1socat(1) socat(1)
2
3
4
6 socat - Multipurpose relay (SOcket CAT)
7
9 socat [options] <address> <address>
10 socat -V
11 socat -h[h[h]] | -?[?[?]]
12 filan
13 procan
14
16 Socat is a command line based utility that establishes two bidirec‐
17 tional byte streams and transfers data between them. Because the
18 streams can be constructed from a large set of different types of data
19 sinks and sources (see address types), and because lots of address op‐
20 tions may be applied to the streams, socat can be used for many differ‐
21 ent purposes.
22
23 Filan is a utility that prints information about its active file de‐
24 scriptors to stdout. It has been written for debugging socat, but might
25 be useful for other purposes too. Use the -h option to find more infos.
26
27 Procan is a utility that prints information about process parameters to
28 stdout. It has been written to better understand some UNIX process
29 properties and for debugging socat, but might be useful for other pur‐
30 poses too.
31
32 The life cycle of a socat instance typically consists of four phases.
33
34 In the init phase, the command line options are parsed and logging is
35 initialized.
36
37 During the open phase, socat opens the first address and afterwards the
38 second address. These steps are usually blocking; thus, especially for
39 complex address types like socks, connection requests or authentication
40 dialogs must be completed before the next step is started.
41
42 In the transfer phase, socat watches both streams’ read and write file
43 descriptors via select() , and, when data is available on one side and
44 can be written to the other side, socat reads it, performs newline
45 character conversions if required, and writes the data to the write
46 file descriptor of the other stream, then continues waiting for more
47 data in both directions.
48
49 When one of the streams effectively reaches EOF, the closing phase be‐
50 gins. Socat transfers the EOF condition to the other stream, i.e. tries
51 to shutdown only its write stream, giving it a chance to terminate
52 gracefully. For a defined time socat continues to transfer data in the
53 other direction, but then closes all remaining channels and terminates.
54
56 Socat provides some command line options that modify the behaviour of
57 the program. They have nothing to do with so called address options
58 that are used as parts of address specifications.
59
60 -V Print version and available feature information to stdout, and
61 exit.
62
63 -h | -?
64 Print a help text to stdout describing command line options and
65 available address types, and exit.
66
67 -hh | -??
68 Like -h, plus a list of the short names of all available address
69 options. Some options are platform dependend, so this output is
70 helpful for checking the particular implementation.
71
72 -hhh | -???
73 Like -hh, plus a list of all available address option names.
74
75 -d Without this option, only fatal and error messages are gener‐
76 ated; applying this option also prints warning messages. See DI‐
77 AGNOSTICS for more information.
78
79 -d -d Prints fatal, error, warning, and notice messages.
80
81 -d -d -d
82 Prints fatal, error, warning, notice, and info messages.
83
84 -d -d -d -d
85 Prints fatal, error, warning, notice, info, and debug messages.
86
87 -D Logs information about file descriptors before starting the
88 transfer phase.
89
90 -ly[<facility>]
91 Writes messages to syslog instead of stderr; severity as defined
92 with -d option. With optional <facility>, the syslog type can be
93 selected, default is "daemon". Third party libraries might not
94 obey this option.
95
96 -lf <logfile>
97 Writes messages to <logfile> [filename] instead of stderr. Some
98 third party libraries, in particular libwrap, might not obey
99 this option.
100
101 -ls Writes messages to stderr (this is the default). Some third
102 party libraries might not obey this option, in particular lib‐
103 wrap appears to only log to syslog.
104
105 -lp<progname>
106 Overrides the program name printed in error messages and used
107 for constructing environment variable names.
108
109 -lu Extends the timestamp of error messages to microsecond resolu‐
110 tion. Does not work when logging to syslog.
111
112 -lm[<facility>]
113 Mixed log mode. During startup messages are printed to stderr;
114 when socat starts the transfer phase loop or daemon mode (i.e.
115 after opening all streams and before starting data transfer, or,
116 with listening sockets with fork option, before the first accept
117 call), it switches logging to syslog. With optional <facility>,
118 the syslog type can be selected, default is "daemon".
