Date:      Mon, 10 Dec 2007 12:22:45 +0100
From:      Raffaele De Lorenzo <info@plot.uz>
To:        Julian Elischer <julian@elischer.org>
Cc:        freebsd-security@freebsd.org, "raffaele.delorenzo" <raffaele.delorenzo@libero.it>, FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: Added native socks support to libc in FreeBSD 7
Message-ID:  <475D2185.3090405@libero.it>
In-Reply-To: <47599AE1.6060805@elischer.org>
References:  <4759022A.4020105@libero.it> <47599AE1.6060805@elischer.org>

Julian Elischer wrote:
> Raffaele De Lorenzo wrote:
>> Hi,
>> i added a native (client) Socks V4/V5 support inside FreeBSD libc
>> library. The work is based of my  project (see
>> http://csocks.altervista.org) CSOCKS.
>> You can get it here:
>>
>
> thanks for doing this. now we just need to see if there is someone who 
> knows socks who can look at it..
>
> The big question is whether it should be in libc or not. Making 
> everyone who does not use socks pay a cost is a big decision.
>
> Obviously, for people who use socks, it is good. What is the cost for 
> others?
>
Hi,
I understand your doubts...
The socks implementation wraps some syscall socket functions like 
"_connect" and "_bind" transparently for the applications. When one of 
these is called, the "socks" check starts:

1) Load rules from /etc/csocks.conf (if it exists or there are rules..)
2) Check the rules ("check-rules") against the connection data (the check 
has an O(1) cost because the rules are stored in a hash table). If 
"/etc/csocks.conf" doesn't exist or there are no rules inside it, the 
entire socks check is skipped and the native syscall runs (for example 
"_connect").
3) If a rule is matched, then the socksified (connection) process 
starts, else the native syscall runs.

Now, if the users will never use the socks features (the configuration 
file is empty), the computation cost is negligible, because the 
"check-rules" are skipped. If some (or all) users use the socks 
features, for each syscall wrapped by socks there is a low cost 
identified by the "check-rule" procedure.
I tested this solution in a big network, with up to 60 client rules, and I 
didn't see slowdowns for non-socks connections.
When a process calls a socks-wrapped syscall for the first time (and 
only the first time!) all the rules are loaded in memory, and the 
(empty) hash array too:

The empty hash array consumes around 5.6K of memory
A single rule consumes 20 bytes of memory
User name and password consume 2K of memory

Raffaele
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
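The dispatch Raffaele describes above (rules read once on the first wrapped call, an O(1) hash-table check against the connection data, and a fall-through to the native syscall when the config is empty or nothing matches) is modelled below in C. This is an added example, not CSOCKS code or anything posted in the thread: the configuration syntax, the rule key (destination IPv4 address plus port, with port 0 meaning "any port"), the proxy strings and all addresses are constructed for this example, since the real /etc/csocks.conf format is not shown in the message. The SOCKS5 CONNECT request builder follows RFC 1928 and stands in for the first step of the "socksified connection" path; no network call is made.

```c
/* Added example: a model of the "check-rules" dispatch described in the
 * mail. Not CSOCKS code. Config syntax, rule key and addresses are
 * constructed for this example; the real /etc/csocks.conf format is not
 * shown in the message. Rule key: destination IPv4 + port (0 = any). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define NBUCKETS 64

/* Constructed stand-in for /etc/csocks.conf: dst-ip  dst-port  proxy(host:port) */
static const char CSOCKS_CONF_TEXT[] =
    "# dst-ip       dst-port(0=any)  proxy\n"
    "192.0.2.10     0                198.51.100.1:1080\n"
    "203.0.113.5    443              198.51.100.1:1080\n";

struct rule {
    uint32_t dst;        /* destination address, network byte order */
    uint16_t port;       /* destination port, 0 = any port */
    char proxy[80];      /* SOCKS server to use for this destination */
    struct rule *next;   /* bucket chain */
};

static struct rule *buckets[NBUCKETS];
static int rules_loaded = 0;   /* rules are read on the first wrapped call only */
static int nrules = 0;

static unsigned hash_key(uint32_t dst, uint16_t port) {
    return (dst ^ ((uint32_t)port * 0x9E3779B1u)) % NBUCKETS;
}

/* Parse the config text into the hash table; returns the number of rules. */
static int load_rules(const char *text) {
    char line[160], ip[INET_ADDRSTRLEN];
    unsigned port;
    int n = 0;
    while (*text) {
        size_t len = strcspn(text, "\n");
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len;
        if (*text == '\n') text++;
        if (line[0] == '#' || line[0] == '\0') continue;   /* comment / blank */

        struct rule *r = calloc(1, sizeof *r);
        if (!r) break;
        if (sscanf(line, "%15s %u %79s", ip, &port, r->proxy) != 3 || port > 65535
            || inet_pton(AF_INET, ip, &r->dst) != 1) { free(r); continue; }
        r->port = (uint16_t)port;
        unsigned h = hash_key(r->dst, r->port);
        r->next = buckets[h];
        buckets[h] = r;
        n++;
    }
    return n;
}

/* O(1) check: exact (addr, port) first, then the (addr, any-port) wildcard. */
static const struct rule *lookup_rule(uint32_t dst, uint16_t port) {
    const uint16_t keys[2] = { port, 0 };
    for (int i = 0; i < 2; i++)
        for (const struct rule *r = buckets[hash_key(dst, keys[i])]; r; r = r->next)
            if (r->dst == dst && r->port == keys[i]) return r;
    return NULL;
}

/* What a wrapped _connect() would do before touching the network: returns 1
 * if the connection should go through SOCKS (rule in *match), 0 if the
 * native syscall should run unchanged. */
int socks_decide(const struct sockaddr_in *sa, const struct rule **match) {
    *match = NULL;
    if (!rules_loaded) {                 /* first call in this process: load once */
        nrules = load_rules(CSOCKS_CONF_TEXT);
        rules_loaded = 1;
    }
    if (nrules == 0) return 0;           /* empty config: whole check skipped */
    if (sa->sin_family != AF_INET) return 0;
    *match = lookup_rule(sa->sin_addr.s_addr, ntohs(sa->sin_port));
    return *match != NULL;
}

int socks_rule_count(void) { return nrules; }

/* Convenience wrapper taking a dotted-quad string; -1 on a bad address. */
int decide_ipv4(const char *ip, uint16_t port, const struct rule **match) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return -1;
    return socks_decide(&sa, match);
}

/* First step of the "socksified" path: the RFC 1928 CONNECT request
 * (VER CMD RSV ATYP DST.ADDR DST.PORT), sent after method negotiation. */
size_t build_socks5_connect(uint32_t dst_be, uint16_t port, uint8_t buf[10]) {
    buf[0] = 0x05;                   /* VER: SOCKS5 */
    buf[1] = 0x01;                   /* CMD: CONNECT */
    buf[2] = 0x00;                   /* RSV */
    buf[3] = 0x01;                   /* ATYP: IPv4 */
    memcpy(buf + 4, &dst_be, 4);     /* DST.ADDR, already network order */
    buf[8] = (uint8_t)(port >> 8);   /* DST.PORT, big endian */
    buf[9] = (uint8_t)(port & 0xff);
    return 10;
}
```

The exact-key hash lookup is what makes the per-call check O(1); a rule set expressed as address ranges rather than single hosts would need a different structure (a trie or a scan), so how the real table is keyed is the first thing to look at when judging the cost Julian asks about. The "load once per process" flag is also where the memory figures in the mail come from: the table and rules are paid for only by processes that actually call a wrapped syscall.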