3550

3551

Sets the OFILL flag of the terminal driver.

Option: ofdel

Type: BOOL

Option group: TERMIOS

3558

Phase: FD

3559

Platforms: HP-UX, Linux, SunOS

3560

3561

Sets the OFDEL flag of the terminal driver.

Option: nldly

Type: BOOL

Option group: TERMIOS

3568

Phase: FD

3569

Platforms: HP-UX, Linux, SunOS

3570

3571

Sets the NLDLY flag of the terminal driver. 0 sets the value to NL0, and 1 to

NL1. See nl0, nl1.

Option: nl0

Type: CONST (const bool, always sets 0)

3578

Option group: TERMIOS

3579

Phase: FD

3580

Platforms: HP-UX, Linux, SunOS

3581

3582

Sets the field NLDLY to the value NL0.

Option: nl1

Type: CONST (const bool, always sets 1)

3588

Option group: TERMIOS

3589

Phase: FD

3590

Platforms: HP-UX, Linux, SunOS

3591

3592

Sets the field NLDLY to the value NL1.

3593

3594

3595

Option: crdly=value

3596

3597

Type: UINT (0..3)

3598

Option group: TERMIOS

3599

Phase: FD

3600

Platforms: HP-UX, Linux, SunOS

3601

3602

Sets the field CRDLY to the given value.

3603

See cr0, cr1, cr2, cr3.

Option: cr0

Type: CONST

Option group: TERMIOS

3610

Phase: FD

3611

Platforms: HP-UX, Linux, SunOS

3612

3613

Sets the CRDLY field to the value CR0.

See crdly.

Option: cr1

Type: CONST

Option group: TERMIOS

3621

Phase: FD

3622

Platforms: HP-UX, Linux, SunOS

3623

3624

Sets the CRDLY field to the value CR1.

See crdly.

Option: cr2

Type: CONST

Option group: TERMIOS

3632

Phase: FD

3633

Platforms: HP-UX, Linux, SunOS

3634

3635

Sets the CRDLY field to the value CR2.

See crdly.

Option: cr3

Type: CONST

Option group: TERMIOS

3643

Phase: FD

3644

Platforms: HP-UX, Linux, SunOS

3645

3646

Sets the CRDLY field to the value CR3.

See crdly.

Option: tab0

Type: CONST

Option group: TERMIOS

3654

Phase: FD

3655

Platforms: HP-UX, Linux, SunOS

3656

3657

Sets the horizontal tab delay mask to TAB0.

See tabdly.

Option: tab1

Type: CONST

Option group: TERMIOS

3665

Phase: FD

3666

Platforms: HP-UX, Linux, SunOS

3667

3668

Sets the horizontal tab delay mask to TAB1.

See tabdly.

Option: tab2

Type: CONST

Option group: TERMIOS

3676

Phase: FD

3677

Platforms: HP-UX, Linux, SunOS

3678

3679

Sets the horizontal tab delay mask to TAB2.

See tabdly.

Option: tab3

Type: CONST

Option group: TERMIOS

3687

Phase: FD

3688

Platforms: HP-UX, Linux, SunOS

3689

3690

Sets the horizontal tab delay mask to TAB3.

See tabdly.

Option: tabdly=value

3695

3696

Type: UINT (0..3)

3697

Option group: TERMIOS

3698

Phase: FD

3699

Platforms: HP-UX, Linux, SunOS

3700

3701

Sets the field TABDLY to the given value.

3702

See tab0, tab1, tab2, and tab3.

Option: xtabs

Type: CONST

Option group: TERMIOS

3709

Phase: FD

3710

Platforms: HP-UX, Linux, SunOS

3711

3712

Sets the horizontal tab delay mask to XTABS.

Option: bs0

Type: CONST (0)

Option group: TERMIOS

3719

Phase: FD

3720

Platforms: HP-UX, Linux, SunOS

3721

3722

Sets the field BSDLY to the value BS0

Option: bs1

Type: CONST (1)

Option group: TERMIOS

3729

Phase: FD

3730

Platforms: HP-UX, Linux, SunOS

3731

3732

Sets the field BSDLY to the value BS1

Option: bsdly

Type: BOOL

Option group: TERMIOS

3739

Phase: FD

3740

Platforms: HP-UX, Linux, SunOS

3741

3742

Sets the BSDLY flag of the terminal driver. 0 sets the value to BS0, and 1 to

BS1. See bs0, bs1.