119
120 -lh Adds hostname to log messages. Uses the value from environment
121 variable HOSTNAME or the value retrieved with uname() if HOST‐
122 NAME is not set.
123
124 -v Writes the transferred data not only to their target streams,
125 but also to stderr. The output format is text with some conver‐
126 sions for readability, and prefixed with "> " or "< " indicating
127 flow directions.
128
129 -x Writes the transferred data not only to their target streams,
130 but also to stderr. The output format is hexadecimal, prefixed
131 with "> " or "< " indicating flow directions. Can be combined
132 with -v .
133
134 -r <file>
135 Dumps the raw (binary) data flowing from left to right address
136 to the given file.
137
138 -R <file>
139 Dumps the raw (binary) data flowing from right to left address
140 to the given file.
141
142 -b<size>
143 Sets the data transfer block <size> [size_t]. At most <size>
144 bytes are transferred per step. Default is 8192 bytes.
145
146 -s By default, socat terminates when an error occurred to prevent
147 the process from running when some option could not be applied.
148 With this option, socat is sloppy with errors and tries to con‐
149 tinue. Even with this option, socat will exit on fatals, and
150 will abort connection attempts when security checks failed.
151
152 -t<timeout>
153 When one channel has reached EOF, the write part of the other
154 channel is shut down. Then, socat waits <timeout> [timeval] sec‐
155 onds before terminating. Default is 0.5 seconds. This timeout
156 only applies to addresses where write and read part can be
157 closed independently. When during the timeout interval the read
158 part gives EOF, socat terminates without awaiting the timeout.
159
160 -T<timeout>
161 Total inactivity timeout: when socat is already in the transfer
162 loop and nothing has happened for <timeout> [timeval] seconds
163 (no data arrived, no interrupt occurred...) then it terminates.
164 Useful with protocols like UDP that cannot transfer EOF.
165
166 -u Uses unidirectional mode. The first address is only used for
167 reading, and the second address is only used for writing (exam‐
168 ple).
169
170 -U Uses unidirectional mode in reverse direction. The first address
171 is only used for writing, and the second address is only used
172 for reading.
173
174 -g During address option parsing, don’t check if the option is con‐
175 sidered useful in the given address environment. Use it if you
176 want to force, e.g., appliance of a socket option to a serial
177 device.
178
179 -L<lockfile>
180 If lockfile exists, exits with error. If lockfile does not ex‐
181 ist, creates it and continues, unlinks lockfile on exit.
182
183 -W<lockfile>
184 If lockfile exists, waits until it disappears. When lockfile
185 does not exist, creates it and continues, unlinks lockfile on
186 exit.
187
188 -4 Use IP version 4 in case that the addresses do not implicitly or
189 explicitly specify a version; this is the default.
190
191 -6 Use IP version 6 in case that the addresses do not implicitly or
192 explicitly specify a version.
193
194
196 With the address command line arguments, the user gives socat instruc‐
197 tions and the necessary information for establishing the byte streams.
198
199 An address specification usually consists of an address type keyword,
200 zero or more required address parameters separated by ’:’ from the key‐
201 word and from each other, and zero or more address options separated by
202 ’,’.
203
204 The keyword specifies the address type (e.g., TCP4, OPEN, EXEC). For
205 some keywords there exist synonyms (’-’ for STDIO, TCP for TCP4). Key‐
206 words are case insensitive. For a few special address types, the key‐
207 word may be omitted: Address specifications starting with a number are
208 assumed to be FD (raw file descriptor) addresses; if a ’/’ is found be‐
209 fore the first ’:’ or ’,’, GOPEN (generic file open) is assumed.
210
211 The required number and type of address parameters depend on the ad‐
212 dress type. E.g., TCP4 requires a server specification (name or ad‐
213 dress), and a port specification (number or service name).
214
215 Zero or more address options may be given with each address. They in‐
216 fluence the address in some ways. Options consist of an option keyword
217 or an option keyword and a value, separated by ’=’. Option keywords are
218 case insensitive. For filtering the options that are useful with an
219 address type, each option is member of one option group. For each ad‐
220 dress type there is a set of option groups allowed. Only options be‐
221 longing to one of these address groups may be used (except with option
222 -g).
