Date: Mon, 10 Dec 2007 12:22:45 +0100 From: Raffaele De Lorenzo <raffaele.delorenzo@libero.it> To: Julian Elischer <julian@elischer.org> Cc: freebsd-security@freebsd.org, "raffaele.delorenzo" <raffaele.delorenzo@libero.it>, FreeBSD Net <freebsd-net@freebsd.org> Subject: Re: Added native socks support to libc in FreeBSD 7 Message-ID: <475D2185.3090405@libero.it> In-Reply-To: <47599AE1.6060805@elischer.org> References: <4759022A.4020105@libero.it> <47599AE1.6060805@elischer.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Julian Elischer wrote: > Raffaele De Lorenzo wrote: >> Hi, >> i added a native (client) Socks V4/V5 support inside FreeBSD libc >> library. The work is based of my project (see >> http://csocks.altervista.org) CSOCKS. >> You can get it here: >> >> > > thanks for doing this. now we just need to see if thre is someone who > knows socks who can look at it.. > > The big question is whether it should be in libc or not. Making > everyone who does not use socks pay a cost is a big decision. > > Obviously, for people who use socks, it is good. What is the cost for > others? > > > > > > . > Hi, I understand your doubts... The socks implementation wraps some syscall socket functions like "_connect" and "_bind" trasparently from the applications. When one of these is called, the "socks" check starts: 1) Load rules from /etc/csocks.conf (if exist or there are rules..) 2) Check the rules ("check-rules") with the connection data (the check have a O(1) cost because the rules are stored in a hash-table). If "/etc/csocks.conf" doesn't exist or there are no rules inside it, the entire socks check is skipped and go run native syscall (for example "_connect") . 3) If a rule is matched, then starts the socksified's (connection ) processes, else run the native syscall Now, if the users never will use the socks features (the configuration file is empty), the computation cost is negligible, because the "check-rules" are skipped. If some (or all) users use the socks features, for each syscall wrapped by socks there is a low cost identified by the "check-rule" procedure. I tested this solution in a big network , up to 60 client rules and i didn't see slowdowns for non-socks connections. When a process calls a socks wrapped syscall for the first time (and only the first time!) the entire rules are loaded in memory, and the hash array (empty) too: The hash array empty consumes around 5.6K of memory The single rule consumes 20 Byte of memory User Name and Password consume 2K of memory Raffaele
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?475D2185.3090405>