Option: vt0

Type: CONST (0)

Option group: TERMIOS

3750

Phase: FD

3751

Platforms: HP-UX, Linux, SunOS

3752

3753

Sets the field VTDLY to the value VT0

Option: vt1

Type: CONST (1)

Option group: TERMIOS

3760

Phase: FD

3761

Platforms: HP-UX, Linux, SunOS

3762

3763

Sets the field VTDLY to the value VT1

Option: vtdly

Type: BOOL

Option group: TERMIOS

3770

Phase: FD

3771

Platforms: HP-UX, Linux, SunOS

3772

3773

Sets the VTDLY flag of the terminal driver. 0 sets the value to VT0, and 1 to

VT1. See vt0, vt1.

Option: ff0

Type: CONST (0)

Option group: TERMIOS

3781

Phase: FD

3782

Platforms: HP-UX, Linux, SunOS

3783

3784

Sets the field FFDLY to the value FF0

See ffdly.

Option: ff1

Type: CONST (1)

Option group: TERMIOS

3792

Phase: FD

3793

Platforms: HP-UX, Linux, SunOS

3794

3795

Sets the field FFDLY to the value FF1

See ffdly.

Option: ffdly

Type: BOOL (0..1)

Option group: TERMIOS

3803

Phase: FD

3804

Platforms: HP-UX, Linux, SunOS

3805

3806

Sets the FFDLY flag of the terminal driver. 0 sets the value to FF0, and 1 to

FF1. See ff0, ff1.

-------------------------------------------------------------------------------

3812

TERMIOS control mode flags

Option: cs5

Type: CONST

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the field CSIZE to the value CS5

Option: cs6

Type: CONST

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the field CSIZE to the value CS6

Option: cs7

Type: CONST

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the field CSIZE to the value CS7

Option: cs8

Type: CONST

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the field CSIZE to the value CS8

Option: csize

Type: UINT (0..3)

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the field CSIZE. 0..CS5, 1..CS6, 2..CS7, 3..CS8

Option: cstopb

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the flag CSTOPB.

Option: cread

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the value of the CREAD flag.

Option: parenb

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the PARENB flag of the terminal driver.

Option: parodd

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the PARODD flag of the terminal driver.

Option: hupcl

Aliases: hup

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the HUPCL flag of the terminal driver.

Option: clocal

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the CLOCAL flag of the terminal driver.

Option: crtscts

Type: BOOL

Option group: TERMIOS

3930

Phase: FD

3931

Platforms: FreeBSD, Linux, SunOS

3932

3933

Sets the CRTSCTS flag of the terminal driver.

3934

3935

3936

Option: b0 (HP-UX, Linux, SunOS)

3937

Option: b50 (HP-UX, Linux, SunOS)

3938

Option: b75 (HP-UX, Linux, SunOS)

3939

Option: b110 (HP-UX, Linux, SunOS)

3940

Option: b134 (HP-UX, Linux, SunOS)

3941

Option: b150 (HP-UX, Linux, SunOS)

3942

Option: b200 (HP-UX, Linux, SunOS)

3943

Option: b300 (HP-UX, Linux, SunOS)

3944

Option: b600 (HP-UX, Linux, SunOS)

3945

Option: b900 (HP-UX)

3946

Option: b1200 (HP-UX, Linux, SunOS)

3947

Option: b1800 (HP-UX, Linux, SunOS)

3948

Option: b2400 (HP-UX, Linux, SunOS)

3949

Option: b3600 (HP-UX)

3950

Option: b4800 (HP-UX, Linux, SunOS)

3951

Option: b7200 (HP-UX)

3952

Option: b9600 (HP-UX, Linux, SunOS)

3953

Option: b19200 (HP-UX, Linux, SunOS)

3954

Option: b38400 (HP-UX, Linux, SunOS)

3955

Option: b57600 (HP-UX, Linux, SunOS)

3956

Option: b115200 (HP-UX, Linux, SunOS)

3957

Option: b230400 (HP-UX, Linux, SunOS)

3958

Option: b460800 (HP-UX, Linux, SunOS)