223
224 Address specifications following the above schema are also called sin‐
225 gle address specifications. Two single addresses can be combined with
226 "!!" to form a dual type address for one channel. Here, the first ad‐
227 dress is used by socat for reading data, and the second address for
228 writing data. There is no way to specify an option only once for being
229 applied to both single addresses.
230
231 Usually, addresses are opened in read/write mode. When an address is
232 part of a dual address specification, or when option -u or -U is used,
233 an address might be used only for reading or for writing. Considering
234 this is important with some address types.
235
236 With socat version 1.5.0 and higher, the lexical analysis tries to han‐
237 dle quotes and parenthesis meaningfully and allows escaping of special
238 characters. If one of the characters ( { [ ’ is found, the correspond‐
239 ing closing character - ) } ] ’ - is looked for; they may also be
240 nested. Within these constructs, socats special characters and strings
241 : , !! are not handled specially. All those characters and strings can
242 be escaped with \ or within ""
243
245 This section describes the available address types with their keywords,
246 parameters, and semantics.
247
248 CREATE:<filename>
249 Opens <filename> with creat() and uses the file descriptor for
250 writing. This address type requires write-only context, because
251 a file opened with creat cannot be read from.
252 Flags like O_LARGEFILE cannot be applied. If you need them use
253 OPEN with options create,create.
254 <filename> must be a valid existing or not existing path. If
255 <filename> is a named pipe, creat() might block; if <filename>
256 refers to a socket, this is an error.
257 Option groups: FD,REG,NAMED
258 Useful options: mode, user, group, unlink-early, unlink-late,
259 append
260 See also: OPEN, GOPEN
261
262 EXEC:<command-line>
263 Forks a sub process that establishes communication with its par‐
264 ent process and invokes the specified program with execvp() .
265 <command-line> is a simple command with arguments separated by
266 single spaces. If the program name contains a ’/’, the part af‐
267 ter the last ’/’ is taken as ARGV[0]. If the program name is a
268 relative path, the execvp() semantics for finding the program
269 via $PATH apply. After successful program start, socat writes
270 data to stdin of the process and reads from its stdout using a
271 UNIX domain socket generated by socketpair() per default. (exam‐
272 ple)
273 Option groups: FD,SOCKET,EXEC,FORK,TERMIOS
274 Useful options: path, fdin, fdout, chroot, su, su-d, nofork,
275 pty, stderr, ctty, setsid, pipes, login, sigint, sigquit
276 See also: SYSTEM
277
278 FD:<fdnum>
279 Uses the file descriptor <fdnum>. It must already exist as valid
280 UN*X file descriptor.
281 Option groups: FD (TERMIOS,REG,SOCKET)
282 See also: STDIO, STDIN, STDOUT, STDERR
283
284 GOPEN:<filename>
285 (Generic open) This address type tries to handle any file system
286 entry except directories usefully. <filename> may be a relative
287 or absolute path. If it already exists, its type is checked. In
288 case of a UNIX domain socket, socat connects; if connecting
289 fails, socat assumes a datagram socket and uses sendto() calls.
290 If the entry is not a socket, socat opens it applying the O_AP‐
291 PEND flag. If it does not exist, it is opened with flag O_CREAT
292 as a regular file (example).
293 Option groups: FD,REG,SOCKET,NAMED,OPEN
294 See also: OPEN, CREATE, UNIX-CONNECT
295
296 IP-SENDTO:<host>:<protocol>
297 Opens a raw IP socket. Depending on host specification or option
298 pf, IP protocol version 4 or 6 is used. It uses <protocol> to
299 send packets to <host> [IP address] and receives packets from
300 host, ignores packets from other hosts. Protocol 255 uses the
301 raw socket with the IP header being part of the data.
