2 # Copyright Gerhard Rieger and contributors (see file CHANGES)
6 The options and features described in this document have been implemented (but
7 not always tested) on the operating systems listed below, unless otherwise
10 SuSE 10.1 Linux on x86
11 Solaris 8 on Sparc with gcc
13 HP-UX B 11.11 on PA-RISC with gcc
15 ===============================================================================
17 The following sections describe the syntax and semantics of the socat command
18 line stream arguments.
20 Usually a socat stream argument defines a one- or bidirectional stream. There
21 are two principal forms:
22 * a single stream. Depending on use of the -u or -U options and implicit
23 semantics of the stream, such an argument may be resolved to a one- or
24 twodirectional stream.
25 * two onedirectional streams, separated by '!!'. An argument of this form
26 always specifies a twodirectional stream. The first single stream is only used
27 for reading data, and the second is only used for writing data.
30 The general structure of a single stream is:
31 keyword[:required-parameters][,options]
33 The options part starts with the first ',' of the argument. The required
34 parameters are separated by ':' from their predecessor. The last required
35 parameter is terminated by the end of the argument or by the first ',' that
36 iitroduces the first option. The options are separated with ','. The last
37 option is terminated by end-of-string or by '!!'.
39 The are some abbreviations defined that allow to drop the keyword. In these
40 cases the argument syntax is:
41 required-parameter[:required-parameters][,options]
42 The implemented abbreviations are:
43 short form canonical form
44 number FD:number # decimal number
45 path GOPEN:path # must must contain at least one '/' and must not contain ':' or ',' and must not start with a decimal digit
47 ===============================================================================
52 Every address specification starts with a keyword or an abbreviation. These
53 keywords are case insensitive.
54 Note: because the option group ANY applies for all addresses, it is not
55 mentioned explicitely below.
58 Bidirectional only addresses:
59 -----------------------------
65 Opens an unnamed pipe (fifo) where outbound traffic is sent to and inbound
66 traffic is read from. The special semantics of pipes results in an echo like
68 Option groups: FD, FIFO (no specific FIFO options are defined yet)
71 Onedirectional only addresses:
72 ------------------------------
74 Currently all addresses may be used bidirectional.
75 Note: for regular files, behaviour when being used bidirectionally is
79 One- and bidirectional addresses:
80 ---------------------------------
85 Uses stdin (FD 0) for inbound traffic and/or stdout (FD 1) for outbound traffic
87 Option groups: FD; others dependent on actual types of stdin and stdout (FIFO,
88 CHR, BLK, REG, and/or SOCKET).
93 Uses stdin for traffic. This might fail for outbound traffic.
94 Option groups: FD; dependent on actual type of stdin (FIFO, CHR, BLK, REG, or
100 Uses stdout for traffic. This might fail for inbound traffic.
101 Option groups: FD; dependent on actual type of stdout (FIFO, CHR, BLK, REG, or
107 Uses stdout for traffic. This might fail for inbound traffic.
108 Option group: FD; dependent on actual types of sterr (FIFO, CHR, BLK, REG, or
115 Uses the already existing file descriptor <num> for traffic.
116 Option groups: FD; dependent on actual types of file descriptor (FIFO, CHR,
117 BLK, REG, or SOCKET).
122 Uses the GNU readline function and history capabilies (best known from bash).
123 It always works on stdin and stdout; if stdio is not a tty, readline does not
124 seem to work correctly.
125 Because readline is blocking during line editing, it does not fit well into
126 socats I/O philosophy.
127 socat integrates readline by waiting in the select call as usual; when stdin
128 reports available data, socat invokes readline(). readline blocks until the
129 user presses ENTER or EOF. Data on socats other stream is not handling in this
131 socat controls the ECHO flag of the stdin tty (off during select(), on for
133 When using socat with readline as front end to a service like telnet, POP3 or
134 an other authenticated service, please note that the password is entered as
135 ordinary data, thus appears on the screen!
136 Option groups: FD, READLINE, TERMIOS
137 Useful options: history-file
142 Applies an open() system call to the given path. If the path does not exist a
143 file is created only if the option create is used; if a file, pipe, or device
144 with this name already exists it is opened. Open for reading and/or writing
145 depends on the rw parameter of the xioopen call, or on usage in a socat
146 argument. If no perm option is used, xioopen uses 600 (which might be modified
148 Applying this function to files conforms to the semantics as described by the
150 Opening device files, like /dev/ttyS*, might block until the device gets active
151 (until some peer is connected)
152 With existing named pipes (fifos) please note the usual semantics:
153 Opening the pipe in read/write mode results in an echo service;
154 Opening the pipe in read mode blocks until a writer opens the pipe (close
155 by writer gives EOF for the reader); with option nonblock the open call does
157 Opening the pipe in write mode blocks until a reader opens the pipe (close
158 by reader gives "broken pipe" error on next write); with option nonblock the
159 open call terminates with error "no such device or address" in absence of a
161 Opening a named UNIX stream socket with or without a listening peer might
162 succeed depending on the operating system, but
163 the resulting file descriptor erronously reports available data immediately,
164 and the following read() or write() call always fails with "invalid
165 argument". Even worse, while such a filesystem entry is identified as socket by
166 "file" command and by fstat(), getsockopt() after open() gives error "Socket operation on non-socket".
167 Use GOPEN for reasonable behaviour!
168 Option groups: FD, OPEN, NAMED, and specific for data object type (FILE, FIFO,
169 CHRDEV+TERMIOS, BLKDEV, or SOCKET).
175 "Generic open". Tries to open the given path in a smarter way. If the path
176 exists and is a socket, it is connected to; if connecting fails,
177 socat assumes a datagram socket and later uses sendto() calls for data
179 If the path exists and is not a socket, it is opened:
180 in RDONLY environment for reading from position 0,
181 in WRONLY environment for appending (O_APPEND),
182 in RDWR env. for reading and/or writing starting from position 0.
183 If the path does not exist:
184 in RDONLY environment this is an error
185 in WRONLY environment the file is created (O_CREAT)
186 in RDWR env. for reading and/or writing starting from position 0.
187 However, these flags may be overriden by user supplied options
189 Option groups: FD, NAMED, and specific for data object type (FILE, FIFO,
190 CHRDEV+TERMIOS, BLKDEV, or SOCKET).
196 Opens the named file with creat(). With UNIX semantics, this address is just a
197 variation of the OPEN address, see there for more details.
198 Note: The creat() system call does not create a completely new file, but
199 inherits some properties of the old file if it exists, e.g. permissions. Use
200 option "unlink-early" to remove the old entry before.
201 Option groups: FD, NAMED, FILE
202 Useful options: unlink-late
208 Creates and opens a pipe if path does not exist; opens path if it already
210 Option groups: FD, NAMED, FIFO
211 Note: this address uses the mknod(2) system call to create the named pipe. On
212 FreeBSD, this call requires root privilege
217 Forks off a child process after establishing a bidirectional communication
218 channel (with socketpair, pipes, or pty). The child then starts "cmdline" with
220 Note: spaces and shell meta characters in cmdline must be quoted if socat is
221 invoked from the command line.
222 Option groups: FD, FORK, EXEC, SOCKET, SOCK_UNIX, FIFO, TERMIOS
223 Useful options: path, fdin, fdout, chroot, su, pty, stderr
224 Note: on AIX, search permissions on /dev/pts/ are required to use option pty.
229 Forks off a child process after establishing a bidirectional communication
230 channel (with socketpair, pipes, or pty). The child then starts "cmdline" with
232 Note: spaces and shell meta characters in cmdline must be quoted if socat is
233 invoked from the command line.
234 Option groups: FD, FORK, EXEC, SOCKET, SOCK_UNIX, FIFO, TERMIOS
235 Useful options: path, fdin, fdout, chroot, su, pty, stderr
236 Note: there are slightly different semantics with options pty or pipes, because
237 they do not communicate an EOF condition to the shell process. Therefore, the
238 shell process and its child do not terminate due to EOF, but are explicitly
239 killed during close of the socat file handle. Consider using
240 exec:'/bin/sh -c command',pty...
246 Connects to a UNIX domain socket.
247 Option groups: FD, SOCKET, SOCK_UNIX
248 NOTE: you need rw permissions to connect to a local socket. My Linux answers
249 with "connection refused" to insufficient permissions, not existing
250 socket, not a socket, or just a socket entry without a listening process.
251 NOTE: this address does not implement option group NAMED because its connect
252 call succeeds only if there is already someone listening, but at this point the
253 NAMED group actions no longer affect this socket, only the fs entry.
259 Create a listening UNIX domain socket. With the fork option, for each accepted
260 connection a new process is forked off, and more connections are accepted on
261 the parent socket. Without fork, only the first connection is accepted.
262 Option groups: FD, NAMED, SOCKET, SOCK_UNIX, LISTEN, CHILD
268 Open a raw socket with IP4 protocol. This mode sends packets to and accepts
269 them only from host. protocol is a number from 0 to 255, with 1 meaning ICMP,
270 6..TCP, 17..UDP, 255..raw IP; 0 might be unsupported by the local IP stack,
271 resulting in an error.
272 Requires root privilege.
273 Note: my Linux 2.4.10 kernel seems to drop payloads smaller than 8
274 bytes on their way from the network to the application.
275 Option groups: FD, SOCKET, SOCK_IP
282 Create a TCP/IP4 client socket and connect to the given host/port combination.
283 Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP
284 Useful options: crlf, bind, tos, mtudiscover, mss, nodelay,
294 Create a TCP/IP4 server socket and wait for an incoming connection. With the
295 fork option, for each accepted connection a new process is forked off, and more
296 connections are accepted on the parent socket. Without fork, only the first
297 connection is accepted.
298 Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP, LISTEN, RANGE, CHILD
299 Useful options: fork, crlf, bind, backlog, mtu, tcpwrap
303 UDP-CONNECT:host:port
305 Connects to port on host using UDP/IP version 4 or 6
306 depending on address specification, name resolution, or option pf.
308 due to UDP protocol properties, no real connection is established; data has
309 to be sent for `connecting' to the server, and no end-of-file condition can
311 Option groups: FD, SOCKET, SOCK_IP4, SOCK_IP6, IP_UDP
315 UDP4-CONNECT:host:port
317 Like UDP-CONNECT, but only supports IPv4 protocol.
318 Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_UDP
324 Emulates a UDP server in the same way as netcat: Create a UDP/IP4 socket and
325 bind to the given port. Then wait for the first packet, get its sender address
326 (without consuming its data), connect() to this address, and leave xioopen().
327 Afterwards, our socket only communicates with this peer.
328 Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_UDP, RANGE
329 Note: with fork option, child processes might hang forever because UDP cannot
330 transport EOF conditions.
336 #Create and use a pure datagram oriented UDP socket.
337 #The following restrictions apply:
338 #* range option does not work
339 #* de facto this is a read-only endpoint: sending data to 0.0.0.0 might fail.
345 Create a TCP/IP6 client socket and connect to the given host/port combination.
346 Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP
347 Note: Address syntax parsing is awkward, since the IPv6 address word separator
348 is ':' which is used as port separator too.
349 An FTP listen entry looks in netstat ":::21"!
357 Create a TCP server socket and wait for an incoming connection. With the fork
358 option, for each accepted connection a new process is forked off, and more
359 connections are accepted on the parent socket. Without fork, only the first
360 connection is accepted.
361 Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP, LISTEN, RANGE, CHILD
364 SOCKS4:sockd:host:port
365 SOCKS:sockd:host:port
367 Use a socks server, socks protocol version 4, to build a TCP (IPv4) connection.
368 Sockd is the name or address of the socks server, host and port specify the
369 destination address. Use option socksport if the socks server does not listen
371 Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP, IP_SOCKS
372 Useful options: sp, socksport, socksuser
373 Note: If you do not specify option socksuser, xioopen tries to derive it from
374 environment: LOGNAME or USER, and might therefore undisclose your identity.
377 SOCKS4a:sockd:host:port
379 Like SOCKS4, but use the socks version 4a extension for destination name
380 resolution on the socks server.
381 Option groups: FD, SOCKET, SOCK_IP, IPAPP, IP_TCP, IP_SOCKS
386 Creates a pseudo terminal (pty) and uses its master side. Another process may
387 open the pty´s slave side using it like a serial line or terminal.