3959

Option: b500000 (Linux)

3960

Option: b576000 (Linux)

3961

Option: b921600 (Linux)

3962

Option: b1000000 (Linux)

3963

Option: b1152000 (Linux)

3964

Option: b1500000 (Linux)

3965

Option: b2000000 (Linux)

3966

Option: b2500000 (Linux)

3967

Option: b3000000 (Linux)

3968

Option: b3500000 (Linux)

3969

Option: b4000000 (Linux)

3970

3971

Type: CONST

3972

Option group: TERMIOS

3973

Phase: FD

3974

3975

Sets the baud rate to the implied value. b0 "hangs up" the connection.

Option: ispeed

Type: UINT

Option group: TERMIOS

3982

Phase: FD

3983

Platforms: FreeBSD, Linux

3984

3985

Sets the input baud rate to the specified value. This works on systems where

3986

struct termios has a special c_ispeed field.

Option: ospeed

Type: UINT

Option group: TERMIOS

3993

Phase: FD

3994

Platforms: FreeBSD, Linux

3995

3996

Sets the input baud rate to the specified value. This works on systems where

3997

struct termios has a special c_ospeed field.

-------------------------------------------------------------------------------

4003

TERMIOS local mode flags

Option: isig

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ISIG flag of the terminal driver.

Option: icanon

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ICANON flag of the terminal driver.

Option: xcase

Type: BOOL

Option group: TERMIOS

4030

Phase: FD

4031

Platforms: HP-UX, Linux, SunOS

4032

4033

Sets the XCASE flag of the terminal driver.

Option: echo

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ECHO flag of the terminal driver.

Option: echoe

Aliases: crterase

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ECHOE flag of the terminal driver.

Option: echok

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ECHOK flag of the terminal driver.

Option: echonl

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ECHONL flag of the terminal driver.

Option: echoctl

Aliases: ctlecho

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ECHOCTL flag of the terminal driver.

Option: echoprt

Aliases: prterase

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ECHOPRT flag of the terminal driver.

Option: echoke

Aliases: crtkill

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the ECHOKE flag of the terminal driver.

Option: flusho

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the FLUSHO flag of the terminal driver.

Option: noflsh

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the NOFLSH flag of the terminal driver.

Option: tostop

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the TOSTOP flag of the terminal driver.

Option: pendin

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the PENDIN flag of the terminal driver.

Option: iexten

Type: BOOL

Option group: TERMIOS

Phase: FD

Platforms: all

Sets the IEXTEN flag of the terminal driver.

4158

4159

4160

-------------------------------------------------------------------------------

4161

TERMIOS options for functional characters

4162

4163

Option: vintr=value

4164

Aliases: intr=value

4165

4166

Type: BYTE

4167

Option group: TERMIOS

Phase: FD

Platforms: all

Status: tested

Sets the value for the VINTR character that interrupts the current process.

4173

On UNIX systems the preset value usually is 3 (^C).

4174

4175

4176

Option: vquit=value

4177

Aliases: quit=value

4178

4179

Type: BYTE

4180

Option group: TERMIOS

Phase: FD

Platforms: all

Status: tested

Sets the value for the VQUIT character that quits the current process.

4186

On my Linux 2.2 system the preset value is 0x1c (^\).

4187

4188

4189

Option: verase=value

4190

Aliases: erase=value

4191

4192

Type: BYTE

4193

Option group: TERMIOS

Phase: FD

Platforms: all

Status: tested

Sets the value for the VERASE character that erases the last character.

4199

On many UNIX systems the preset value is 0x7f.

4200

4201

4202

Option: vkill=value

4203

Aliases: kill=value

4204

4205

Type: BYTE

4206

Option group: TERMIOS

Phase: FD

Platforms: all

Status: tested

Sets the value for the VKILL character that kills (erases) the current line.

4212

On my Linux 2.2 system systems the preset value is 0x15 (^U).

Option: veof=value

Aliases: eof=value

Type: BYTE

Option group: TERMIOS

Phase: FD

Platforms: all

Status: tested

Sets the value for the VEOF character that kills indicate end of file.

4225

On most UNIX systems the preset value is 0x04 (^D).