302 Option groups: FD,SOCKET,IP4,IP6
303 Useful options: pf, ttl
304 See also: IP4-SENDTO, IP6-SENDTO, IP-RECVFROM, IP-RECV,
305 UDP-SENDTO, UNIX-SENDTO
306
307 INTERFACE:<interface>
308 Communicates with a network connected on an interface using raw
309 packets including link level data. <interface> is the name of
310 the network interface. Currently only available on Linux. Op‐
311 tion groups: FD,SOCKET
312 Useful options: pf, type
313 See also: ip-recv
314
315 IP4-SENDTO:<host>:<protocol>
316 Like IP-SENDTO, but always uses IPv4.
317 Option groups: FD,SOCKET,IP4
318
319 IP6-SENDTO:<host>:<protocol>
320 Like IP-SENDTO, but always uses IPv6.
321 Option groups: FD,SOCKET,IP6
322
323
324 IP-DATAGRAM:<address>:<protocol>
325 Sends outgoing data to the specified address which may in par‐
326 ticular be a broadcast or multicast address. Packets arriving on
327 the local socket are checked if their source addresses match
328 RANGE or TCPWRAP options. This address type can for example be
329 used for implementing symmetric or asymmetric broadcast or mul‐
330 ticast communications.
331 Option groups: FD, SOCKET, IP4, IP6, RANGE
332 Useful options: bind, range, tcpwrap, broadcast, ip-multi‐
333 cast-loop, ip-multicast-ttl, ip-multicast-if, ip-add-membership,
334 ip-add-source-membership, ttl, tos, pf
335 See also: IP4-DATAGRAM, IP6-DATAGRAM, IP-SENDTO, IP-RECVFROM,
336 IP-RECV, UDP-DATAGRAM
337
338 IP4-DATAGRAM:<host>:<protocol>
339 Like IP-DATAGRAM, but always uses IPv4. (example)
340 Option groups: FD,SOCKET,IP4,RANGE
341
342 IP6-DATAGRAM:<host>:<protocol>
343 Like IP-DATAGRAM, but always uses IPv6. Please note that IPv6
344 does not know broadcasts.
345 Option groups: FD,SOCKET,IP6,RANGE
346
347
348 IP-RECVFROM:<protocol>
349 Opens a raw IP socket of <protocol>. Depending on option pf, IP
350 protocol version 4 or 6 is used. It receives one packet from an
351 unspecified peer and may send one or more answer packets to that
352 peer. This mode is particularly useful with fork option where
353 each arriving packet - from arbitrary peers - is handled by its
354 own sub process. This allows a behaviour similar to typical UDP
355 based servers like ntpd or named.
356 Please note that the reply packets might be fetched as incoming
357 traffic when sender and receiver IP address are identical be‐
358 cause there is no port number to distinguish the sockets.
359 This address works well with IP-SENDTO address peers (see
360 above). Protocol 255 uses the raw socket with the IP header be‐
361 ing part of the data.
362 See the note about RECVFROM addresses.
363 Option groups: FD,SOCKET,IP4,IP6,CHILD,RANGE
364 Useful options: pf, fork, range, ttl, broadcast
365 See also: IP4-RECVFROM, IP6-RECVFROM, IP-SENDTO, IP-RECV,
366 UDP-RECVFROM, UNIX-RECVFROM
367
368 IP4-RECVFROM:<protocol>
369 Like IP-RECVFROM, but always uses IPv4.
370 Option groups: FD,SOCKET,IP4,CHILD,RANGE
371
372 IP6-RECVFROM:<protocol>
373 Like IP-RECVFROM, but always uses IPv6.
374 Option groups: FD,SOCKET,IP6,CHILD,RANGE
375
376
377 IP-RECV:<protocol>
378 Opens a raw IP socket of <protocol>. Depending on option pf, IP
379 protocol version 4 or 6 is used. It receives packets from multi‐
380 ple unspecified peers and merges the data. No replies are pos‐
381 sible. It can be, e.g., addressed by socat IP-SENDTO address
382 peers. Protocol 255 uses the raw socket with the IP header be‐
383 ing part of the data.
