1socat(1)                                                              socat(1)
2
3
4

NAME

6       socat - Multipurpose relay (SOcket CAT)
7

SYNOPSIS

9       socat [options] <address> <address>
10       socat -V
11       socat -h[h[h]] | -?[?[?]]
12       filan
13       procan
14

DESCRIPTION

16       Socat  is  a  command  line based utility that establishes two bidirec‐
17       tional byte streams  and  transfers  data  between  them.  Because  the
18       streams  can be constructed from a large set of different types of data
19       sinks and sources (see address types),  and  because  lots  of  address
20       options  may be applied to the streams, socat can be used for many dif‐
21       ferent purposes.
22
23       Filan is a utility  that  prints  information  about  its  active  file
24       descriptors  to  stdout.  It  has been written for debugging socat, but
25       might be useful for other purposes too. Use the -h option to find  more
26       infos.
27
28       Procan is a utility that prints information about process parameters to
29       stdout. It has been written to  better  understand  some  UNIX  process
30       properties  and for debugging socat, but might be useful for other pur‐
31       poses too.
32
33       The life cycle of a socat instance typically consists of four phases.
34
35       In the init phase, the command line options are parsed and  logging  is
36       initialized.
37
38       During the open phase, socat opens the first address and afterwards the
39       second address. These steps are usually blocking; thus, especially  for
40       complex address types like socks, connection requests or authentication
41       dialogs must be completed before the next step is started.
42
43       In the transfer phase, socat watches both streams’ read and write  file
44       descriptors  via select() , and, when data is available on one side and
45       can be written to the other side,  socat  reads  it,  performs  newline
46       character  conversions  if  required,  and writes the data to the write
47       file descriptor of the other stream, then continues  waiting  for  more
48       data in both directions.
49
50       When  one  of  the  streams  effectively reaches EOF, the closing phase
51       begins. Socat transfers the EOF condition to  the  other  stream,  i.e.
52       tries  to  shutdown only its write stream, giving it a chance to termi‐
53       nate gracefully. For a defined time socat continues to transfer data in
54       the  other direction, but then closes all remaining channels and termi‐
55       nates.
56

OPTIONS

58       Socat provides some command line options that modify the  behaviour  of
59       the  program.  They  have  nothing to do with so called address options
60       that are used as parts of address specifications.
61
62       -V     Print version and available feature information to  stdout,  and
63              exit.
64
65       -h | -?
66              Print  a help text to stdout describing command line options and
67              available address types, and exit.
68
69       -hh | -??
70              Like -h, plus a list of the short names of all available address
71              options.  Some options are platform dependend, so this output is
72              helpful for checking the particular implementation.
73
74       -hhh | -???
75              Like -hh, plus a list of all available address option names.
76
77       -d     Without this option, only fatal and error  messages  are  gener‐
78              ated;  applying  this  option  also prints warning messages. See
79              DIAGNOSTICS for more information.
80
81       -d -d  Prints fatal, error, warning, and notice messages.
82
83       -d -d -d
84              Prints fatal, error, warning, notice, and info messages.
85
86       -d -d -d -d
87              Prints fatal, error, warning, notice, info, and debug messages.
88
89       -D     Logs information about  file  descriptors  before  starting  the
90              transfer phase.
91
92       -ly[<facility>]
93              Writes messages to syslog instead of stderr; severity as defined
94              with -d option. With optional <facility>, the syslog type can be
95              selected,  default  is "daemon". Third party libraries might not
96              obey this option.
97
98       -lf <logfile>
99              Writes messages to <logfile> [filename] instead of stderr.  Some
100              third  party  libraries,  in  particular libwrap, might not obey
101              this option.
102
103       -ls    Writes messages to stderr (this  is  the  default).  Some  third
104              party  libraries  might not obey this option, in particular lib‐
105              wrap appears to only log to syslog.
106
107       -lp<progname>
108              Overrides the program name printed in error  messages  and  used
109              for constructing environment variable names.
110
111       -lu    Extends  the  timestamp of error messages to microsecond resolu‐
112              tion. Does not work when logging to syslog.
113
114       -lm[<facility>]
115              Mixed log mode. During startup messages are printed  to  stderr;
116              when  socat  starts the transfer phase loop or daemon mode (i.e.
117              after opening all streams and before starting data transfer, or,
118              with listening sockets with fork option, before the first accept
119              call), it switches logging to syslog.  With optional <facility>,
120              the syslog type can be selected, default is "daemon".
121
122       -lh    Adds  hostname  to log messages. Uses the value from environment
123              variable HOSTNAME or the value retrieved with uname()  if  HOST‐
124              NAME is not set.
125
126       -v     Writes  the  transferred  data not only to their target streams,
127              but also to stderr. The output format is text with some  conver‐
128              sions for readability, and prefixed with "> " or "< " indicating
129              flow directions.
130
131       -x     Writes the transferred data not only to  their  target  streams,
132              but  also  to stderr. The output format is hexadecimal, prefixed
133              with "> " or "< " indicating flow directions.  Can  be  combined
134              with -v .
135
136       -r <file>
137              Dumps  the  raw (binary) data flowing from left to right address
138              to the given file.
139
140       -R <file>
141              Dumps the raw (binary) data flowing from right to  left  address
142              to the given file.
143
144       -b<size>
145              Sets  the  data  transfer block <size> [size_t].  At most <size>
146              bytes are transferred per step. Default is 8192 bytes.
147
148       -s     By default, socat terminates when an error occurred  to  prevent
149              the  process from running when some option could not be applied.
150              With this option, socat is sloppy with errors and tries to  con‐
151              tinue.  Even  with  this  option, socat will exit on fatals, and
152              will abort connection attempts when security checks failed.
153
154       -t<timeout>
155              When one channel has reached EOF, the write part  of  the  other
156              channel is shut down. Then, socat waits <timeout> [timeval] sec‐
157              onds before terminating. Default is 0.5  seconds.  This  timeout
158              only  applies  to  addresses  where  write  and read part can be
159              closed independently. When during the timeout interval the  read
160              part gives EOF, socat terminates without awaiting the timeout.
161
162       -T<timeout>
163              Total  inactivity timeout: when socat is already in the transfer
164              loop and nothing has happened for  <timeout>  [timeval]  seconds
165              (no  data arrived, no interrupt occurred...) then it terminates.
166              Useful with protocols like UDP that cannot transfer EOF.
167
168       -u     Uses unidirectional mode. The first address  is  only  used  for
169              reading,  and the second address is only used for writing (exam‐
170              ple).
171
172       -U     Uses unidirectional mode in reverse direction. The first address
173              is  only  used  for writing, and the second address is only used
174              for reading.
175
176       -g     During address option parsing, don’t check if the option is con‐
177              sidered  useful  in the given address environment. Use it if you
178              want to force, e.g., appliance of a socket option  to  a  serial
179              device.
180
181       -L<lockfile>
182              If  lockfile  exists,  exits  with  error.  If lockfile does not
183              exist, creates it and continues, unlinks lockfile on exit.
184
185       -W<lockfile>
186              If lockfile exists, waits until  it  disappears.  When  lockfile
187              does  not  exist,  creates it and continues, unlinks lockfile on
188              exit.
189
190       -4     Use IP version 4 in case that the addresses do not implicitly or
191              explicitly specify a version; this is the default.
192
193       -6     Use IP version 6 in case that the addresses do not implicitly or
194              explicitly specify a version.
195
196

ADDRESS SPECIFICATIONS

198       With the address command line arguments, the user gives socat  instruc‐
199       tions and the necessary information for establishing the byte streams.
200
201       An  address  specification usually consists of an address type keyword,
202       zero or more required address parameters separated by ’:’ from the key‐
203       word and from each other, and zero or more address options separated by
204       ’,’.
205
206       The keyword specifies the address type (e.g., TCP4,  OPEN,  EXEC).  For
207       some  keywords there exist synonyms (’-’ for STDIO, TCP for TCP4). Key‐
208       words are case insensitive.  For a few special address types, the  key‐
209       word  may be omitted: Address specifications starting with a number are
210       assumed to be FD (raw file descriptor) addresses; if  a  ’/’  is  found
211       before the first ’:’ or ’,’, GOPEN (generic file open) is assumed.
212
213       The  required  number  and  type  of  address  parameters depend on the
214       address type. E.g., TCP4  requires  a  server  specification  (name  or
215       address), and a port specification (number or service name).
216
217       Zero  or  more  address  options  may  be given with each address. They
218       influence the address in some ways.  Options consist of an option  key‐
219       word  or  an  option keyword and a value, separated by ’=’. Option key‐
220       words are case insensitive.  For filtering the options that are  useful
221       with  an  address  type, each option is member of one option group. For
222       each address type there is a set of option groups allowed. Only options
223       belonging  to  one  of  these  address  groups may be used (except with
224       option -g).
225
226       Address specifications following the above schema are also called  sin‐
227       gle  address specifications.  Two single addresses can be combined with
228       "!!" to form a dual type address  for  one  channel.  Here,  the  first
229       address  is  used by socat for reading data, and the second address for
230       writing data. There is no way to specify an option only once for  being
231       applied to both single addresses.
232
233       Usually,  addresses  are  opened in read/write mode. When an address is
234       part of a dual address specification, or when option -u or -U is  used,
235       an  address  might be used only for reading or for writing. Considering
236       this is important with some address types.
237
238       With socat version 1.5.0 and higher, the lexical analysis tries to han‐
239       dle  quotes and parenthesis meaningfully and allows escaping of special
240       characters.  If one of the characters ( { [ ’ is found, the correspond‐
241       ing  closing  character  -  )  }  ] ’ - is looked for; they may also be
242       nested. Within these constructs, socats special characters and  strings
243       :  , !! are not handled specially. All those characters and strings can
244       be escaped with \ or within ""
245