4226

4227

4228

Option: vtime=value

4229

Aliases: time=value

4230

4231

Type: BYTE

4232

Option group: TERMIOS

Phase: FD

Platforms: all

Status: not tested

Sets the value of VTIME. See "man 1 stty" / time.

4238

On my Linux 2.2 system the preset value is 0.

Option: vmin=value

Aliases: min=value

Type: BYTE

Option group: TERMIOS

Phase: FD

Platforms: all

Status: not tested

Sets the value of VMIN. See "man 1 stty" / time.

4251

On my Linux 2.2 system the preset value is 1.

4252

4253

4254

Option: vswtc=value

4255

Aliases: swtc=value, swtch=value

4256

4257

Type: BYTE

4258

Option group: TERMIOS

Phase: FD

Platforms: Linux

Status: not tested

Sets the value of VSWTC. "Switches to a different shell layer".

4264

On my Linux 2.2 system the preset value is 0.

4265

4266

4267

Option: vstart=value

4268

Aliases: start=value

4269

4270

Type: BYTE

4271

Option group: TERMIOS

Phase: FD

Platforms: all

Status: tested

Sets the value for the VSTART character that resumes data flow after a stop.

4277

Usually the preset value is 0x11 (^Q).

4278

4279

4280

Option: vstop=value

4281

Aliases: stop=value

4282

4283

Type: BYTE

4284

Option group: TERMIOS

Phase: FD

Platforms: all

Status: tested

Sets the value for the VSTOP character that stops output.

4290

Usually the preset value is 0x13 (^S)

4291

4292

4293

Option: vsusp=value

4294

Aliases: susp=value

4295

4296

Type: BYTE

4297

Option group: TERMIOS

Phase: FD

Platforms: all

Status: tested

Sets the value for the VSUSP character that suspends the current foreground

4303

process and reactivates the shell.

4304

Usually the preset value is 0x1a (^Z)

4305

4306

4307

Option: vdsusp=value

4308

Aliases: dsusp=value

4309

4310

Type: BYTE

4311

Option group: TERMIOS

4312

Phase: FD

4313

Platforms: FreeBSD, HP-UX, SunOS

4314

Status: tested

4315

4316

Sets the value for the VDSUSP character that suspends the current foreground

4317

process and reactivates the shell.

Option: veol=value

Aliases: eol=value

Type: BYTE

Option group: TERMIOS

4325

Phase: FD

4326

Platforms: all

4327

Status: tested with awkward results

4328

4329

Sets the value for the VEOL character that should indicate end of line.

4330

Not clear what differentiates it from the return key; xterm window put "xterm"

4331

into the input buffer.

4332

On my Linux 2.2 system the preset value is 0 (disabled)

4333

4334

4335

Option: vreprint=value

4336

Aliases: reprint=value, rprnt=value

4337

4338

Type: BYTE

4339

Option group: TERMIOS

4340

Phase: FD

4341

Platforms: FreeBSD, Linux, SunOS

4342

Status: not tested

4343

4344

Sets the value for the VREPRINT character that should reprint the current line.

4345

On my Linux 2.2 system the preset value is 0x12 (^R). Nevertheless, bash

4346

enters backward search mode.

4347

4348

4349

Option: vdiscard=value

4350

Aliases: discard=value

4351

4352

Type: BYTE

4353

Option group: TERMIOS

4354

Phase: FD

4355

Platforms: FreeBSD, Linux, SunOS

4356

Status: not tested

4357

4358

Sets the value for the VDISCARD character.

4359

On my Linux 2.2 system the preset value is 0x0f (^O)

4360

4361

4362

Option: vwerase=value

4363

Aliases: werase=value

4364

4365

Type: BYTE

4366

Option group: TERMIOS

Phase: FD

Platforms: all

Status: tested

Sets the value for the VWERASE character that erases the last word.

4372

On my Linux 2.2 system the preset value is 0x17 (^W)

4373

4374

4375

Option: vlnext=value

4376

Aliases: lnext=value

4377

4378

Type: BYTE

4379

Option group: TERMIOS

Phase: FD

Platforms: all

Status: tested

Sets the value for the VLNEXT character that lets the next input character raw

4385

(not interpreted).