388 Option groups: FD,NAMED,PTY,TERMIOS
389 Useful options: link, openpty, mode, user, group
392 OPENSSL-CONNECT:host:port
395 Tries to establish a SSL connection to port on host using TCP/IPv4.
396 Note: this is currently only an experimental integration of openssl!
397 (it does not provide any trust between the peers because is does not check
399 Option groups: FD,SOCKET,SOCK_IP4,IP_TCP,OPENSSL,RETRY
400 Useful options: cipher, method, verify, cafile, capath, certificate, bind, sourceport, retry
405 Listens on tcp4 port. When a connection is accepted, this address behaves as
407 Option groups: FD,SOCKET,SOCK_IP4,TCP,LISTEN,CHILD,RANGE,OPENSSL,RETRY
408 Usefule options: cipher, method, verify, cafile, capath, certificate, retry
411 PROXY:proxy:host:port
412 PROXY-CONNECT:proxy:host:port
414 Connects to an HTTP proxy server on port 8080 using TCP/IPv4, and sends a
415 CONNECT request for host:port. If the proxy grants access and succeeds to
416 connect to the target, data transfer between socat and the target can
417 start. Note that the traffic need not be HTTP but can be an arbitrary
419 Option groups: FD,SOCKET,IP4,TCP,HTTP
420 Useful options: proxyport, ignorecr, proxyauth, crnl, bind, mss, sourceport
422 ===============================================================================
426 Each option is member of one option group. Address definitions specify which
427 option groups they support. This allows to reject unapplyable options in an
428 early stage of address processing.
430 Address groups are identified by single bit positions. Option definitions
431 specify to which group the option belongs (some options are member or more than
432 one group). Addresses use a bit pattern to specify which option groups they
435 Currently the following option groups are defined:
437 GROUP_FD: All addresses that result in one or more file descriptors. These
438 options are typically applied with fcntl() or some special calls like fchown()
439 or fchmod(). There is no documented restriction to apply these functions to any
440 file descriptor; but they are not always meaningful, and sometimes lead to OS
443 GROUP_APPL: All addresses. The options do not need file descriptors, because
444 they manipulate the data streams at application level (ignoreeof, line
445 terminator conversion).
447 GROUP_PROCESS: For options that change process related attributes, like user id
450 GROUP_FIFO: Options for pipes. Currently not used.
452 GROUP_CHR: Options for character devices. Currently not used.
454 GROUP_BLK: Options for block devices. Currently not used.
456 GROUP_REG, GROUP_FILE: Options for regular files. Currently not used.
458 GROUP_SOCKET: Options for arbitrary type sockets, e.g. so-sndbuf, so-linger.
460 GROUP_NAMED: Options for file system entries, e.g. user-early, unlink.
462 GROUP_OPEN: Options that are applied with the open() system call.
464 GROUP_EXEC: Options for program or script execution, e.g. path.
466 GROUP_FORK: Options for communication with children processes, e.g. fdin, pty.
468 GROUP_LISTEN: Options for listening sockets. Only backlog.
470 GROUP_DEVICE: not used
472 GROUP_CHILD: Options for addresses that may fork off independent child
473 processes. Currently only option fork.
475 GROUP_RETRY: Options for failure handling. Currently not used.
477 GROUP_TERMIOS: Options for terminal settings, e.g. echo, b38400, raw.
479 GROUP_READLINE: Options for readline (GNU line editing and history).
481 GROUP_RANGE: Options for checking peer address. Currently only range.
483 GROUP_SOCK_UNIX: Options for UNIX domain sockets. Currently not used.
485 GROUP_SOCK_IP4: Options for IP4 sockets. Currently not used.
487 GROUP_SOCK_IP6: Options for IP6 sockets. Currently not used.
489 GROUP_SOCK_IP: Options for IP sockets, e.g. mtu, ip-options, ttl.
491 GROUP_IP_UDP: Options for UDP sockets. Currently not used.
493 GROUP_IP_TCP: Options for TCP sockets, e.g. maxseg, nodelay.
495 GROUP_IPAPP: Options for UDP and TCP sockets. Currently only sourceport.
497 GROUP_IP_SOCKS4: Options for SOCKS client connections, e.g. socksuser.
499 GROUP_PROCESS: Options for process wide attributes, e.g. su, chroot.
501 GROUP_APPL: Options handled by application. Currently not used.
503 GROUP_PTY: Options for pseudo terminals. Used with addresses PTY, EXEC, and
506 GROUP_OPENSSL: Options for the OPENSSL address.
508 There are "combined" group definitions too:
509 #define GROUP_ANY (GROUP_PROCESS|GROUP_APPL)
510 #define GROUP_ALL 0xffffffff
512 ===============================================================================
516 Address options are identified by a case insensitive keyword. If the options
517 needs a parameter value, the option syntax is always:
519 Currently there do not exist options that take more than one argument;
520 sometimes, two values are combined to form one argument value, e.g. IP4 address
525 "Type" describes the type of data that may or must be given to the option and
526 that is passed to the system. There are some options with boolean semantics
527 (on/off or yes/no), but their values are passed to the system with an int
528 parameter. This situation is indicated as "Logical type: bool" and "Physical
529 type: int". In this case xioopen passes the physical value to the system,
530 giving the user one more hacking playground.
538 Platforms: all (UNIX98)
540 Sets the O_APPEND flag via a fcntl() call and F_SETFL; with OPEN type
541 addresses, this flag is applied with the open() call. All data written is
542 appended to the actual file end, even if other processes have written to or
543 truncated the file in the meantime.
551 Platforms: FreeBSD, Linux, SunOS
553 Sets the O_ASYNC (or FASYNC) flag via a fcntl() call and F_SETFL; with FILE
554 addresses, this flag is applied with the open() call. Consult your kernel
555 documentation for effects of this flag.
556 NOTE: socat does not handle the SIGIO signal.
566 Sets the FD_CLOEXEC (close-on-exec) flag on the file descriptor via a
567 fcntl()call with F_SETFD. Use with caution, because xioopen() makes use of this
568 flag to archieve what we consider the most reasonable behaviour; using this
569 option overrides xioopen's setting!
578 Platforms: FreeBSD, Linux
580 Applies the flock(fd, LOCK_EX) call to the file descriptor(s). This locks a file
581 exclusively (but only for processes also using flock() on this file - otherwise, they seem to have unrestricted access).
582 If the file is already locked with flock, our flock call blocks until the other
583 processes lock is released.
584 Note: the "lock" option name alias applies to this option only
585 if the fcntl locking mechanism is not available on a platform.
594 Platforms: FreeBSD, Linux
596 Applies the flock(fd, LOCK_EX|LOCK_NB) call to the file descriptor(s). This locks a file
597 exclusively (but only for processes also using flock() on this file -
598 otherwise, they seem to have unrestricted access).
599 If the file is already locked with flock, our flock call returns the error
600 "Resource temporarily unavailable".
608 Platforms: FreeBSD, Linux
610 Applies a shared advisory lock to the file using the flock(fd, LOCK_SH) call.
611 This prevents processes from locking the file exclusively.
612 If the file has already an exclusive lock, our flock call blocks until the
613 other processes lock is released.
621 Platforms: FreeBSD, Linux
623 Applies a shared advisory lock to the file using the flock(fd, LOCK_SH|LOCK_NB) call.
624 This prevents processes from locking the file exclusively.
625 If the file has already an exclusive lock, our flock call returns with error
626 "Resource temporarily unavailable".
637 Locks the complete file with fcntl(fd, F_SETLK, {F_RDLCK}) (complete means from its
638 start to its maximal length). This locks the file exclusively (but only if the
639 other processes accessing this file also use f-setlk or f-setlkw - otherwise,
640 they seem to have unrestricted access). If the file is already locked with
641 f-setlk or f-setlkw, the fcntl call blocks until release by the other process.
645 Aliases: f-setlk, setlk-wr, setlk
652 Locks the complete file with fcntl(fd, F_SETLK, {F_WRLCK}) (complete means from its
653 start to its maximal length). This locks the file exclusively (but only if the
654 other processes accessing this file also use f-setlk or f-setlkw - otherwise,
655 they seem to have unrestricted access). If the file is already locked with
656 f-setlk or f-setlkw, the fcntl call blocks until release by the other process.
667 Locks the complete file with fcntl(fd, F_SETLKW, {F_RDLCK}) (complete means from its
668 start to its maximal length). This locks the file exclusively (but only if the
669 other processes accessing this file also use f-setlk or f-setlkw - otherwise,
670 they seem to have unrestricted access). If the file is already locked with
671 f-setlk or f-setlkw, fcntl returns with EAGAIN.
675 Aliases: setlkw-wr, f-setlkw, setlkw, lockw, lock
682 Locks the complete file with fcntl(fd, F_SETLKW, {F_WRLCK}) (complete means from its
683 start to its maximal length). This locks the file exclusively (but only if the
684 other processes accessing this file also use f-setlk or f-setlkw - otherwise,
685 they seem to have unrestricted access). If the file is already locked with
686 f-setlk or f-setlkw, fcntl returns with EAGAIN.
696 Without fork (or fork=0), the listening process accepts exactly one
697 connections, and terminates afterwards. With fork set, it forks off a new socat
698 child process for each incoming connection.
699 It is very important to understand what socat does with this fork option:
700 The parent process remains in a loop of accept() and fork() calls until
701 terminated from outside. The child process leaves this loop and goes on with
702 the socat processing. If the fork occurs in the first address argument, the
703 child process continues with parsing and activating the second address
704 argument. This will in most cases be what you want or expect.
705 If the fork call occurs in socats second address argument, all children will
706 inherit and share the already activated first address.
712 Type: GIDT or unsigned int
717 Takes one argument, a UNIX group name or a numeric group id. The first
718 character of value is a digit for group ids.
719 With NAMED addresses this option is applied via a chown() call, with a
720 fchown() call otherwise.
721 If groupname is a name it must be a valid groupname from /etc/group and is
722 converted to a group id with a getgrnam(3) call.
723 On most modern operating systems, the owner of the process must be member of
724 the group being set; only root may set any group, even numbers without group
726 A Linux 2.2.10 kernel SIGSEGVs the process in the fchown() call when this
727 option is used with a socket or pipe. Is fixed with Linux 2.4.
729 SH1: socat -D - unix-l:/tmp/socket,unlink-early
730 SH2: socat -d -d -d -d -D gopen:/tmp/socket,group=floppy -
733 Option: group-late=value
740 Takes one argument, a UNIX group name or a numeric group id. The first
741 character of value is a digit for group ids.
742 This option is applied via a fchown(2) call.
743 If groupname is a name it must be a valid groupname from /etc/group and is
744 converted to a group id with a getgrnam(3) call.
745 On most modern operating systems, the owner of the process must be member of
746 the group being set; only root may set any group, even numberic group ids
756 Platforms: all (UNIX98)
758 Sets the O_NONBLOCK flag of a file descriptor via a fcntl(2) call and F_SETFL;
759 with OPEN type addresses, this flag is applied with the open() call.
760 It does not change the behaviour of socat's data transfer loop because socat
761 uses select() which blocks nevertheless.
762 Currently is has only two documented uses:
763 1) With address TCP, the connect() call
764 does not block; instead, it continues through the open step. The channel is
765 passed to the select() call. If something is written to the channel before it
766 is connected, this is an error. If connection fails, a read condition occurs
767 and read() returns the error.
768 2) Opening a named pipe does not block with this option.
777 Platforms: HP-UX, SunOS (UNIX98)
779 Under Solaris it sets the O_NDELAY of the file descriptor via a fcntl(2) call
780 and F_SETFL; with OPEN type addresses, this flag is applied with the open()
782 With all other operating systems, this is just another name for the nonblock option.
793 Sets the O_NOATIME flag of a file descriptor via a fcntl(2) call and F_SETFL;
794 with OPEN type addresses, this flag is applied with the open() call.
795 It prevents the access time from being updated during read operations.
806 This option changes the mode (permissions) of an addresses inode. xioopen
807 tries to apply this option already during open phase. If the address does not
808 have a open phase or if the option cannot be applied there, the value is
809 applied directly on the file descriptor afterwards.
810 It is up to you to (1) have the permission to change the permissions, and (2)
811 not to set permissions that prevent you from performing your transactions :-)
812 NOTE: At least with some Linux 2.2, setting permissions on an existing file or
813 device with fchmod() does not change the permissions of its inode on disk. See
814 perm-early which uses chmod() instead.
815 NOTE: At least with some Linux 2.2, restricting mode on file descriptors does
816 not restrict this file descriptors data transfer capabilities.
819 Option: perm-late=value
826 This option changes the mode (permissions) of a file descriptor with fchmod()
827 in the last phase of address processing.
830 Option: seek-set=offset
831 Aliases: lseek=offset, seek=offset
836 Platforms: HP-UX, Linux, SunOS
838 Positions the file at the given absolute offset, using lseek() (or lseek64() if
839 available) with SEEK_SET.