ADDRESS TYPES

247       This section describes the available address types with their keywords,
248       parameters, and semantics.
249
250       CREATE:<filename>
251              Opens  <filename>  with creat() and uses the file descriptor for
252              writing.  This address type requires write-only context, because
253              a file opened with creat cannot be read from.
254              Flags  like  O_LARGEFILE cannot be applied. If you need them use
255              OPEN with options create,create.
256              <filename> must be a valid existing or not  existing  path.   If
257              <filename>  is  a named pipe, creat() might block; if <filename>
258              refers to a socket, this is an error.
259              Option groups: FD,REG,NAMED
260              Useful options: mode, user,  group,  unlink-early,  unlink-late,
261              append
262              See also: OPEN, GOPEN
263
264       EXEC:<command-line>
265              Forks a sub process that establishes communication with its par‐
266              ent process and invokes the specified program  with  execvp()  .
267              <command-line>  is  a simple command with arguments separated by
268              single spaces. If the program name  contains  a  ’/’,  the  part
269              after the last ’/’ is taken as ARGV[0]. If the program name is a
270              relative path, the execvp() semantics for  finding  the  program
271              via  $PATH  apply.  After successful program start, socat writes
272              data to stdin of the process and reads from its stdout  using  a
273              UNIX domain socket generated by socketpair() per default. (exam‐
274              ple)
275              Option groups: FD,SOCKET,EXEC,FORK,TERMIOS
276              Useful options: path, fdin, fdout,  chroot,  su,  su-d,  nofork,
277              pty, stderr, ctty, setsid, pipes, login, sigint, sigquit
278              See also: SYSTEM
279
280       FD:<fdnum>
281              Uses the file descriptor <fdnum>. It must already exist as valid
282              UN*X file descriptor.
283              Option groups: FD (TERMIOS,REG,SOCKET)
284              See also: STDIO, STDIN, STDOUT, STDERR
285
286       GOPEN:<filename>
287              (Generic open) This address type tries to handle any file system
288              entry  except directories usefully. <filename> may be a relative
289              or absolute path. If it already exists, its type is checked.  In
290              case  of  a  UNIX  domain  socket, socat connects; if connecting
291              fails, socat assumes a datagram socket and uses sendto()  calls.
292              If  the  entry  is  not  a  socket,  socat opens it applying the
293              O_APPEND flag.  If it does not exist, it  is  opened  with  flag
294              O_CREAT as a regular file (example).
295              Option groups: FD,REG,SOCKET,NAMED,OPEN
296              See also: OPEN, CREATE, UNIX-CONNECT
297
298       IP-SENDTO:<host>:<protocol>
299              Opens a raw IP socket. Depending on host specification or option
300              pf, IP protocol version 4 or 6 is used. It  uses  <protocol>  to
301              send  packets  to  <host> [IP address] and receives packets from
302              host, ignores packets from other hosts.  Protocol 255  uses  the
303              raw socket with the IP header being part of the data.
304              Option groups: FD,SOCKET,IP4,IP6
305              Useful options: pf, ttl
306              See   also:   IP4-SENDTO,   IP6-SENDTO,   IP-RECVFROM,  IP-RECV,
307              UDP-SENDTO, UNIX-SENDTO
308
309       INTERFACE:<interface>
310              Communicates with a network connected on an interface using  raw
311              packets  including  link  level data. <interface> is the name of
312              the  network  interface.  Currently  only  available  on  Linux.
313              Option groups: FD,SOCKET
314              Useful options: pf, type
315              See also: ip-recv
316
317       IP4-SENDTO:<host>:<protocol>
318              Like IP-SENDTO, but always uses IPv4.
319              Option groups: FD,SOCKET,IP4
320
321       IP6-SENDTO:<host>:<protocol>
322              Like IP-SENDTO, but always uses IPv6.
323              Option groups: FD,SOCKET,IP6
324
325
326       IP-DATAGRAM:<address>:<protocol>
327              Sends  outgoing  data to the specified address which may in par‐
328              ticular be a broadcast or multicast address. Packets arriving on
329              the  local  socket  are  checked if their source addresses match
330              RANGE or TCPWRAP options. This address type can for  example  be
331              used  for implementing symmetric or asymmetric broadcast or mul‐
332              ticast communications.
333              Option groups: FD, SOCKET, IP4, IP6, RANGE
334              Useful  options:  bind,  range,  tcpwrap,  broadcast,  ip-multi‐
335              cast-loop, ip-multicast-ttl, ip-multicast-if, ip-add-membership,
336              ip-add-source-membership, ttl, tos, pf
337              See also: IP4-DATAGRAM,  IP6-DATAGRAM,  IP-SENDTO,  IP-RECVFROM,
338              IP-RECV, UDP-DATAGRAM
339
340       IP4-DATAGRAM:<host>:<protocol>
341              Like IP-DATAGRAM, but always uses IPv4.  (example)
342              Option groups: FD,SOCKET,IP4,RANGE
343
344       IP6-DATAGRAM:<host>:<protocol>
345              Like  IP-DATAGRAM,  but  always uses IPv6. Please note that IPv6
346              does not know broadcasts.
347              Option groups: FD,SOCKET,IP6,RANGE
348
349
350       IP-RECVFROM:<protocol>
351              Opens a raw IP socket of <protocol>. Depending on option pf,  IP
352              protocol  version 4 or 6 is used. It receives one packet from an
353              unspecified peer and may send one or more answer packets to that
354              peer.   This  mode is particularly useful with fork option where
355              each arriving packet - from arbitrary peers - is handled by  its
356              own sub process.  This allows a behaviour similar to typical UDP
357              based servers like ntpd or named.
358              Please note that the reply packets might be fetched as  incoming
359              traffic  when  sender  and  receiver  IP  address  are identical
360              because there is no port number to distinguish the sockets.
361              This address  works  well  with  IP-SENDTO  address  peers  (see
362              above).   Protocol  255  uses  the raw socket with the IP header
363              being part of the data.
364              See the note about RECVFROM addresses.
365              Option groups: FD,SOCKET,IP4,IP6,CHILD,RANGE
366              Useful options: pf, fork, range, ttl, broadcast
367              See  also:  IP4-RECVFROM,  IP6-RECVFROM,   IP-SENDTO,   IP-RECV,
368              UDP-RECVFROM, UNIX-RECVFROM
369
370       IP4-RECVFROM:<protocol>
371              Like IP-RECVFROM, but always uses IPv4.
372              Option groups: FD,SOCKET,IP4,CHILD,RANGE
373
374       IP6-RECVFROM:<protocol>
375              Like IP-RECVFROM, but always uses IPv6.
376              Option groups: FD,SOCKET,IP6,CHILD,RANGE
377
378
379       IP-RECV:<protocol>
380              Opens  a raw IP socket of <protocol>. Depending on option pf, IP
381              protocol version 4 or 6 is used. It receives packets from multi‐
382              ple  unspecified peers and merges the data.  No replies are pos‐
383              sible.  It can be, e.g., addressed by  socat  IP-SENDTO  address
384              peers.   Protocol  255  uses  the  raw socket with the IP header
385              being part of the data.
386              Option groups: FD,SOCKET,IP4,IP6,RANGE
387              Useful options: pf, range
388              See also: IP4-RECV, IP6-RECV, IP-SENDTO, IP-RECVFROM,  UDP-RECV,
389              UNIX-RECV
390
391       IP4-RECV:<protocol>
392              Like IP-RECV, but always uses IPv4.
393              Option groups: FD,SOCKET,IP4,RANGE
394
395       IP6-RECV:<protocol>
396              Like IP-RECV, but always uses IPv6.
397              Option groups: FD,SOCKET,IP6,RANGE
398
399
400       OPEN:<filename>
401              Opens  <filename>  using the open() system call (example).  This
402              operation fails on UNIX domain sockets.
403              Note: This address type is rarely useful in bidirectional mode.
404              Option groups: FD,REG,NAMED,OPEN
405              Useful options: creat, excl, noatime, nofollow, append,  rdonly,
406              wronly, lock, readbytes, ignoreeof
407              See also: CREATE, GOPEN, UNIX-CONNECT
408
409       OPENSSL:<host>:<port>
410              Tries  to  establish a SSL connection to <port> [TCP service] on
411              <host> [IP address] using TCP/IP version 4  or  6  depending  on
412              address specification, name resolution, or option pf.
413              NOTE:  Up  to  version  1.7.2.4  the server certificate was only
414              checked for validity against the  system  certificate  store  or
415              cafile  or  capath,  but not for match with the server’s name or
416              its IP address.  Since version 1.7.3.0  socat  checks  the  peer
417              certificate  for match with the <host> parameter or the value of
418              the openssl-commonname option.  Socat tries to match it  against
419              the certificates subject commonName, and the certificates exten‐
420              sion subjectAltName DNS names. Wildcards in the certificate  are
421              supported.
422              Option groups: FD,SOCKET,IP4,IP6,TCP,OPENSSL,RETRY
423              Useful options: cipher, verify, commonname, cafile, capath, cer‐
424              tificate, key, compress, bind, pf, connect-timeout,  sourceport,
425              retry
426              See also: OPENSSL-LISTEN, TCP
427
428       OPENSSL-LISTEN:<port>
429              Listens on tcp <port> [TCP service].  The IP version is 4 or the
430              one specified with pf.  When  a  connection  is  accepted,  this
431              address behaves as SSL server.
432              Note:  You probably want to use the certificate option with this
433              address.
434              NOTE: The  client  certificate  is  only  checked  for  validity
435              against  cafile  or  capath, but not for match with the client’s
436              name or its IP address!
437              Option            groups:             FD,SOCKET,IP4,IP6,TCP,LIS‐
438              TEN,OPENSSL,CHILD,RANGE,RETRY
439              Useful  options: pf, cipher, verify, commonname, cafile, capath,
440              certificate, key, compress,  fork,  bind,  range,  tcpwrap,  su,
441              reuseaddr, retry
442              See also: OPENSSL, TCP-LISTEN
443
444       OPENSSL-DTLS-CLIENT:<host>:<port>
445              Tries  to establish a DTLS connection to <port> [UDP service] on
446              <host> [IP address] using UDP/IP version 4  or  6  depending  on
447              address specification, name resolution, or option pf.
448              Socat  checks the peer certificates subjectAltName or commonName
449              against the addresses  option  openssl-commonname  or  the  host
450              name.  Wildcards in the certificate are supported.
451              Use  socat  option -b to make datagrams small enough to fit with
452              overhead on the network. Use option  -T  to  prevent  indefinite
453              hanging when peer went down quietly.
454              Option groups: FD,SOCKET,IP4,IP6,OPENSSL,RETRY
455              Useful options: cipher, verify, commonname, cafile, capath, cer‐
456              tificate, key, compress, bind, pf, sourceport, retry
457              See also: OPENSSL-DTLS-SERVER, OPENSSL-CONNECT, UDP-CONNECT
458
459       OPENSSL-DTLS-SERVER:<port>
460              Listens on UDP <port> [UDP service].  The IP version is 4 or the
461              one  specified  with  pf.  When  a  connection is accepted, this
462              address behaves as DTLS server.
463              Note: You probably want to use the certificate option with  this
464              address.
465              NOTE:  The  client  certificate  is  only  checked  for validity
466              against cafile or capath, but not for match  with  the  client’s
467              name  or  its IP address!  Use socat option -b to make datagrams
468              small enough to fit with overhead on the network.  Use option -T
469              to prevent indefinite hanging when peer went down quietly.
470              Option               groups:              FD,SOCKET,IP4,IP6,LIS‐
471              TEN,OPENSSL,CHILD,RANGE,RETRY
472              Useful options: pf, cipher, verify, commonname, cafile,  capath,
473              certificate,  key,  compress,  fork,  bind,  range, tcpwrap, su,
474              reuseaddr, retry
475              See also: OPENSSL-DTLS-CLIENT, OPENSSL-LISTEN, UDP-LISTEN
476
477       PIPE:<filename>
478              If <filename> already exists, it is  opened.   If  it  does  not
479              exist,  a named pipe is created and opened. Beginning with socat
480              version 1.4.3, the named pipe is removed  when  the  address  is
481              closed (but see option unlink-close
482              Note: When a pipe is used for both reading and writing, it works
483              as echo service.
484              Note: When a pipe is used for  both  reading  and  writing,  and
485              socat  tries to write more bytes than the pipe can buffer (Linux
486              2.4: 2048  bytes),  socat  might  block.  Consider  using  socat
487              option, e.g., -b 2048
488              Option groups: FD,NAMED,OPEN
489              Useful   options:   rdonly,   nonblock,   group,   user,   mode,
490              unlink-early
491              See also: unnamed pipe
492
493       PIPE   Creates an unnamed pipe and uses it for reading and writing.  It
494              works  as  an  echo,  because  everything written to it appeares
495              immediately as read data.
496              Note: When socat tries to write more bytes  than  the  pipe  can
497              queue  (Linux  2.4:  2048  bytes),  socat might block. Consider,
498              e.g., using option -b 2048
499              Option groups: FD
500              See also: named pipe
501
502       PROXY:<proxy>:<hostname>:<port>
503              Connects to an HTTP proxy server on port 8080 using TCP/IP  ver‐
504              sion 4 or 6 depending on address specification, name resolution,
505              or option pf, and sends a CONNECT request for hostname:port.  If
506              the  proxy  grants access and succeeds to connect to the target,
507              data transfer between socat and the target can start. Note  that
508              the traffic need not be HTTP but can be an arbitrary protocol.
509              Option groups: FD,SOCKET,IP4,IP6,TCP,HTTP,RETRY
510              Useful  options:  proxyport, ignorecr, proxyauth, resolve, crnl,
511              bind, connect-timeout, mss, sourceport, retry
512              See also: SOCKS, TCP
513
514       PTY    Generates a pseudo terminal (pty)  and  uses  its  master  side.
515              Another  process  may  open the pty’s slave side using it like a
516              serial line or terminal.  (example). If both the  ptmx  and  the
517              openpty mechanisms are available, ptmx is used (POSIX).
518              Option groups: FD,NAMED,PTY,TERMIOS
519              Useful options: link, openpty, wait-slave, mode, user, group
520              See also: UNIX-LISTEN, PIPE, EXEC, SYSTEM
521
522       READLINE
523              Uses  GNU  readline  and  history  on stdio to allow editing and
524              reusing input lines (example). This requires  the  GNU  readline
525              and history libraries. Note that stdio should be a (pseudo) ter‐
526              minal device, otherwise readline does not seem to work.
527              Option groups: FD,READLINE,TERMIOS
528              Useful options: history, noecho
529              See also: STDIO
530
531       SCTP-CONNECT:<host>:<port>
532              Establishes an SCTP stream connection to  the  specified  <host>
533              [IP  address]  and  <port> [TCP service] using IP version 4 or 6
534              depending on address specification, name resolution,  or  option
535              pf.
536              Option groups: FD,SOCKET,IP4,IP6,SCTP,CHILD,RETRY
537              Useful  options:  bind,  pf,  connect-timeout, tos, mtudiscover,
538              sctp-maxseg, sctp-nodelay, nonblock,  sourceport,  retry,  read‐
539              bytes
540              See also: SCTP4-CONNECT, SCTP6-CONNECT, SCTP-LISTEN, TCP-CONNECT
541
542       SCTP4-CONNECT:<host>:<port>
543              Like SCTP-CONNECT, but only supports IPv4 protocol.
544              Option groups: FD,SOCKET,IP4,SCTP,CHILD,RETRY
545
546       SCTP6-CONNECT:<host>:<port>
547              Like SCTP-CONNECT, but only supports IPv6 protocol.
548              Option groups: FD,SOCKET,IP6,SCTP,CHILD,RETRY
549
550       SCTP-LISTEN:<port>
551              Listens  on <port> [TCP service] and accepts an SCTP connection.
552              The IP version is 4 or the one specified with address option pf,
553              socat    option    (-4,    -6),    or    environment    variable
554              SOCAT_DEFAULT_LISTEN_IP.  Note that opening this address usually
555              blocks until a client connects.
556              Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6,SCTP,RETRY
557              Useful  options: crnl, fork, bind, range, tcpwrap, pf, max-chil‐
558              dren, backlog, accept-timeout,  sctp-maxseg,  sctp-nodelay,  su,
559              reuseaddr, retry, cool-write
560              See also: SCTP4-LISTEN, SCTP6-LISTEN, TCP-LISTEN, SCTP-CONNECT
561
562       SCTP4-LISTEN:<port>
563              Like SCTP-LISTEN, but only supports IPv4 protocol.
564              Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4,SCTP,RETRY
565
566       SCTP6-LISTEN:<port>
567              Like SCTP-LISTEN, but only supports IPv6 protocol.
568              Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP6,SCTP,RETRY
569
570       SOCKET-CONNECT:<domain>:<protocol>:<remote-address>
571              Creates  a stream socket using the first and second given socket
572              parameters and SOCK_STREAM (see man socket(2)) and  connects  to
573              the remote-address.  The two socket parameters have to be speci‐
574              fied by int numbers. Consult your OS documentation  and  include
575              files to find the appropriate values. The remote-address must be
576              the data representation of a sockaddr structure without  sa_fam‐
577              ily and (BSD) sa_len components.
578              Please  note  that you can - beyond the options of the specified
579              groups - also use options of higher  level  protocols  when  you
580              apply socat option -g.
581              Option groups: FD,SOCKET,CHILD,RETRY
582              Useful options: bind, setsockopt,
583              See   also:   TCP,   UDP-CONNECT,  UNIX-CONNECT,  SOCKET-LISTEN,
584              SOCKET-SENDTO
585
586       SOCKET-DATAGRAM:<domain>:<type>:<protocol>:<remote-address>
587              Creates a datagram socket using the  first  three  given  socket
588              parameters  (see  man  socket(2)) and sends outgoing data to the
589              remote-address. The three socket parameters have to be specified
590              by  int numbers. Consult your OS documentation and include files
591              to find the appropriate values. The remote-address must  be  the
592              data  representation  of  a sockaddr structure without sa_family
593              and (BSD) sa_len components.
594              Please note that you can - beyond the options of  the  specified
595              groups  -  also  use  options of higher level protocols when you
596              apply socat option -g.
597              Option groups: FD,SOCKET,RANGE
598              Useful options: bind, range, setsockopt,
599              See also: UDP-DATAGRAM, IP-DATAGRAM, SOCKET-SENDTO, SOCKET-RECV,
600              SOCKET-RECVFROM
601
602       SOCKET-LISTEN:<domain>:<protocol>:<local-address>
603              Creates  a stream socket using the first and second given socket
604              parameters and SOCK_STREAM (see man  socket(2))  and  waits  for
605              incoming connections on local-address. The two socket parameters
606              have to be specified by int numbers. Consult your OS  documenta‐
607              tion  and  include  files  to  find  the appropriate values. The
608              local-address must be the  data  representation  of  a  sockaddr
609              structure without sa_family and (BSD) sa_len components.
610              Please  note  that you can - beyond the options of the specified