4386

On my Linux 2.2 system the preset value is 0x16 (^V)

4387

4388

4389

Option: veol2=value

4390

Aliases: eol2=value

4391

4392

Type: BYTE

4393

Option group: TERMIOS

Phase: FD

Platforms: all

Status: not tested

Sets the value for the VEOL2 character.

4399

On my Linux 2.2 system the preset value is 0 (disabled).

4400

4401

4402

===============================================================================

4403

READLINE options

4404

4405

Option: history-file=filename

4406

Aliases: history=filename

4407

4408

Type: STRING

4409

Option group: READLINE

4410

Phase: LATE

4411

Platforms: (depends on libreadline installation)

4412

4413

Without this option, the readline address uses only a per process history

4414

list. With this option, socat tries to read history lines during initialization

4415

from the given file, and on termination writes the old and new lines to the

4416

file.

4417

NOTE: currently, no mechanism is implemented for limiting the length of the

4418

history file.

4419

NOTE: filename must be a valid relativ or absolute path; "~" is not supported!

Option: noprompt

Type: BOOL

Option group: READLINE

Phase: LATE

Platforms: all

Since version 1.3.3, socat per default tries to determine a prompt -

4430

that is then passed to the readline call - by remembering the last

4431

incomplete line of the output. With this option, socat does not pass a

4432

prompt to the readline call, so it might set the cursor to the first column

of the terminal.

Option: noecho

Type: STRING

Option group: READLINE

Phase: LATE

Platforms: all

Specifies a regular pattern for a prompt that prevents the following input

4444

line from being displayed on the screen and from being added to the history.

4445

The prompt is defined as the text that was output to the readline address

4446

after the lastest newline character and before an input character was

4447

typed. The pattern is a regular expression, e.g.

4448

"^[Pp]assword:.*$" or "([Uu]ser:|[Pp]assword:)". See regex(7) for details.

Option: prompt

Type: STRING

Option group: READLINE

Phase: LATE

Platforms: all

Passes the string as prompt to the readline function. readline prints this

4459

prompt when stepping through the history. If this string matches a constant

4460

prompt issued by an interactive program on the other socat address,

4461

consistent look and feel can be archieved.

4462

4463

===============================================================================

4464

OPENSSL options

4465

4466

Option: openssl-cipherlist=string

4467

Aliases: cipherlist=string, ciphers=string, cipher=string

4468

4469

Type: STRING

4470

Option group: OPENSSL

4471

Phase: SPEC

4472

Platforms: (depends on openssl installation)

4473

4474

Selects the list of ciphers that may be used for the connection.

4475

See the man page ciphers(1), section CIPHER LIST FORMAT, for

4476

detailed information about syntax, values, and default of the cipherlist

4477

string.

4478

Several cipher strings may be given, separated by ':'.

4479

Some simple cipher strings:

4480

3DES Uses a cipher suite with triple DES.

4481

MD5 Uses a cipher suite with MD5.

4482

aNULL Uses a cipher suite without authentication.

4483

NULL Does not use encryption.

4484

HIGH Uses a cipher suite with "high" encryption.

4485

Note that the peer must support the selected property, or the negotiation

will fail.

Option: openssl-method=string

4490

Aliases: method=string

4491

4492

Type: STRING

4493

Option group: OPENSSL

4494

Phase: SPEC

4495

Platforms: (depends on openssl installation)

4496

4497

Sets the protocol version to be used. Valid strings (not case sensitive) are:

4498

SSLv2 Select SSL protocol version 2.

4499

SSLv3 Select SSL protocol version 3.

4500

SSLv23 Select SSL protocol version 2 or 3. This is the default when

4501

this option is not provided.

4502

TLSv1 Select TLS protocol version 1.

4503

4504

4505

Option: openssl-verify=bool

4506

Aliases: verify=bool

4507

4508

Type: BOOL

4509

Option group: OPENSSL

4510

Phase: SPEC

4511

Platforms: (depends on openssl installation)

4512

4513

Controls check of the peer's certificate. Default is 1 (true). Disabling

4514

verify might open your socket for everyone!

4515

4516

4517

Option: openssl-certificate=file

Aliases: cert=file

Type: FILENAME

Option group: OPENSSL

4522

Phase: SPEC

4523

Platforms: (depends on openssl installation)

4524

4525

Specifies the file with the certificate. The certificate must be

4526

in OpenSSL format (*.pem). With openssl-listen, this option is strongly

4527

recommended: except with cipher aNULL, "no shared ciphers" error might

4528

occur when no certificate is given.