842 Option: seek-cur=offset
847 Platforms: HP-UX, Linux, SunOS
849 Positions the file at the given offset from the current position,
850 using lseek() (or lseek64() if available) with SEEK_SET.
853 Option: seek-end=offset
858 Platforms: HP-UX, Linux, SunOS
860 Positions the file at the given offset from the file end,
861 using lseek() (or lseek64() if available) with SEEK_END.
864 Option: lseek32-set=offset
865 Aliases: lseek32=offset
870 Platforms: HP-UX, Linux, SunOS
872 Positions the file at the given absolute offset using lseek() with SEEK_SET.
873 This call might fail for non
874 random access data objects like character devices or sockets.
875 NOTE: this option seems to be useless on files with O_APPEND set.
878 Option: lseek32-cur=offset
880 Type: OFF32 (instead of off_t)
883 Platforms: HP-UX, Linux, SunOS
885 Positions the file at the given offset from the current position using lseek()
886 with SEEK_CUR. This call
887 might fail for non random access data objects like character devices.
888 On Linux, the seek() call fails on pipes, sockets and ttys but works on files
890 NOTE: this option seems to be useless on files with O_APPEND set.
893 Option: lseek32-end=offset
898 Platforms: HP-UX, Linux, SunOS
900 Positions the file at the given offset from the file end using lseek() with
901 SEEK_END. This call might fail
902 for non random access data objects like character devices.
903 NOTE: this option seems to be useless on files with O_APPEND set.
906 Option: lseek64-set=offset
907 Aliases: lseek64=offset
914 Positions the file at the given absolute offset using lseek64() with SEEK_SET.
915 This call might fail for non
916 random access data objects like character devices or sockets.
917 NOTE: this option seems to be useless on files with O_APPEND set.
920 Option: lseek64-cur=offset
927 Positions the file at the given offset from the current position using
928 lseek64() with SEEK_CUR. This call
929 might fail for non random access data objects like character devices.
930 NOTE: this option seems to be useless on files with O_APPEND set.
933 Option: lseek64-end=offset
940 Positions the file at the given offset from the file end using lseek64() with
941 SEEK_END. This call might fail
942 for non random access data objects like character devices.
943 NOTE: this option seems to be useless on files with O_APPEND set.
949 Option group: PROCESS
953 Invokes the chroot() system call with the given path after the address
954 resolution, so the path names of the address must be specified with absolute
956 Note: when you combine chroot with substuser, with substuser applied within the
957 chroot environment, usually the etc/passwd and etc/group files in the chroot
958 environment are used for group set etc.
959 See appendix "generating a sandbox"
962 Option: chroot-early=path
965 Option group: PROCESS
969 Invokes the chroot() system call with the given path before the address is
970 resolved, this means before file opening in OPEN, GOPEN and before program
971 execution in EXEC and SYSTEM, so their pathes must be specified related to
972 their chroot directory.
973 See appendix "generating a sandbox"
978 Type: GIDT (gid_t or string)
979 Option group: PROCESS
983 Invokes setgid() with the group id. For EXEC and SYSTEM this call is performed
984 for the child process after the fork and therefore does not affect the socat
985 process directly. For LISTEN group addresses with fork option, this call is
986 performed only on the child processes. For all other addresses, it is performed
987 in the late phase of address processing, so it does not affect the address
988 where it is used, but for the next address (if any), and for the data loop.
989 Note: setgid() does not remove any groups from the current process group set.
994 Type: UIDT (uid_t or string)
995 Option group: PROCESS
999 Invokes setuid() with the user id. For EXEC and SYSTEM this call is performed
1000 for the child process after the fork and therefore does not affect the socat
1001 process directly. For LISTEN group addresses with fork option, this call is
1002 performed only on the child processes. For all other addresses, it is performed
1003 in the late phase of address processing, so it does not affect the address
1004 where it is used, but the next address (if any), and the data loop.
1005 Note: setuid() is invoked AFTER setgid(), if both are applied.
1006 Note: setuid() does not influence the processes group set; in most cases, you
1007 want to prefer substuser option.
1010 Option: substuser=user
1013 Type: UIDT (uid_t or string)
1014 Option group: PROCESS
1018 Tries to switch the process to the given user and its group set.
1019 To make sure that the groups are set correctly for the new process owner, the
1020 system calls initgroups(), setgid(), and setuid() are invoked with the
1021 appropriate arguments.
1022 On sane operating system, this option requires root privileges.
1023 Note: this option sets the user and group ids of the process, but does not
1024 change the environment; therefore, all variables including $USER, $HOME,
1025 $LOGNAME, $SHELL etc. are inherited from the old users environment.
1026 Note: starting a SETUID program after applying substuser or setuid gives the
1027 process the SETUID owner, which might give root privileges again.
1030 Option: substuser-delayed=user
1033 Type: UIDT (unsigned int or string)
1034 Option group: PROCESS
1038 Like substuser, but reads the user and group information in an early phase of
1039 address processing, but applies the appropriate system calls in a late
1040 phase. This allows to use user information from the host in a chroot
1041 environment, without exposing this data within the sandbox.
1052 Sets the O_TRUNC flag of the open() call, thus truncating the file to zero
1057 Option: ftruncate=value
1058 Aliases: truncate=value
1060 Type: OFF32 or OFF64
1063 Platforms: HP-UX, Linux, SunOS
1065 Invokes the ftruncate() (or ftruncate64() if available) call for the file descriptor with the given value,
1066 thus reducing the length of the file to the given length.
1067 On Linux, ftruncate() fails on sockets and devices but works on regular files
1070 Note: AIX docu says: for regular files only
1073 Option: ftruncate32=value
1078 Platforms: HP-UX, Linux, SunOS
1080 Invokes the ftruncate() call (even if ftruncate64() is available) call for the file descriptor with the given value,
1081 thus reducing the length of the file to the given length.
1084 Option: ftruncate64=value
1091 Invokes the ftruncate64() call if available, for the file descriptor with the given value,
1092 thus reducing the length of the file to the given length.
1096 Aliases: binary, bin
1101 Platforms: none; Cygwin
1103 Sets the O_BINARY flag with open() or fcntl() to avoid implicit line terminator conversions.
1112 Platforms: none; Cygwin
1114 Sets the O_TEXT flag with open() or fcntl() to force implicit line terminator conversions.
1123 Platforms: none; Cygwin
1125 Sets the O_NOINHERIT flag with open() or fcntl() to not keep this file open in a spawned process.
1136 Takes it easy when write fails with EPIPE or ECONNRESET and logs the message
1137 with notice level instead of error.
1138 This prevents the log file from being filled with useless error messages
1139 when socat is used as a high volume server or proxy where clients often
1140 abort the connection.
1141 This option is experimental.
1152 Changes the (address dependent) method to close a connection to just close
1153 the file descriptors. This is useful when the connection is to be reused by
1154 or shared with other processes.
1155 Normally, socket connections will be ended with shutdown(2) which
1156 terminates the socket even if it is shared by multiple processes.
1157 close(2) "unlinks" the socket from the process but keeps it active as
1158 long as there are still links from other processes.
1159 Similarly, when an address of type EXEC or SYSTEM is ended, socat usually
1160 will explicitely kill the sub process. With this option, it will just close
1161 the file descriptors.
1165 Aliases: owner=value, uid=value
1167 Type: UIDT (unsigned int or string)
1172 Takes one argument, a UNIX user name or a numeric user id. The first
1173 character of value is a digit for user ids.
1174 For NAMED addresses, if the file already exists, this option is applied via a
1175 chown() call, with fchown() for all other cases.
1176 If username is a name it must be a valid username from /etc/passwd and is
1177 converted to a user id with a getpwnam() call.
1178 On sane operating systems, the owner of the process must be root to change
1179 the owner of a file descriptor; root may even apply undefined (unnamed) user
1181 My Linux 2.2 kernel SIGSEGVs the process in the fchown() call when this
1182 option is used with a (UNIX, unconnected or connected) socket or pipe. Linux
1183 2.4.0 handles this call correctly.
1184 TESTCASE: ./socat -d -d -d -d - tcp:loopback:21,user=root
1187 Option: user-late=value
1188 Aliases: uid-l=value
1190 Type: UIDT (unsigned int or string)
1195 Takes one argument, a UNIX user name or a numeric user id. The first
1196 character of value is a digit for user ids.
1197 This option is applied via a fchown() call just before xioopen_single()
1199 If username is a name it must be a valid username from /etc/passwd and is
1200 converted to a user id with a getpwnam() call.
1201 On sane operating systems, the owner of the process must be root to change
1202 the owner of a file descriptor; root may even apply undefined (unnamed) user
1204 My Linux 2.2 kernel SIGSEGVs the process in the fchown() call when this
1205 option is used with a socket or pipe.
1208 ===============================================================================
1210 Options of this group may be used with all addresses that support OPEN group
1217 Type: BOOL (inherent - no value)
1222 Use O_RDONLY with the open() call instead of the position dependend default.
1223 Take care not to block later write operations.
1229 Type: BOOL (inherent - no value)
1234 Use O_WRONLY with the open() call instead of the position dependend default.
1235 Take care not to block later write operations.
1241 Type: BOOL (inherent - no value)
1246 Use O_RDWR with the open() call instead of the position dependend default.
1250 Aliases: create, creat
1257 Sets the O_CREAT flag of the open() call. This means that it is not an error if
1258 the file does not exist.
1269 Sets the O_DEFER flag of the open() call. This means that write data is stored
1270 in paging space until an fsync() call.
1281 Sets the O_DELAY flag of the open() call. This lets open block until the share
1282 conditions are fulfilled (see nshare, rshare)
1291 Platforms: FreeBSD, HP-UX, Linux
1293 Sets the O_DIRECT flag of the open() call.
1304 Sets the O_DIRECTORY flag of the open() call. This lets open fail if the given
1305 path is not a directory. This does not seem to be useful with socat.
1314 Platforms: HP-UX, Linux, SunOS (UNIX98)
1316 Sets the O_DSYNC flag with the open() call. This lets write() calls wait until
1317 modification metainfo is physically written to media.
1328 Sets the O_EXCL flag of the open() call.
1337 Platforms: HP-UX, Linux, SunOS
1339 Sets the O_LARGEFILE flag of the open() flag.
1350 Sets the O_NOCTTY flag of the open() call, so the opened device does not become
1351 the controlling tty of the process.
1360 Platforms: FreeBSD, Linux
1362 Sets the O_NOFOLLOW flag of the open() call. This means that the last component
1363 of the open path must no be a symlink.
1372 Platforms: all (UNIX98)
1374 Sets the O_SYNC flag with the open() call. This lets write() calls wait until
1375 data is physically written to media.
1386 Sets the O_RSHARE flag of the open() call. This means that the file must not be
1387 opened for writing by other processes ("read sharing").
1398 Sets the O_NSHARE flag of the open() call. This means that the file must not be
1399 shared with other processes ("no sharing").
1408 Platforms: HP-UX, Linux, SunOS (UNIX98)
1410 Sets the O_RSYNC flag with the open() call. This lets write() calls wait until
1411 read metainfo is physically written to media.
1420 Platforms: none (Solaris)
1422 Sets the O_PRIV flag with the open() call.
1424 ===============================================================================
1426 This group is valid for all addresses that refer to a file system entry like
1427 file, device, named pipe, or named UNIX domain socket.
1430 Option: unlink-early
1438 This options tries to remove the filesystem entry given in the address before
1439 starting any other processing (even before user-early, perm-early, or
1440 group-early). unlink() is called; note that this call, in contrast to rm(1),
1441 removes entries regardless of their permissions. Instead, ownership or root
1442 privileges and write permissions in the directory are required and sufficient.
1452 This options tries to remove the filesystem entry given in the address before
1453 it is tried to open, but past user-early, perm-early, or group-early).
1454 unlink() is called; note that this call, in contrast to rm(1), removes entries
1455 regardless of their permissions. Instead, ownership or root privileges and
1456 write permissions in the directory are required and sufficient.
1466 This option tries to remove the filesystem entry after it has been opened.
1467 Options can still be applied to the file descriptor, and
1468 the node or files data can be used, but it can no longer be accessed by other
1469 processes (except by tricks?), and after closing the stream the data or node is
1471 unlink() is called; note that this call, in contrast to rm(1), removes entries
1472 regardless of their permissions. Instead, ownership or root privileges and
1473 write permissions in the directory are required and sufficient.
1476 Option: perm-early=value
1478 Type: MODET (mode_t)
1483 This option changes the mode (permissions) of an already existing filesystem
1484 entry with chmod() before the file is opened or after the UNIX domain socket is
1485 bound, but before it listens/connects.