611              groups - also use options of higher  level  protocols  when  you
612              apply socat option -g.
613              Option groups: FD,SOCKET,LISTEN,RANGE,CHILD,RETRY
614              Useful options: setsockopt, setsockopt-listen,
615              See   also:   TCP,   UDP-CONNECT,  UNIX-CONNECT,  SOCKET-LISTEN,
616              SOCKET-SENDTO, SOCKET-SENDTO
617
618       SOCKET-RECV:<domain>:<type>:<protocol>:<local-address>
619              Creates a socket using the three given  socket  parameters  (see
620              man  socket(2)) and binds it to <local-address>. Receives arriv‐
621              ing data. The three parameters have to be specified by int  num‐
622              bers.  Consult  your  OS documentation and include files to find
623              the appropriate values. The local-address must be the data  rep‐
624              resentation  of a sockaddr structure without sa_family and (BSD)
625              sa_len components.
626              Option groups: FD,SOCKET,RANGE
627              Useful options: range, setsockopt, setsockopt-listen
628              See  also:  UDP-RECV,   IP-RECV,   UNIX-RECV,   SOCKET-DATAGRAM,
629              SOCKET-SENDTO, SOCKET-RECVFROM
630
631       SOCKET-RECVFROM:<domain>:<type>:<protocol>:<local-address>
632              Creates  a  socket  using the three given socket parameters (see
633              man socket(2)) and binds it to <local-address>. Receives  arriv‐
634              ing  data  and sends replies back to the sender. The first three
635              parameters have to be specified as int numbers. Consult your  OS
636              documentation  and include files to find the appropriate values.
637              The local-address must be the data representation of a  sockaddr
638              structure without sa_family and (BSD) sa_len components.
639              See the note about RECVFROM addresses.
640              Option groups: FD,SOCKET,CHILD,RANGE
641              Useful options: fork, range, setsockopt, setsockopt-listen
642              See also: UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, SOCKET-DATA‐
643              GRAM, SOCKET-SENDTO, SOCKET-RECV
644
645       SOCKET-SENDTO:<domain>:<type>:<protocol>:<remote-address>
646              Creates a socket using the three given  socket  parameters  (see
647              man  socket(2)).  Sends  outgoing  data to the given address and
648              receives replies.  The three parameters have to be specified  as
649              int  numbers. Consult your OS documentation and include files to
650              find the appropriate values. The remote-address must be the data
651              representation  of  a  sockaddr  structure without sa_family and
652              (BSD) sa_len components.
653              Option groups: FD,SOCKET
654              Useful options: bind, setsockopt, setsockopt-listen
655              See also: UDP-SENDTO, IP-SENDTO,  UNIX-SENDTO,  SOCKET-DATAGRAM,
656              SOCKET-RECV SOCKET-RECVFROM
657
658       SOCKS4:<socks-server>:<host>:<port>
659              Connects   via  <socks-server>  [IP  address]  to  <host>  [IPv4
660              address] on <port> [TCP service], using socks version 4 protocol
661              over  IP version 4 or 6 depending on address specification, name
662              resolution, or option pf (example).
663              Option groups: FD,SOCKET,IP4,IP6,TCP,SOCKS4,RETRY
664              Useful options: socksuser, socksport, sourceport, pf, retry
665              See also: SOCKS4A, PROXY, TCP
666
667       SOCKS4A:<socks-server>:<host>:<port>
668              like SOCKS4, but uses socks protocol version  4a,  thus  leaving
669              host name resolution to the socks server.
670              Option groups: FD,SOCKET,IP4,IP6,TCP,SOCKS4,RETRY
671
672       STDERR Uses file descriptor 2.
673              Option groups: FD (TERMIOS,REG,SOCKET)
674              See also: FD
675
676       STDIN  Uses file descriptor 0.
677              Option groups: FD (TERMIOS,REG,SOCKET)
678              Useful options: readbytes
679              See also: FD
680
681       STDIO  Uses file descriptor 0 for reading, and 1 for writing.
682              Option groups: FD (TERMIOS,REG,SOCKET)
683              Useful options: readbytes
684              See also: FD
685
686       STDOUT Uses file descriptor 1.
687              Option groups: FD (TERMIOS,REG,SOCKET)
688              See also: FD
689
690       SYSTEM:<shell-command>
691              Forks a sub process that establishes communication with its par‐
692              ent process and invokes the specified program  with  system()  .
693              Please  note  that <shell-command> [string] must not contain ’,’
694              or "!!", and that shell meta characters  may  have  to  be  pro‐
695              tected.   After  successful  program start, socat writes data to
696              stdin of the process and reads from its stdout.
697              Option groups: FD,SOCKET,EXEC,FORK,TERMIOS
698              Useful options: path, fdin, fdout,  chroot,  su,  su-d,  nofork,
699              pty, stderr, ctty, setsid, pipes, sigint, sigquit
700              See also: EXEC
701
702       TCP:<host>:<port>
703              Connects  to  <port>  [TCP service] on <host> [IP address] using
704              TCP/IP version 4 or 6 depending on address  specification,  name
705              resolution, or option pf.
706              Option groups: FD,SOCKET,IP4,IP6,TCP,RETRY
707              Useful  options:  crnl,  bind, pf, connect-timeout, tos, mtudis‐
708              cover, mss, nodelay, nonblock, sourceport, retry, readbytes
709              See also: TCP4, TCP6, TCP-LISTEN, UDP,  SCTP-CONNECT,  UNIX-CON‐
710              NECT
711
712       TCP4:<host>:<port>
713              Like TCP, but only supports IPv4 protocol (example).
714              Option groups: FD,SOCKET,IP4,TCP,RETRY
715
716       TCP6:<host>:<port>
717              Like TCP, but only supports IPv6 protocol.
718              Option groups: FD,SOCKET,IP6,TCP,RETRY
719
720       TCP-LISTEN:<port>
721              Listens on <port> [TCP service] and accepts a TCP/IP connection.
722              The IP version is 4 or the one specified with address option pf,
723              socat    option    (-4,    -6),    or    environment    variable
724              SOCAT_DEFAULT_LISTEN_IP.  Note that opening this address usually
725              blocks until a client connects.
726              Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6,TCP,RETRY
727              Useful  options: crnl, fork, bind, range, tcpwrap, pf, max-chil‐
728              dren,  backlog,  accept-timeout,  mss,  su,  reuseaddr,   retry,
729              cool-write
730              See  also:  TCP4-LISTEN,  TCP6-LISTEN,  UDP-LISTEN, SCTP-LISTEN,
731              UNIX-LISTEN, OPENSSL-LISTEN, TCP-CONNECT
732
733       TCP4-LISTEN:<port>
734              Like TCP-LISTEN, but only supports IPv4 protocol (example).
735              Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4,TCP,RETRY
736
737       TCP6-LISTEN:<port>
738              Like TCP-LISTEN, but only supports IPv6 protocol.
739              Additional useful option: ipv6only
740              Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP6,TCP,RETRY
741
742       TUN[:<if-addr>/<bits>]
743              Creates a Linux TUN/TAP device and optionally  assignes  it  the
744              address  and netmask given by the parameters. The resulting net‐
745              work interface is almost ready for use by other processes; socat
746              serves  its  "wire  side".  This address requires read and write
747              access to the tunnel cloning device, usually /dev/net/tun  ,  as
748              well  as  permission  to  set  some  ioctl()s.  Option iff-up is
749              required to immediately activate the interface!
750              Note: If you intend to transfer packets between two Socat  "wire
751              sides"  you  need  a  protocol  that  keeps  packet  boundaries,
752              e.g.UDP; TCP might work with option nodelay.
753              Option groups: FD,NAMED,OPEN,TUN
754              Useful  options:   iff-up,   tun-device,   tun-name,   tun-type,
755              iff-no-pi
756              See also: ip-recv
757
758       UDP:<host>:<port>
759              Connects  to  <port>  [UDP service] on <host> [IP address] using
760              UDP/IP version 4 or 6 depending on address  specification,  name
761              resolution, or option pf.
762              Please  note  that, due to UDP protocol properties, no real con‐
763              nection is established; data has to be sent for `connecting’  to
764              the server, and no end-of-file condition can be transported.
765              Option groups: FD,SOCKET,IP4,IP6
766              Useful options: ttl, tos, bind, sourceport, pf
767              See also: UDP4, UDP6, UDP-LISTEN, TCP, IP
768
769       UDP4:<host>:<port>
770              Like UDP, but only supports IPv4 protocol.
771              Option groups: FD,SOCKET,IP4
772
773       UDP6:<host>:<port>
774              Like UDP, but only supports IPv6 protocol.
775              Option groups: FD,SOCKET,IP6
776
777       UDP-DATAGRAM:<address>:<port>
778              Sends  outgoing  data to the specified address which may in par‐
779              ticular be a broadcast or multicast address. Packets arriving on
780              the  local  socket  are checked for the correct remote port only
781              when option sourceport is used (this is a change with Socat ver‐
782              sion  1.7.4.0) and if their source addresses match RANGE or TCP‐
783              WRAP options. This address type can  for  example  be  used  for
784              implementing symmetric or asymmetric broadcast or multicast com‐
785              munications.
786              Option groups: FD,SOCKET,IP4,IP6,RANGE
787              Useful  options:  bind,  range,  tcpwrap,  broadcast,  ip-multi‐
788              cast-loop, ip-multicast-ttl, ip-multicast-if, ip-add-membership,
789              ip-add-source-membership, ttl, tos, sourceport, pf
790              See    also:    UDP4-DATAGRAM,    UDP6-DATAGRAM,     UDP-SENDTO,
791              UDP-RECVFROM, UDP-RECV, UDP-CONNECT, UDP-LISTEN, IP-DATAGRAM
792
793       UDP4-DATAGRAM:<address>:<port>
794              Like  UDP-DATAGRAM,  but  only supports IPv4 protocol (example1,
795              example2).
796              Option groups: FD,SOCKET,IP4, RANGE
797
798       UDP6-DATAGRAM:<address>:<port>
799              Like UDP-DATAGRAM, but only supports IPv6 protocol.
800              Option groups: FD,SOCKET,IP6,RANGE
801
802       UDP-LISTEN:<port>
803              Waits for a UDP/IP packet arriving on <port> [UDP  service]  and
804              `connects’  back to sender.  The accepted IP version is 4 or the
805              one specified with option pf.  Please note that, due to UDP pro‐
806              tocol properties, no real connection is established; data has to
807              arrive from the peer first, and no end-of-file condition can  be
808              transported. Note that opening this address usually blocks until
809              a client connects.
810              Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6
811              Useful options: fork, bind, range, pf
812              See also: UDP, UDP4-LISTEN, UDP6-LISTEN, TCP-LISTEN
813
814       UDP4-LISTEN:<port>
815              Like UDP-LISTEN, but only support IPv4 protocol.
816              Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4
817
818       UDP6-LISTEN:<port>
819              Like UDP-LISTEN, but only support IPv6 protocol.
820              Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP6
821
822       UDP-SENDTO:<host>:<port>
823              Communicates with the specified peer socket, defined  by  <port>
824              [UDP  service] on <host> [IP address], using UDP/IP version 4 or
825              6 depending on address specification, name resolution, or option
826              pf.  It  sends  packets  to  and receives packets from that peer
827              socket only.  This address  effectively  implements  a  datagram
828              client.   It  works  well  with  socat UDP-RECVFROM and UDP-RECV
829              address peers.
830              Option groups: FD,SOCKET,IP4,IP6
831              Useful options: ttl, tos, bind, sourceport, pf
832              See  also:  UDP4-SENDTO,  UDP6-SENDTO,  UDP-RECVFROM,  UDP-RECV,
833              UDP-CONNECT, UDP-LISTEN, IP-SENDTO
834
835       UDP4-SENDTO:<host>:<port>
836              Like UDP-SENDTO, but only supports IPv4 protocol.
837              Option groups: FD,SOCKET,IP4
838
839       UDP6-SENDTO:<host>:<port>
840              Like UDP-SENDTO, but only supports IPv6 protocol.
841              Option groups: FD,SOCKET,IP6
842
843       UDP-RECVFROM:<port>
844              Creates  a  UDP socket on <port> [UDP service] using UDP/IP ver‐
845              sion 4 or 6 depending on option pf.  It receives one packet from
846              an  unspecified  peer and may send one or more answer packets to
847              that peer. This mode is particularly  useful  with  fork  option
848              where  each  arriving packet - from arbitrary peers - is handled
849              by its own sub process. This allows a behaviour similar to typi‐
850              cal  UDP  based  servers  like ntpd or named. This address works
851              well with socat UDP-SENDTO address peers.
852              Note: When the second address fails before entering the transfer
853              loop  the  packet is dropped. Use option retry or forever on the
854              second address to avoid data loss.
855              Option groups: FD,SOCKET,IP4,IP6,CHILD,RANGE
856              Useful options: fork, ttl, tos, bind, sourceport, pf
857              See also: UDP4-RECVFROM,  UDP6-RECVFROM,  UDP-SENDTO,  UDP-RECV,
858              UDP-CONNECT, UDP-LISTEN, IP-RECVFROM, UNIX-RECVFROM
859
860       UDP4-RECVFROM:<port>
861              Like UDP-RECVFROM, but only supports IPv4 protocol.
862              Option groups: FD,SOCKET,IP4,CHILD,RANGE
863
864       UDP6-RECVFROM:<port>
865              Like UDP-RECVFROM, but only supports IPv6 protocol.
866              Option groups: FD,SOCKET,IP6,CHILD,RANGE
867
868       UDP-RECV:<port>
869              Creates  a  UDP socket on <port> [UDP service] using UDP/IP ver‐
870              sion 4 or 6 depending on option pf.  It  receives  packets  from
871              multiple  unspecified peers and merges the data.  No replies are
872              possible. It works well with,  e.g.,  socat  UDP-SENDTO  address
873              peers; it behaves similar to a syslog server.
874              Note: if you need the fork option, use UDP-RECVFROM in unidirec‐
875              tional mode (with option -u) instead.
876              Option groups: FD,SOCKET,IP4,IP6,RANGE
877              Useful options: pf, bind, sourceport, ttl, tos
878              See  also:  UDP4-RECV,  UDP6-RECV,   UDP-SENDTO,   UDP-RECVFROM,
879              UDP-CONNECT, UDP-LISTEN, IP-RECV, UNIX-RECV
880
881       UDP4-RECV:<port>
882              Like UDP-RECV, but only supports IPv4 protocol.
883              Option groups: FD,SOCKET,IP4,RANGE
884
885       UDP6-RECV:<port>
886              Like UDP-RECV, but only supports IPv6 protocol.
887              Option groups: FD,SOCKET,IP6,RANGE
888
889       UNIX-CONNECT:<filename>
890              Connects  to <filename> assuming it is a UNIX domain socket.  If
891              <filename> does not exist, this is an error;  if  <filename>  is
892              not  a  UNIX domain socket, this is an error; if <filename> is a
893              UNIX domain socket, but no process  is  listening,  this  is  an
894              error.
895              Option groups: FD,SOCKET,NAMED,RETRY,UNIX
896              ) Useful options: bind
897              See also: UNIX-LISTEN, UNIX-SENDTO, TCP
898
899       UNIX-LISTEN:<filename>
900              Listens  on  <filename>  using  a  UNIX domain stream socket and
901              accepts a connection.  If <filename> exists and is not a socket,
902              this  is  an  error.   If <filename> exists and is a UNIX domain
903              socket, binding to the address fails (use option unlink-early!).
904              Note  that  opening  this  address usually blocks until a client
905              connects.  Beginning with socat version 1.4.3, the  file  system
906              entry  is  removed  when  this address is closed (but see option
907              unlink-close) (example).
908              Option groups: FD,SOCKET,NAMED,LISTEN,CHILD,RETRY,UNIX
909              Useful options: fork, umask, mode, user, group, unlink-early
910              See also: UNIX-CONNECT, UNIX-RECVFROM, UNIX-RECV, TCP-LISTEN
911
912       UNIX-SENDTO:<filename>
913              Communicates with the specified peer socket, defined by  [<file‐
914              name>]  assuming  it is a UNIX domain datagram socket.  It sends
915              packets to and receives packets  from  that  peer  socket  only.
916              Please  note that it might be necessary to bind the local socket
917              to an address (e.g. /tmp/sock1, which must  not  exist  before).
918              This  address  type  works  well  with  socat  UNIX-RECVFROM and
919              UNIX-RECV address peers.
920              Option groups: FD,SOCKET,NAMED,UNIX
921              Useful options: bind
922              See also: UNIX-RECVFROM,  UNIX-RECV,  UNIX-CONNECT,  UDP-SENDTO,
923              IP-SENDTO
924
925       UNIX-RECVFROM:<filename>
926              Creates  a  UNIX  domain datagram socket [<filename>].  Receives
927              one packet and may send one or more answer packets to that peer.
928              This  mode  is  particularly  useful with fork option where each
929              arriving packet - from arbitrary peers - is handled by  its  own
930              sub  process.   This  address  works well with socat UNIX-SENDTO
931              address peers.
932              Option groups: FD,SOCKET,NAMED,CHILD,UNIX
933              See the note about RECVFROM addresses.
934              Useful options: fork
935              See also:  UNIX-SENDTO,  UNIX-RECV,  UNIX-LISTEN,  UDP-RECVFROM,
936              IP-RECVFROM
937
938       UNIX-RECV:<filename>
939              Creates  a  UNIX  domain datagram socket [<filename>].  Receives
940              packets from multiple unspecified peers and merges the data.  No
941              replies  are  possible.  It  can  be,  e.g.,  addressed by socat
942              UNIX-SENDTO address peers.   It  behaves  similar  to  a  syslog
943              server.
944              Option groups: FD,SOCKET,NAMED,UNIX
945              See  also:  UNIX-SENDTO,  UNIX-RECVFROM,  UNIX-LISTEN, UDP-RECV,
946              IP-RECV
947
948       UNIX-CLIENT:<filename>
949              Communicates with the specified peer socket, defined by  [<file‐
950              name>]  assuming  it is a UNIX domain socket.  It first tries to
951              connect and, if that fails, assumes it  is  a  datagram  socket,
952              thus supporting both types.
953              Option groups: FD,SOCKET,NAMED,UNIX
954              Useful options: bind
955              See also: UNIX-CONNECT, UNIX-SENDTO, GOPEN
956
957       VSOCK-CONNECT:<cid>:<port>
958              Establishes  a  VSOCK  stream  connection to the specified <cid>
959              [VSOCK cid] and <port> [VSOCK port].
960              Option groups: FD,SOCKET,CHILD,RETRY
961              Useful options: bind, pf, connect-timeout, retry, readbytes
962              See also: VSOCK-LISTEN,
963
964       VSOCK-LISTEN:<port>
965              Listens on <port> [VSOCK port] and accepts a  VSOCK  connection.
966              Note  that  opening  this  address usually blocks until a client
967              connects.
968              Option groups: FD,SOCKET,LISTEN,CHILD,RETRY
969              Useful options:  fork,  bind,  pf,  max-children,  backlog,  su,
970              reuseaddr, retry, cool-write
971              See also: VSOCK-CONNECT
972
973       ABSTRACT-CONNECT:<string>
974
975       ABSTRACT-LISTEN:<string>
976
977       ABSTRACT-SENDTO:<string>
978
979       ABSTRACT-RECVFROM:<string>
980
981       ABSTRACT-RECV:<string>
982
983       ABSTRACT-CLIENT:<string>
984              The  ABSTRACT addresses are almost identical to the related UNIX
985              addresses except that they do  not  address  file  system  based
986              sockets  but  an alternate UNIX domain address space. To achieve
987              this the socket address strings are prefixed  with  "\0"  inter‐
988              nally.  This  feature  is  available  (only?)  on Linux.  Option
989              groups are the same as with the related UNIX  addresses,  except
990              that the ABSTRACT addresses are not member of the NAMED group.
991
992

