Instruct your server daemon, with the LD_PRELOAD library injected, to bind to the following IPv6 address:
- X = 0, open
$SKBOX_DIRECTORY_ROOT/skbox_dir_Yd000where Yd000 is the decimal representation of YYYY zero-left-padded to five digits. Use the first 108 (or UNIX_PATH_MAX) bytes starting from byte offset
128 * Zdof that file as the Unix domain socket address (i.e. the bytes in that range are copied into struct sockaddr_un->sun_path), where Zd is the numeric value of ZZZZ in decimal (if past the end of the file, bind() returns -1 and sets errno to
ERANGE). If that address contains the string
_@SB_, then it is replaced with the original requested port number of the bind() call zero-left-padded to five digits. The socket will be created as an instance of a Socketbox "A" protocol listener. If $SKBOX_DIRECTORY_ROOT is unset, this will result in an error.
- X = 1, same as X = 0, but create a traditional stream socket instead.
- X = 2, open
$SKBOX_DIRECTORY_ROOT2/Yd000/Zd000_Pd000as the socket address, using the Socketbox "A" protocol, where Yd000 is the decimal value of YYYY zero-left-padded to five digits, Zd000 is the decimal value of ZZZZ zero-left-padded to five digits, and Pd000 is the decimal value of the original port number zero-left-padded to five digits. If $SKBOX_DIRECTORY_ROOT2 is unset, this will result in an error.
- X = 3, same as X = 2, but create a traditional stream socket instead.
- All other values for X are reserved and will result in an error.
The following additional restrictions apply:
- The length of the socket address passed to bind() must be equal to
sizeof(struct sockaddr_in6)and the value of sa_family is set to AF_INET6.
- Original socket must be detected as domain AF_INET or AF_INET6 and type SOCK_STREAM.
- Requested port number to bind() must be greater than zero and less than 1024.
- sin6_scope_id must be set to 0.
- IPv6 must not be disabled on the machine using
/etc/sysctl.confinstead, though I would question why you would want to run socketbox in such an environment.)
- The "B" protocol is not supported.
It is possible to also enable the ability to connect to fe8f:: addresses using SKBOX_ENABLE_CONNECT (it is disabled by default), but depending on the credentials of the web (or other) server, enabling it may also result in the ability to create server-side request forgery attacks. Use with caution!
- This end-user documentation is part of socketbox. Reproduction and use of this material for any purpose is permitted, provided that a link to this page is provided as attribution.