384 Option groups: FD,SOCKET,IP4,IP6,RANGE
385 Useful options: pf, range
386 See also: IP4-RECV, IP6-RECV, IP-SENDTO, IP-RECVFROM, UDP-RECV,
387 UNIX-RECV
388
389 IP4-RECV:<protocol>
390 Like IP-RECV, but always uses IPv4.
391 Option groups: FD,SOCKET,IP4,RANGE
392
393 IP6-RECV:<protocol>
394 Like IP-RECV, but always uses IPv6.
395 Option groups: FD,SOCKET,IP6,RANGE
396
397
398 OPEN:<filename>
399 Opens <filename> using the open() system call (example). This
400 operation fails on UNIX domain sockets.
401 Note: This address type is rarely useful in bidirectional mode.
402 Option groups: FD,REG,NAMED,OPEN
403 Useful options: creat, excl, noatime, nofollow, append, rdonly,
404 wronly, lock, readbytes, ignoreeof
405 See also: CREATE, GOPEN, UNIX-CONNECT
406
407 OPENSSL:<host>:<port>
408 Tries to establish a SSL connection to <port> [TCP service] on
409 <host> [IP address] using TCP/IP version 4 or 6 depending on ad‐
410 dress specification, name resolution, or option pf.
411 NOTE: Up to version 1.7.2.4 the server certificate was only
412 checked for validity against the system certificate store or
413 cafile or capath, but not for match with the server’s name or
414 its IP address. Since version 1.7.3.0 socat checks the peer
415 certificate for match with the <host> parameter or the value of
416 the openssl-commonname option. Socat tries to match it against
417 the certificates subject commonName, and the certificates exten‐
418 sion subjectAltName DNS names. Wildcards in the certificate are
419 supported.
420 Option groups: FD,SOCKET,IP4,IP6,TCP,OPENSSL,RETRY
421 Useful options: min-proto-version, cipher, verify, commonname,
422 cafile, capath, certificate, key, compress, bind, pf, con‐
423 nect-timeout, sourceport, retry
424 See also: OPENSSL-LISTEN, TCP
425
426 OPENSSL-LISTEN:<port>
427 Listens on tcp <port> [TCP service]. The IP version is 4 or the
428 one specified with pf. When a connection is accepted, this ad‐
429 dress behaves as SSL server.
430 Note: You probably want to use the certificate option with this
431 address.
432 NOTE: The client certificate is only checked for validity
433 against cafile or capath, but not for match with the client’s
434 name or its IP address!
435 Option groups: FD,SOCKET,IP4,IP6,TCP,LIS‐
436 TEN,OPENSSL,CHILD,RANGE,RETRY
437 Useful options: pf, min-proto-version, cipher, verify, common‐
438 name, cafile, capath, certificate, key, compress, fork, bind,
439 range, tcpwrap, su, reuseaddr, retry
440 See also: OPENSSL, TCP-LISTEN
441
442 OPENSSL-DTLS-CLIENT:<host>:<port>
443 Tries to establish a DTLS connection to <port> [UDP service] on
444 <host> [IP address] using UDP/IP version 4 or 6 depending on ad‐
445 dress specification, name resolution, or option pf.
446 Socat checks the peer certificates subjectAltName or commonName
447 against the addresses option openssl-commonname or the host
448 name. Wildcards in the certificate are supported.
449 Use socat option -b to make datagrams small enough to fit with
450 overhead on the network. Use option -T to prevent indefinite
451 hanging when peer went down quietly.
452 Option groups: FD,SOCKET,IP4,IP6,OPENSSL,RETRY
453 Useful options: min-proto-version, cipher, verify, commonname,
454 cafile, capath, certificate, key, compress, bind, pf, source‐
455 port, retry
456 See also: OPENSSL-DTLS-SERVER, OPENSSL-CONNECT, UDP-CONNECT
457
458 OPENSSL-DTLS-SERVER:<port>
459 Listens on UDP <port> [UDP service]. The IP version is 4 or the
460 one specified with pf. When a connection is accepted, this ad‐
461 dress behaves as DTLS server.