4529

4530

4531

Option: openssl-key=file

Aliases: key

Type: FILENAME

Option group: OPENSSL

4536

Phase: SPEC

4537

Platforms: (depends on openssl installation)

4538

4539

Specifies the file with the private key. The private key may be in this

4540

file or in the file given with the ref(cert) option. The party that has

4541

to proof that it is the owner of a certificate needs the private key.

4542

4543

4544

Option: openssl-cafile=file

Aliases: cafile

Type: FILENAME

Option group: OPENSSL

4549

Phase: SPEC

4550

Platforms: (depends on openssl installation)

4551

4552

Specifies the file with the trusted (root) authority certificates. The file

4553

must be in PEM format and should contain one or more certificates.

4554

4555

4556

Option: openssl-capath=directory

Aliases: capath

Type: FILENAME

Option group: OPENSSL

4561

Phase: SPEC

4562

Platforms: (depends on openssl installation)

4563

4564

Specify the directory with the trusted (root) certificates. The directory

4565

must contain certificates in PEM format and their hashes (see OpenSSL

documentation)

Option: openssl-egd=file

Aliases: egd

Type: FILENAME

Option group: OPENSSL

4574

Phase: SPEC

4575

Platforms: (depends on openssl installation)

4576

4577

On some systems, openssl requires an explicit source of random data. Specify

4578

the socket name where an entropy gathering daemon like egd provides random

4579

data, e.g. /dev/egd-pool.

4580

4581

4582

Option: openssl-pseudo

Aliases: pseudo

Type: BOOL

Option group: OPENSSL

4587

Phase: SPEC

4588

Platforms: (depends on openssl installation)

4589

4590

On systems where openssl cannot find an entropy source and where no entropy

4591

gathering daemon can be utilized, this option activates a mechanism for

4592

providing pseudo entropy. This is archieved by taking the current time in

4593

microseconds for feeding the libc pseudo random number generator with an

4594

initial value. openssl is then feeded with output from random calls.

4595

NOTE:This mechanism is not sufficient for generation of secure keys!

4596

4597

4598

Option: openssl-fips

Aliases: fips

Type: BOOL

Option group: BOOL

Phase: SPEC

Platforms: (depends on OpenSSL installation and FIPS implementation)

4605

4606

Enables FIPS mode if compiled in. For info about the FIPS encryption

4607

implementation standard see http://oss-institute.org/fips-faq.html.

4608

This mode might require that the involved certificates are generated with a

4609

FIPS enabled version of openssl. Setting or clearing this option on one

4610

socat address affects all OpenSSL addresses of this process.

4611

4612

4613

Option: openssl-compress

Aliases: compress

Type: STRING

Option group: OPENSSL

4618

Phase: SPEC

4619

Platforms: (depends on openssl installation)

4620

4621

Enable or disable the use of compression for a connection. Setting this to

4622

"none" disables compression, setting it to "auto" lets OpenSSL choose the best

4623

available algorithm supported by both parties. The default is to not touch any

4624

compression-related settings.

4625

NOTE: Requires OpenSSL 0.9.8 or higher.

4626

NOTE: Disabling compression with OpenSSL 0.9.8 affects all new connections in

the same process.

===============================================================================

4631

Application specific address options

Option: ignoreeof

Aliases: ignoreof

Type: BOOL

Option group: APPL

Phase: LATE

Platforms: all

This option has to be supported by the application. For socat it means that an

4643

EOF condition on this data source does not trigger termination procedures, but

4644

instead the read/write loop waits for one second and then tries to read more

4645

input data. This behaviour emulates "tail -f" and might not be useful for all

4646

kinds of input devices, but regular files and /dev/null are good candidates.

4647

Termination of socat then can only occur by EOF condition of the other input

4648

device, an error, or by external events.

Option: cr

Type: CONST

Option group: APPL

Phase: LATE

Platforms: all

The appropriate data endpoint uses CR ('\r', 0x0d) as line terminator

4659

character. Convert data to and from this stream appropriately.

4660

This is useful for, e.g., modems.