ADDRESS OPTIONS

994       Address  options  can be applied to address specifications to influence
995       the process of opening the addresses and the properties of the  result‐
996       ing data channels.
997
998       For  technical reasons not every option can be applied to every address
999       type; e.g., applying a socket option to a regular file  will  fail.  To
1000       catch most useless combinations as early as in the open phase, the con‐
1001       cept of option groups was introduced. Each option  belongs  to  one  or
1002       more  option  groups.  Options can be used only with address types that
1003       support at least one of their option groups (but see option -g).
1004
1005       Address options have data types that  their  values  must  conform  to.
1006       Every  address  option consists of just a keyword or a keyword followed
1007       by "=value", where value  must  conform  to  the  options  type.   Some
1008       address  options  manipulate  parameters  of system calls; e.g., option
1009       sync sets the O_SYNC flag with the open() call.  Other options cause  a
1010       system  or  library  call;  e.g.,  with option `ttl=value’ the setsock‐
1011       opt(fd, SOL_IP, IP_TTL, value, sizeof(int))  call  is  applied.   Other
1012       options  set  internal socat variables that are used during data trans‐
1013       fer; e.g., `crnl’ causes explicit character conversions.  A few options
1014       have  more  complex  implementations;  e.g.,  su-d  (substuser-delayed)
1015       inquires some user and group infos, stores them, and applies them later
1016       after a possible chroot() call.
1017
1018       If  multiple  options  are  given  to an address, their sequence in the
1019       address specification has (almost) no effect on the sequence  of  their
1020       execution/application.  Instead,  socat  has  built  in an option phase
1021       model that tries to bring the options in a useful order.  Some  options
1022       exist  in  different forms (e.g., unlink, unlink-early, unlink-late) to
1023       control the time of their execution.
1024
1025       If the same option is specified more than once within one address spec‐
1026       ification,  with  equal  or different values, the effect depends on the
1027       kind of option. Options resulting in function calls  like  setsockopt()
1028       cause  multiple  invocations.  With  options  that set parameters for a
1029       required call like open() or set internal flags, the value of the  last
1030       option occurrence is effective.
1031
1032       The  existence or semantics of many options are system dependent. Socat
1033       usually does NOT try to emulate missing libc  or  kernel  features,  it
1034       just  provides an interface to the underlying system. So, if an operat‐
1035       ing system lacks a feature, the related option is simply not  available
1036       on this platform.
1037
1038       The  following  paragraphs  introduce  just  the  more  common  address
1039       options. For a more comprehensive reference  and  to  find  information
1040       about canonical option names, alias names, option phases, and platforms
1041       see file xio.help.
1042
1043
1044       FD option group
1045
1046       This option group contains options that are applied  to  a  UN*X  style
1047       file  descriptor,  no matter how it was generated.  Because all current
1048       socat address types are file descriptor based,  these  options  may  be
1049       applied to any address.
1050       Note:  Some  of  these options are also member of another option group,
1051       that provides another, non-fd based mechanism.  For these  options,  it
1052       depends  on  the actual address type and its option groups which mecha‐
1053       nism is used. The second, non-fd based mechanism is prioritized.
1054
1055       cloexec=<bool>
1056              Sets the FD_CLOEXEC flag with the fcntl() system call  to  value
1057              <bool>.  If  set, the file descriptor is closed on exec() family
1058              function calls. Socat internally handles this flag for  the  fds
1059              it  controls,  so  in  most cases there will be no need to apply
1060              this option.
1061
1062       setlk  Tries to set a discretionary write lock to the whole file  using
1063              the fcntl(fd, F_SETLK, ...)  system call. If the file is already
1064              locked, this call results in an error.  On Linux, when the  file
1065              permissions  for group are "S" (g-x,g+s), and the file system is
1066              locally mounted with the "mand" option, the lock  is  mandatory,
1067              i.e. prevents other processes from opening the file.
1068
1069       setlkw Tries  to  set  a  discretionary waiting write lock to the whole
1070              file using the fcntl(fd, F_SETLKW, ...)   system  call.  If  the
1071              file  is already locked, this call blocks.  See option setlk for
1072              information about making this lock mandatory.
1073
1074       setlk-rd
1075              Tries to set a discretionary read lock to the whole  file  using
1076              the fcntl(fd, F_SETLK, ...)  system call. If the file is already
1077              write locked, this call results in an error.  See  option  setlk
1078              for information about making this lock mandatory.
1079
1080       setlkw-rd
1081              Tries to set a discretionary waiting read lock to the whole file
1082              using the fcntl(fd, F_SETLKW, ...)  system call. If the file  is
1083              already  write  locked,  this call blocks.  See option setlk for
1084              information about making this lock mandatory.
1085
1086       flock-ex
1087              Tries to set a blocking exclusive  advisory  lock  to  the  file
1088              using  the  flock(fd,  LOCK_EX) system call. Socat hangs in this
1089              call if the file is locked by another process.
1090
1091       flock-ex-nb
1092              Tries to set a nonblocking exclusive advisory lock to  the  file
1093              using the flock(fd, LOCK_EX|LOCK_NB) system call. If the file is
1094              already locked, this option results in an error.
1095
1096       flock-sh
1097              Tries to set a blocking shared advisory lock to the  file  using
1098              the  flock(fd, LOCK_SH) system call. Socat hangs in this call if
1099              the file is locked by another process.
1100
1101       flock-sh-nb
1102              Tries to set a nonblocking shared  advisory  lock  to  the  file
1103              using the flock(fd, LOCK_SH|LOCK_NB) system call. If the file is
1104              already locked, this option results in an error.
1105
1106       lock   Sets a blocking lock on the file. Uses the setlk or flock mecha‐
1107              nism  depending  on  availability on the particular platform. If
1108              both are available, the POSIX variant (setlkw) is used.
1109
1110       user=<user>
1111              Sets the <user> (owner) of the stream.  If the address is member
1112              of  the  NAMED  option group, socat uses the chown() system call
1113              after opening the file or binding  to  the  UNIX  domain  socket
1114              (race  condition!).   Without  filesystem  entry, socat sets the
1115              user of the stream using the fchown() system call.  These  calls
1116              might require root privilege.
1117
1118       user-late=<user>
1119              Sets the owner of the fd to <user> with the fchown() system call
1120              after opening or connecting the channel.  This is useful only on
1121              file system entries.
1122
1123       group=<group>
1124              Sets the <group> of the stream.  If the address is member of the
1125              NAMED option group, socat uses the  chown()  system  call  after
1126              opening the file or binding to the UNIX domain socket (race con‐
1127              dition!).  Without filesystem entry, socat sets the group of the
1128              stream with the fchown() system call.  These calls might require
1129              group membership or root privilege.
1130
1131       group-late=<group>
1132              Sets the group of the fd to <group>  with  the  fchown()  system
1133              call  after  opening  or connecting the channel.  This is useful
1134              only on file system entries.
1135
1136       mode=<mode>
1137              Sets the <mode> [mode_t] (permissions) of the  stream.   If  the
1138              address  is member of the NAMED option group and uses the open()
1139              or creat() call, the mode is applied with these.  If the address
1140              is  member  of the NAMED option group without using these system
1141              calls, socat uses the chmod()  system  call  after  opening  the
1142              filesystem entry or binding to the UNIX domain socket (race con‐
1143              dition!).  Otherwise, socat sets the mode of  the  stream  using
1144              fchmod()  .   These calls might require ownership or root privi‐
1145              lege.
1146
1147       perm-late=<mode>
1148              Sets the permissions of the fd to value  <mode>  [mode_t]  using
1149              the  fchmod()  system call after opening or connecting the chan‐
1150              nel.  This is useful only on file system entries.
1151
1152       append=<bool>
1153              Always writes data to the actual end of file.  If the address is
1154              member  of  the  OPEN option group, socat uses the O_APPEND flag
1155              with the open() system call (example).  Otherwise, socat applies
1156              the fcntl(fd, F_SETFL, O_APPEND) call.
1157
1158       nonblock=<bool>
1159              Tries  to open or use file in nonblocking mode. Its only effects
1160              are that the connect() call of TCP addresses does not block, and
1161              that  opening  a  named pipe for reading does not block.  If the
1162              address is member of the  OPEN  option  group,  socat  uses  the
1163              O_NONBLOCK  flag  with the open() system call.  Otherwise, socat
1164              applies the fcntl(fd, F_SETFL, O_NONBLOCK) call.
1165
1166       binary Opens the file in binary mode to avoid implicit line  terminator
1167              conversions (Cygwin).
1168
1169       text   Opens  the  file  in text mode to force implicit line terminator
1170              conversions (Cygwin).
1171
1172       noinherit
1173              Does not keep this file open in a spawned process (Cygwin).
1174
1175       cool-write
1176              Takes it easy when write fails with EPIPE or ECONNRESET and logs
1177              the  message  with notice level instead of error.  This prevents
1178              the log file from being filled with useless error messages  when
1179              socat  is  used  as  a high volume server or proxy where clients
1180              often abort the connection.
1181              This option is experimental.
1182
1183       end-close
1184              Changes the (address dependent) method of ending a connection to
1185              just close the file descriptors. This is useful when the connec‐
1186              tion is to be reused by or shared with  other  processes  (exam‐
1187              ple).
1188              Normally,  socket  connections  will  be  ended with shutdown(2)
1189              which terminates the socket even if it  is  shared  by  multiple
1190              processes.   close(2)  "unlinks" the socket from the process but
1191              keeps it active as long as there are still links from other pro‐
1192              cesses.
1193              Similarly,  when  an  address  of  type EXEC or SYSTEM is ended,
1194              socat usually will explicitly kill the sub  process.  With  this
1195              option, it will just close the file descriptors.
1196
1197       shut-none
1198              Changes  the  (address  dependent)  method  of shutting down the
1199              write part of a connection to not do anything.
1200
1201       shut-down
1202              Changes the (address dependent)  method  of  shutting  down  the
1203              write  part  of  a  connection to shutdown(fd, SHUT_WR). Is only
1204              useful with sockets.
1205
1206       shut-close
1207              Changes the (address dependent)  method  of  shutting  down  the
1208              write part of a connection to close(fd).
1209
1210       shut-null
1211              When  one  address  indicates  EOF, socat will send a zero sized
1212              packet to the write channel of the other address to transfer the
1213              EOF condition. This is useful with UDP and other datagram proto‐
1214              cols. Has been tested  against  netcat  and  socat  with  option
1215              null-eof.
1216
1217       null-eof
1218              Normally  socat  will  ignore  empty (zero size payload) packets
1219              arriving on datagram sockets, so it survives  port  scans.  With
1220              this option socat interprets empty datagram packets as EOF indi‐
1221              cator (see shut-null).
1222
1223       ioctl-void=<request>
1224              Calls ioctl() with the request value as second argument and NULL
1225              as  third argument. This option allows utilizing ioctls that are
1226              not explicitly implemented in socat.
1227
1228       ioctl-int=<request>:<value>
1229              Calls ioctl() with the request value as second argument and  the
1230              integer value as third argument.
1231
1232       ioctl-intp=<request>:<value>
1233              Calls  ioctl()  with  the request value as second argument and a
1234              pointer to the integer value as third argument.
1235
1236       ioctl-bin=<request>:<value>
1237              Calls ioctl() with the request value as second  argument  and  a
1238              pointer  to  the  given  data value as third argument. This data
1239              must be specified in <dalan> form.
1240
1241       ioctl-string=<request>:<value>
1242              Calls ioctl() with the request value as second  argument  and  a
1243              pointer to the given string as third argument.  <dalan> form.
1244
1245
1246       NAMED option group
1247
1248       These options work on file system entries.
1249       Please  note  that,  with  UNIX domain client addresses, this means the
1250       bind entry, not the target/peer entry.
1251       See also options user, group, and mode.
1252
1253       user-early=<user>
1254              Changes the <user> (owner)  of  the  file  system  entry  before
1255              accessing  it,  using  the  chown() system call. This call might
1256              require root privilege.
1257
1258       group-early=<group>
1259              Changes the <group> of the file system  entry  before  accessing
1260              it, using the chown() system call. This call might require group
1261              membership or root privilege.
1262
1263       perm-early=<mode>
1264              Changes the <mode> [mode_t] of  the  file  system  entry  before
1265              accessing  it,  using  the  chmod() system call. This call might
1266              require ownership or root privilege.
1267
1268       umask=<mode>
1269              Sets the umask of the process to <mode> [mode_t] before  access‐
1270              ing  the  file  system entry (useful with UNIX domain sockets!).
1271              This call might affect  all  further  operations  of  the  socat
1272              process!
1273
1274       unlink-early
1275              Unlinks  (removes)  the  file  before opening it and even before
1276              applying user-early etc.
1277
1278       unlink Unlinks (removes)  the  file  before  accessing  it,  but  after
1279              user-early etc.
1280
1281       unlink-late
1282              Unlinks  (removes) the file after opening it to make it inacces‐
1283              sible for other processes after a short race condition.
1284
1285       unlink-close
1286              Removes  the  addresses  file  system  entry  when  closing  the
1287              address.  For named pipes, UNIX domain sockets, and the symbolic
1288              links of pty addresses, the default is  1;  for  created  files,
1289              opened files, and generic opened files the default is 0.
1290
1291
1292       OPEN option group
1293
1294       The OPEN group options allow setting flags with the open() system call.
1295       E.g., option `creat’ sets the O_CREAT flag.
1296       See also options append and nonblock.
1297
1298       creat=<bool>
1299              Creates the file if it does not exist (example).
1300
1301       dsync=<bool>
1302              Blocks write() calls until metainfo  is  physically  written  to
1303              media.
1304
1305       excl=<bool>
1306              With option creat, if file exists this is an error.
1307
1308       largefile=<bool>
1309              On 32 bit systems, allows a file larger than 2^31 bytes.
1310
1311       noatime
1312              Sets  the  O_NOATIME  options, so reads do not change the access
1313              timestamp.
1314
1315       noctty=<bool>
1316              Does not make this file the controlling terminal.
1317
1318       nofollow=<bool>
1319              Does not follow symbolic links.
1320
1321       nshare=<bool>
1322              Does not allow sharing this file with other processes.
1323
1324       rshare=<bool>
1325              Does not allow other processes to open this file for writing.
1326
1327       rsync=<bool>
1328              Blocks write() until metainfo is physically written to media.
1329
1330       sync=<bool>
1331              Blocks write() until data is physically written to media.
1332
1333       rdonly=<bool>
1334              Opens the file for reading only.
1335
1336       wronly=<bool>
1337              Opens the file for writing only.
1338
1339       trunc  Truncates the file to size 0 during opening it.
1340
1341
1342       REG and BLK option group
1343
1344       These options are usually applied to a UN*X file descriptor, but  their
1345       semantics make sense only on a file supporting random access.
1346
1347       seek=<offset>
1348              Applies  the  lseek(fd, <offset>, SEEK_SET) (or lseek64 ) system
1349              call, thus positioning the file pointer absolutely  to  <offset>
1350              [off_t or off64_t]. Please note that a missing value defaults to
1351              1, not 0.
1352
1353       seek-cur=<offset>
1354              Applies the lseek(fd, <offset>, SEEK_CUR) (or lseek64  )  system
1355              call,  thus  positioning  the  file  pointer  <offset> [off_t or
1356              off64_t] bytes relatively to its current position (which is usu‐
1357              ally 0). Please note that a missing value defaults to 1, not 0.
1358
1359       seek-end=<offset>
1360              Applies  the  lseek(fd, <offset>, SEEK_END) (or lseek64 ) system
1361              call, thus positioning  the  file  pointer  <offset>  [off_t  or
1362              off64_t]  bytes relatively to the files current end. Please note
1363              that a missing value defaults to 1, not 0.
1364
1365       ftruncate=<offset>
1366              Applies the ftruncate(fd, <offset>) (or  ftruncate64  if  avail‐
1367              able)  system  call,  thus  truncating  the file at the position
1368              <offset> [off_t or off64_t]. Please note that  a  missing  value
1369              defaults to 1, not 0.
1370
1371       secrm=<bool>
1372
1373       unrm=<bool>
1374
1375       compr=<bool>
1376
1377       fs-sync=<bool>
1378
1379       immutable=<bool>
1380
1381       fs-append=<bool>
1382
1383       nodump=<bool>
1384
1385       fs-noatime=<bool>
1386
1387       journal-data=<bool>
1388
1389       notail=<bool>
1390
1391       dirsync=<bool>
1392              These  options  change non standard file attributes on operating
1393              systems and file systems that support these features, like Linux
1394              with  ext2fs  and successors, xfs, or reiserfs. See man 1 chattr
1395              for information on these options. Please note that  there  might
1396              be a race condition between creating the file and applying these
1397              options.
1398
1399
1400       PROCESS option group
1401
1402       Options of this group change the process  properties  instead  of  just
1403       affecting one data channel.  For EXEC and SYSTEM addresses and for LIS‐
1404       TEN and CONNECT type addresses with option FORK, these options apply to
1405       the child processes instead of the main socat process.
1406
1407       chroot=<directory>
1408              Performs  a  chroot()  operation to <directory> after processing
1409              the address (example). This call might require root privilege.
1410
1411       chroot-early=<directory>
1412              Performs a chroot() operation to <directory> before opening  the
1413              address. This call might require root privilege.
1414
1415       setgid=<group>
1416              Changes  the primary <group> of the process after processing the
1417              address. This call might require  root  privilege.  Please  note
1418              that this option does not drop other group related privileges.
1419
1420       setgid-early=<group>
1421              Like setgit but is performed before opening the address.
1422
1423       setuid=<user>
1424              Changes  the  <user> (owner) of the process after processing the
1425              address. This call might require  root  privilege.  Please  note
1426              that  this  option does not drop group related privileges. Check
1427              if option su better fits your needs.
1428
1429       setuid-early=<user>
1430              Like setuid but is performed before opening the address.
1431
1432       su=<user>
1433              Changes the <user> (owner) and groups of the process after  pro‐
1434              cessing  the  address  (example).  This  call might require root
1435              privilege.
1436
1437       su-d=<user>
1438              Short name for substuser-delayed.  Changes  the  <user>  (owner)
1439              and  groups  of  the process after processing the address (exam‐
1440              ple).  The user and his groups are retrieved before  a  possible
1441              chroot() . This call might require root privilege.
1442
1443       setpgid=<pid_t>
1444              Makes  the  process  a  member  of  the  specified process group
1445              <pid_t>. If no value is given, or if the value is 0  or  1,  the
1446              process becomes leader of a new process group.
1447
1448       setsid Makes the process the leader of a new session (example).
1449
1450
1451       READLINE option group
1452
1453       These options apply to the readline address type.
1454
1455       history=<filename>
1456              Reads and writes history from/to <filename> (example).
1457
1458       noprompt
1459              Since  version  1.4.0,  socat  per  default tries to determine a
1460              prompt - that is then passed to the readline call - by remember‐
1461              ing  the  last  incomplete line of the output. With this option,
1462              socat does not pass a prompt to  readline,  so  it  begins  line
1463              editing in the first column of the terminal.
1464
1465       noecho=<pattern>
1466              Specifies  a regular pattern for a prompt that prevents the fol‐
1467              lowing input line from being displayed on the  screen  and  from
1468              being  added  to the history.  The prompt is defined as the text
1469              that was output to the readline address after the  lastest  new‐
1470              line character and before an input character was typed. The pat‐
1471              tern  is  a  regular  expression,  e.g.   "^[Pp]assword:.*$"  or
1472              "([Uu]ser:|[Pp]assword:)". See regex(7) for details.  (example)
1473
1474       prompt=<string>
1475              Passes  the  string as prompt to the readline function. readline
