Add upstream microsocks open PRs analysis document #100
Closed
kcrkor wants to merge 15 commits into rofl0r:master from
Conversation
Categorized into features (5), improvements (1), and fixes (1):
- PR #98: Dockerfile + CI/CD for multi-arch builds
- PR #96: SOCKS5 forwarding rules (extended version)
- PR #95: Windows/MinGW build support
- PR #93: SOCKS5 forwarding rules (original)
- PR #90: Timestamped log output
- PR #86: Man page formatting fixes
- PR #79: Bind-to-device (-B) option

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
Added 4 previously missed older PRs:
- PR #70: Print timestamps in logs (Xenapte, 2023)
- PR #64: Idle exit timeout -t option (chetan-reddy, 2023)
- PR #38: SO_MARK support for policy routing (grandrew, 2021)
- PR #29: Bind-to-device -B option, Linux-only (tahajahangir, 2020)

Also identified 3 pairs of overlapping PRs (#29/#79, #70/#90, #93/#96) where later submissions supersede earlier ones.

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
- Remove stray .Oc bracket from synopsis
- Start sentences on a new line (FreeBSD mdoc convention)
- Improve grammar/punctuation in option descriptions (-i, -w, -P, -p, -u)

Safety: documentation-only changes, no code modifications.

Based on: #86

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
Add -B flag to bind outgoing sockets to a specific network interface using SO_BINDTODEVICE on Linux. Requires CAP_NET_RAW or root.

Safety: uses standard setsockopt(SO_BINDTODEVICE). The strdup/zero_arg pattern matches existing credential handling. No injection vectors.

Based on: #29

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
Add -m <mark_id> option to mark outgoing packets with SO_MARK for policy-based routing.

Enabled via compile-time SOMARK flag: make CFLAGS=-DSOMARK

Safety: uses standard setsockopt(SO_MARK), gated behind compile-time flag. No runtime exposure unless explicitly compiled in. Requires CAP_NET_ADMIN or root to take effect.

Based on: #38

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
When -t is specified, the server exits after the given number of idle seconds with no connections and no active threads. Useful for on-demand proxy launches in resource-constrained environments.

Safety: uses standard fcntl(O_NONBLOCK) and poll() for timeout logic. No new attack surface. Tested on Linux and macOS.

Based on: #64

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
Add LOGTS() macro that prepends [MM-DD HH:MM:SS] timestamps to all log output using strftime() and thread-safe localtime_r().

Safety: uses standard C library functions (localtime_r, strftime, fputs). Fixed-size buffer with known output format. No buffer overflows possible.

Based on: #70

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
Replace Linux-only SO_BINDTODEVICE with cross-platform bind2device module:
- BSD/macOS: IP_BOUND_IF / IPV6_BOUND_IF
- Linux: SO_BINDTODEVICE
- Other: stub returning ENOSYS

Safety: uses standard setsockopt calls with proper error handling. Platform detection via compile-time preprocessor checks. No-op stub for unsupported platforms prevents build failures.

Based on: #79

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
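An added example of the three-way platform split this commit (and the Linux-only -B commit based on #29 above it) describes; it is not the bind2device module from PR #79 or microsocks' own code. The function name `bind2device()`, its `(fd, ifname, af)` signature and the `try_bind_loopback()` self-check are assumptions of this example. The Linux branch needs CAP_NET_RAW, so an unprivileged caller gets EPERM back; the self-check treats that, ENOSYS and a missing interface as the anticipated outcomes and anything else as a bug.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>

/* Bind outgoing traffic on fd to interface ifname. Returns 0 on success,
 * -1 with errno set on failure. af is the socket's address family. */
int bind2device(int fd, const char *ifname, int af) {
    if (!ifname || !*ifname || strlen(ifname) >= IFNAMSIZ) {
        errno = EINVAL;
        return -1;
    }
#if defined(SO_BINDTODEVICE)
    /* Linux: bind by name. Requires CAP_NET_RAW or root; otherwise EPERM. */
    (void)af;
    return setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1);
#elif defined(IP_BOUND_IF) && defined(IPV6_BOUND_IF)
    /* BSD/macOS: bind by interface index, option depends on address family. */
    unsigned idx = if_nametoindex(ifname);
    if (idx == 0) { errno = ENODEV; return -1; }
    if (af == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_BOUND_IF, &idx, sizeof idx);
    return setsockopt(fd, IPPROTO_IP, IP_BOUND_IF, &idx, sizeof idx);
#else
    /* Other platforms: stub so the build succeeds; caller sees ENOSYS. */
    (void)fd; (void)ifname; (void)af;
    errno = ENOSYS;
    return -1;
#endif
}

/* Self-check: open a socket and try the loopback interface ("lo" on Linux,
 * "lo0" on BSD/macOS). 0 = bound, 1 = refused for an anticipated reason
 * (no privilege, unsupported platform, no such interface), -1 = unexpected. */
int try_bind_loopback(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int rc = bind2device(fd, "lo", AF_INET);
    if (rc != 0 && errno == ENODEV) rc = bind2device(fd, "lo0", AF_INET);
    int err = errno;
    close(fd);
    if (rc == 0) return 0;
    if (err == EPERM || err == EACCES || err == ENOSYS || err == ENODEV) return 1;
    return -1;
}
```

The `#if`/`#elif`/`#else` chain is what keeps the build green everywhere: a platform that has neither option compiles the stub, and the -B handler reports ENOSYS at runtime instead of silently ignoring the flag.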
Replace LOGTS() macro with static inline dolog() function that uses [YYYY-MM-DD HH:MM:SS] format via vdprintf() and localtime_r(). Adds startup message showing listening address and port.

Safety: uses thread-safe localtime_r() and vdprintf(). Fixed-size buffer with bounded output. No new attack surface.

Based on: #90

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
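An added example of the timestamped, thread-safe logger this commit and the LOGTS() commit (based on #70) describe; it is not the dolog() from PR #90 or microsocks' own code. `vformat_log_line()`, `format_log_line()`, `sample_log_line()` and `truncated_line_len()` are this example's own names, and the sample time 2024-01-02 03:04:05 and the message text are constructed. It departs from the commit in one respect, stated here rather than hidden: the whole line is formatted into a fixed buffer and written with a single `dprintf()` instead of a timestamp write followed by `vdprintf()`, so lines from concurrent threads cannot interleave.

```c
#define _GNU_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Build "[YYYY-MM-DD HH:MM:SS] <message>\n" into out (size n). The timestamp
 * is fixed-width (21 chars); an overlong message is truncated, never written
 * past the buffer. Returns the line length, or -1 if even the stamp won't fit. */
int vformat_log_line(char *out, size_t n, const struct tm *tm, const char *fmt, va_list ap) {
    char ts[32];
    if (strftime(ts, sizeof ts, "[%Y-%m-%d %H:%M:%S]", tm) == 0) return -1;
    int k = snprintf(out, n, "%s ", ts);
    if (k < 0 || (size_t)k >= n) return -1;
    int m = vsnprintf(out + k, n - (size_t)k, fmt, ap);
    if (m < 0) return -1;
    size_t len = (size_t)k + (size_t)m;      /* would-be length, may exceed n */
    if (len >= n - 1) len = n - 2;           /* truncated: keep room for '\n' */
    out[len++] = '\n';
    out[len] = 0;
    return (int)len;
}

int format_log_line(char *out, size_t n, const struct tm *tm, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int len = vformat_log_line(out, n, tm, fmt, ap);
    va_end(ap);
    return len;
}

/* The logger itself: localtime_r() instead of localtime(), whose static
 * buffer is shared between threads, and one write per line. */
void dolog(int fd, const char *fmt, ...) {
    char line[512];
    time_t now = time(NULL);
    struct tm tm;
    localtime_r(&now, &tm);
    va_list ap;
    va_start(ap, fmt);
    int len = vformat_log_line(line, sizeof line, &tm, fmt, ap);
    va_end(ap);
    if (len > 0) dprintf(fd, "%s", line);
}

/* Deterministic sample (constructed time and message) for checking the format. */
const char *sample_log_line(void) {
    static char line[128];
    struct tm tm;
    memset(&tm, 0, sizeof tm);
    tm.tm_year = 2024 - 1900; tm.tm_mon = 0; tm.tm_mday = 2;
    tm.tm_hour = 3; tm.tm_min = 4; tm.tm_sec = 5;
    if (format_log_line(line, sizeof line, &tm, "client %s:%d connected", "10.0.0.1", 51234) < 0)
        return "";
    return line;
}

/* Overlong message into a 32-byte buffer: the line is cut to 31 chars + NUL. */
int truncated_line_len(void) {
    char small[32];
    struct tm tm;
    memset(&tm, 0, sizeof tm);
    tm.tm_year = 2024 - 1900; tm.tm_mday = 2;   /* constructed: 2024-01-02 00:00:00 */
    return format_log_line(small, sizeof small, &tm, "%s",
                           "a message that is far longer than the buffer allows");
}
```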
Add -f flag for specifying forwarding rules with syntax:

match_name:match_port,[user:pass@]upstream_name:upstream_port,remote_name:remote_port

Allows selective routing of matching connections through upstream SOCKS5 proxy servers with optional authentication support.

Safety: protocol buffers are constructed with bounded sizes. The upstream_handshake validates SOCKS5 responses before proceeding. sscanf with %m allocates strings safely. The strcpy to namebuf is bounded by prior parsing (256-byte buffer, validated DNS names).

Based on: #93

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
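An added example of parsing the -f rule syntax above into fixed-size fields, written for this page rather than taken from PR #93, PR #96 or microsocks. It also shows the wildcard matching ('*' or '0.0.0.0') and the 255-byte username/password limit that the extended commit below lists, so it serves both descriptions. `struct fwd_rule`, `parse_fwd_rule()`, `rule_matches()`, `spec_routes()` and `user_len_accepted()` are this example's own names; requiring every port to be in 1..65535 and treating host names case-insensitively are its own choices. The point it makes is that no byte is copied into a fixed buffer until its length has been checked, which is what makes a later bounded copy safe.

```c
#include <ctype.h>
#include <string.h>

#define MAXNAME 255   /* DNS name limit; also the RFC 1929 username/password limit */

/* One -f rule. Every string sits in a fixed MAXNAME+1 array and is only
 * written after its length has been checked. */
struct fwd_rule {
    char match_name[MAXNAME + 1];
    char user[MAXNAME + 1], pass[MAXNAME + 1];
    char upstream_name[MAXNAME + 1];
    char remote_name[MAXNAME + 1];
    unsigned short match_port, upstream_port, remote_port;
    int has_auth;
};

/* Copy [s, e) into dst only if it is non-empty and fits. */
static int copy_bounded(char *dst, const char *s, const char *e) {
    size_t len = (size_t)(e - s);
    if (len == 0 || len > MAXNAME) return -1;
    memcpy(dst, s, len);
    dst[len] = 0;
    return 0;
}

/* Parse "name:port" from [s, e); the port must be decimal in 1..65535. */
static int parse_hostport(const char *s, const char *e, char *name, unsigned short *port) {
    const char *colon = memchr(s, ':', (size_t)(e - s));
    if (!colon || copy_bounded(name, s, colon) < 0) return -1;
    const char *p = colon + 1;
    if (p == e) return -1;
    unsigned long v = 0;
    for (; p < e; p++) {
        if (!isdigit((unsigned char)*p)) return -1;
        v = v * 10 + (unsigned long)(*p - '0');
        if (v > 65535) return -1;
    }
    if (v == 0) return -1;
    *port = (unsigned short)v;
    return 0;
}

/* match_name:match_port,[user:pass@]upstream_name:upstream_port,remote_name:remote_port */
int parse_fwd_rule(const char *spec, struct fwd_rule *r) {
    memset(r, 0, sizeof *r);
    const char *end = spec + strlen(spec);
    const char *c1 = strchr(spec, ',');
    if (!c1) return -1;
    const char *c2 = strchr(c1 + 1, ',');
    if (!c2 || strchr(c2 + 1, ',')) return -1;       /* exactly three sections */
    if (parse_hostport(spec, c1, r->match_name, &r->match_port) < 0) return -1;
    const char *up = c1 + 1;
    const char *at = memchr(up, '@', (size_t)(c2 - up));
    if (at) {                                          /* optional user:pass@ */
        const char *colon = memchr(up, ':', (size_t)(at - up));
        if (!colon) return -1;
        if (copy_bounded(r->user, up, colon) < 0) return -1;     /* <= 255 bytes */
        if (copy_bounded(r->pass, colon + 1, at) < 0) return -1; /* <= 255 bytes */
        r->has_auth = 1;
        up = at + 1;
    }
    if (parse_hostport(up, c2, r->upstream_name, &r->upstream_port) < 0) return -1;
    return parse_hostport(c2 + 1, end, r->remote_name, &r->remote_port);
}

/* Does a client request for name:port fall under this rule? '*' and
 * '0.0.0.0' are catch-all names; other names compare case-insensitively. */
int rule_matches(const struct fwd_rule *r, const char *name, unsigned short port) {
    if (r->match_port != port) return 0;
    if (!strcmp(r->match_name, "*") || !strcmp(r->match_name, "0.0.0.0")) return 1;
    const char *a = r->match_name, *b = name;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == 0 && *b == 0;
}

/* Convenience: -1 = spec rejected, 0 = parsed but no match, 1 = routes. */
int spec_routes(const char *spec, const char *name, unsigned short port) {
    struct fwd_rule r;
    if (parse_fwd_rule(spec, &r) < 0) return -1;
    return rule_matches(&r, name, port);
}

/* Build a rule whose username is len bytes long (constructed) and report
 * whether it parses: 255 must be accepted, 256 must be rejected. */
int user_len_accepted(size_t len) {
    if (len > 300) return 0;
    char spec[400];
    memcpy(spec, "example.com:443,", 16);
    memset(spec + 16, 'u', len);
    strcpy(spec + 16 + len, ":pw@proxy.internal:1080,example.com:443");
    struct fwd_rule r;
    return parse_fwd_rule(spec, &r) == 0;
}
```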
Major improvements over PR #93:
- Wildcard matching: use '*' or '0.0.0.0' as match_name for catch-all rules
- Robust upstream_handshake: reads full SOCKS5 response with proper variable-length address handling, validates all write/read return values
- Socket timeouts (5s) prevent hanging on unresponsive upstream proxies
- Proper memory management: frees allocations on all error paths
- Username/password length validation (max 255 per RFC-1929)
- Uses strncpy instead of strcpy for safety
- Adds -V flag for version display

Safety: all network I/O return values are checked. Memory is freed on every error path. Protocol buffer construction uses bounded sizes. Socket timeouts prevent resource exhaustion from unresponsive upstreams.

Based on: #96

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
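The "reads full SOCKS5 response with proper variable-length address handling" point above, as an added example that is not the upstream_handshake from PR #96 or microsocks code. A SOCKS5 reply (RFC 1928 section 6) is VER, REP, RSV, ATYP, then BND.ADDR whose length depends on ATYP (4 bytes for IPv4, 16 for IPv6, one length byte plus that many bytes for a domain name), then a 2-byte BND.PORT; a reader that assumes a fixed 10-byte reply either leaves bytes on the socket or blocks. `socks5_reply_len()`, `read_socks5_reply()`, `set_io_timeout()` and the two self-checks are this example's own names; the reply bytes in the self-check are constructed, and a pipe stands in for the upstream socket so the short-read path can be exercised offline.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Total length of a SOCKS5 reply given the bytes received so far.
 * Returns >0 when the length is known, 0 if more bytes are needed to tell,
 * -1 if the header is malformed (bad version, RSV, or unknown ATYP). */
long socks5_reply_len(const unsigned char *buf, size_t n) {
    if (n < 4) return 0;
    if (buf[0] != 5 || buf[2] != 0) return -1;
    switch (buf[3]) {
    case 1:  return 4 + 4 + 2;                 /* IPv4 BND.ADDR */
    case 4:  return 4 + 16 + 2;                /* IPv6 BND.ADDR */
    case 3:                                    /* domain: length byte + name */
        if (n < 5) return 0;
        if (buf[4] == 0) return -1;
        return 4 + 1 + buf[4] + 2;
    default: return -1;
    }
}

/* Send/receive timeout so a silent upstream cannot pin a worker forever. */
int set_io_timeout(int fd, int secs) {
    struct timeval tv = { secs, 0 };
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0) return -1;
    return setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);
}

/* Read one complete reply into buf (capacity cap). Returns its length, or -1
 * on I/O error, timeout, EOF, malformed header, or a reply larger than cap.
 * Every read() result is checked; short reads are normal on a socket. */
long read_socks5_reply(int fd, unsigned char *buf, size_t cap) {
    size_t have = 0;
    for (;;) {
        long need = socks5_reply_len(buf, have);
        if (need < 0) return -1;
        if (need > 0 && (size_t)need <= have) return need;
        size_t want = need > 0 ? (size_t)need : 5;   /* 5 bytes decide the length */
        if (want > cap) return -1;
        ssize_t r = read(fd, buf + have, want - have);
        if (r <= 0) return -1;                        /* error, EAGAIN on timeout, or EOF */
        have += (size_t)r;
    }
}

/* Self-check on a pipe standing in for the upstream socket. The constructed
 * reply is VER=5 REP=0 RSV=0 ATYP=3 LEN=7 "example" PORT=1080, written in two
 * chunks so the reader has to cope with a short read. Returns the reply
 * length (14) on success, -1 otherwise. */
long selftest_domain_reply(void) {
    static const unsigned char reply[] = {5, 0, 0, 3, 7, 'e','x','a','m','p','l','e', 0x04, 0x38};
    int p[2];
    if (pipe(p) < 0) return -1;
    ssize_t rest = (ssize_t)sizeof reply - 3;
    if (write(p[1], reply, 3) != 3 || write(p[1], reply + 3, (size_t)rest) != rest) return -1;
    close(p[1]);
    unsigned char buf[262];                           /* largest reply: 4+1+255+2 */
    long n = read_socks5_reply(p[0], buf, sizeof buf);
    close(p[0]);
    if (n != (long)sizeof reply || buf[1] != 0) return -1;   /* REP must be 0 */
    return n;
}

/* Self-check that the timeout options apply to a fresh TCP socket. */
int selftest_timeout(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int rc = set_io_timeout(fd, 5);
    close(fd);
    return rc;
}
```

Because the length is derived from the ATYP and, for domain replies, the length byte, a 255-byte domain reply fits exactly in the 262-byte buffer and anything claiming more is refused before it is read, which is the bounded-buffer property the commit's safety note relies on.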
Add Windows cross-compilation support:
- wsa2unix.h: maps Winsock error codes to Unix equivalents
- dprintf.c: portable dprintf() implementation for Windows
- server.h: conditional includes for winsock2.h/ws2tcpip.h
- sockssrv.c: WSAPoll() replaces poll(), conditional SIGPIPE handling

Safety: uses standard Winsock API calls via preprocessor conditionals. No new attack surface. Error code mappings are well-established standard equivalences.

Note: this is a Draft PR, author notes dprintf may have caveats on Windows.

Based on: #95

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
- Dockerfile: multi-stage build (Alpine builder -> scratch runtime) with static linking for minimal image size
- CI workflow: builds Docker images for 8 architectures (386, amd64, arm/v6, arm/v7, arm64/v8, ppc64le, riscv64, s390x)
- Publishes to GHCR, uploads statically-built binaries as artifacts
- Added .dockerignore and updated .gitignore

Safety: uses official GitHub Actions from trusted publishers. No secrets exposed in workflow. Scratch-based runtime image has minimal attack surface. Static linking eliminates shared library dependencies.

Based on: #98

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
- Add lightweight compile job that builds standard and SOMARK variants
- Test version flag output in CI
- Docker build/push job now only runs on master/tags
- Trigger workflow on claude/** branches for testing

https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq
Summary
This PR adds a comprehensive analysis document of the 11 open pull requests in the upstream microsocks repository, categorized by type and with detailed summaries of each PR's purpose and implementation.
Changes
UPSTREAM_PR_ANALYSIS.md - A detailed analysis document containing:
Key Details
This document serves as a reference for understanding the current state of upstream development and identifying potential conflicts or dependencies between PRs.
https://claude.ai/code/session_01FwgogjHuR11HGDys6b2BWq