Connect direct and fallback

Brian Candler b.candler at pobox.com
Mon Feb 21 19:10:28 AEDT 2022


On 18/02/2022 12:15, Darren Tucker wrote:
> Other than the ProxyUseFdpass part you can do that with a shell one
> liner in ProxyCommand and netcat:
>
> ProxyCommand sh -c 'nc %h %p || nc --proxy lsocksserver:1080
> --proxy-type=socks4 %h %p'

Just a quick follow-up to this: I found that macOS 12.2.1's "nc" command 
is broken when using a SOCKS5 proxy and the proxy returns an IPv6 bind 
address.

   X -----------> Y --------------> Z
macOS          SOCKS5   IPv6     target
  nc            server

$ nc -X 5 -x 1.2.3.4:1080 2001:db8::1 22
�ݐSSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
^^
(Notice the extra spurious bytes in response)

Checking with tcpdump I see the exchange as:

--> 05 01 00
<-- 05 00
--> 05 01 00 04 ZZ(x16) 00 16    [connect, ATYP 4 = IPv6 address/port]
<-- 05 00 00 04 YY(x16) PP PP    [success, ATYP 4 = IPv6 bind address/port]
<-- start of data

This is the case with two standalone SOCKS5 servers I tried: dante and 
Mikrotik.

Interestingly, the problem doesn't manifest when using ssh -D as the 
proxy server.

$ ssh -D 1080 Y
...

$ nc -X 5 -x localhost:1080 2001:db8::1 22
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4

--> 05 01 00
<-- 05 00
--> 05 01 00 04 ZZ(x16) 00 16        [connect, ATYP 4 = IPv6 address]
<-- 05 00 00 01 00 00 00 00 00 00    [success, ATYP 1 = IPv4 bind address 0.0.0.0:0]
<-- start of data

That is, ssh -D always returns IPv4 0.0.0.0:0 as the bind address/port, 
even if the target is reached via IPv6, and regardless of whether 
localhost is 127.0.0.1 or ::1.  It appears macOS's /usr/bin/nc is 
hard-coded to expect that.

Workaround is to switch to "ncat" (from the makers of "nmap") which 
works correctly.  Homebrew also has "netcat" and "netcat6" packages, but 
neither of those supports SOCKS.  With ncat, the connection fallback works.

Anyway, I just thought I'd mention it in case it trips up anyone else.

Regards,

Brian.
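
An added example, not part of the original message and not nc's source: a SOCKS5 reply reader that sizes BND.ADDR from ATYP as RFC 1928 specifies, next to a hypothetical client that always consumes a 10-byte IPv4-sized reply, which is the behaviour the post suspects. The bind address 2001:db8::2, port 40000 and all function names are constructed for illustration.

```python
import io
import ipaddress
import struct

def read_exact(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise EOFError(f"wanted {n} bytes, got {len(data)}")
    return data

def read_socks5_reply(stream):
    """Consume one reply: VER REP RSV ATYP BND.ADDR BND.PORT (RFC 1928, section 6)."""
    ver, rep, _rsv, atyp = read_exact(stream, 4)
    if ver != 5:
        raise ValueError(f"not a SOCKS5 reply (version byte {ver})")
    if atyp == 1:                      # IPv4: 4 address bytes
        addr = str(ipaddress.IPv4Address(read_exact(stream, 4)))
    elif atyp == 4:                    # IPv6: 16 address bytes
        addr = str(ipaddress.IPv6Address(read_exact(stream, 16)))
    elif atyp == 3:                    # domain: 1 length byte, then the name
        length = read_exact(stream, 1)[0]
        addr = read_exact(stream, length).decode("ascii", "replace")
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack("!H", read_exact(stream, 2))
    return rep, addr, port

def read_fixed_reply(stream):
    """Hypothetical client: assumes every reply is the 10-byte IPv4 form."""
    read_exact(stream, 10)

# Constructed sample data: the banner from the post plus two success replies.
BANNER = b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4\r\n"
REPLY_V4 = bytes.fromhex("05000001" "00000000" "0000")         # as ssh -D sends
REPLY_V6 = (bytes.fromhex("05000004")
            + ipaddress.IPv6Address("2001:db8::2").packed
            + struct.pack("!H", 40000))                        # ATYP 4 bind address

def run(reader, reply):
    """Feed reply + banner to a reader; return (parsed reply, bytes left for the app)."""
    stream = io.BytesIO(reply + BANNER)
    parsed = reader(stream)
    return parsed, stream.read()

if __name__ == "__main__":
    for name, reply in (("IPv4 bind", REPLY_V4), ("IPv6 bind", REPLY_V6)):
        print(name, "ATYP-aware:", run(read_socks5_reply, reply)[1])
        print(name, "fixed 10  :", run(read_fixed_reply, reply)[1])
```

With the ATYP 4 reply, the fixed-size reader leaves the last 12 bytes of the bind address and port in the stream, so they are delivered to the application ahead of the SSH banner.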



More information about the openssh-unix-dev mailing list