1488 Option: user-early=value
1489 Aliases: uid-e=value
1491 Type: UIDT (unsigned int or string)
1496 Takes one argument, a UNIX user name or a numeric user id. The first
1497 character of value is a digit for user ids.
1498 This option is applied via a chown() call before the file system entry is
1499 opened or after the UNIX domain socket is bound, but before it starts to
1501 If username is a name it must be a valid username from /etc/passwd and is
1502 converted to a user id with a getpwnam() call.
1503 On sane operating systems, the owner of the process must be root to change
1504 the owner of a file descriptor; root may even apply undefined (unnamed) user
1508 Option: group-early=value
1509 Aliases: gid-e=value
1511 Type: GIDT (unsigned int or string)
1516 Takes one argument, a UNIX group name or a numeric group id. The first
1517 character of value is a digit for group ids.
1518 This option is applied via a chown() call before the file system entry is
1519 opened or after the UNIX domain socket is bound, but before it
1521 If groupname is a name it must be a valid groupname from /etc/group and is
1522 converted to a group id with a getgrnam() call.
1523 On most modern operating systems, the owner of the process must be member of
1524 the group being set; only root may set any group, even numbers without group
1535 Sets the umask before opening a file or creating a UNIX domain socket. This is
1536 especially useful for these sockets, because there interface does not provide a
1540 Option: unlink-close
1547 Remove the addresses file system entry when closing the address.
1548 For named pipes, listening unix domain sockets, and the symbolic links of pty
1549 addresses, the default is 1; for created files, opened files, generic opened
1550 files, and client unix domain sockets the default is 0.
1553 ===============================================================================
1554 FORK and EXEC options
1563 Changes the PATH environment variable in the child process before the exec() or
1574 Does not fork a subprocess for executing the program, instead calls execvp()
1575 directly from the actual socat instance. This avoids the overhead of another process
1576 between the program and the communication peer, but introduces lots of
1578 * this option can only be applied to the second socat() address.
1579 * the first socat address cannot be OPENSSL or READLINE
1580 * socat options -b, -t, -D, -l, -v, -x, -t become useless
1581 * for both addresses, options ignoreeof, cr and crnl become useless
1582 * for the second address (the one with option nofork), options
1583 append, async, cloexec, flock, user, group, mode, nonblock,
1584 perm-late, setlk, and setpgid cannot be applied, and should be used on the
1585 first address instead.
1595 For communication between the exec() or system() subprocess with socat, use two
1596 unnamed pipes instead of creating a socket pair.
1606 For communication between the exec() or system() subprocess with socat, use a
1607 pseudo terminal instead of a socket pair. The executed program gets the slave
1608 side, and socat the controlling side of the pseudo terminal.
1609 This is especially useful if you want to use, e.g., chat with socat (see
1610 EXAMPLES). Plus, ptys do not buffer I/O.
1611 Note: implementation of pseudo terminals are differing between platforms, so
1612 extra porting struggles might be required for porting this feature.
1622 After forking the child process, assign the stream where the child
1623 receives data from socat, to file descriptor num instead of stdin.
1633 After forking the child process, assign the stream where the child
1634 writes data to socat, to file descriptor num instead of stdout.
1644 Normally, the stderr filedescriptor of the forked program is a clone of socat's
1645 stderr fd. If this option is used, the programs stderr filedescriptor is a copy
1646 of the "normal" data output of the program, i.e. of its stdout or fdout.
1653 Option group: PROCESS
1657 Invokes setsid() to make the forked off subprocess the leader of a new
1658 session. This also generates a new process group with this process as leader.
1659 This is useful, e.g., when exec'ing ssh to get the password prompt into the I/O
1660 channel (see EXAMPLES)
1671 Invokes setpgid(0, val) from the child process.
1678 Option group: TERMIOS
1682 Applies only in combination with the pty option or its variants. Tries to make
1683 the pty the controlling terminal. May require option setsid to work correctly.
1694 Prefixes argv[0] for the execvp() call with '-', thus making a shell behave as
1701 Option group: PARENT
1705 Has socat pass an eventual SIGHUP signal to the sub process.
1706 If no address has this option, socat terminates on SIGHUP.
1712 Option group: PARENT
1716 Has socat pass an eventual SIGINT signal to the sub process.
1717 If no address has this option, socat terminates on SIGINT.
1723 Option group: PARENT
1727 Has socat pass an eventual SIGQUIT signal to the sub process.
1728 If no address has this option, socat dumps core and terminates on SIGQUIT.
1731 ===============================================================================
1733 These options may be used with addresses that create a pseudo terminal (pty).
1734 In particular, these are addresses EXEC, SYSTEM, and PTY.
1742 Platforms: FreeBSD, Linux
1744 Like pty, but only use the openpty mechanism, not any other way for pty
1753 Platforms: HP-UX, Linux, SunOS
1755 Like pty, but only use the /dev/ptmx (/dev/ptc on AIX) mechanism, not any other
1756 way for pty generation.
1759 Option: symbolic-link=filename
1766 Generates a symbolic link that points to the actual pseudo terminal (pty). This
1767 might help to solve the problem that ptys are generated with more or less
1768 unpredictable names, making it difficult to directly access the socat generated
1769 pty automatically. With this option, the user can specify a "fix" point in the
1770 file hierarchy that helps him to access the actual pty.
1773 Option: pty-wait-slave
1774 Aliases: wait-slave, waitslave
1781 Blocks the open phase until a process opens the slave side of the pty.
1782 Usually, socat continues after generating the pty with opening the next
1783 address or with entering the transfer engine. With the wait-slave option,
1784 socat waits until some process opens the slave side of the pty before
1786 This option only works if the operating system provides the tt(poll())
1787 system call. And it depends on an undocumented behaviour of pty's, so it
1788 does not work on all operating systems. It has successfully been tested on
1789 Linux, FreeBSD, NetBSD, and on Tru64 with openpty.
1792 Option: pty-interval
1799 When the wait-slave option is set, socat periodically checks the HUP
1800 condition using poll() to find if the pty's slave side has been
1802 polling interval is 1s. Use the pty-interval option to change this value.
1805 ===============================================================================
1807 These are options that may be applied to all socket type addresses: UNIX
1808 (LOCAL) domain sockets (even with EXEC type addresses if not pipes), IP, and
1817 Option group: SOCKET
1819 Platforms: all (UNIX98)
1821 Sets the SO_DEBUG socket option. Requires root.
1824 Option: so-acceptconn
1829 Option group: SOCKET
1831 Platforms: all (UNIX98)
1833 Tries to set the SO_ACCEPTCONN socket option. Read-only!
1836 Option: so-broadcast
1841 Option group: SOCKET
1843 Platforms: all (UNIX98)
1845 Sets the SO_BROADCAST socket option.
1848 Option: so-reuseaddr
1853 Option group: SOCKET
1855 Platforms: all (UNIX98)
1857 Sets the SO_REUSEADDR socket option. Allows to bind to a port even if this
1858 port is already used for a connection.
1861 Option: so-keepalive
1866 Option group: SOCKET
1868 Platforms: all (UNIX98)
1870 Sets the SO_KEEPALIVE socket option.
1873 Option: so-linger=value
1874 Aliases: linger=value
1877 Option group: SOCKET
1879 Platforms: all (UNIX98)
1881 Activates the SO_LINGER option and sets a value (seconds) for it.
1882 This lets shutdown() or close() block until data transfers have finished or the
1883 given value timed out.
1884 Note: on some systems, the type for setsockopt() is struct { int; int; }
1885 In this case, xioopen() sets {1,value}.
1888 Option: so-oobinline
1893 Option group: SOCKET
1895 Platforms: all (UNIX98)
1897 Sets the SO_OOBINLINE socket option.
1900 Option: so-sndbuf=value
1901 Aliases: sndbuf=value
1904 Option group: SOCKET
1906 Platforms: all (UNIX98)
1908 Sets the SO_SNDBUF option of the socket to the given value. This option is
1909 applied after the socket() (or socketpair()) call.
1910 NOTE: The kernel might change the effective value:
1911 My Linux 2.2 with TCP doubles the value, but uses at least 2048.
1914 Option: so-sndbuf-late=value
1915 Aliases: sndbuf-late=value
1918 Option group: SOCKET
1920 Platforms: all (UNIX98)
1922 Sets the SO_SNDBUF option of the socket to the given value. This option is
1923 applied after the connect() or accept() (or socketpair) call.
1924 NOTE: The kernel might change the effective value:
1925 My Linux 2.2 with TCP doubles the value, but uses at least 2048, and a
1926 maximum of 131070 (system limit?).
1929 Option: so-rcvbuf=value
1930 Aliases: rcvbuf=value
1933 Option group: SOCKET
1935 Platforms: all (UNIX98)
1937 Sets the SO_RCVBUF option of the socket to the given value. This option is
1938 applied after the socket() call.
1939 NOTE: The kernel might change the effective value:
1940 My Linux 2.2 with TCP connect doubles the value, but uses at least 256 and
1942 My Linux 2.2 with TCP listen doubles the value but uses at least 11772.
1943 NOTE: For applying the SO_RCVBUF options after the connect() or accept() calls
1947 Option: so-rcvbuf-late=value
1948 Aliases: rcvbuf-late=value
1951 Option group: SOCKET
1953 Platforms: all (UNIX98)
1955 Sets the SO_RCVBUF option of the socket to the given value. This option is
1956 applied after the connect() or listen() call.
1957 NOTE: The kernel might change the effective value:
1958 My Linux 2.2 with TCP doubles the value, but uses at least 256 and maximal
1960 NOTE: sequence of this call may be relevant for the effecting value (AIX
1961 4.3.3). For applying the SO_RCVBUF option immediately after the socket() call
1970 Option group: SOCKET
1972 Platforms: all (UNIX98)
1974 Tries to set the SO_ERROR socket option which is a read-only option.
1975 On my Linux 2.2 it gives "protocol not available".
1978 Option: so-type=value
1982 Option group: SOCKET
1986 Set the sockettype argument of the socket() or socketpair() call. This
1988 protocol default (e.g., TCP: SOCK_STREAM). Most values might
1989 not be supported by a given protocol.
1990 The following combinations are known to work at least under one OS:
1991 TCP SOCK_STREAM (system default)
1992 UDP SOCK_DGRAM (system default)
1993 IP SOCK_RAW (socat default)
1994 UNIX SOCK_STREAM (system default)
1998 Option: so-dontroute
2003 Option group: SOCKET
2005 Platforms: all (UNIX98)
2007 Sets the SO_DONTROUTE socket option.
2010 Option: so-rcvlowat=value
2011 Aliases: rcvlowat=value
2014 Option group: SOCKET
2016 Platforms: all (UNIX98)
2018 Sets the SO_RCVLOWAT socket option. Cannot be changed in Linux (always
2019 gives "protocol not available").
2022 Option: so-rcvtimeo=value
2023 Aliases: rcvtimeo=value
2025 Provided type: double
2026 Physical type: TIMEVAL (long[2])
2027 Option group: SOCKET
2029 Platforms: all (UNIX98)
2031 Sets the SO_RCVTIMOE socket option. Cannot be changed in Linux (always
2032 gives "protocol not available").
2035 Option: so-sndlowat=value
2036 Aliases: sndlowat=value
2039 Option group: SOCKET
2041 Platforms: all (UNIX98)
2043 Sets the SO_SNDLOWAT socket option. Cannot be changed in Linux (always
2044 gives "protocol not available").
2047 Option: so-sndtimeo=value
2048 Aliases: sndtimeo=value
2050 Provided type: double
2051 Physical type: TIMEVAL (long[2])
2052 Option group: SOCKET
2054 Platforms: all (UNIX98)
2056 Sets the SO_SNDTIMEO socket option. Cannot be changed in Linux (always
2057 gives "protocol not available").
2064 Option group: SOCKET
2068 Sets the SO_AUDIT socket option.
2071 Option: so-attach-filter
2072 Aliases: attach-filter, attachfilter
2075 Option group: SOCKET
2079 Linux docu recommends to use libpcap for this feature.
2080 "protocol not available", need kernel CONFIG_FILTER!
2083 Option: so-detach-filter
2084 Aliases: detach-filter, detachfilter
2087 Option group: SOCKET
2091 See Linux "man 7 socket".
2092 "protocol not available", need kernel CONFIG_FILTER!
2095 Option: so-bindtodevice=string
2096 Aliases: bindtodevice, interface, if
2099 Option group: SOCKET
2103 Binds the socket to a net interface, e.g. lo0 or eth0 (interface names depend
2104 on operating system). Might require root privilege.