462 Note: You probably want to use the certificate option with this
463 address.
464 NOTE: The client certificate is only checked for validity
465 against cafile or capath, but not for match with the client’s
466 name or its IP address! Use socat option -b to make datagrams
467 small enough to fit with overhead on the network. Use option -T
468 to prevent indefinite hanging when peer went down quietly.
469 Option groups: FD,SOCKET,IP4,IP6,LIS‐
470 TEN,OPENSSL,CHILD,RANGE,RETRY
471 Useful options: pf, min-proto-version, cipher, verify, common‐
472 name, cafile, capath, certificate, key, compress, fork, bind,
473 range, tcpwrap, su, reuseaddr, retry
474 See also: OPENSSL-DTLS-CLIENT, OPENSSL-LISTEN, UDP-LISTEN
475
476 PIPE:<filename>
477 If <filename> already exists, it is opened. If it does not ex‐
478 ist, a named pipe is created and opened. Beginning with socat
479 version 1.4.3, the named pipe is removed when the address is
480 closed (but see option unlink-close
481 Note: When a pipe is used for both reading and writing, it works
482 as echo service.
483 Note: When a pipe is used for both reading and writing, and so‐
484 cat tries to write more bytes than the pipe can buffer (Linux
485 2.4: 2048 bytes), socat might block. Consider using socat op‐
486 tion, e.g., -b 2048
487 Option groups: FD,NAMED,OPEN
488 Useful options: rdonly, nonblock, group, user, mode, un‐
489 link-early
490 See also: unnamed pipe
491
492 PIPE Creates an unnamed pipe and uses it for reading and writing. It
493 works as an echo, because everything written to it appeares im‐
494 mediately as read data.
495 Note: When socat tries to write more bytes than the pipe can
496 queue (Linux 2.4: 2048 bytes), socat might block. Consider,
497 e.g., using option -b 2048
498 Option groups: FD
499 See also: named pipe
500
501 PROXY:<proxy>:<hostname>:<port>
502 Connects to an HTTP proxy server on port 8080 using TCP/IP ver‐
503 sion 4 or 6 depending on address specification, name resolution,
504 or option pf, and sends a CONNECT request for hostname:port. If
505 the proxy grants access and succeeds to connect to the target,
506 data transfer between socat and the target can start. Note that
507 the traffic need not be HTTP but can be an arbitrary protocol.
508 Option groups: FD,SOCKET,IP4,IP6,TCP,HTTP,RETRY
509 Useful options: proxyport, ignorecr, proxyauth, resolve, crnl,
510 bind, connect-timeout, mss, sourceport, retry
511 See also: SOCKS, TCP
512
513 PTY Generates a pseudo terminal (pty) and uses its master side. An‐
514 other process may open the pty’s slave side using it like a se‐
515 rial line or terminal. (example). If both the ptmx and the
516 openpty mechanisms are available, ptmx is used (POSIX).
517 Option groups: FD,NAMED,PTY,TERMIOS
518 Useful options: link, openpty, wait-slave, mode, user, group
519 See also: UNIX-LISTEN, PIPE, EXEC, SYSTEM
520
521 READLINE
522 Uses GNU readline and history on stdio to allow editing and
523 reusing input lines (example). This requires the GNU readline
524 and history libraries. Note that stdio should be a (pseudo) ter‐
525 minal device, otherwise readline does not seem to work.
526 Option groups: FD,READLINE,TERMIOS
527 Useful options: history, noecho
528 See also: STDIO
529
530 SCTP-CONNECT:<host>:<port>
531 Establishes an SCTP stream connection to the specified <host>
532 [IP address] and <port> [TCP service] using IP version 4 or 6
533 depending on address specification, name resolution, or option
534 pf.