1476              prints this prompt when stepping through the  history.  If  this
1477              string  matches  a constant prompt issued by an interactive pro‐
1478              gram on the other socat address, consistent look and feel can be
1479              achieved.
1480
1481
1482       APPLICATION option group
1483
1484       This  group  contains options that work at data level.  Note that these
1485       options only apply to the "raw" data transferred by socat, but  not  to
1486       protocol data used by addresses like PROXY.
1487
1488       cr     Converts  the default line termination character NL (’\n’, 0x0a)
1489              to/from CR (’\r’, 0x0d) when writing/reading on this channel.
1490
1491       crnl   Converts the default line termination character NL (’\n’,  0x0a)
1492              to/from CRNL ("\r\n", 0x0d0a) when writing/reading on this chan‐
1493              nel (example).  Note: socat simply strips all CR characters.
1494
1495       ignoreeof
1496              When EOF occurs on this channel, socat ignores it and  tries  to
1497              read more data (like "tail -f") (example).
1498
1499       readbytes=<bytes>
1500              socat  reads  only  so many bytes from this address (the address
1501              provides only so many bytes for transfer and pretends to  be  at
1502              EOF afterwards).  Must be greater than 0.
1503
1504       lockfile=<filename>
1505              If  lockfile  exists,  exits  with  error.  If lockfile does not
1506              exist, creates it and continues, unlinks lockfile on exit.
1507
1508       waitlock=<filename>
1509              If lockfile exists, waits until  it  disappears.  When  lockfile
1510              does  not  exist,  creates it and continues, unlinks lockfile on
1511              exit.
1512
1513       escape=<int>
1514              Specifies the numeric code of a character that triggers  EOF  on
1515              the  input  stream.  It  is  useful  with a terminal in raw mode
1516              (example).
1517
1518
1519       SOCKET option group
1520
1521       These options are intended for all kinds of sockets, e.g.  IP  or  UNIX
1522       domain. Most are applied with a setsockopt() call.
1523
1524       bind=<sockname>
1525              Binds  the  socket  to the given socket address using the bind()
1526              system call. The form of <sockname> is socket domain  dependent:
1527              IP4   and   IP6  allow  the  form  [hostname|hostaddress][:(ser‐
1528              vice|port)] (example), UNIX domain sockets  require  <filename>,
1529              VSOCK allow the form [cid][:(port)].
1530
1531       connect-timeout=<seconds>
1532              Abort  the  connection  attempt  after  <seconds> [timeval] with
1533              error status.
1534
1535       so-bindtodevice=<interface>
1536              Binds the socket to the given <interface>.   This  option  might
1537              require root privilege.
1538
1539       broadcast
1540              For  datagram sockets, allows sending to broadcast addresses and
1541              receiving packets addressed to broadcast addresses.
1542
1543       debug  Enables socket debugging.
1544
1545       dontroute
1546              Only communicates with directly connected peers,  does  not  use
1547              routers.
1548
1549       keepalive
1550              Enables sending keepalives on the socket.
1551
1552       linger=<seconds>
1553              Blocks  shutdown() or close() until data transfers have finished
1554              or the given timeout [int] expired.
1555
1556       oobinline
1557              Places out-of-band data in the input data stream.
1558
1559       priority=<priority>
1560              Sets the protocol defined <priority> [<int>] for outgoing  pack‐
1561              ets.
1562
1563       rcvbuf=<bytes>
1564              Sets  the  size of the receive buffer after the socket() call to
1565              <bytes> [int].  With TCP sockets, this value corresponds to  the
1566              socket’s maximal window size.
1567
1568       rcvbuf-late=<bytes>
1569              Sets  the  size of the receive buffer when the socket is already
1570              connected to <bytes> [int].  With TCP sockets, this value corre‐
1571              sponds to the socket’s maximal window size.
1572
1573       rcvlowat=<bytes>
1574              Specifies  the  minimum number of received bytes [int] until the
1575              socket layer will pass the buffered data to socat.
1576
1577       reuseaddr
1578              Allows other sockets to bind to an address even if parts  of  it
1579              (e.g. the local port) are already in use by socat (example).
1580
1581       sndbuf=<bytes>
1582              Sets  the  size  of  the  send buffer after the socket() call to
1583              <bytes> [int].
1584
1585       sndbuf-late=<bytes>
1586              Sets the size of the send buffer when the socket is connected to
1587              <bytes> [int].
1588
1589       sndlowat=<bytes>
1590              Specifies  the  minimum number of bytes in the send buffer until
1591              the socket layer will send the data to <bytes> [int].
1592
1593       pf=<string>
1594              Forces the use of the specified IP version or protocol. <string>
1595              can  be  something  like  "ip4" or "ip6". The resulting value is
1596              used as first argument to the socket()  or  socketpair()  calls.
1597              This  option  affects address resolution and the required syntax
1598              of bind and range options.
1599
1600       type=<type>
1601              Sets the type of the socket, specified as second argument to the
1602              socket() or socketpair() calls, to <type> [int]. Address resolu‐
1603              tion is not affected by  this  option.   Under  Linux,  1  means
1604              stream oriented socket, 2 means datagram socket, and 3 means raw
1605              socket.
1606
1607       protocol
1608              Sets the protocol of the socket, specified as third argument  to
1609              the socket() or socketpair() calls, to <protocol> [int]. Address
1610              resolution is not affected by this  option.   6  means  TCP,  17
1611              means UDP.
1612
1613       reuseport
1614              Set the SO_REUSEPORT socket option.
1615
1616       so-timestamp
1617              Sets  the SO_TIMESTAMP socket option. This enables receiving and
1618              logging of timestamp ancillary messages.
1619
1620       setsockopt=<level>:<optname>:<optval>
1621              Invokes setsockopt() for the socket with the  given  parameters.
1622              level [int] is used as second argument to setsockopt() and spec‐
1623              ifies  the  layer,  e.g.  SOL_TCP  for  TCP  (6  on  Linux),  or
1624              SOL_SOCKET  for  the socket layer (1 on Linux). optname [int] is
1625              the third argument to setsockopt() and tells which socket option
1626              is  to  be set. For the actual numbers you might have to look up
1627              the appropriate include files of your system. For  the  4th  and
1628              5th  setsockopt()  parameters,  value [dalan] specifies an arbi‐
1629              trary sequence of bytes that are  passed  to  the  function  per
1630              pointer, with the automatically derived length parameter.
1631
1632       setsockopt-int=<level>:<optname>:<optval>
1633              Like setsockopt, but <optval> is a pointer to int [int]
1634
1635       setsockopt-listen=<level>:<optname>:<optval>
1636              Like  setsockopt, but for listen type addresses it is applied to
1637              the listening socket instead of the connected socket.
1638
1639       setsockopt-string=<level>:<optname>:<optval>
1640              Like setsockopt, but <optval>  is  a  string.   This  string  is
1641              passed  to  the  function  with trailing null character, and the
1642              length parameter is automatically derived from the data.
1643
1644
1645       UNIX option group
1646
1647       These options apply to UNIX domain based addresses.
1648
1649       unix-tightsocklen=[0|1]
1650              On socket operations, pass a socket address length that does not
1651              include  the  whole struct sockaddr_un record but (besides other
1652              components) only the relevant part of the filename  or  abstract
1653              string. Default is 1.
1654
1655
1656       IP4 and IP6 option groups
1657
1658       These options can be used with IPv4 and IPv6 based sockets.
1659
1660       tos=<tos>
1661              Sets  the  TOS  (type  of  service) field of outgoing packets to
1662              <tos> [byte] (see RFC 791).
1663
1664       ttl=<ttl>
1665              Sets the TTL (time to live) field of outgoing packets  to  <ttl>
1666              [byte].
1667
1668       ip-options=<data>
1669              Sets  IP  options  like  source routing. Must be given in binary
1670              form, recommended format is a leading "x" followed  by  an  even
1671              number  of  hex  digits. This option may be used multiple times,
1672              data are appended.  E.g., to connect to host 10.0.0.1  via  some
1673              gateway  using  a loose source route, use the gateway as address
1674              parameter  and  set  a  loose  source  route  using  the  option
1675              ip-options=x8307040a000001 .
1676              IP options are defined in RFC 791.
1677
1678       mtudiscover=<0|1|2>
1679              Takes 0, 1, 2 to never, want, or always use path MTU discover on
1680              this socket.
1681
1682       ip-pktinfo
1683              Sets the IP_PKTINFO socket option. This  enables  receiving  and
1684              logging of ancillary messages containing destination address and
1685              interface (Linux) (example).
1686
1687       ip-recverr
1688              Sets the IP_RECVERR socket option. This  enables  receiving  and
1689              logging of ancillary messages containing detailed error informa‐
1690              tion.
1691
1692       ip-recvopts
1693              Sets the IP_RECVOPTS socket option. This enables  receiving  and
1694              logging of IP options ancillary messages (Linux, *BSD).
1695
1696       ip-recvtos
1697              Sets  the  IP_RECVTOS  socket option. This enables receiving and
1698              logging of TOS (type of service) ancillary messages (Linux).
1699
1700       ip-recvttl
1701              Sets the IP_RECVTTL socket option. This  enables  receiving  and
1702              logging of TTL (time to live) ancillary messages (Linux, *BSD).
1703
1704       ip-recvdstaddr
1705              Sets  the  IP_RECVDSTADDR  socket option. This enables receiving
1706              and logging of ancillary messages containing destination address
1707              (*BSD) (example).
1708
1709       ip-recvif
1710              Sets  the  IP_RECVIF  socket  option. This enables receiving and
1711              logging of interface ancillary messages (*BSD) (example).
1712
1713       ip-add-membership=<multicast-address:interface-address>
1714
1715       ip-add-membership=<multicast-address:interface-name>
1716
1717       ip-add-membership=<multicast-address:interface-index>
1718
1719       ip-add-membership=<multicast-address:interface-address:interface-name>
1720
1721       ip-add-membership=<multicast-address:interface-address:interface-index>
1722              Makes the socket member of the specified multicast  group.  This
1723              is  currently only implemented for IPv4. The option takes the IP
1724              address of the multicast group and info about the  desired  net‐
1725              work  interface.  The most common syntax is the first one, while
1726              the others are only available on  systems  that  provide  struct
1727              mreqn (Linux).
1728              The  indices of active network interfaces can be shown using the
1729              utility procan.
1730
1731       ip-add-source-membership=<multicast-address:inter‐
1732       face-address:source-address>
1733              Makes the socket member of the specified multicast group for the
1734              specified source, i.e. only multicast traffic from this  address
1735              is  to  be  delivered.   This  is currently only implemented for
1736              IPv4.
1737
1738       ip-multicast-if=<hostname>
1739              Specifies hostname or address of the  network  interface  to  be
1740              used for multicast traffic.
1741
1742       ip-multicast-loop=<bool>
1743              Specifies  if outgoing multicast traffic should loop back to the
1744              interface.
1745
1746       ip-multicast-ttl=<byte>
1747              Sets the TTL used for outgoing multicast traffic. Default is 1.
1748
1749       ip-transparent
1750              Sets  the  IP_TRANSPARENT  socket  option.   This  option  might
1751              require root privilege.
1752
1753       res-debug
1754
1755       res-aaonly
1756
1757       res-usevc
1758
1759       res-primary
1760
1761       res-igntc
1762
1763       res-recurse
1764
1765       res-defnames
1766
1767       res-stayopen
1768
1769       res-dnsrch
1770              These  options  set the corresponding resolver (name resolution)
1771              option flags.  Append "=0" to clear a default  option.  See  man
1772              resolver(5)  for  more information on these options. Note: these
1773              options are valid only for the address they are applied to.
1774
1775       IP6 option group
1776
1777       These options can only be used on IPv6 based sockets.  See  IP  options
1778       for options that can be applied to both IPv4 and IPv6 sockets.
1779
1780       ipv6only=<bool>
1781              Sets  the  IPV6_V6ONLY  socket  option. If 0, the TCP stack will
1782              also accept connections using IPv4 protocol on  the  same  port.
1783              The default is system dependent.
1784
1785       ipv6-recvdstopts
1786              Sets  the IPV6_RECVDSTOPTS socket option. This enables receiving
1787              and logging of ancillary  messages  containing  the  destination
1788              options.
1789
1790       ipv6-recvhoplimit
1791              Sets the IPV6_RECVHOPLIMIT socket option. This enables receiving
1792              and logging of ancillary messages containing the hoplimit.
1793
1794       ipv6-recvhopopts
1795              Sets the IPV6_RECVHOPOPTS socket option. This enables  receiving
1796              and logging of ancillary messages containing the hop options.
1797
1798       ipv6-recvpktinfo
1799              Sets  the IPV6_RECVPKTINFO socket option. This enables receiving
1800              and logging of ancillary messages containing destination address
1801              and interface.
1802
1803       ipv6-unicast-hops=link(TYPE_INT)(<int>)
1804              Sets  the  IPV6_UNICAST_HOPS  socket  option.  This sets the hop
1805              count limit (TTL) for outgoing unicast packets.
1806
1807       ipv6-recvrthdr
1808              Sets the IPV6_RECVRTHDR socket option.  This  enables  receiving
1809              and  logging  of  ancillary messages containing routing informa‐
1810              tion.
1811
1812       ipv6-tclass
1813              Sets the IPV6_TCLASS socket option. This sets the transfer class
1814              of outgoing packets.
1815
1816       ipv6-recvtclass
1817              Sets  the  IPV6_RECVTCLASS socket option. This enables receiving
1818              and logging of ancillary messages containing the transfer class.
1819
1820
1821       TCP option group
1822
1823       These options may be applied to TCP sockets. They work by invoking set‐
1824       sockopt() with the appropriate parameters.
1825
1826       cork   Doesn’t send packets smaller than MSS (maximal segment size).
1827
1828       defer-accept
1829              While  listening,  accepts  connections  only when data from the
1830              peer arrived.
1831
1832       keepcnt=<count>
1833              Sets the number of keepalives before shutting down the socket to
1834              <count> [int].
1835
1836       keepidle=<seconds>
1837              Sets  the  idle time before sending the first keepalive to <sec‐
1838              onds> [int].
1839
1840       keepintvl=<seconds>
1841              Sets the interval between two keepalives to <seconds> [int].
1842
1843       linger2=<seconds>
1844              Sets the time to keep the socket in FIN-WAIT-2  state  to  <sec‐
1845              onds> [int].
1846
1847       mss=<bytes>
1848              Sets  the  MSS (maximum segment size) after the socket() call to
1849              <bytes> [int]. This value is then proposed to the peer with  the
1850              SYN or SYN/ACK packet (example).
1851
1852       mss-late=<bytes>
1853              Sets the MSS of the socket after connection has been established
1854              to <bytes> [int].
1855
1856       nodelay
1857              Turns off the Nagle algorithm for measuring the RTT (round  trip
1858              time).
1859
1860       rfc1323
1861              Enables  RFC1323  TCP options: TCP window scale, round-trip time
1862              measurement (RTTM), and protect against wrapped sequence numbers
1863              (PAWS) (AIX).
1864
1865       stdurg Enables RFC1122 compliant urgent pointer handling (AIX).
1866
1867       syncnt=<count>
1868              Sets  the  maximal  number  of SYN retransmits during connect to
1869              <count> [int].
1870
1871       md5sig Enables generation of MD5 digests on the packets (FreeBSD).
1872
1873       noopt  Disables use of TCP options (FreeBSD, MacOSX).
1874
1875       nopush sets the TCP_NOPUSH socket option (FreeBSD, MacOSX).
1876
1877       sack-disable
1878              Disables use the selective acknowledge feature (OpenBSD).
1879
1880       signature-enable
1881              Enables generation of MD5 digests on the packets (OpenBSD).
1882
1883       abort-threshold=<milliseconds>
1884              Sets the time to wait for an answer of the  peer  on  an  estab‐
1885              lished connection (HP-UX).
1886
1887       conn-abort-threshold=<milliseconds>
1888              Sets  the  time  to  wait for an answer of the server during the
1889              initial connect (HP-UX).
1890
1891       keepinit
1892              Sets the time to wait for an answer of the  server  during  con‐
1893              nect()  before  giving up. Value in half seconds, default is 150
1894              (75s) (Tru64).
1895
1896       paws   Enables the "protect against wrapped sequence  numbers"  feature
1897              (Tru64).
1898
1899       sackena
1900              Enables selective acknowledge (Tru64).
1901
1902       tsoptena
1903              Enables  the  time stamp option that allows RTT recalculation on
1904              existing connections (Tru64).
1905
1906
1907       UDP option group
1908
1909       This option may be applied to UDP datagram sockets.
1910
1911       udp-ignore-peerport>
1912              Address UDP-DATAGRAM expects incoming responses to come from the
1913              port  specified  in  its  second parameter. With this option, it
1914              accepts packets coming from any port.
1915
1916
1917       SCTP option group
1918
1919       These options may be applied to SCTP stream sockets.
1920
1921       sctp-nodelay
1922              Sets the SCTP_NODELAY socket  option  that  disables  the  Nagle
1923              algorithm.
1924
1925       sctp-maxseg=<bytes>
1926              Sets the SCTP_MAXSEG socket option to <bytes> [int].  This value
1927              is then proposed to the peer with the SYN or SYN/ACK packet.
1928
1929
1930       UDP, TCP, and SCTP option group
1931
1932       Here we find options that are related to the network port mechanism and
1933       thus can be used with UDP, TCP, and SCTP client and server addresses.
1934
1935       sourceport=<port>
1936              For  outgoing  (client)  TCP  and  UDP  connections, it sets the
1937              source <port> using an extra bind() call.  With TCP or UDP  lis‐
1938              ten  addresses,  socat  immediately shuts down the connection if
1939              the client does not use this sourceport. UDP-RECV, UDP-RECVFROM,
1940              UDP-SENDTO, and UDP-DATAGRAM addresses ignore the packet when it
1941              does not match.  (example).
1942
1943       lowport
1944              Outgoing (client) TCP and UDP connections with this  option  use
1945              an  unused random source port between 640 and 1023 incl. On UNIX
1946              class operating systems, this requires root privilege, and  thus
1947              indicates  that  the client process is authorized by local root.
1948              TCP and UDP listen addresses with this option  immediately  shut
1949              down  the  connection if the client does not use a sourceport <=
1950              1023.  This mechanism can provide  limited  authorization  under
1951              some circumstances.
1952
1953
1954       SOCKS option group
1955
1956       When  using  SOCKS  type  addresses, some socks specific options can be
1957       set.
1958
1959       socksport=<tcp service>
1960              Overrides the default "socks" service or port 1080 for the socks
1961              server port with <TCP service>.
1962
1963       socksuser=<user>
1964              Sends  the  <user>  [string]  in the username field to the socks
1965              server. Default is the actual  user  name  ($LOGNAME  or  $USER)
1966              (example).
1967
1968
1969       HTTP option group
1970
1971       Options  that  can  be provided with HTTP type addresses. The only HTTP
1972       address currently implemented is proxy-connect.
1973
1974       proxyport=<TCP service>
1975              Overrides the default HTTP proxy port 8080 with <TCP service>.
1976
1977       ignorecr
1978              The HTTP protocol requires the use of CR+NL as line  terminator.
1979              When  a  proxy  server  violates  this standard, socat might not
1980              understand its answer.  This option directs socat to  interprete
1981              NL  as line terminator and to ignore CR in the answer. Neverthe‐
1982              less, socat sends CR+NL to the proxy.
1983
1984       proxy-authorization=<username>:<password>
1985              Provide "basic" authentication to the proxy server. The argument
1986              to the option is used with a "Proxy-Authorization: Basic" header
1987              in base64 encoded form.
1988              Note: username and password are visible for every  user  on  the
1989              local  machine  in  the  process list; username and password are
1990              transferred to the proxy server unencrypted (base64 encoded) and
1991              might be sniffed.
1992
1993       proxy-authorization-file=<filename>
1994              Like  option  proxy-authorization,  but the credentials are read
1995              from the file and therefore not visible in the process list.
1996
1997       resolve
1998              Per default, socat sends to the proxy a CONNECT request contain‐
1999              ing  the  target  hostname. With this option, socat resolves the
2000              hostname locally and sends the IP  address.  Please  note  that,
2001              according to RFC 2396, only name resolution to IPv4 addresses is
2002              implemented.
2003
2004
2005       RANGE option group
2006
2007       These options check if a connecting client should  be  granted  access.
2008       They  can  be  applied  to  listening  and  receiving  network sockets.
2009       tcp-wrappers options fall into this group.
2010
2011       range=<address-range>
2012              After accepting a connection, tests if the peer is within range.
2013              For  IPv4  addresses, address-range takes the form address/bits,
2014              e.g.   10.0.0.0/8,  or  address:mask,  e.g.   10.0.0.0:255.0.0.0
2015              (example);  for  IPv6, it is [ip6-address]/bits, e.g. [::1]/128.
2016              If the client address does not match, socat refuses the  connec‐
2017              tion attempt, issues a warning, and keeps listening/receiving.
2018