2107 Option: so-bsdcompat
2112 Option group: SOCKET
2116 Sets the SO_BSDCOMPAT socket option. See Linux "man 7 socket".
2119 Option: so-cksumrecv
2124 Option group: SOCKET
2128 Sets the SO_CKSUMRECV socket option.
2131 Option: so-kernaccept
2136 Option group: SOCKET
2140 Sets the SO_KERNACCEPT socket option.
2144 Aliases: no-check, nocheck
2148 Option group: SOCKET
2152 Sets the SO_NO_CHECK socket option." Intentionally undocumented" under
2153 Linux (see "man 7 socket"), don't know what it does....
2156 Option: so-noreuseaddr
2157 Aliases: noreuseaddr
2160 Option group: SOCKET
2164 Sets the SO_NOREUSEADDR socket option.
2168 Aliases: so-passcred
2171 Option group: SOCKET
2175 Sets the SO_PASSCRED option of a socket.
2181 Type: INT3 or int[3]?
2182 Option group: SOCKET
2186 Enables receiving of credentials. Read only.
2187 Not really implemented yet.
2188 Nevertheless, Gives "Protocol not available".
2191 Option: so-priority=value
2192 Aliases: priority=value
2195 Option group: SOCKET
2199 Sets the protocol defined priority for all packets to be sent on this socket.
2200 Docu says it requires root privileges. Normal user may set 0..6 for UNIX domain
2201 and TCP client sockets on Linux 2.2. root may send any int value.
2204 Option: so-reuseport
2208 Option group: SOCKET
2210 Platforms: FreeBSD, HP-UX
2212 Sets the SO_REUSEPORT socket option.
2215 Option: so-security-authentication
2216 Aliases: security-authentication, securityauthentication
2219 Option group: SOCKET
2223 Sets the SO_SECURITY_AUTHENTICATION socket option. Gives "protocol not
2225 In Linux 2.2.16 source, only exists in asm-*/socket.h
2228 Option: so-security-encryption-network
2229 Aliases: security-encryption-network, securityencryptionnetwork
2232 Option group: SOCKET
2236 Sets the SO_SECURITY_ENCRYPTION_NETWORK option of the socket. Gives "protocol
2237 not available" error.
2238 In Linux 2.2.16 source, only exists in asm-*/socket.h
2241 Option: so-security-encryption-transport
2242 Aliases: security-encryption-transport, securityencryptiontransport
2245 Option group: SOCKET
2249 Sets the SO_SECURITY_ENCRYPTION_TRANSPORT option of the socket. Gives "protocol
2250 not available" error.
2251 In Linux 2.2.16 source, only exists in asm-*/socket.h
2254 Option: so-use-ifbufs
2255 Aliases: use-ifbufs, useifbufs
2258 Option group: SOCKET
2262 Sets the SO_USE_IFBUFS socket option.
2265 Option: so-useloopback
2266 Aliases: useloopback
2269 Option group: SOCKET
2271 Platforms: FreeBSD, HP-UX, SunOS
2273 Sets the SO_USELOOPBACK socket option.
2276 Option: so-dgram-errind
2277 Aliases: dgram-errind, dgramerrind
2281 Option group: SOCKET
2285 Sets the SO_DGRAM_ERRIND flag.
2288 Option: so-dontlinger
2292 Option group: SOCKET
2296 Sets the SO_DONTLINGER socket option.
2299 Option: so-prototype
2303 Option group: SOCKET
2305 Platforms: HP-UX, SunOS
2307 Sets the SO_PROTOTYPE socket option.
2313 Option group: SOCKET
2317 Sets the type of the socket, usually as argument to the socket() or
2318 socketpair() call, to <type>. Under Linux, 1 means stream oriented socket, 2
2319 means datagram socket, and 3 means raw socket.
2322 Option: protocol-family
2326 Option group: SOCKET
2330 Forces the use of the specified IP version. <string> can be something like
2338 Option group: SOCKET
2340 Platforms: FreeBSD, Linux
2342 Sets the FIOSETOWN ioctl (in "man 7 socket" called FIOCSETOWN).
2347 #Allowed in addresses: SOCKET
2351 #Sets the CIOCSPGRP ioctl.
2356 #Allowed in addresses: SOCKET
2357 #Type: socket-address
2359 #For client socket, sets the local (bind) address. Not yet implemented.
2362 Option: bind=socketaddress
2365 Option group: SOCKET
2369 Gives the address to be used in the bind(2) system call. The format of the
2370 socketaddress depends on the socket type (see below). For "client" sockets this
2371 option inserts a bind(2) call between socket(2) and connect(2) calls. For
2372 "server" sockets this option is ignored! For datagram sockets behaviour of this
2373 option is currently unspecified.
2374 Note: for client sockets in the UNIX domain this option is not useful: with the
2375 same address as connect it will conflict with the bind call of the server
2376 socket; another address for bind is ignored (with Linux 2.2).
2377 For TCP sockets these formats are currently implemented:
2386 Option: connect-timeout=seconds
2389 Option group: SOCKET
2393 Abort the connection attempt after the given time with error status.
2396 Option: backlog=value
2399 Option group: LISTEN
2403 Sets the value to be used with the listen(2) system call. The default is 5.
2404 It does not seem to work for Linux 2.2; Linux seems to allow much more
2405 established connections, but then they stay even after server process
2409 Option: range=address:mask, range=address/bits
2415 Implementation status: only for INET (IP4) addresses
2417 Defines a subnet where clients may connect from. If other clients connect the
2418 accepted connection is shut down immediately after examination of the client
2419 address. If this option is not used, the default is 0.0.0.0:0.0.0.0, allowing
2420 arbitrary client addresses. bits is the number of high order bits that must
2421 match between the range value and the clients address.
2424 Option: tcpwrap, tcpwrap=name
2429 Platforms: (depends on libwrap installation)
2431 Uses the rules introduced by Wietse Venema's libwrap (tcpd) library to check
2432 if the client is allowed to connect. The configuration files are
2433 /etc/hosts.allow and /etc/hosts.deny. See "man 5 hosts_access" for
2434 more information. <name> is passed to the wrapper functions as daemon
2435 process name. If omitted, the basename of socats invokation (argv[0]) is
2437 If both tcpwrap and and range options are applied to an address, both
2438 conditions must be fulfilled to allow the connection.
2441 Option: hosts-allow, tcpwrap-hosts-allow-table
2446 Platforms: (depends on libwrap installation)
2448 Takes the specified file instead of /etc/hosts.allow.
2451 Option: hosts-deny, tcpwrap-hosts-deny-table
2456 Platforms: (depends on libwrap installation)
2458 Takes the specified file instead of /etc/hosts.deny.
2461 Option: tcpwrap-etc, tcpwrap-dir
2466 Platforms: (depends on libwrap installation)
2468 Looks for hosts.allow and hosts.deny in the specified directory. Is
2469 overriden by options hosts-allow and hosts-deny.
2472 -------------------------------------------------------------------------------
2476 Option: ip-options=values
2480 Option group: SOCK_IP
2484 Sets the IP_OPTIONS values of the IP socket. For example, to send packets to
2485 destination D.D.D.D via a router G.G.G.G you have to specify G.G.G.G as the
2486 "normal" destination, and D.D.D.D in the source route:
2487 TCP:G.G.G.G:25,ip-options=x890704dddddddd
2488 Note that the destination will see G.G.G.G as sender of the packets, and
2489 therefore might not return the answers correctly.
2490 See RFC791 for detailed specification of IP option fields.
2493 x8307040a000001 ... loose source route
2494 x890b040a000001c0c1c2c3 ... strict source route
2495 Note: with source routes, you should not specifiy destination address and
2496 hops as defined in RFC791 (first hop as IP header destination address,
2497 further hops and final destination in source route) because the (Linux?) kernel changes
2498 them to a more intuitive form (final destination as destination in IP header,
2499 gateways in source route). So, in destination address give the final
2500 destination, and in the source route the gateways!
2501 Note: this option may be mulitply applied per socket but the (Linux?) kernel
2502 pads each setting with 0' to align the options end to 4 octets. So you should
2503 better pad the options data with nops (01) yourself.
2507 Aliases: ippktinfo, pktinfo
2509 Type: INT (should be struct in_pktinfo)
2510 Option group: SOCK_IP
2513 Status: Not completely implemented (ancillary messages are not supported by
2516 Pass an IP_PKTINFO ancillary message.
2520 Aliases: iprecvtos, recvtos
2524 Option group: SOCK_IP
2527 Status: Not completely implemented (ancillary messages are not supported by
2530 Set the IP_RECVTOS socket option which enables IP_TOS ancillary message
2535 Aliases: iprecvttl, recvttl
2539 Option group: SOCK_IP
2542 Implementation status: No results.
2544 Set the IP_RECVTTL socket option.
2548 Aliases: iprecvopts, recvopts
2552 Option group: SOCK_IP
2555 Implementation status: No results.
2557 Set the IP_RECVOPTS socket option.
2561 Aliases: ipretopts, retopts
2565 Option group: SOCK_IP
2568 Implementation status: No results.
2570 Set the IP_RETOPTS socket option.
2573 Option: ip-tos=value
2574 Aliases: iptos=value, tos=value
2578 Option group: SOCK_IP
2582 Sets the TOS (type of service) flags for the outgoing IP headers of the
2583 socket. My Linux 2.2 does not allow to set values other than 0 (probably
2584 needs some optional kernel features).
2587 Option: ip-ttl=value
2588 Aliases: ipttl=value, ttl=value
2592 Option group: SOCK_IP
2596 Sets the TTL (time to live) field for the outgoing IP headers of the socket.
2597 0 does not seem to be useful and gives "invalid argument" error in Linux.
2598 This option can be used to implement a "poor mans traceroute" in conjunction
2603 Aliases: iphdrincl, hdrincl
2607 Option group: SOCK_IP
2611 Set the IP_HDRINCL socket option. User will supply IP header before user
2612 data. For raw IP sockets only. Not tested.
2616 Aliases: iprecverr, recverr
2619 Option group: SOCK_IP
2623 Set the IP_RECVERR socket option.
2624 Implementation status: No results.
2627 Option: ip-mtu-discover=value
2628 Aliases: ipmtudiscover=value, mtudiscover=value
2631 Option group: SOCK_IP
2635 Sets the IP_MTU_DISCOVER flag of the IP socket. In Linux there are three values
2636 defined: 0..dont(never), 1..want(per route), 2..do(always)
2643 Option group: SOCK_IP
2647 Sets the MTU (maximal transfer unit) of the socket. In Linux this is a
2648 read-only parameter and results in a "protocol not available" error.
2652 Aliases: ipfreebind, freebind
2656 Option group: SOCK_IP
2660 Allows the socket to locally bind to any address, even those that are
2661 not covered by an interface address, alias address or a local subnet. Even
2662 broadcast and multicast addresses are possible.
2663 Note: this option has been found on Linux 2.4 in <linux/in.h>. This file might
2664 not be included per default, because it creates errors.