Option: crnl

Aliases: crlf

Type: CONST

Option group: APPL

Phase: LATE

Platforms: all

The appropriate data endpoint uses CR+LF ("\r\n", 0x0d0a ) as line terminator

4672

string. Convert data to and from this stream appropriately.

4673

This is useful for, e.g., TCP protocols like SMTP and FTP.

4674

4675

4676

Option: readbytes=num

Aliases: bytes

Type: SIZE_T

Option group: APPL

Phase: LATE

Platforms: all

socat reads only so many bytes from this address (the address provides

4685

only so many bytes for transfer and pretends to be at EOF afterwards).

4686

4687

4688

Option: lockfile=filename

Type: FILENAME

Option group: APPL

Phase: INIT

Platforms: all

If lockfile exists, exits with error. If lockfile does not exist, creates it

4696

and continues; removes lockfile on exit.

4697

4698

4699

Option: waitlock=filename

Type: FILENAME

Option group: APPL

Phase: INIT

Platforms: all

If lockfile exists, waits until it disappears. When lockfile does not exist,

4707

creates it and continues; removes lockfile on exit.

4708

4709

===============================================================================

4710

RETRY options

4711

4712

Option: retry=<num>

4713

4714

Type: UINT

4715

Option group: RETRY

Phase: INIT

Platforms: all

Number of retries before the connection or listen attempt is aborted.

4720

Default is 0, which means just one attempt.

4721

4722

4723

Option: interval=<double>

4724

4725

Type: TIMESPEC

4726

Option group: RETRY

Phase: INIT

Platforms: all

Time between consecutive attempts (seconds). Default is 1 second.

Option: forever

Type: BOOL

Option group: RETRY

Phase: INIT

Platforms: all

Performs an unlimited number of retry attempts.

4741

4742

===============================================================================

4743

EXT2 options

4744

4745

Option: ext2-secrm=<bool>

4746

Aliases: secrm=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: Linux

Sets the secrm file attribute on the file.

4754

4755

4756

Option: ext2-unrm=<bool>

4757

Aliases: unrm=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: Linux

Sets the unrm file attribute on the file.

4765

4766

4767

Option: ext2-compr=<bool>

4768

Aliases: compr=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: Linux

Sets the compr file attribute on the file.

4776

4777

4778

Option: ext2-sync=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: all

Sets the sync file attribute on the file.

4786

4787

4788

Option: ext2-immutable=<bool>

4789

Aliases: immutable=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: Linux

Sets the immutable file attribute on the file.

4797

4798

4799

Option: ext2-append=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: all

Sets the append file attribute on the file.

4807

4808

4809

Option: ext2-nodump=<bool>

4810

Aliases: nodump=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: Linux

Sets the nodump file attribute on the file.

4818

4819

4820

Option: ext2-noatime=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: Linux

Sets the noatime file attribute on the file.

4828

4829

4830

Option: ext2-journal-data=<bool>

4831

Aliases: journal-data=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: Linux

Sets the journal-data file attribute on the file.

4839

4840

4841

Option: ext2-notail=<bool>

4842

Aliases: notail=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: none

Sets the notail file attribute on the file.

4850

4851

4852

Option: ext2-dirsync=<bool>

4853

Aliases: dirsync=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: Linux

Sets the dirsync file attribute on the file.

4861

4862

4863

Option: ext2-topdir=<bool>

4864

Aliases: topdir=<bool>

Type: BOOL

Option group: REG

Phase: FD

Platforms: Linux

Sets the topdir file attribute on the file.

4872

4873

4874

===============================================================================

4875

4876

Appendix: generating a sandbox (chroot environment)

4877

4878

While it is possible to generate a sandbox almost anywhere in the file system,

4879

I recommend to use a file system that has been mounted with restrictions,

4880

especially nosuid and maybe nodev, or even ro.

4881

4882

You may mount a dedicated file system for the sandbox, so it gets a little

4883

harder for the guests to determine for sure if they are within a sandbox when

4884

using "ls -id /"

4885

4886

The following desribes typical steps for generating a sandbox. Depending on

4887

your operating system, application, and security requirements, your mileage may

4888

vary. With the below steps, you will be able to run some check programs to play

4889

around with the sandbox.

