search

semigodking / redsocks

transparent redirector of any TCP/UDP connection to proxy
Apache License 2.0
1.16k stars 246 forks source link

added support for FreeBSD/OpenBSD #201

Closed ge9 closed 3 months ago

ge9 commented 3 months ago

Added support for FreeBSD/OpenBSD (https://github.com/semigodking/redsocks/issues/200).

FreeBSD

Tested with FreeBSD 14.0, ipfw, with redirector=generic.

The main point is setting "IP_BINDANY" to avoid os error 49 (Can't assign requested address) at bound_udp_get(). Also, sizeof(struct sockaddr_in) seems to be required to avoid "Invalid address" error.

This is my script for ipfw/ifconfig.

kldload ipfw
fwcmd=ipfw
ifconfig em0 alias 10.0.2.25 netmask 0xffffff00
$fwcmd add 100 allow all from any to any via lo0
$fwcmd add 500 fwd 127.0.0.1,22222 tcp from 10.0.2.25 to any
$fwcmd add 600 fwd 127.0.0.1,22222 udp from 10.0.2.25 to any
$fwcmd add 700 allow ip from any to any

FreeBSD has firewalls other than IPFW, i.e. pf and ipfilter (ipf).

pf partially worked but destination addresses were obtained as the transparent proxy port (127.0.0.1:22222), useless in actual cases. For TCP, there is a way to get the original destination, but this seems not work for UDP (https://stackoverflow.com/questions/46675715/how-do-i-get-the-original-destination-ip-of-a-redirected-connection-with-pf-on-f#comment119982054_56689694).

FYI, this is my pf configiration. 

rdr pass on lo0 proto {tcp, udp} from 10.0.2.25 -> 127.0.0.1 port 22222
pass out quick route-to lo0 from 10.0.2.25
pass

For ipfilter, I couldn't figure out how to set it up for transparent proxy (though it seems supported by redsocks according to documentation).

I also tried pfSense, but strangely, only UDP worked. (TCP packets won't be received by redsocks).

OpenBSD

Tested with OpenBSD 7.5 and pf, redirector=generic.

I added 10.0.2.25 as before, and this is the configuration.

pass        # establish keep-state
pass in quick proto {tcp, udp} from 10.0.2.25 to ! 10.0.2.25 divert-to 127.0.0.1 port 22222
pass out quick proto {tcp, udp} from 10.0.2.25 route-to lo0

To make it work, I added some options like IP_RECVDSTADDR for sockets, according to man page documentation on divert-to syntax. https://github.com/ge9/redsocks/commit/65fa263c3ed594531a7d0ae5d5ffeb8bd998602a
Currently it support only IPv4. (IPv6 udp relay seems not supported by redsocks itself)

Also, similarly to FreeBSD, SO_BINDANY is set to avoid os error 49.

If we use rdr-to instead of divert-to here, the destination addresses are obtained as 127.0.0.1:22222, much like the behavior of FreeBSD's pf.

redirector=pf doesn't work correctly for TCP, because it's for FreeBSD's pf.

I also tried NetBSD which OpenBSD originates from, but it seems that there are no divert-to in NetBSD's pf.

semigodking commented 3 months ago

Thank you for great PR. Redsocks2 supports IPv6. I think you could improve IPv6 for BSD by new PR.