2019       tcpwrap[=<name>]
2020              Uses  Wietse Venema’s libwrap (tcpd) library to determine if the
2021              client is  allowed  to  connect.  The  configuration  files  are
2022              /etc/hosts.allow  and  /etc/hosts.deny  per  default, see "man 5
2023              hosts_access" for more information. The  optional  <name>  (type
2024              string)  is  passed  to  the wrapper functions as daemon process
2025              name (example).  If omitted, the basename of  socats  invocation
2026              (argv[0])  is  passed.   If  both  tcpwrap and range options are
2027              applied to an address, both  conditions  must  be  fulfilled  to
2028              allow the connection.
2029
2030       allow-table=<filename>
2031              Takes the specified file instead of /etc/hosts.allow.
2032
2033       deny-table=<filename>
2034              Takes the specified file instead of /etc/hosts.deny.
2035
2036       tcpwrap-etc=<directoryname>
2037              Looks for hosts.allow and hosts.deny in the specified directory.
2038              Is overridden by options hosts-allow and hosts-deny.
2039
2040
2041       LISTEN option group
2042
2043       Options specific to listening sockets.
2044
2045       backlog=<count>
2046              Sets the backlog value passed with the listen() system  call  to
2047              <count> [int]. Default is 5.
2048
2049       accept-timeout=<seconds>
2050              End  waiting  for  a  connection  after <seconds> [timeval] with
2051              error status.
2052
2053       max-children=<count>
2054              Limits the number of concurrent child processes [int].   Default
2055              is no limit.
2056
2057
2058       CHILD option group
2059
2060       Options for addresses with multiple connections via child processes.
2061
2062       fork   After  establishing a connection, handles its channel in a child
2063              process and keeps the parent process attempting to produce  more
2064              connections,  either  by  listening  or  by connecting in a loop
2065              (example).
2066              OPENSSL-CONNECT and OPENSSL-LISTEN differ in when they  actually
2067              fork  off  the  child: OPENSSL-LISTEN forks before the SSL hand‐
2068              shake, while OPENSSL-CONNECT forks afterwards.  retry  and  for‐
2069              ever options are not inherited by the child process.
2070              On  some  operating  systems (e.g. FreeBSD) this option does not
2071              work for UDP-LISTEN addresses.
2072
2073
2074       EXEC option group
2075
2076       Options for addresses that invoke a program.
2077
2078       path=<string>
2079              Overrides the PATH environment variable for searching  the  pro‐
2080              gram  with  <string>. This $PATH value is effective in the child
2081              process too.
2082
2083       login  Prefixes argv[0] for the execvp() call with ’-’, thus  making  a
2084              shell behave as login shell.
2085
2086
2087       FORK option group
2088
2089       EXEC  or  SYSTEM  addresses  invoke a program using a child process and
2090       transfer data between socat and the program. The interprocess  communi‐
2091       cation  mechanism  can  be  influenced  with the following options. Per
2092       default, a socketpair() is created and assigned to stdin and stdout  of
2093       the  child  process,  while stderr is inherited from the socat process,
2094       and the child process uses file descriptors 0 and 1  for  communicating
2095       with the main socat process.
2096
2097       nofork Does  not  fork  a subprocess for executing the program, instead
2098              calls execvp()  or  system()  directly  from  the  actual  socat
2099              instance.  This  avoids  the overhead of another process between
2100              the program and its peer, but introduces a lot of restrictions:
2101
2102       o      this option can only be applied to the second socat address.
2103
2104       o      it cannot be applied to a part of a dual address.
2105
2106       o      the first socat address cannot be OPENSSL or READLINE
2107
2108       o      socat options -b, -t, -D, -l, -v, -x become useless
2109
2110       o      for both addresses, options ignoreeof, cr, and crnl become  use‐
2111              less
2112
2113       o      for  the  second  address  (the one with option nofork), options
2114              append,  cloexec, flock, user, group, mode, nonblock, perm-late,
2115              setlk,  and  setpgid  cannot  be applied. Some of these could be
2116              used on the first address though.
2117
2118       pipes  Creates a pair of unnamed pipes for  interprocess  communication
2119              instead of a socket pair.
2120
2121       openpty
2122              Establishes  communication  with  the sub process using a pseudo
2123              terminal created with openpty() instead of the default  (socket‐
2124              pair or ptmx).
2125
2126       ptmx   Establishes  communication  with  the sub process using a pseudo
2127              terminal created by opening /dev/ptmx or /dev/ptc instead of the
2128              default (socketpair).
2129
2130       pty    Establishes  communication  with  the sub process using a pseudo
2131              terminal instead of a socket  pair.  Creates  the  pty  with  an
2132              available  mechanism. If openpty and ptmx are both available, it
2133              uses ptmx because this is POSIX compliant (example).
2134
2135       ctty   Makes the pty the controlling tty of the sub process (example).
2136
2137       stderr Directs stderr of the sub process to its output channel by  mak‐
2138              ing stderr a dup() of stdout (example).
2139
2140       fdin=<fdnum>
2141              Assigns  the  sub processes input channel to its file descriptor
2142              <fdnum> instead of stdin (0). The program started from the  sub‐
2143              process  has  to  use this fd for reading data from socat (exam‐
2144              ple).
2145
2146       fdout=<fdnum>
2147              Assigns the sub processes output channel to its file  descriptor
2148              <fdnum> instead of stdout (1). The program started from the sub‐
2149              process has to use this fd for writing data to socat (example).
2150
2151       sighup, sigint, sigquit
2152              Has socat pass signals of this type to the sub process.   If  no
2153              address has this option, socat terminates on these signals.
2154
2155
2156       TERMIOS option group
2157
2158       For   addresses  that  work  on  a  tty  (e.g.,  stdio,  file:/dev/tty,
2159       exec:...,pty), the terminal parameters  defined  in  the  UN*X  termios
2160       mechanism are made available as address option parameters.  Please note
2161       that changes of the parameters  of  your  interactive  terminal  remain
2162       effective after socat’s termination, so you might have to enter "reset"
2163       or "stty sane" in your shell afterwards.  For EXEC and SYSTEM addresses
2164       with option PTY, these options apply to the pty by the child processes.
2165
2166       b0     Disconnects the terminal.
2167
2168       b19200 Sets  the  serial line speed to 19200 baud. Some other rates are
2169              possible; use something like socat -hh |grep ’ b[1-9]’  to  find
2170              all speeds supported by your implementation.
2171              Note: On some operating systems, these options may not be avail‐
2172              able. Use ispeed or ospeed instead.
2173
2174       echo=<bool>
2175              Enables or disables local echo.
2176
2177       icanon=<bool>
2178              Sets or clears canonical mode, enabling line buffering and  some
2179              special characters.
2180
2181       raw    Sets raw mode, thus passing input and output almost unprocessed.
2182              This option is obsolete, use option rawer or cfmakeraw instead.
2183
2184       rawer  Makes terminal rawer than raw  option.  This  option  implicitly
2185              turns off echo. (example).
2186
2187       cfmakeraw
2188              Sets  raw  mode  by  invoking  cfmakeraw() or by simulating this
2189              call. This option implicitly turns off echo.
2190
2191       ignbrk=<bool>
2192              Ignores or interpretes the BREAK character (e.g., ^C)
2193
2194       brkint=<bool>
2195
2196       bs0
2197
2198       bs1
2199
2200       bsdly=<0|1>
2201
2202       clocal=<bool>
2203
2204
2205       cr0
2206       cr1
2207       cr2
2208       cr3
2209
2210              Sets the carriage return delay to 0, 1, 2, or  3,  respectively.
2211              0 means no delay, the other values are terminal dependent.
2212
2213       crdly=<0|1|2|3>
2214
2215       cread=<bool>
2216
2217       crtscts=<bool>
2218
2219
2220       cs5
2221       cs6
2222       cs7
2223       cs8
2224
2225              Sets the character size to 5, 6, 7, or 8 bits, respectively.
2226
2227       csize=<0|1|2|3>
2228
2229       cstopb=<bool>
2230              Sets two stop bits, rather than one.
2231
2232       dsusp=<byte>
2233              Sets  the  value for the VDSUSP character that suspends the cur‐
2234              rent foreground process and reactivates the  shell  (all  except
2235              Linux).
2236
2237       echoctl=<bool>
2238              Echos control characters in hat notation (e.g. ^A)
2239
2240       echoe=<bool>
2241
2242       echok=<bool>
2243
2244       echoke=<bool>
2245
2246       echonl=<bool>
2247
2248       echoprt=<bool>
2249
2250       eof=<byte>
2251
2252       eol=<byte>
2253
2254       eol2=<byte>
2255
2256       erase=<byte>
2257
2258       discard=<byte>
2259
2260       ff0
2261
2262       ff1
2263
2264       ffdly=<bool>
2265
2266       flusho=<bool>
2267
2268       hupcl=<bool>
2269
2270       icrnl=<bool>
2271
2272       iexten=<bool>
2273
2274       igncr=<bool>
2275
2276       ignpar=<bool>
2277
2278       imaxbel=<bool>
2279
2280       inlcr=<bool>
2281
2282       inpck=<bool>
2283
2284       intr=<byte>
2285
2286       isig=<bool>
2287
2288       ispeed=<unsigned-int>
2289              Set the baud rate for incoming data on this line.
2290              See also: ospeed, b19200
2291
2292       istrip=<bool>
2293
2294       iuclc=<bool>
2295
2296       ixany=<bool>
2297
2298       ixoff=<bool>
2299
2300       ixon=<bool>
2301
2302       kill=<byte>
2303
2304       lnext=<byte>
2305
2306       min=<byte>
2307
2308       nl0    Sets the newline delay to 0.
2309
2310       nl1
2311
2312       nldly=<bool>
2313
2314       noflsh=<bool>
2315
2316       ocrnl=<bool>
2317
2318       ofdel=<bool>
2319
2320       ofill=<bool>
2321
2322       olcuc=<bool>
2323
2324       onlcr=<bool>
2325
2326       onlret=<bool>
2327
2328       onocr=<bool>
2329
2330       opost=<bool>
2331              Enables  or  disables  output  processing;  e.g., converts NL to
2332              CR-NL.
2333
2334       ospeed=<unsigned-int>
2335              Set the baud rate for outgoing data on this line.
2336              See also: ispeed, b19200
2337
2338       parenb=<bool>
2339              Enable parity generation  on  output  and  parity  checking  for
2340              input.
2341
2342       parmrk=<bool>
2343
2344       parodd=<bool>
2345
2346       pendin=<bool>
2347
2348       quit=<byte>
2349
2350       reprint=<byte>
2351
2352       sane   Brings the terminal to something like a useful default state.
2353
2354       start=<byte>
2355
2356       stop=<byte>
2357
2358       susp=<byte>
2359
2360       swtc=<byte>
2361
2362       tab0
2363
2364       tab1
2365
2366       tab2
2367
2368       tab3
2369
2370       tabdly=<unsigned-int>
2371
2372       time=<byte>
2373
2374       tostop=<bool>
2375
2376       vt0
2377
2378       vt1
2379
2380       vtdly=<bool>
2381
2382       werase=<byte>
2383
2384       xcase=<bool>
2385
2386       xtabs
2387
2388       i-pop-all
2389              With UNIX System V STREAMS, removes all drivers from the stack.
2390
2391       i-push=<string>
2392              With  UNIX System V STREAMS, pushes the driver (module) with the
2393              given name (string) onto the stack. For example,  to  make  sure
2394              that a character device on Solaris supports termios etc, use the
2395              following                                               options:
2396              i-pop-all,i-push=ptem,i-push=ldterm,i-push=ttcompat
2397
2398
2399       PTY option group
2400
2401       These options are intended for use with the pty address type.
2402
2403       link=<filename>
2404              Generates  a symbolic link that points to the actual pseudo ter‐
2405              minal (pty). This might help to solve the problem that ptys  are
2406              generated  with more or less unpredictable names, making it dif‐
2407              ficult to directly access the socat generated pty automatically.
2408              With this option, the user can specify a "fix" point in the file
2409              hierarchy that helps him to access  the  actual  pty  (example).
2410              Beginning with socat version 1.4.3, the symbolic link is removed
2411              when the address is closed (but see option unlink-close).
2412
2413       wait-slave
2414              Blocks the open phase until a process opens the  slave  side  of
2415              the pty.  Usually, socat continues after generating the pty with
2416              opening the next address or with  entering  the  transfer  loop.
2417              With the wait-slave option, socat waits until some process opens
2418              the slave side of the pty before continuing.  This  option  only
2419              works  if  the operating system provides the poll() system call.
2420              And it depends on an undocumented behaviour of pty’s, so it does
2421              not  work  on  all  operating  systems. It has successfully been
2422              tested on Linux, FreeBSD, NetBSD, and on Tru64 with openpty.
2423
2424       pty-interval=<seconds>
2425              When the wait-slave option is set, socat periodically checks the
2426              HUP  condition  using poll() to find if the pty’s slave side has
2427              been opened.  The  default  polling  interval  is  1s.  Use  the
2428              pty-interval option [timeval] to change this value.
2429
2430
2431       OPENSSL option group
2432
2433       These options apply to the openssl and openssl-listen address types.
2434
2435       cipher=<cipherlist>
2436              Selects the list of ciphers that may be used for the connection.
2437              See the man page of ciphers , section CIPHER  LIST  FORMAT,  for
2438              detailed  information  about  syntax,  values,  and  default  of
2439              <cipherlist>.
2440              Several cipher strings may be given,  separated  by  ’:’.   Some
2441              simple cipher strings:
2442
2443       3DES   Uses a cipher suite with triple DES.
2444
2445       MD5    Uses a cipher suite with MD5.
2446
2447       aNULL  Uses a cipher suite without authentication.
2448
2449       NULL   Does not use encryption.
2450
2451       HIGH   Uses  a cipher suite with "high" encryption.  Note that the peer
2452              must support the selected  property,  or  the  negotiation  will
2453              fail.
2454
2455       method=<ssl-method>
2456              This  option is based on deprecated functions and is only avail‐
2457              able when socat was  build  with  option  --with-openssl-method.
2458              Sets  the  protocol  version to be used. Valid strings (not case
2459              sensitive) are:
2460
2461       SSL2   Select SSL protocol version 2.
2462
2463       SSL3   Select SSL protocol version 3.
2464
2465       SSL23  Select the best available SSL or TLS protocol.
2466
2467       TLS1   Select TLS protocol version 1.
2468
2469       TLS1.1 Select TLS protocol version 1.1.
2470
2471       TLS1.2 Select TLS protocol version 1.2.  When this option is  not  pro‐
2472              vided OpenSSL negotiates the mothod with its peer.
2473
2474       verify=<bool>
2475              Controls  check  of the peer’s certificate. Default is 1 (true).
2476              Disabling verify might open your socket for everyone, making the
2477              encryption useless!
2478
2479       cert=<filename>
2480              Specifies  the  file  with  the  certificate and private key for
2481              authentication.  The  certificate  must  be  in  OpenSSL  format
2482              (*.pem).   With  openssl-listen,  use of this option is strongly
2483              recommended. Except with cipher aNULL, "no shared ciphers" error
2484              will occur when no certificate is given.
2485
2486       key=<filename>
2487              Specifies  the file with the private key. The private key may be
2488              in this file or in the file given  with  the  cert  option.  The
2489              party  that  has  to proof that it is the owner of a certificate
2490              needs the private key.
2491
2492       dhparams=<filename>
2493              Specifies the file with the  Diffie  Hellman  parameters.  These
2494              parameters may also be in the file given with the cert option in
2495              which case the dhparams option is not needed.
2496
2497       cafile=<filename>
2498              Specifies the file with the trusted  (root)  authority  certifi‐
2499              cates.  The file must be in PEM format and should contain one or
2500              more certificates. The party that checks the  authentication  of
2501              its peer trusts only certificates that are in this file.
2502
2503       capath=<dirname>
2504              Specifies  the  directory  with the trusted (root) certificates.
2505              The directory must contain certificates in PEM format and  their
2506              hashes (see OpenSSL documentation)
2507
2508       egd=<filename>
2509              On  some  systems, openssl requires an explicit source of random
2510              data. Specify the socket name where an entropy gathering  daemon
2511              like egd provides random data, e.g. /dev/egd-pool.
2512
2513       pseudo On systems where openssl cannot find an entropy source and where
2514              no entropy gathering daemon can be utilized, this  option  acti‐
2515              vates a mechanism for providing pseudo entropy. This is achieved
2516              by taking the current time in microseconds for feeding the  libc
2517              pseudo random number generator with an initial value. openssl is
2518              then feeded with output from random() calls.
2519              NOTE:This mechanism is not sufficient for generation  of  secure
2520              keys!
2521
2522       compress
2523              Enable  or disable the use of compression for a connection. Set‐
2524              ting this to "none" disables compression, setting it  to  "auto"
2525              lets  OpenSSL  choose  the best available algorithm supported by
2526              both  parties.  The  default  is  to  not  touch  any   compres‐
2527              sion-related  settings.   NOTE: Requires OpenSSL 0.9.8 or higher
2528              and disabling compression with OpenSSL  0.9.8  affects  all  new
2529              connections in the process.
2530
2531       commonname=<string>
2532              Specify  the  commonname  that  the peer certificate must match.
2533              With OPENSSL-CONNECT address this overrides the  given  hostname
2534              or IP target address; with OPENSSL-LISTEN this turns on check of
2535              peer certificates commonname. This option has only meaning  when
2536              option  verify  is not disabled and the chosen cipher provides a
2537              peer certificate.
2538
2539       no-sni=<bool>
2540              Do not use the client side Server Name Indication (SNI)  feature
2541              that selects the desired server certificate.
2542              Note:  SNI is automatically used since socat version 1.7.4.0 and
2543              uses commonname or the given host name.
2544
2545       snihost=<string>
2546              Set the client side Server Name Indication (SNI) host name  dif‐
2547              ferent from the addressed server name or common name. This might
2548              be useful when the server certificate has multiple host names or
2549              wildcard  names because the SNI host name is passed in cleartext
2550              to the server and might be eavesdropped; with this option a mock
2551              name of the desired certificate may be transferred.
2552
2553       fips   Enables  FIPS  mode  if  compiled  in.  For  info about the FIPS
2554              encryption   implementation   standard   see   http://oss-insti
2555              tute.org/fips-faq.html.    This  mode  might  require  that  the
2556              involved certificates are generated with a FIPS enabled  version
2557              of openssl. Setting or clearing this option on one socat address
2558              affects all OpenSSL addresses of this process.
2559
2560
2561       RETRY option group
2562
2563       Options that control retry of some system calls, especially  connection
2564       attempts.
2565
2566       retry=<num>
2567              Number  of  retries  before  the connection or listen attempt is
2568              aborted.  Default is 0, which means just one attempt.
2569
2570       interval=<timespec>
2571              Time between consecutive attempts (seconds, [timespec]). Default
2572              is 1 second.
2573
2574       forever
2575              Performs an unlimited number of retry attempts.
2576
2577
2578       TUN option group
2579
2580       Options that control Linux TUN/TAP interface device addresses.
2581
2582       tun-device=<device-file>
2583              Instructs  socat  to take another path for the TUN clone device.
2584              Default is /dev/net/tun.
2585
2586       tun-name=<if-name>
2587              Gives the resulting network interface a specific name instead of
2588              the system generated (tun0, tun1, etc.)
2589
2590       tun-type=[tun|tap]
2591              Sets  the  type of the TUN device; use this option to generate a
2592              TAP device. See the Linux docu for the difference between  these
2593              types.   When  you  try  to  establish  a tunnel between two TUN
2594              devices, their types should be the same.
2595
2596       iff-no-pi
2597              Sets the IFF_NO_PI flag which controls if  the  device  includes
2598              additional  packet  information  in the tunnel.  When you try to
2599              establish a tunnel between two TUN devices, these  flags  should
2600              have the same values.
2601
2602       iff-up Sets the TUN network interface status UP. Strongly recommended.
2603
2604       iff-broadcast
2605              Sets the BROADCAST flag of the TUN network interface.
2606
2607       iff-debug
2608              Sets the DEBUG flag of the TUN network interface.
2609
2610       iff-loopback
2611              Sets the LOOPBACK flag of the TUN network interface.
2612
2613       iff-pointopoint
2614              Sets the POINTOPOINT flag of the TUN device.
2615
2616       iff-notrailers
2617              Sets the NOTRAILERS flag of the TUN device.
2618
2619       iff-running
2620              Sets the RUNNING flag of the TUN device.
2621
2622       iff-noarp
2623              Sets the NOARP flag of the TUN device.
2624
2625       iff-promisc
2626              Sets the PROMISC flag of the TUN device.
2627
2628       iff-allmulti
2629              Sets the ALLMULTI flag of the TUN device.
2630
2631       iff-master
2632              Sets the MASTER flag of the TUN device.
2633
2634       iff-slave
2635              Sets the SLAVE flag of the TUN device.
2636
2637       iff-multicast
2638              Sets the MULTICAST flag of the TUN device.
2639
2640       iff-portsel
2641              Sets the PORTSEL flag of the TUN device.
2642
2643       iff-automedia
2644              Sets the AUTOMEDIA flag of the TUN device.
2645
2646       iff-dynamic
2647              Sets the DYNAMIC flag of the TUN device.
2648
2649