2665 To make this option available, "make" socat with the CCOPT environment
2666 variable set to "-DIP_FREEBIND=15"
2669 Option: ip-router-alert=value
2670 Aliases: iprouteralert, routeralert
2673 Option group: SOCK_IP
2677 Sets the IP_ROUTER_ALERT socket option. Only works with raw sockets.
2681 Option: ip-add-membership=multicast-address:interface-address
2682 ip-add-membership=multicast-address:interface-name
2683 ip-add-membership=multicast-address:interface-index
2684 ip-add-membership=multicast-address:interface-address:interface-name
2685 ip-add-membership=multicast-address:interface-address:interface-index
2686 Aliases: add-membership
2690 Option group: SOCK_IP
2694 Makes the socket member of the specified multicast group. This is currently
2695 only implemented for IPv4. The option takes the IP address of the multicast
2696 group and info about the desired network interface. The most common syntax
2697 is the first one, while the others are only available on systems that
2698 provide tt(struct mreqn) (Linux).nl()
2699 The indices of active network interfaces can be shown using the utility
2703 Option: ip-drop-membership
2708 #! Option: ipv6-join-group
2711 Option: ip-multicast-ttl=byte
2712 Aliases: ipmulticastttl, multicastttl
2715 Option group: SOCK_IP
2719 Sets the TTL used for outgoing multicast traffic. Default is 1.
2722 Option: ip-multicast-loop
2723 Aliases: ipmulticastloop, multicastloop
2727 Option group: SOCK_IP
2731 Specifies if outgoing multicast traffic should loop back to the interface.
2734 Option: ip-multicast-if=hostname
2735 Aliases: multicast-if
2738 Option group: SOCK_IP
2742 Specifies hostname or address of the network interface to be used for
2746 Option: ip-pktoptions
2747 Aliases: ippktoptions, pktoptions, pktopts
2750 Option group: SOCK_IP
2754 Set the IP_PKTOPTIONS socket option. No docu found.
2755 Implementation status: "Protocol not available".
2761 Option group: SOCK_IP
2765 Apply the debug resolver option to all queries of this XIO address.
2772 Option group: SOCK_IP
2776 Apply the aaonly resolver option to all queries of this XIO address.
2783 Option group: SOCK_IP
2787 Apply the usevc resolver option to all queries of this XIO address.
2794 Option group: SOCK_IP
2798 Apply the primary resolver option to all queries of this XIO address.
2805 Option group: SOCK_IP
2809 Apply the igntc resolver option to all queries of this XIO address.
2816 Option group: SOCK_IP
2820 Apply the recurse resolver option to all queries of this XIO address.
2823 Option: res-defnames
2827 Option group: SOCK_IP
2831 Apply the defnames resolver option to all queries of this XIO address.
2834 Option: res-stayopen
2838 Option group: SOCK_IP
2842 Apply the stayopen resolver option to all queries of this XIO address.
2849 Option group: SOCK_IP
2853 Apply the dnsrch resolver option to all queries of this XIO address.
2856 -------------------------------------------------------------------------------
2860 Option: ipv6-v6only=value
2861 Alias: ipv6only, v6only
2864 Option group: SOCK_IP6
2866 Platforms: FreeBSD, Linux
2868 Apply the IPV6_V6ONLY socket option to the file descriptor. This controls if
2869 the socket listens only on the IPv6 protocol or also on IPv4.
2872 -------------------------------------------------------------------------------
2873 IPAPP (TCP and UDP) options
2876 Option: sourceport=value
2880 Option group: IPAPP (IP_TCP and IP_UDP)
2884 For outgoing (client) TCP and UDP connections, it sets the source port (local port, client side port) of
2885 the socket connection. For server type addresses, requires the client to use
2886 this sourceport, otherwise socat immediately shuts down the connection.
2887 On UNIX class operating systems root privilege are required to set a source
2888 port between 1 and 1023 incl. 0 gives a "random" port number >= 1024, which is
2895 Option group: IPAPP (IP_TCP and IP_UDP)
2899 For outgoing (client) TCP and UDP connections, it sets the source
2900 to an unused random port between 640 and 1023 incl. On UN*X type operating
2901 systems, this requires root privilege, and thus guaranties the peer to be
2903 With TCP or UDP listen addresses, socat immediately shuts down the
2904 connection if the client does not use a sourceport <= 1023.
2905 This mechanism can provide limited authorization under some circumstances.
2907 -------------------------------------------------------------------------------
2916 Option group: IP_TCP
2920 Sets the TCP_NODELAY flag of the TCP socket. This turns off Nagles algorithm.
2924 Aliases: maxseg, mss
2927 Option group: IP_TCP
2931 Limits the MAXSEG (MSS) value of the TCP socket. This option is applied before
2932 the connect or listen call, so it is transferred in the SYN packet to the peer
2934 Linux client: 0 gives "invalid argument", higher values are used in SYN
2935 negotiation, but effective MSS is n-12, at least 8.
2936 On AIX, this is a read-only option.
2939 Option: tcp-maxseg-late
2940 Aliases: maxseg-late, mss-late
2943 Option group: IP_TCP
2947 Limits the MAXSEG (MSS) value of the TCP socket. This option is applied past
2948 the connect or accept call, so it is not transferred as MSS to the peer socket.
2949 Observation with Linux 2.2: does not influence the size of packets generated
2950 by the local socket.
2958 Option group: IP_TCP
2962 Sets the TCP_CORK option.
2970 Option group: IP_TCP
2974 Applies the TCP_STDURG option with setsockopt. This enables RFC 1122 compliant
2975 urgent point handling.
2983 Option group: IP_TCP
2987 Applies the TCP_RFC1323 option with setsockopt. This enables RFC1323 TCP
2988 enhancements (window scale, timestamp).
2991 Option: tcp-keepidle
2995 Option group: IP_TCP
2999 Sets the TCP_KEEPIDLE value of the socket with setsockopt(). Starts keepalive
3000 after this period (in seconds?)
3003 Option: tcp-keepintvl
3007 Option group: IP_TCP
3011 Sets the TCP_KEEPINTVL value of the socket with setsockopt(). Interval between
3012 keepalives (in seconds?)
3019 Option group: IP_TCP
3023 Sets the TCP_KEEPCNT value of the socket with setsockopt(). Number of
3024 keepalives before death.
3031 Option group: IP_TCP
3035 Sets the TCP_SYNCNT value of the socket with setsockopt(). Number of SYN
3043 Option group: IP_TCP
3047 Sets the TCP_LINGER2 value of the socket with setsockopt(). Life time of
3048 orphaned FIN-WAIT-2 state.
3051 Option: tcp-defer-accept
3052 Aliases: defer-accept
3055 Option group: IP_TCP
3059 Sets the TCP_DEFER_ACCEPT value of the socket with setsockopt(). accept() of
3060 the listener will only return when data arrived at the new connection. The
3061 value is converted to seconds by some algorithm.
3064 Option: tcp-window-clamp
3065 Aliases: window-clamp
3068 Option group: IP_TCP
3072 Sets the TCP_WINDOW_CLAMP value of the socket with setsockopt(). "Bound advertised
3080 Option group: IP_TCP
3082 Platforms: FreeBSD, Linux
3084 Sets the TCP_INFO value of the socket with setsockopt(). Is a read only option,
3085 so it always generates an error.
3088 Option: tcp-quickack
3092 Option group: IP_TCP
3096 Sets the TCP_QUICKACK option with setsockopt().
3103 Option group: IP_TCP
3107 Enables generation of MD5 digests on the packets.
3114 Option: group: IP_TCP
3118 Disables use of TCP options.
3125 Option: group: IP_TCP
3129 Sets the TCP_NOPUSH option.
3132 Option: tcp-sack-disable
3133 Aliases: sack-disable
3136 Option: group: IP_TCP
3140 Disables use the selective acknowledge feature.
3143 Option: tcp-signature-enable
3144 Aliases: signature-enable
3147 Option: group: IP_TCP
3151 Enables generation of MD5 digests on the packets.
3154 Option: tcp-abort-threshold
3155 Aliases: abort-threshold
3158 Option group: IP_TCP
3160 Platforms: HP-UX, SunOS
3162 Sets the time to wait for an answer of the peer on an established connection.
3165 Option: tcp-conn-abort-threshold
3166 Aliases: conn-abort-threshold
3169 Option group: IP_TCP
3171 Platforms: HP-UX, SunOS
3173 Sets the time to wait for an answer of the server during the initial connect.
3176 Option: tcp-keepinit
3180 Option group: IP_TCP
3184 Sets the time to wait for an answer of the server during connect() before
3185 giving up. Value in half seconds, default is 150 (75s).
3192 Option group: IP_TCP
3196 Enables the "protect against wrapped sequence numbers" feature.
3203 Option group: IP_TCP
3207 Enables selective acknowledge.
3210 Option: tcp-tsoptena
3214 Option group: IP_TCP
3218 Enables the time stamp option that allows RTT recalculation on existing
3222 ===============================================================================
3229 Option group: IP_SOCKS4
3233 Overrides the default socks server port 1080
3239 Option group: IP_SOCKS4
3243 Overrides the system derived socks user name ($USER or $LOGNAME or "anonymous")
3246 ===============================================================================
3257 Overrides the default HTTP proxy port 8080.
3267 The HTTP protocol requires the use of CR+NL as line terminator. When a proxy
3268 server violates this standard, socat might not understand its answer.
3269 This option directs socat to interprete NL as line terminator and
3270 to ignore CR in the answer. Nevertheless, socat sends CR+NL to the proxy.
3280 Provide "basic" authentication to the proxy server. The argument to the option
3281 must be the username followed by ':' followed by the password. This string is
3282 used with a "Proxy-Authorize: Base" header in base64 encoded form.
3292 Per default, socat sends to the proxy a CONNECT request containing the target
3293 hostname. With this option, socat resolves the hostname locally and sends the
3297 ===============================================================================
3300 These options are applied with tcsetattr calls with a struct termios.
3301 Attention: Applying these options to stdin/stdout when they refer to your
3302 terminal might directly effect your terminal!
3303 See Linux:"man 3 termios" and Linux:"man 2 stty"
3305 -------------------------------------------------------------------------------
3306 TERMIOS combined modes
3312 Option group: TERMIOS
3317 ignbrk=0,brkint=0,ignpar=0,parmrk=0,inpck=0,istrip=0,inlcr=0,igncr=0,icrnl=0,ixon=0,ixoff=0,iuclc=0,ixany=0,imaxbel=0,opost=0,isig=0,icanon=0,xcase=0,vmin=1,vtime=0
3323 Option group: TERMIOS
3328 cread,ignbrk=0,brkint,inlcr=0,igncr=0,icrnl,ixoff=0,iuclc=0,-ixany=0,imaxbel,opost,olcuc=0,ocrnl=0,onlcr,onocr=0,onlret=0,ofill=0,ofdel=0,nl0,cr0,tab0,bs0,vt0,ff0,isig,icanon,iexten,echo,echoe,echok,echonl=0,noflsh=0,xcase=0,tostop=0,echoprt=0,echoctl,echoke
3330 -------------------------------------------------------------------------------
3331 TERMIOS input mode flags
3337 Option group: TERMIOS
3341 Sets the IGNBRK flag of the terminal driver.
3347 Option group: TERMIOS
3351 Sets the BRKINT flag of the terminal driver.
3357 Option group: TERMIOS
3361 Sets the IGNPAR flag of the terminal driver.
3367 Option group: TERMIOS
3371 Sets the PARMRK flag of the terminal driver.
3377 Option group: TERMIOS
3381 Sets the INPCK flag of the terminal driver. Enables input parity checking.
3387 Option group: TERMIOS
3391 Sets the ISTRIP flag of the terminal driver. Strips off the eighth bit.
3397 Option group: TERMIOS
3401 Sets the INLCR flag of the terminal driver. Translates NL to CR on input.
3407 Option group: TERMIOS
3411 Sets the IGNCR flag of the terminal driver. Ignores CR character on input.
3417 Option group: TERMIOS
3421 Sets the ICRNL flag of the terminal driver. Translates CR to NL on input. This
3422 option is ignored when IGNCR is set.
3428 Option group: TERMIOS
3430 Platforms: HP-UX, Linux, SunOS
3432 Sets the IUCLC flag of the terminal driver. Changes characters in input from
3433 uppercase to lowercase.
3439 Option group: TERMIOS
3443 Sets the IXON flag of the terminal driver. Enables XON/XOFF flow control on
3450 Option group: TERMIOS
3454 Sets the IXANY flag of the terminal driver. Enables any character to restart
3462 Option group: TERMIOS
3466 Sets the IXOFF flag of the terminal driver. Enables XON/XOFF flow control on
3473 Option group: TERMIOS
3477 Sets the IMAXBEL flag of the terminal driver. Rings the bell when the input
3480 -------------------------------------------------------------------------------
