[Patch] Unix Domain Socket Forwarding

William Ahern william at 25thandClement.com
Sun Apr 23 08:03:16 EST 2006

On Sat, Apr 22, 2006 at 11:07:57PM +0200, Joachim Schipper wrote:
> I don't want to be disrespectful or anything - this is an honest
> question. But: what's the point? Why would one want to forward UNIX
> domain sockets?

Fair enough ;) That's the first question I'd ask, too, considering how
large the patch is. So, I'll reply to the list as well.

> I can see it being useful in some theoretic cases, but almost all
> programs can either use internet sockets too (X), or netcat will do just
> fine.

In some circumstances binding to internet sockets can become unwieldy. If
you map a single service to a single port, it's easy. But try mapping a
single service from multiple remote machines to multiple ports. How do you
choose which ports to use, especially if the remote machines are dynamic?
(Don't forget you might have to deal w/ conflicts.) How do you relay that
information to the clients so they know which dynamic port to use to reach
particular remote services? Using the filesystem namespace is _much_ cleaner
because, well, it's a more powerful _namespace_.

TUN doesn't always solve this problem as well as domain sockets. Dare I say
it's a less desirable solution altogether when anything less than full
network visibility is required. Domain sockets fill the gap between internet
addressing and filesystem naming.

netcat just doesn't work; it only allows you to open one connection at a
time, assuming you're tunneling through a channel. Using it to link a port
to a socket doesn't solve the naming issues at all.

Originally I wrote this for my job. We have at least two different
widely disparate uses for it.

But, I intend to use it outside of work for several other things as well
(which is why I'll make the effort to suit this patch to everybody's needs,
if it indeed might be accepted). Just keep in mind that being able to use
the filesystem namespace can make some tasks much, much simpler. Plus, it
just makes sense, IMHO. Also, on some platforms (like Linux and maybe all of
SysV-land) which obey socket file permissions it gives you free access
control (for better or worse; I don't necessarily agree or disagree that
socket file permissions should be obeyed).

- Bill
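Added example, not part of Bill's message, of the patch it discusses, or of OpenSSH: a small Python relay that does what the reply argues for, exposing a TCP service under a filesystem name, serving many clients at once (which a single netcat invocation cannot) and creating the socket file mode 0600 inside a mode 0700 per-host directory. The loopback echo server standing in for the "remote service", the temp-directory namespace and the two client payloads are constructed for the example, and the function names (start_relay, start_echo_server, roundtrip, demo) are mine, not the patch's. Note the caveat from the message: only platforms that honour socket-file permissions (Linux does) enforce the 0600 bits on connect(), so the 0700 directory is the portable guard.

```python
import os
import shutil
import socket
import stat
import tempfile
import threading
from concurrent.futures import ThreadPoolExecutor
from contextlib import suppress


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the EOF propagates."""
    with suppress(OSError):
        for data in iter(lambda: src.recv(65536), b""):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def _serve(listener, handler):
    """Daemon accept loop: one handler thread per accepted connection."""
    def loop():
        with suppress(OSError):  # ends when the listener is closed
            while True:
                conn, _ = listener.accept()
                threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_relay(sock_path, target_host, target_port):
    """Expose a TCP service under a filesystem name; returns the listener.
    Each client gets its own upstream connection and two pump threads, so
    many clients are served at once (a single netcat serves one)."""
    old_umask = os.umask(0o177)  # bind() creates the socket file as 0600
    try:
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(sock_path)
    finally:
        os.umask(old_umask)
    # Only platforms that honour socket-file permissions (Linux does) enforce
    # these bits on connect(); elsewhere the 0700 parent directory is the guard.
    os.chmod(sock_path, 0o600)
    listener.listen(16)

    def handle(client):
        try:
            upstream = socket.create_connection((target_host, target_port))
        except OSError:
            client.close()
            return
        pumps = [threading.Thread(target=_pump, args=pair, daemon=True)
                 for pair in ((client, upstream), (upstream, client))]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        client.close()
        upstream.close()

    _serve(listener, handle)
    return listener


def start_echo_server():
    """Constructed stand-in for the remote TCP service; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def echo(conn):
        with conn:
            _pump(conn, conn)

    _serve(srv, echo)
    return srv, srv.getsockname()[1]


def roundtrip(sock_path, payload, timeout=5.0):
    """Client: connect by name, send, half-close, read the reply to EOF."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(65536), b""))


def demo():
    """Two clients at once through one named socket.  Returns (replies, mode)."""
    base = tempfile.mkdtemp()  # constructed namespace root for the example
    host_dir = os.path.join(base, "hostA")  # one directory per remote host
    os.mkdir(host_dir, 0o700)
    sock_path = os.path.join(host_dir, "db.sock")  # a path, not a port number
    srv, port = start_echo_server()
    listener = start_relay(sock_path, "127.0.0.1", port)
    try:
        with ThreadPoolExecutor(2) as pool:  # concurrent clients through one name
            replies = list(pool.map(lambda m: roundtrip(sock_path, m), (b"hello", b"world")))
        return replies, stat.S_IMODE(os.stat(sock_path).st_mode)
    finally:
        listener.close()
        srv.close()
        shutil.rmtree(base, ignore_errors=True)
```

demo() wires the pieces together in-process: the relay listens on hostA/db.sock, both clients connect by path at the same time and get their own bytes back through the TCP echo server, and the socket file comes out mode 0600. Adding a second service is another path in the same directory, with no port numbers to allocate or publish.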

More information about the openssh-unix-dev mailing list