DATA VALUES

2651       This  section explains the different data types that address parameters
2652       and address options can take.
2653
2654       address-range
2655              Is  currently  only  implemented  for   IPv4   and   IPv6.   See
2656              address-option `range’
2657
2658       bool   "0" or "1"; if value is omitted, "1" is taken.
2659
2660       byte   An  unsigned int number, read with strtoul() , lower or equal to
2661              UCHAR_MAX .
2662
2663       command-line
2664              A string specifying a program name and its arguments,  separated
2665              by single spaces.
2666
2667       data   This is a more general data specification. The given text string
2668              contains information about the target data type and value.  Gen‐
2669              erally  a  leading character specifies the type of the following
2670              data item. In its specific  context  a  default  data  type  may
2671              exist.
2672              Currently only the following specifications are implemented:
2673
2674       i      A signed integer number, stored in host byte order.
2675              Example:    i-1000    (Integer number -1000)
2676
2677       I      An unsigned integer number, stored in host byte order.
2678
2679       l      A signed long integer number, stored in host byte order.
2680
2681       L      An unsigned long integer number, stored in host byte order.
2682
2683       s      A signed short integer number, stored in host byte order.
2684
2685       S      An unsigned short integer number, stored in host byte order.
2686
2687       b      A signed byte (signed char).
2688
2689       B      An unsigned byte (unsigned char).
2690
2691       x      Following is an even number of hex digits, stored as sequence of
2692              bytes.
2693              Example:    x7f000001 (IP address 127.0.0.1)
2694
2695       "      Following is a string that is used with the  common  conversions
2696              \n  \r  \t  \f  \b \a \e \0; the string must be closed with ’"’.
2697              Please note that the quotes and backslashes need to  be  escaped
2698              from shell and socat conversion.
2699              Example:    "Hello world!\n"
2700
2701       ’      A  single char, with the usual conversions. Please note that the
2702              quotes and backslashes need to be escaped from shell  and  socat
2703              conversion.
2704              Example:     ’a’  Data  items  may be separated with white space
2705              without need to repeat the type specifier again.
2706
2707       directory
2708              A string with usual UN*X directory name semantics.
2709
2710       facility
2711              The name of a syslog facility in lower case characters.
2712
2713       fdnum  An unsigned int type, read with strtoul() ,  specifying  a  UN*X
2714              file descriptor.
2715
2716       filename
2717              A string with usual UN*X filename semantics.
2718
2719       group  If  the  first  character  is a decimal digit, the value is read
2720              with strtoul() as unsigned integer specifying a group id. Other‐
2721              wise, it must be an existing group name.
2722
2723       int    A  number following the rules of the strtol() function with base
2724              "0", i.e. decimal number, octal  number  with  leading  "0",  or
2725              hexadecimal  number with leading "0x". The value must fit into a
2726              C int.
2727
2728       interface
2729              A string specifying the device name of a  network  interface  as
2730              shown by ifconfig or procan, e.g. "eth0".
2731
2732       IP address
2733              An IPv4 address in numbers-and-dots notation, an IPv6 address in
2734              hex notation enclosed in brackets, or a hostname  that  resolves
2735              to an IPv4 or an IPv6 address.
2736              Examples: 127.0.0.1, [::1], www.dest-unreach.org, dns1
2737
2738       IPv4 address
2739              An  IPv4 address in numbers-and-dots notation or a hostname that
2740              resolves to an IPv4 address.
2741              Examples: 127.0.0.1, www.dest-unreach.org, dns2
2742
2743       IPv6 address
2744              An IPv6 address in hexnumbers-and-colons  notation  enclosed  in
2745              brackets, or a hostname that resolves to an IPv6 address.
2746              Examples:    [::1],   [1234:5678:9abc:def0:1234:5678:9abc:def0],
2747              ip6name.domain.org
2748
2749       long   A number read with strtol() . The value must fit into a C long.
2750
2751       long long
2752              A number read with strtoll() . The value must fit into a C  long
2753              long.
2754
2755       off_t  An implementation dependend signed number, usually 32 bits, read
2756              with strtol or strtoll.
2757
2758       off64_t
2759              An implementation dependend signed number, usually 64 bits, read
2760              with strtol or strtoll.
2761
2762       mode_t An unsigned integer, read with strtoul() , specifying mode (per‐
2763              mission) bits.
2764
2765       pid_t  A number, read with strtol() , specifying a process id.
2766
2767       port   A uint16_t (16 bit unsigned number)  specifying  a  TCP  or  UDP
2768              port, read with strtoul() .
2769
2770       protocol
2771              An unsigned 8 bit number, read with strtoul() .
2772
2773       size_t An unsigned number with size_t limitations, read with strtoul .
2774
2775       sockname
2776              A socket address. See address-option `bind’
2777
2778       string A  sequence of characters, not containing ’\0’ and, depending on
2779              the position within the command line, ’:’, ’,’,  or  "!!".  Note
2780              that  you might have to escape shell meta characters in the com‐
2781              mand line.
2782
2783       TCP service
2784              A service name, not starting with a digit, that is  resolved  by
2785              getservbyname()  ,  or  an  unsigned int 16 bit number read with
2786              strtoul() .
2787
2788       timeval
2789              A double float specifying seconds; the number is mapped  into  a
2790              struct timeval, consisting of seconds and microseconds.
2791
2792       timespec
2793              A  double  float specifying seconds; the number is mapped into a
2794              struct timespec, consisting of seconds and nanoseconds.
2795
2796       UDP service
2797              A service name, not starting with a digit, that is  resolved  by
2798              getservbyname()  ,  or  an  unsigned int 16 bit number read with
2799              strtoul() .
2800
2801       unsigned int
2802              A number read with strtoul() . The  value  must  fit  into  a  C
2803              unsigned int.
2804
2805       user   If  the  first  character  is a decimal digit, the value is read
2806              with strtoul() as unsigned integer specifying a user id.  Other‐
2807              wise, it must be an existing user name.
2808
2809       VSOCK cid
2810              A  uint32_t  (32 bit unsigned number) specifying a VSOCK Context
2811              Identifier (CID), read with strtoul() .  There are several  spe‐
2812              cial addresses: VMADDR_CID_ANY (-1U) means any address for bind‐
2813              ing; VMADDR_CID_HOST (2) is the well-known address of the host.
2814
2815       VSOCK port
2816              A uint32_t (32 bit unsigned number)  specifying  a  VSOCK  port,
2817              read with strtoul() .
2818
2819

EXAMPLES

2821       socat - TCP4:www.domain.org:80
2822
2823
2824              transfers  data  between STDIO (-) and a TCP4 connection to port
2825              80 of host www.domain.org. This example results in  an  interac‐
2826              tive  connection similar to telnet or netcat. The stdin terminal
2827              parameters are not changed, so you may close the relay  with  ^D
2828              or abort it with ^C.
2829
2830       socat -d -d READLINE,history=$HOME/.http_history \
2831       TCP4:www.domain.org:www,crnl
2832
2833              this  is  similar  to the previous example, but you can edit the
2834              current line in a bash like manner (READLINE) and use  the  his‐
2835              tory  file  .http_history;  socat prints messages about progress
2836              (-d -d). The  port is specified by service name (www), and  cor‐
2837              rect  network  line  termination characters (crnl) instead of NL
2838              are used.
2839
2840       socat TCP4-LISTEN:www TCP4:www.domain.org:www
2841
2842
2843              installs a simple TCP port forwarder. With TCP4-LISTEN  it  lis‐
2844              tens  on  local  port "www" until a connection comes in, accepts
2845              it, then connects to the remote  host  (TCP4)  and  starts  data
2846              transfer. It will not accept a second connection.
2847
2848       socat -d -d -lmlocal2 \
2849       TCP4-LISTEN:80,bind=myaddr1,reuseaddr,fork,su=nobody,range=10.0.0.0/8 \
2850       TCP4:www.domain.org:80,bind=myaddr2
2851
2852              TCP  port forwarder, each side bound to another local IP address
2853              (bind). This example handles an almost arbitrary number of  par‐
2854              allel or consecutive connections by fork’ing a new process after
2855              each accept() . It provides a little security by su’ing to  user
2856              nobody  after forking; it only permits connections from the pri‐
2857              vate 10 network (range); due to reuseaddr, it  allows  immediate
2858              restart  after  master process’s termination, even if some child
2859              sockets are not completely shut  down.   With  -lmlocal2,  socat
2860              logs to stderr until successfully reaching the accept loop. Fur‐
2861              ther logging is directed to syslog with facility local2.
2862
2863       socat TCP4-LISTEN:5555,fork,tcpwrap=script \
2864       EXEC:/bin/myscript,chroot=/home/sandbox,su-d=sandbox,pty,stderr
2865
2866              a simple  server  that  accepts  connections  (TCP4-LISTEN)  and
2867              fork’s a new child process for each connection; every child acts
2868              as single relay.  The client must match  the  rules  for  daemon
2869              process  name  "script" in /etc/hosts.allow and /etc/hosts.deny,
2870              otherwise it is refused access (see "man 5 hosts_access").   For
2871              EXEC’uting   the   program,   the   child  process  chroot’s  to
2872              /home/sandbox, su’s to user sandbox, and then starts the program
2873              /home/sandbox/bin/myscript. Socat and myscript communicate via a
2874              pseudo tty (pty); myscript’s stderr is redirected to stdout,  so
2875              its  error  messages  are transferred via socat to the connected
2876              client.
2877
2878       socat EXEC:"mail.sh target@domain.com",fdin=3,fdout=4 \
2879       TCP4:mail.relay.org:25,crnl,bind=alias1.server.org,mss=512
2880
2881              mail.sh is a shell script, distributed with socat,  that  imple‐
2882              ments  a simple SMTP client. It is programmed to "speak" SMTP on
2883              its FDs 3 (in) and 4 (out).  The fdin  and  fdout  options  tell
2884              socat  to  use  these  FDs  for  communication with the program.
2885              Because mail.sh inherits stdin and stdout while socat  does  not
2886              use  them,  the  script  can  read a mail body from stdin. Socat
2887              makes alias1 your local source address (bind), cares for correct
2888              network line termination (crnl) and sends at most 512 data bytes
2889              per packet (mss).
2890
2891       socat -,escape=0x0f /dev/ttyS0,rawer,crnl
2892
2893
2894              opens an interactive connection via the serial  line,  e.g.  for
2895              talking  with a modem. rawer sets the console’s and ttyS0’s ter‐
2896              minal parameters to practicable values, crnl converts to correct
2897              newline  characters. escape allows terminating the socat process
2898              with character control-O.  Consider using  READLINE  instead  of
2899              the first address.
2900
2901       socat UNIX-LISTEN:/tmp/.X11-unix/X1,fork \
2902       SOCKS4:host.victim.org:127.0.0.1:6000,socksuser=nobody,sourceport=20
2903
2904              with  UNIX-LISTEN,  socat  opens  a listening UNIX domain socket
2905              /tmp/.X11-unix/X1. This path corresponds to local  XWindow  dis‐
2906              play  :1  on your machine, so XWindow client connections to DIS‐
2907              PLAY=:1 are accepted. Socat then speaks with the  SOCKS4  server
2908              host.victim.org  that  might  permit sourceport 20 based connec‐
2909              tions due to an FTP related weakness in its static  IP  filters.
2910              Socat  pretends  to be invoked by socksuser nobody, and requests
2911              to be connected to loopback port 6000 (only weak sockd  configu‐
2912              rations  will allow this). So we get a connection to the victims
2913              XWindow server and, if it does not require MIT cookies  or  Ker‐
2914              beros  authentication, we can start work. Please note that there
2915              can only be one connection at a time, because TCP can  establish
2916              only one session with a given set of addresses and ports.
2917
2918       socat -u /tmp/readdata,seek-end=0,ignoreeof -
2919
2920
2921              this  is an example for unidirectional data transfer (-u). Socat
2922              transfers data from file /tmp/readdata (implicit address GOPEN),
2923              starting at its current end (seek-end=0 lets socat start reading
2924              at current end of file; use seek=0 or no seek  option  to  first
2925              read  the  existing  data) in a "tail -f" like mode (ignoreeof).
2926              The "file" might also be a listening UNIX domain socket (do  not
2927              use a seek option then).
2928
2929       (sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1) |
2930       socat - EXEC:'ssh -l user server',pty,setsid,ctty
2931
2932              EXEC’utes an ssh session to server. Uses a pty for communication
2933              between socat and ssh, makes it ssh’s  controlling  tty  (ctty),
2934              and makes this pty the owner of a new process group (setsid), so
2935              ssh accepts the password from socat.
2936
2937       socat -u TCP4-LISTEN:3334,reuseaddr,fork \
2938       OPEN:/tmp/in.log,creat,append
2939
2940              implements a simple network based message collector.   For  each
2941              client connecting to port 3334, a new child process is generated
2942              (option fork).  All data sent by the clients  are  append’ed  to
2943              the file /tmp/in.log.  If the file does not exist, socat creat’s
2944              it.  Option reuseaddr allows immediate  restart  of  the  server
2945              process.
2946
2947       socat READLINE,noecho=’[Pp]assword:’ EXEC:’ftp ftp.server.com’,pty,set‐
2948       sid,ctty
2949
2950
2951              wraps a command line history (READLINE) around the EXEC’uted ftp
2952              client  utility.   This allows editing and reuse of FTP commands
2953              for relatively comfortable browsing through  the  ftp  directory
2954              hierarchy.  The password is echoed!  pty is required to have ftp
2955              issue a prompt.  Nevertheless, there may  occur  some  confusion
2956              with the password and FTP prompts.
2957
2958       socat PTY,link=$HOME/dev/vmodem0,rawer,wait-slave \
2959       EXEC:"ssh modemserver.us.org socat - /dev/ttyS0,nonblock,rawer"
2960
2961              generates  a pseudo terminal device (PTY) on the client that can
2962              be reached under the symbolic link $HOME/dev/vmodem0.  An appli‐
2963              cation  that expects a serial line or modem can be configured to
2964              use $HOME/dev/vmodem0; its traffic will be directed to a  modem‐
2965              server  via  ssh  where  another  socat  instance  links  it  to
2966              /dev/ttyS0.
2967
2968       socat TCP4-LISTEN:2022,reuseaddr,fork \
2969       PROXY:proxy:www.domain.org:22,proxyport=3128,proxyauth=user:pass
2970
2971              starts a forwarder that accepts connections on  port  2022,  and
2972              directs  them  through  the  proxy daemon listening on port 3128
2973              (proxyport) on host proxy, using the CONNECT method, where  they
2974              are  authenticated  as "user" with "pass" (proxyauth). The proxy
2975              should establish connections to host www.domain.org on  port  22
2976              then.
2977
2978       socat - SSL:server:4443,cafile=server.crt,cert=client.pem
2979
2980
2981              is an OpenSSL client that tries to establish a secure connection
2982              to an SSL server. Option cafile specifies a file  that  contains
2983              trust  certificates:  we  trust the server only when it presents
2984              one of these certificates and proofs that it  owns  the  related
2985              private key.  Otherwise the connection is terminated.  With cert
2986              a file containing the client certificate and the associated pri‐
2987              vate  key  is  specified.  This  is  required in case the server
2988              wishes a client authentication; many Internet servers do not.
2989              The first address (’-’) can be  replaced  by  almost  any  other
2990              socat address.
2991
2992       socat                                        OPENSSL-LISTEN:4443,reuse‐
2993       addr,pf=ip4,fork,cert=server.pem,cafile=client.crt PIPE
2994
2995
2996              is an OpenSSL server that accepts TCP connections, presents  the
2997              certificate  from  the  file server.pem and forces the client to
2998              present a certificate that is verified against cafile.crt.
2999              The second address (’PIPE’) can be replaced by almost any  other
3000              socat address.
3001              For instructions on generating and distributing OpenSSL keys and
3002              certificates see the additional socat docu socat-openssl.txt.
3003
3004       echo |socat -u - file:/tmp/bigfile,create,largefile,seek=100000000000
3005
3006
3007              creates a 100GB sparse file; this requires a  file  system  type
3008              that supports this (ext2, ext3, reiserfs, jfs; not minix, vfat).
3009              The operation of writing 1 byte might take long (reiserfs:  some
3010              minutes;  ext2:  "no"  time), and the resulting file can consume
3011              some disk space with  just  its  inodes  (reiserfs:  2MB;  ext2:
3012              16KB).
3013
3014       socat tcp-l:7777,reuseaddr,fork system:’filan -i 0 -s >&2’,nofork
3015
3016
3017              listens  for  incoming  TCP  connections  on port 7777. For each
3018              accepted connection, invokes a shell. This shell has  its  stdin
3019              and  stdout  directly connected to the TCP socket (nofork).  The
3020              shell starts filan and lets it print  the  socket  addresses  to
3021              stderr (your terminal window).
3022
3023       echo         -e         "\0\14\0\0\c"         |socat        -u        -
3024       file:/usr/bin/squid.exe,seek=0x00074420
3025
3026
3027              functions as primitive binary editor: it writes the 4 bytes  000
3028              014   000   000  to  the  executable  /usr/bin/squid  at  offset
3029              0x00074420 (this is a real world patch to make  the  squid  exe‐
3030              cutable from Cygwin run under Windows, actual per May 2004).
3031
3032       socat - tcp:www.blackhat.org:31337,readbytes=1000
3033
3034
3035              connects to an unknown service and prevents being flooded.
3036
3037       socat -U TCP:target:9999,end-close TCP-L:8888,reuseaddr,fork
3038
3039
3040              merges  data arriving from different TCP streams on port 8888 to
3041              just one stream to target:9999. The  end-close  option  prevents
3042              the child processes forked off by the second address from termi‐
3043              nating the shared connection to 9999 (close(2) just unlinks  the
3044              inode  which  stays  active as long as the parent process lives;
3045              shutdown(2) would actively terminate the connection).
3046
3047       socat           -           UDP4-DATAGRAM:192.168.1.0:123,sp=123,broad‐
3048       cast,range=192.168.1.0/24
3049
3050
3051              sends a broadcast to the network 192.168.1.0/24 and receives the
3052              replies of the timeservers there. Ignores NTP packets from hosts
3053              outside this network.
3054
3055       socat                           -                          SOCKET-DATA‐
3056       GRAM:2:2:17:x007bxc0a80100x0000000000000000,bind=x007bx00000000x0000000000000000,set‐
3057       sock‐
3058       opt-int=1:6:1,range=x0000xc0a80100x0000000000000000:x0000xffffff00x0000000000000000
3059
3060
3061              is  semantically  equivalent  to  the  previous example, but all
3062              parameters are specified in generic form. the value  6  of  set‐
3063              sockopt-int is the Linux value for SO_BROADCAST.
3064
3065       socat - IP4-DATAGRAM:255.255.255.255:44,broadcast,range=10.0.0.0/8
3066
3067
3068              sends  a  broadcast  to  the local network(s) using protocol 44.
3069              Accepts replies from the private address range only.
3070
3071       socat    -     UDP4-DATAGRAM:224.255.0.1:6666,bind=:6666,ip-add-member‐
3072       ship=224.255.0.1:eth0
3073
3074
3075              transfers  data  from  stdin  to the specified multicast address
3076              using UDP. Both local and  remote  ports  are  6666.  Tells  the
3077              interface  eth0  to  also  accept multicast packets of the given
3078              group. Multiple hosts on the local network can run this command,
3079              so all data sent by any of the hosts will be received by all the
3080              other ones. Note that there are many possible reasons for  fail‐
3081              ure,  including  IP-filters,  routing  issues,  wrong  interface
3082              selection by the operating system, bridges, or a  badly  config‐
3083              ured switch.
3084
3085       socat UDP:host2:4443 TUN:192.168.255.1/24,up
3086
3087
3088              establishes  one  side  of  a virtual (but not private!) network
3089              with host2 where a similar process might run, with UDP-L and tun
3090              address  192.168.255.2.  They  can  reach  each  other using the
3091              addresses 192.168.255.1 and 192.168.255.2. Note  that  streaming
3092              eg.via TCP or SSL does not guarantee to retain packet boundaries
3093              and might thus cause packet loss.
3094
3095       socat - VSOCK-CONNECT:2:1234
3096
3097
3098              establishes a VSOCK connection with the  host  (host  is  always
3099              reachable with the well-know CID=2) on 1234 port.
3100
3101       socat - VSOCK-LISTEN:1234
3102
3103
3104              listens for a VSOCK connection on 1234 port.
3105
3106       socat - VSOCK-CONNECT:31:4321,bind:5555
3107
3108
3109              establishes  a  VSOCK connection with the guest that have CID=31
3110              on 1234 port, binding the local socket to the 5555 port.
3111
3112       socat VSOCK-LISTEN:3333,reuseaddr,fork VSOCK-CONNECT:42,3333
3113
3114
3115              starts a forwarder that accepts VSOCK connections on port  3333,
3116              and directs them to the guest with CID=42 on the same port.
3117
3118       socat VSOCK-LISTEN:22,reuseaddr,fork TCP:localhost:22
3119
3120
3121              forwards VSOCK connections from 22 port to the local SSH server.
3122              Running this in a VM allows you to connect via SSH from the host
3123              using VSOCK, as in the example below.
3124
3125       socat TCP4-LISTEN:22222,reuseaddr,fork VSOCK-CONNECT:33:22
3126
3127
3128              forwards  TCP  connections  from  22222  port  to the guest with
3129              CID=33 listening on VSOCK port 22.  Running this  in  the  host,
3130              allows  you to connect via SSH running "ssh -p 22222 user@local‐
3131              host", if the guest runs the example above.
3132
3133       socat PTY,link=/var/run/ppp,rawer INTERFACE:hdlc0
3134
3135
3136              circumvents the problem that pppd requires a serial  device  and
3137              thus  might  not  be  able to work on a synchronous line that is
3138              represented by a network device.  socat creates a  PTY  to  make
3139              pppd happy, binds to the network interface hdlc0, and can trans‐
3140              fer data between both devices. Use pppd on  device  /var/run/ppp
3141              then.
3142
3143       socat  -T  1  -d  -d  TCP-L:10081,reuseaddr,fork,crlf  SYSTEM:"echo  -e
3144       \"\\\"HTTP/1.0    200    OK\\\nDocumentType:    text/plain\\\n\\\ndate:
3145       \$\(date\)\\\nserver:\$SOCAT_SOCKADDR:\$SOCAT_SOCKPORT\\\nclient:
3146       \$SOCAT_PEERADDR:\$SOCAT_PEERPORT\\\n\\\"\";     cat;      echo      -e
3147       \"\\\"\\\n\\\"\""
3148
3149
3150              creates  a  simple  HTTP echo server: each HTTP client that con‐
3151              nects gets a valid HTTP reply that  contains  information  about
3152              the  client  address  and port as it is seen by the server host,
3153              the host address (which might vary on multihomed  servers),  and
3154              the original client request.
3155
3156       socat    -d   -d   UDP4-RECVFROM:9999,so-broadcast,so-timestamp,ip-pkt‐
3157       info,ip-recverr,ip-recvopts,ip-recvtos,ip-recvttl!!-    SYSTEM:’export;
3158       sleep 1’ |grep SOCAT
3159
3160
3161              waits  for  an  incoming  UDP packet on port 9999 and prints the
3162              environment variables provided by socat. On  BSD  based  systems
3163              you  have  to  replace ip-pktinfo with ip-recvdstaddr,ip-recvif.
3164              Especially interesting is SOCAT_IP_DSTADDR: it contains the tar‐
3165              get  address of the packet which may be a unicast, multicast, or
3166              broadcast address.
3167
3168       echo  -e   "M-SEARCH   *   HTTP/1.1\nHOST:   239.255.255.250:1900\nMAN:
3169       \"ssdp:discover\"\nMX:  4\nST:  \"ssdp:all\"\n"  |./socat  -  UDP-DATA‐
3170       GRAM:239.255.255.250:1900,crlf
3171
3172
3173              sends an SSDP (Simple Service Discovery Protocol) query  to  the
3174              local network and collects and outputs the answers received.
3175
3176
3177
3178