3481 TERMIOS output mode flags
3487 Option group: TERMIOS
3491 Sets the OPOST flag of the terminal driver.
3497 Option group: TERMIOS
3499 Platforms: HP-UX, Linux, SunOS
3501 Sets the OLCUC flag of the terminal driver.
3507 Option group: TERMIOS
3511 Sets the ONLCR flag of the terminal driver.
3517 Option group: TERMIOS
3521 Sets the OCRNL flag of the terminal driver.
3527 Option group: TERMIOS
3531 Sets the ONOCR flag of the terminal driver.
3537 Option group: TERMIOS
3541 Sets the ONLRET flag of the terminal driver.
3547 Option group: TERMIOS
3549 Platforms: HP-UX, Linux, SunOS
3551 Sets the OFILL flag of the terminal driver.
3557 Option group: TERMIOS
3559 Platforms: HP-UX, Linux, SunOS
3561 Sets the OFDEL flag of the terminal driver.
3567 Option group: TERMIOS
3569 Platforms: HP-UX, Linux, SunOS
3571 Sets the NLDLY flag of the terminal driver. 0 sets the value to NL0, and 1 to
3577 Type: CONST (const bool, always sets 0)
3578 Option group: TERMIOS
3580 Platforms: HP-UX, Linux, SunOS
3582 Sets the field NLDLY to the value NL0.
3587 Type: CONST (const bool, always sets 1)
3588 Option group: TERMIOS
3590 Platforms: HP-UX, Linux, SunOS
3592 Sets the field NLDLY to the value NL1.
3598 Option group: TERMIOS
3600 Platforms: HP-UX, Linux, SunOS
3602 Sets the field CRDLY to the given value.
3603 See cr0, cr1, cr2, cr3.
3609 Option group: TERMIOS
3611 Platforms: HP-UX, Linux, SunOS
3613 Sets the CRDLY field to the value CR0.
3620 Option group: TERMIOS
3622 Platforms: HP-UX, Linux, SunOS
3624 Sets the CRDLY field to the value CR1.
3631 Option group: TERMIOS
3633 Platforms: HP-UX, Linux, SunOS
3635 Sets the CRDLY field to the value CR2.
3642 Option group: TERMIOS
3644 Platforms: HP-UX, Linux, SunOS
3646 Sets the CRDLY field to the value CR3.
3653 Option group: TERMIOS
3655 Platforms: HP-UX, Linux, SunOS
3657 Sets the horizontal tab delay mask to TAB0.
3664 Option group: TERMIOS
3666 Platforms: HP-UX, Linux, SunOS
3668 Sets the horizontal tab delay mask to TAB1.
3675 Option group: TERMIOS
3677 Platforms: HP-UX, Linux, SunOS
3679 Sets the horizontal tab delay mask to TAB2.
3686 Option group: TERMIOS
3688 Platforms: HP-UX, Linux, SunOS
3690 Sets the horizontal tab delay mask to TAB3.
3694 Option: tabdly=value
3697 Option group: TERMIOS
3699 Platforms: HP-UX, Linux, SunOS
3701 Sets the field TABDLY to the given value.
3702 See tab0, tab1, tab2, and tab3.
3708 Option group: TERMIOS
3710 Platforms: HP-UX, Linux, SunOS
3712 Sets the horizontal tab delay mask to XTABS.
3718 Option group: TERMIOS
3720 Platforms: HP-UX, Linux, SunOS
3722 Sets the field BSDLY to the value BS0
3728 Option group: TERMIOS
3730 Platforms: HP-UX, Linux, SunOS
3732 Sets the field BSDLY to the value BS1
3738 Option group: TERMIOS
3740 Platforms: HP-UX, Linux, SunOS
3742 Sets the BSDLY flag of the terminal driver. 0 sets the value to BS0, and 1 to
3749 Option group: TERMIOS
3751 Platforms: HP-UX, Linux, SunOS
3753 Sets the field VTDLY to the value VT0
3759 Option group: TERMIOS
3761 Platforms: HP-UX, Linux, SunOS
3763 Sets the field VTDLY to the value VT1
3769 Option group: TERMIOS
3771 Platforms: HP-UX, Linux, SunOS
3773 Sets the VTDLY flag of the terminal driver. 0 sets the value to VT0, and 1 to
3780 Option group: TERMIOS
3782 Platforms: HP-UX, Linux, SunOS
3784 Sets the field FFDLY to the value FF0
3791 Option group: TERMIOS
3793 Platforms: HP-UX, Linux, SunOS
3795 Sets the field FFDLY to the value FF1
3802 Option group: TERMIOS
3804 Platforms: HP-UX, Linux, SunOS
3806 Sets the FFDLY flag of the terminal driver. 0 sets the value to FF0, and 1 to
3811 -------------------------------------------------------------------------------
3812 TERMIOS control mode flags
3818 Option group: TERMIOS
3822 Sets the field CSIZE to the value CS5
3828 Option group: TERMIOS
3832 Sets the field CSIZE to the value CS6
3838 Option group: TERMIOS
3842 Sets the field CSIZE to the value CS7
3848 Option group: TERMIOS
3852 Sets the field CSIZE to the value CS8
3858 Option group: TERMIOS
3862 Sets the field CSIZE. 0..CS5, 1..CS6, 2..CS7, 3..CS8
3868 Option group: TERMIOS
3872 Sets the flag CSTOPB.
3878 Option group: TERMIOS
3882 Sets the value of the CREAD flag.
3888 Option group: TERMIOS
3892 Sets the PARENB flag of the terminal driver.
3898 Option group: TERMIOS
3902 Sets the PARODD flag of the terminal driver.
3909 Option group: TERMIOS
3913 Sets the HUPCL flag of the terminal driver.
3919 Option group: TERMIOS
3923 Sets the CLOCAL flag of the terminal driver.
3929 Option group: TERMIOS
3931 Platforms: FreeBSD, Linux, SunOS
3933 Sets the CRTSCTS flag of the terminal driver.
3936 Option: b0 (HP-UX, Linux, SunOS)
3937 Option: b50 (HP-UX, Linux, SunOS)
3938 Option: b75 (HP-UX, Linux, SunOS)
3939 Option: b110 (HP-UX, Linux, SunOS)
3940 Option: b134 (HP-UX, Linux, SunOS)
3941 Option: b150 (HP-UX, Linux, SunOS)
3942 Option: b200 (HP-UX, Linux, SunOS)
3943 Option: b300 (HP-UX, Linux, SunOS)
3944 Option: b600 (HP-UX, Linux, SunOS)
3945 Option: b900 (HP-UX)
3946 Option: b1200 (HP-UX, Linux, SunOS)
3947 Option: b1800 (HP-UX, Linux, SunOS)
3948 Option: b2400 (HP-UX, Linux, SunOS)
3949 Option: b3600 (HP-UX)
3950 Option: b4800 (HP-UX, Linux, SunOS)
3951 Option: b7200 (HP-UX)
3952 Option: b9600 (HP-UX, Linux, SunOS)
3953 Option: b19200 (HP-UX, Linux, SunOS)
3954 Option: b38400 (HP-UX, Linux, SunOS)
3955 Option: b57600 (HP-UX, Linux, SunOS)
3956 Option: b115200 (HP-UX, Linux, SunOS)
3957 Option: b230400 (HP-UX, Linux, SunOS)
3958 Option: b460800 (HP-UX, Linux, SunOS)
3959 Option: b500000 (Linux)
3960 Option: b576000 (Linux)
3961 Option: b921600 (Linux)
3962 Option: b1000000 (Linux)
3963 Option: b1152000 (Linux)
3964 Option: b1500000 (Linux)
3965 Option: b2000000 (Linux)
3966 Option: b2500000 (Linux)
3967 Option: b3000000 (Linux)
3968 Option: b3500000 (Linux)
3969 Option: b4000000 (Linux)
3972 Option group: TERMIOS
3975 Sets the baud rate to the implied value. b0 "hangs up" the connection.
3981 Option group: TERMIOS
3983 Platforms: FreeBSD, Linux
3985 Sets the input baud rate to the specified value. This works on systems where
3986 struct termios has a special c_ispeed field.
3992 Option group: TERMIOS
3994 Platforms: FreeBSD, Linux
3996 Sets the input baud rate to the specified value. This works on systems where
3997 struct termios has a special c_ospeed field.
4002 -------------------------------------------------------------------------------
4003 TERMIOS local mode flags
4009 Option group: TERMIOS
4013 Sets the ISIG flag of the terminal driver.
4019 Option group: TERMIOS
4023 Sets the ICANON flag of the terminal driver.
4029 Option group: TERMIOS
4031 Platforms: HP-UX, Linux, SunOS
4033 Sets the XCASE flag of the terminal driver.
4039 Option group: TERMIOS
4043 Sets the ECHO flag of the terminal driver.
4050 Option group: TERMIOS
4054 Sets the ECHOE flag of the terminal driver.
4060 Option group: TERMIOS
4064 Sets the ECHOK flag of the terminal driver.
4070 Option group: TERMIOS
4074 Sets the ECHONL flag of the terminal driver.
4081 Option group: TERMIOS
4085 Sets the ECHOCTL flag of the terminal driver.
4092 Option group: TERMIOS
4096 Sets the ECHOPRT flag of the terminal driver.
4103 Option group: TERMIOS
4107 Sets the ECHOKE flag of the terminal driver.
4113 Option group: TERMIOS
4117 Sets the FLUSHO flag of the terminal driver.
4123 Option group: TERMIOS
4127 Sets the NOFLSH flag of the terminal driver.
4133 Option group: TERMIOS
4137 Sets the TOSTOP flag of the terminal driver.
4143 Option group: TERMIOS
4147 Sets the PENDIN flag of the terminal driver.
4153 Option group: TERMIOS
4157 Sets the IEXTEN flag of the terminal driver.
4160 -------------------------------------------------------------------------------
4161 TERMIOS options for functional characters
4167 Option group: TERMIOS
4172 Sets the value for the VINTR character that interrupts the current process.
4173 On UNIX systems the preset value usually is 3 (^C).
4180 Option group: TERMIOS
4185 Sets the value for the VQUIT character that quits the current process.
4186 On my Linux 2.2 system the preset value is 0x1c (^\).
4189 Option: verase=value
4190 Aliases: erase=value
4193 Option group: TERMIOS
4198 Sets the value for the VERASE character that erases the last character.
4199 On many UNIX systems the preset value is 0x7f.
4206 Option group: TERMIOS
4211 Sets the value for the VKILL character that kills (erases) the current line.
4212 On my Linux 2.2 system systems the preset value is 0x15 (^U).
4219 Option group: TERMIOS
4224 Sets the value for the VEOF character that kills indicate end of file.
4225 On most UNIX systems the preset value is 0x04 (^D).
4232 Option group: TERMIOS
4237 Sets the value of VTIME. See "man 1 stty" / time.
4238 On my Linux 2.2 system the preset value is 0.
4245 Option group: TERMIOS
4250 Sets the value of VMIN. See "man 1 stty" / time.
4251 On my Linux 2.2 system the preset value is 1.
4255 Aliases: swtc=value, swtch=value
4258 Option group: TERMIOS
4263 Sets the value of VSWTC. "Switches to a different shell layer".
4264 On my Linux 2.2 system the preset value is 0.
4267 Option: vstart=value
4268 Aliases: start=value
4271 Option group: TERMIOS
4276 Sets the value for the VSTART character that resumes data flow after a stop.
4277 Usually the preset value is 0x11 (^Q).
4284 Option group: TERMIOS
4289 Sets the value for the VSTOP character that stops output.
4290 Usually the preset value is 0x13 (^S)
4297 Option group: TERMIOS
4302 Sets the value for the VSUSP character that suspends the current foreground
4303 process and reactivates the shell.
4304 Usually the preset value is 0x1a (^Z)
4307 Option: vdsusp=value
4308 Aliases: dsusp=value
4311 Option group: TERMIOS
4313 Platforms: FreeBSD, HP-UX, SunOS
4316 Sets the value for the VDSUSP character that suspends the current foreground
4317 process and reactivates the shell.
4324 Option group: TERMIOS
4327 Status: tested with awkward results
4329 Sets the value for the VEOL character that should indicate end of line.
4330 Not clear what differentiates it from the return key; xterm window put "xterm"
4331 into the input buffer.
4332 On my Linux 2.2 system the preset value is 0 (disabled)
4335 Option: vreprint=value
4336 Aliases: reprint=value, rprnt=value
4339 Option group: TERMIOS
4341 Platforms: FreeBSD, Linux, SunOS
4344 Sets the value for the VREPRINT character that should reprint the current line.
4345 On my Linux 2.2 system the preset value is 0x12 (^R). Nevertheless, bash
4346 enters backward search mode.
4349 Option: vdiscard=value
4350 Aliases: discard=value
4353 Option group: TERMIOS
4355 Platforms: FreeBSD, Linux, SunOS
4358 Sets the value for the VDISCARD character.
4359 On my Linux 2.2 system the preset value is 0x0f (^O)
4362 Option: vwerase=value
4363 Aliases: werase=value
4366 Option group: TERMIOS
4371 Sets the value for the VWERASE character that erases the last word.
4372 On my Linux 2.2 system the preset value is 0x17 (^W)
4375 Option: vlnext=value
4376 Aliases: lnext=value
4379 Option group: TERMIOS
4384 Sets the value for the VLNEXT character that lets the next input character raw
4386 On my Linux 2.2 system the preset value is 0x16 (^V)
4393 Option group: TERMIOS
4398 Sets the value for the VEOL2 character.
4399 On my Linux 2.2 system the preset value is 0 (disabled).
4402 ===============================================================================
4405 Option: history-file=filename
4406 Aliases: history=filename
4409 Option group: READLINE
4411 Platforms: (depends on libreadline installation)
4413 Without this option, the readline address uses only a per process history
4414 list. With this option, socat tries to read history lines during initialization
4415 from the given file, and on termination writes the old and new lines to the
4417 NOTE: currently, no mechanism is implemented for limiting the length of the
4419 NOTE: filename must be a valid relativ or absolute path; "~" is not supported!
4425 Option group: READLINE
4429 Since version 1.3.3, socat per default tries to determine a prompt -
4430 that is then passed to the readline call - by remembering the last
4431 incomplete line of the output. With this option, socat does not pass a
4432 prompt to the readline call, so it might set the cursor to the first column
4439 Option group: READLINE
4443 Specifies a regular pattern for a prompt that prevents the following input
4444 line from being displayed on the screen and from being added to the history.