4890

4891

I Installation

4892

1) Create a sandbox group - but give it and all following "sandbox" ids a more

4893

cryptic name!

4894

2) Create a sandbox user, only in sandbox group. If this user must never login,

4895

give it a useless shell like /bin/false

4896

3) Check the sandbox home directory (e.g. /home/sandbox) and save and remove

4897

all .profile, public_html/ etc.

4898

4) Optionally mount a new file system over the new home directory

4899

5) Generate subdirectories bin, lib, etc, usr, usr/bin, usr/lib.

4900

Set their permissions and ownership equal to the original directories (or use

4901

only root.root)

4902

6) Generate subdirectory home/sandbox (or similarly; like sandbox home)

4903

7) Generate etc/passwd with users sandbox and root, but do not store original

4904

password hashes there!

4905

8) Generate etc/group with only groups sandbox and root (or system on AIX)

4906

9) Copy test programs and utilities to bin, e.g. su, id, ls, mount, strace (but

4907

without SUID/SGID)

4908

10) Copy the required shared libraries and the shared library loader to their

4909

directories.

4910

On Linux, e.g. /lib/ld-linux.so.2, /lib/libnss_compat.so.2

4911

Note: it is often difficult to find out what shared libraries are (still) not

4912

installed in the sandbox. The programs invoked in the sandbox typically do not

4913

give useful error messages. If chroot's exec call gives an error like "no such

4914

file or directory", and you do not know if it even found the program itself,

4915

then remove the test programs execute permission; the error message should

4916

change to "execute permission denied" or so. Redo the execute permissions and

4917

look for the shared libraries...

4918

List required libraries of a program:

4919

Linux: ldd <program>

AIX: xdb <program>

map

11) For testing purposes, install id, ls, su, mount, strace, and maybe sh in

4924

the sandbox. Test it.

4925

4926

II Customization

4927

12) Copy your applications, configuration files, and data to the appropriate

4928

directories within the sandbox.

4929

Test function of the application in the sandbox, and add missing files and

4930

libraries. If an application program gets killed immediately after start, it

4931

might miss a shared library.

4932

4933

III Cleanup, check

4934

13) Implement your own tricks how to improve security of the sandbox

4935

14) Remove test programs like bin/sh, id, ls, mount, strace

4936

4937

4938

===============================================================================

4939

socket types, modes and their security features:

4940

IP.v4.TCP.connect

4941

IP.v4.TCP.listen range tcpwrap srcport lowport

4942

IP.v4.UDP.connect

4943

IP.v4.UDP.listen range tcpwrap srcport lowport

4944

IP.v4.UDP.sendto

4945

IP.v4.UDP.recvfrom range tcpwrap srcport lowport

4946

IP.v4.UDP.recv range tcpwrap srcport lowport

4947

IP.v4.raw.sendto

4948

IP.v4.raw.recvfrom range tcpwrap

4949

IP.v4.raw.recv range tcpwrap

4950

IP.v6.TCP.connect

4951

IP.v6.TCP.listen range tcpwrap srcport lowport

4952

IP.v6.UDP.connect

4953

IP.v6.UDP.listen range tcpwrap srcport lowport

4954

IP.v6.UDP.sendto

4955

IP.v6.UDP.recvfrom range tcpwrap srcport lowport

4956

IP.v6.UDP.recv range tcpwrap srcport lowport

4957

IP.v6.raw.sendto

4958

IP.v6.raw.recvfrom range tcpwrap

4959

IP.v6.raw.recv srcport lowport

4960

UNIX.stream.connect

4961

UNIX.stream.listen

4962

UNIX.dgram.sendto

4963

UNIX.dgram.recvfrom

4964

UNIX.dgram.recv

4965

OPENSSL.connect

4966

OPENSSL.TCP4.listen range tcpwrap srcport lowport

4967

OPENSSL.TCP6.listen range tcpwrap srcport lowport

4968

4969

===============================================================================

4970

Missing features and Caveats:

4971

4972

. no support for SIGIO mechanism

4973

. no support for socket ancillary messages

4974

. Probably many ioctls not implemented due to missing documentation

4975

. only limited implementation of raw sockets and interfaces,

4976

. no support for high level sockets beyond UNIX, INET, and INET6 domains

nexmon – Blame information for rev 1