DIAGNOSTICS

3180       Socat uses a logging mechanism that allows filtering messages by sever‐
3181       ity. The severities provided are more or less compatible to the  appro‐
3182       priate  syslog  priority.  With one or up to four occurrences of the -d
3183       command line option, the lowest priority of messages  that  are  issued
3184       can  be  selected.  Each  message contains a single uppercase character
3185       specifying the messages severity (one of F, E, W, N, I, or D)
3186
3187       FATAL: Conditions that require unconditional and immediate program ter‐
3188              mination.
3189
3190       ERROR: Conditions  that  prevent proper program processing. Usually the
3191              program is terminated (see option -s).
3192
3193       WARNING:
3194              Something did not function correctly or is in a state where cor‐
3195              rect  further processing cannot be guaranteed, but might be pos‐
3196              sible.
3197
3198       NOTICE:
3199              Interesting actions of the program, e.g. for  supervising  socat
3200              in some kind of server mode.
3201
3202       INFO:  Description  of what the program does, and maybe why it happens.
3203              Allows monitoring the lifecycles of file descriptors.
3204
3205       DEBUG: Description of how the program  works,  all  system  or  library
3206              calls and their results.
3207
3208
3209       Log messages can be written to stderr, to a file, or to syslog.
3210
3211       On exit, socat gives status 0 if it terminated due to EOF or inactivity
3212       timeout, with a positive value on error, and with a negative  value  on
3213       fatal error.
3214

FILES

3216       /usr/bin/socat
3217       /usr/bin/filan
3218       /usr/bin/procan
3219

ENVIRONMENT VARIABLES

3221       Input variables carry information from the environment to socat, output
3222       variables are set by socat for use in executed scripts and programs.
3223
3224       In the output variables beginning with "SOCAT" this prefix is  actually
3225       replaced  by  the  upper  case  name  of the executable or the value of
3226       option -lp.
3227
3228       SOCAT_DEFAULT_LISTEN_IP (input)
3229              (Values 4 or 6) Sets the IP version to be used for listen, recv,
3230              and  recvfrom  addresses  if  no  pf (protocol-family) option is
3231              given. Is overridden by socat options -4 or -6.
3232
3233       SOCAT_PREFERRED_RESOLVE_IP (input)
3234              (Values 0, 4, or 6) Sets the IP version to be used when  resolv‐
3235              ing  target  host names when version is not specified by address
3236              type, option pf (protocol-family), or address  format.  If  name
3237              resolution  does  not  return a matching entry, the first result
3238              (with differing IP version) is taken. With value 0, socat always
3239              selects the first record and its IP version.
3240
3241       SOCAT_FORK_WAIT (input)
3242              Specifies  the time (seconds) to sleep the parent and child pro‐
3243              cesses after successful fork(). Useful for debugging.
3244
3245       SOCAT_VERSION (output)
3246              Socat sets this variable to its version string,  e.g.  "1.7.0.0"
3247              for  released  versions  or  e.g. "1.6.0.1+envvar" for temporary
3248              versions; can be used in scripts invoked by socat.
3249
3250       SOCAT_PID (output)
3251              Socat sets this variable to its process  id.  In  case  of  fork
3252              address  option,  SOCAT_PID gets the child processes id. Forking
3253              for exec and system does not change SOCAT_PID.
3254
3255       SOCAT_PPID (output)
3256              Socat sets this variable to its process id.  In  case  of  fork,
3257              SOCAT_PPID keeps the pid of the master process.
3258
3259       SOCAT_PEERADDR (output)
3260              With   passive   socket   addresses  (all  LISTEN  and  RECVFROM
3261              addresses), this variable is set  to  a  string  describing  the
3262              peers socket address. Port information is not included.
3263
3264       SOCAT_PEERPORT (output)
3265              With  appropriate passive socket addresses (TCP, UDP, and SCTP -
3266              LISTEN and RECVFROM), this variable is set to a string  contain‐
3267              ing the number of the peer port.
3268
3269       SOCAT_SOCKADDR (output)
3270              With  all  LISTEN  addresses,  this  variable is set to a string
3271              describing the local socket address.  Port  information  is  not
3272              included example
3273
3274       SOCAT_SOCKPORT (output)
3275              With  TCP-LISTEN,  UDP-LISTEN,  and  SCTP-LISTEN addresses, this
3276              variable is set to the local port.
3277
3278       SOCAT_TIMESTAMP (output)
3279              With all RECVFROM addresses where address option so-timestamp is
3280              applied, socat sets this variable to the resulting timestamp.
3281
3282       SOCAT_IP_OPTIONS (output)
3283              With  all  IPv4  based  RECVFROM  addresses where address option
3284              ip-recvopts is applied, socat fills this variable  with  the  IP
3285              options of the received packet.
3286
3287       SOCAT_IP_DSTADDR (output)
3288              With  all  IPv4  based  RECVFROM  addresses where address option
3289              ip-recvdstaddr (BSD) or ip-pktinfo (other platforms) is applied,
3290              socat  sets  this  variable  to  the  destination address of the
3291              received packet. This is particularly useful to identify  broad‐
3292              cast and multicast addressed packets.
3293
3294       SOCAT_IP_IF (output)
3295              With  all  IPv4  based  RECVFROM  addresses where address option
3296              ip-recvif (BSD) or  ip-pktinfo  (other  platforms)  is  applied,
3297              socat  sets this variable to the name of the interface where the
3298              packet was received.
3299
3300       SOCAT_IP_LOCADDR (output)
3301              With all IPv4 based  RECVFROM  addresses  where  address  option
3302              ip-pktinfo  is  applied, socat sets this variable to the address
3303              of the interface where the packet was received.
3304
3305       SOCAT_IP_TOS (output)
3306              With all IPv4 based  RECVFROM  addresses  where  address  option
3307              ip-recvtos is applied, socat sets this variable to the TOS (type
3308              of service) of the received packet.
3309
3310       SOCAT_IP_TTL (output)
3311              With all IPv4 based  RECVFROM  addresses  where  address  option
3312              ip-recvttl is applied, socat sets this variable to the TTL (time
3313              to live) of the received packet.
3314
3315       SOCAT_IPV6_HOPLIMIT (output)
3316              With all IPv6 based  RECVFROM  addresses  where  address  option
3317              ipv6-recvhoplimit  is  applied,  socat sets this variable to the
3318              hoplimit value of the received packet.
3319
3320       SOCAT_IPV6_DSTADDR (output)
3321              With all IPv6 based  RECVFROM  addresses  where  address  option
3322              ipv6-recvpktinfo  is  applied,  socat  sets this variable to the
3323              destination address of the received packet.
3324
3325       SOCAT_IPV6_TCLASS (output)
3326              With all IPv6 based  RECVFROM  addresses  where  address  option
3327              ipv6-recvtclass  is  applied,  socat  sets  this variable to the
3328              transfer class of the received packet.
3329
3330       SOCAT_OPENSSL_X509_ISSUER (output)
3331              Issuer field from peer certificate
3332
3333       SOCAT_OPENSSL_X509_SUBJECT (output)
3334              Subject field from peer certificate
3335
3336       SOCAT_OPENSSL_X509_COMMONNAME (output)
3337              commonName entries from peer certificates subject. Multiple val‐
3338              ues are separated by " // ".
3339
3340       SOCAT_OPENSSL_X509_* (output)
3341              all other entries from peer certificates subject
3342
3343       SOCAT_OPENSSL_X509V3_DNS (output)
3344              DNS  entries  from peer certificates extensions - subjectAltName
3345              field. Multiple values are separated by " // ".
3346
3347       HOSTNAME (input)
3348              Is used to determine the hostname for logging (see -lh).
3349
3350       LOGNAME (input)
3351              Is used as name for the socks client user name if  no  socksuser
3352              is given.
3353              With options su and su-d, LOGNAME is set to the given user name.
3354
3355       USER (input)
3356              Is  used  as name for the socks client user name if no socksuser
3357              is given and LOGNAME is empty.
3358              With options su and su-d, USER is set to the given user name.
3359
3360       SHELL (output)
3361              With options su and su-d, SHELL is set to the login shell of the
3362              given user.
3363
3364       PATH (output)
3365              Can be set with option path for exec and system addresses.
3366
3367       HOME (output)
3368              With  options  su and su-d, HOME is set to the home directory of
3369              the given user.
3370

CREDITS

3372       The work of the following groups and organizations was  invaluable  for
3373       this project:
3374
3375       The  FSF (GNU, http://www.fsf.org/ project with their free and portable
3376       development software and lots of other useful tools and libraries.
3377
3378       The Linux developers community (http://www.linux.org/) for providing  a
3379       free, open source operating system.
3380
3381       The Open Group (http://www.unix-systems.org/) for making their standard
3382       specifications available on the Internet for free.
3383

VERSION

3385       This man page describes version 1.7.4 of socat.
3386

BUGS

3388       Addresses cannot be nested, so a single  socat  process  cannot,  e.g.,
3389       drive ssl over socks.
3390
3391       Address option ftruncate without value uses default 1 instead of 0.
3392
3393       Verbose modes (-x and/or -v) display line termination characters incon‐
3394       sistently when address options cr or crnl are used: They show the  data
3395       after conversion in either direction.
3396
3397       The  data transfer blocksize setting (-b) is ignored with address read‐
3398       line.
3399
3400       Send bug reports to <socat@dest-unreach.org>
3401

SEE ALSO

3403       nc(1), rinetd(8), openssl(1), stunnel(8), rlwrap(1), setsid(1)
3404
3405       Socat home page http://www.dest-unreach.org/socat/
3406

AUTHOR

3408       Gerhard Rieger <rieger@dest-unreach.org> and contributors
3409
3410
3411
3412                                                                      socat(1)
Impressum