4445 The prompt is defined as the text that was output to the readline address
4446 after the lastest newline character and before an input character was
4447 typed. The pattern is a regular expression, e.g.
4448 "^[Pp]assword:.*$" or "([Uu]ser:|[Pp]assword:)". See regex(7) for details.
4454 Option group: READLINE
4458 Passes the string as prompt to the readline function. readline prints this
4459 prompt when stepping through the history. If this string matches a constant
4460 prompt issued by an interactive program on the other socat address,
4461 consistent look and feel can be archieved.
4463 ===============================================================================
4466 Option: openssl-cipherlist=string
4467 Aliases: cipherlist=string, ciphers=string, cipher=string
4470 Option group: OPENSSL
4472 Platforms: (depends on openssl installation)
4474 Selects the list of ciphers that may be used for the connection.
4475 See the man page ciphers(1), section CIPHER LIST FORMAT, for
4476 detailed information about syntax, values, and default of the cipherlist
4478 Several cipher strings may be given, separated by ':'.
4479 Some simple cipher strings:
4480 3DES Uses a cipher suite with triple DES.
4481 MD5 Uses a cipher suite with MD5.
4482 aNULL Uses a cipher suite without authentication.
4483 NULL Does not use encryption.
4484 HIGH Uses a cipher suite with "high" encryption.
4485 Note that the peer must support the selected property, or the negotiation
4489 Option: openssl-method=string
4490 Aliases: method=string
4493 Option group: OPENSSL
4495 Platforms: (depends on openssl installation)
4497 Sets the protocol version to be used. Valid strings (not case sensitive) are:
4498 SSLv2 Select SSL protocol version 2.
4499 SSLv3 Select SSL protocol version 3.
4500 SSLv23 Select SSL protocol version 2 or 3. This is the default when
4501 this option is not provided.
4502 TLSv1 Select TLS protocol version 1.
4505 Option: openssl-verify=bool
4506 Aliases: verify=bool
4509 Option group: OPENSSL
4511 Platforms: (depends on openssl installation)
4513 Controls check of the peer's certificate. Default is 1 (true). Disabling
4514 verify might open your socket for everyone!
4517 Option: openssl-certificate=file
4521 Option group: OPENSSL
4523 Platforms: (depends on openssl installation)
4525 Specifies the file with the certificate. The certificate must be
4526 in OpenSSL format (*.pem). With openssl-listen, this option is strongly
4527 recommended: except with cipher aNULL, "no shared ciphers" error might
4528 occur when no certificate is given.
4531 Option: openssl-key=file
4535 Option group: OPENSSL
4537 Platforms: (depends on openssl installation)
4539 Specifies the file with the private key. The private key may be in this
4540 file or in the file given with the ref(cert) option. The party that has
4541 to proof that it is the owner of a certificate needs the private key.
4544 Option: openssl-cafile=file
4548 Option group: OPENSSL
4550 Platforms: (depends on openssl installation)
4552 Specifies the file with the trusted (root) authority certificates. The file
4553 must be in PEM format and should contain one or more certificates.
4556 Option: openssl-capath=directory
4560 Option group: OPENSSL
4562 Platforms: (depends on openssl installation)
4564 Specify the directory with the trusted (root) certificates. The directory
4565 must contain certificates in PEM format and their hashes (see OpenSSL
4569 Option: openssl-egd=file
4573 Option group: OPENSSL
4575 Platforms: (depends on openssl installation)
4577 On some systems, openssl requires an explicit source of random data. Specify
4578 the socket name where an entropy gathering daemon like egd provides random
4579 data, e.g. /dev/egd-pool.
4582 Option: openssl-pseudo
4586 Option group: OPENSSL
4588 Platforms: (depends on openssl installation)
4590 On systems where openssl cannot find an entropy source and where no entropy
4591 gathering daemon can be utilized, this option activates a mechanism for
4592 providing pseudo entropy. This is archieved by taking the current time in
4593 microseconds for feeding the libc pseudo random number generator with an
4594 initial value. openssl is then feeded with output from random calls.
4595 NOTE:This mechanism is not sufficient for generation of secure keys!
4598 Option: openssl-fips
4604 Platforms: (depends on OpenSSL installation and FIPS implementation)
4606 Enables FIPS mode if compiled in. For info about the FIPS encryption
4607 implementation standard see http://oss-institute.org/fips-faq.html.
4608 This mode might require that the involved certificates are generated with a
4609 FIPS enabled version of openssl. Setting or clearing this option on one
4610 socat address affects all OpenSSL addresses of this process.
4613 Option: openssl-compress
4617 Option group: OPENSSL
4619 Platforms: (depends on openssl installation)
4621 Enable or disable the use of compression for a connection. Setting this to
4622 "none" disables compression, setting it to "auto" lets OpenSSL choose the best
4623 available algorithm supported by both parties. The default is to not touch any
4624 compression-related settings.
4625 NOTE: Requires OpenSSL 0.9.8 or higher.
4626 NOTE: Disabling compression with OpenSSL 0.9.8 affects all new connections in
4630 ===============================================================================
4631 Application specific address options
4642 This option has to be supported by the application. For socat it means that an
4643 EOF condition on this data source does not trigger termination procedures, but
4644 instead the read/write loop waits for one second and then tries to read more
4645 input data. This behaviour emulates "tail -f" and might not be useful for all
4646 kinds of input devices, but regular files and /dev/null are good candidates.
4647 Termination of socat then can only occur by EOF condition of the other input
4648 device, an error, or by external events.
4658 The appropriate data endpoint uses CR ('\r', 0x0d) as line terminator
4659 character. Convert data to and from this stream appropriately.
4660 This is useful for, e.g., modems.
4671 The appropriate data endpoint uses CR+LF ("\r\n", 0x0d0a ) as line terminator
4672 string. Convert data to and from this stream appropriately.
4673 This is useful for, e.g., TCP protocols like SMTP and FTP.
4676 Option: readbytes=num
4684 socat reads only so many bytes from this address (the address provides
4685 only so many bytes for transfer and pretends to be at EOF afterwards).
4688 Option: lockfile=filename
4695 If lockfile exists, exits with error. If lockfile does not exist, creates it
4696 and continues; removes lockfile on exit.
4699 Option: waitlock=filename
4706 If lockfile exists, waits until it disappears. When lockfile does not exist,
4707 creates it and continues; removes lockfile on exit.
4709 ===============================================================================
4719 Number of retries before the connection or listen attempt is aborted.
4720 Default is 0, which means just one attempt.
4723 Option: interval=<double>
4730 Time between consecutive attempts (seconds). Default is 1 second.
4740 Performs an unlimited number of retry attempts.
4742 ===============================================================================
4745 Option: ext2-secrm=<bool>
4746 Aliases: secrm=<bool>
4753 Sets the secrm file attribute on the file.
4756 Option: ext2-unrm=<bool>
4757 Aliases: unrm=<bool>
4764 Sets the unrm file attribute on the file.
4767 Option: ext2-compr=<bool>
4768 Aliases: compr=<bool>
4775 Sets the compr file attribute on the file.
4778 Option: ext2-sync=<bool>
4785 Sets the sync file attribute on the file.
4788 Option: ext2-immutable=<bool>
4789 Aliases: immutable=<bool>
4796 Sets the immutable file attribute on the file.
4799 Option: ext2-append=<bool>
4806 Sets the append file attribute on the file.
4809 Option: ext2-nodump=<bool>
4810 Aliases: nodump=<bool>
4817 Sets the nodump file attribute on the file.
4820 Option: ext2-noatime=<bool>
4827 Sets the noatime file attribute on the file.
4830 Option: ext2-journal-data=<bool>
4831 Aliases: journal-data=<bool>
4838 Sets the journal-data file attribute on the file.
4841 Option: ext2-notail=<bool>
4842 Aliases: notail=<bool>
4849 Sets the notail file attribute on the file.
4852 Option: ext2-dirsync=<bool>
4853 Aliases: dirsync=<bool>
4860 Sets the dirsync file attribute on the file.
4863 Option: ext2-topdir=<bool>
4864 Aliases: topdir=<bool>
4871 Sets the topdir file attribute on the file.
4874 ===============================================================================
4876 Appendix: generating a sandbox (chroot environment)
4878 While it is possible to generate a sandbox almost anywhere in the file system,
4879 I recommend to use a file system that has been mounted with restrictions,
4880 especially nosuid and maybe nodev, or even ro.
4882 You may mount a dedicated file system for the sandbox, so it gets a little
4883 harder for the guests to determine for sure if they are within a sandbox when
4886 The following desribes typical steps for generating a sandbox. Depending on
4887 your operating system, application, and security requirements, your mileage may
4888 vary. With the below steps, you will be able to run some check programs to play
4889 around with the sandbox.
4892 1) Create a sandbox group - but give it and all following "sandbox" ids a more
4894 2) Create a sandbox user, only in sandbox group. If this user must never login,
4895 give it a useless shell like /bin/false
4896 3) Check the sandbox home directory (e.g. /home/sandbox) and save and remove
4897 all .profile, public_html/ etc.
4898 4) Optionally mount a new file system over the new home directory
4899 5) Generate subdirectories bin, lib, etc, usr, usr/bin, usr/lib.
4900 Set their permissions and ownership equal to the original directories (or use
4902 6) Generate subdirectory home/sandbox (or similarly; like sandbox home)
4903 7) Generate etc/passwd with users sandbox and root, but do not store original
4904 password hashes there!
4905 8) Generate etc/group with only groups sandbox and root (or system on AIX)
4906 9) Copy test programs and utilities to bin, e.g. su, id, ls, mount, strace (but
4908 10) Copy the required shared libraries and the shared library loader to their
4910 On Linux, e.g. /lib/ld-linux.so.2, /lib/libnss_compat.so.2
4911 Note: it is often difficult to find out what shared libraries are (still) not
4912 installed in the sandbox. The programs invoked in the sandbox typically do not
4913 give useful error messages. If chroot's exec call gives an error like "no such
4914 file or directory", and you do not know if it even found the program itself,
4915 then remove the test programs execute permission; the error message should
4916 change to "execute permission denied" or so. Redo the execute permissions and
4917 look for the shared libraries...
4918 List required libraries of a program:
4919 Linux: ldd <program>
4923 11) For testing purposes, install id, ls, su, mount, strace, and maybe sh in
4924 the sandbox. Test it.
4927 12) Copy your applications, configuration files, and data to the appropriate
4928 directories within the sandbox.
4929 Test function of the application in the sandbox, and add missing files and
4930 libraries. If an application program gets killed immediately after start, it
4931 might miss a shared library.
4934 13) Implement your own tricks how to improve security of the sandbox
4935 14) Remove test programs like bin/sh, id, ls, mount, strace
4938 ===============================================================================
4939 socket types, modes and their security features:
4941 IP.v4.TCP.listen range tcpwrap srcport lowport
4943 IP.v4.UDP.listen range tcpwrap srcport lowport
4945 IP.v4.UDP.recvfrom range tcpwrap srcport lowport
4946 IP.v4.UDP.recv range tcpwrap srcport lowport
4948 IP.v4.raw.recvfrom range tcpwrap
4949 IP.v4.raw.recv range tcpwrap
4951 IP.v6.TCP.listen range tcpwrap srcport lowport
4953 IP.v6.UDP.listen range tcpwrap srcport lowport
4955 IP.v6.UDP.recvfrom range tcpwrap srcport lowport
4956 IP.v6.UDP.recv range tcpwrap srcport lowport
4958 IP.v6.raw.recvfrom range tcpwrap
4959 IP.v6.raw.recv srcport lowport
4966 OPENSSL.TCP4.listen range tcpwrap srcport lowport
4967 OPENSSL.TCP6.listen range tcpwrap srcport lowport
4969 ===============================================================================
4970 Missing features and Caveats:
4972 . no support for SIGIO mechanism
4973 . no support for socket ancillary messages
4974 . Probably many ioctls not implemented due to missing documentation
4975 . only limited implementation of raw sockets and interfaces,
4976 . no support for high level sockets beyond UNIX, INET, and INET6 domains