535 Option groups: FD,SOCKET,IP4,IP6,SCTP,CHILD,RETRY
536 Useful options: bind, pf, connect-timeout, tos, mtudiscover,
537 sctp-maxseg, sctp-nodelay, nonblock, sourceport, retry, read‐
538 bytes
539 See also: SCTP4-CONNECT, SCTP6-CONNECT, SCTP-LISTEN, TCP-CONNECT
540
541 SCTP4-CONNECT:<host>:<port>
542 Like SCTP-CONNECT, but only supports IPv4 protocol.
543 Option groups: FD,SOCKET,IP4,SCTP,CHILD,RETRY
544
545 SCTP6-CONNECT:<host>:<port>
546 Like SCTP-CONNECT, but only supports IPv6 protocol.
547 Option groups: FD,SOCKET,IP6,SCTP,CHILD,RETRY
548
549 SCTP-LISTEN:<port>
550 Listens on <port> [TCP service] and accepts an SCTP connection.
551 The IP version is 4 or the one specified with address option pf,
552 socat option (-4, -6), or environment variable SOCAT_DE‐
553 FAULT_LISTEN_IP. Note that opening this address usually blocks
554 until a client connects.
555 Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6,SCTP,RETRY
556 Useful options: crnl, fork, bind, range, tcpwrap, pf, max-chil‐
557 dren, backlog, accept-timeout, sctp-maxseg, sctp-nodelay, su,
558 reuseaddr, retry, cool-write
559 See also: SCTP4-LISTEN, SCTP6-LISTEN, TCP-LISTEN, SCTP-CONNECT
560
561 SCTP4-LISTEN:<port>
562 Like SCTP-LISTEN, but only supports IPv4 protocol.
563 Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4,SCTP,RETRY
564
565 SCTP6-LISTEN:<port>
566 Like SCTP-LISTEN, but only supports IPv6 protocol.
567 Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP6,SCTP,RETRY
568
569 SOCKET-CONNECT:<domain>:<protocol>:<remote-address>
570 Creates a stream socket using the first and second given socket
571 parameters and SOCK_STREAM (see man socket(2)) and connects to
572 the remote-address. The two socket parameters have to be speci‐
573 fied by int numbers. Consult your OS documentation and include
574 files to find the appropriate values. The remote-address must be
575 the data representation of a sockaddr structure without sa_fam‐
576 ily and (BSD) sa_len components.
577 Please note that you can - beyond the options of the specified
578 groups - also use options of higher level protocols when you ap‐
579 ply socat option -g.
580 Option groups: FD,SOCKET,CHILD,RETRY
581 Useful options: bind, setsockopt,
582 See also: TCP, UDP-CONNECT, UNIX-CONNECT, SOCKET-LISTEN,
583 SOCKET-SENDTO
584
585 SOCKET-DATAGRAM:<domain>:<type>:<protocol>:<remote-address>
586 Creates a datagram socket using the first three given socket pa‐
587 rameters (see man socket(2)) and sends outgoing data to the re‐
588 mote-address. The three socket parameters have to be specified
589 by int numbers. Consult your OS documentation and include files
590 to find the appropriate values. The remote-address must be the
591 data representation of a sockaddr structure without sa_family
592 and (BSD) sa_len components.
593 Please note that you can - beyond the options of the specified
594 groups - also use options of higher level protocols when you ap‐
595 ply socat option -g.
596 Option groups: FD,SOCKET,RANGE
597 Useful options: bind, range, setsockopt,
598 See also: UDP-DATAGRAM, IP-DATAGRAM, SOCKET-SENDTO, SOCKET-RECV,
599 SOCKET-RECVFROM
600
601 SOCKET-LISTEN:<domain>:<protocol>:<local-address>
602 Creates a stream socket using the first and second given socket
603 parameters and SOCK_STREAM (see man socket(2)) and waits for in‐
604 coming connections on local-address. The two socket parameters
605 have to be specified by int numbers. Consult your OS documenta‐
606 tion and include files to find the appropriate values. The lo‐
607 cal-address must be the data representation of a sockaddr struc‐
608 ture without sa_family and (BSD) sa_len components.
609 Please note that you can - beyond the options of the specified
610 groups - also use options of higher level protocols when you ap‐
611 ply socat option -g.
612 Option groups: FD,SOCKET,LISTEN,RANGE,CHILD,RETRY
613 Useful options: setsockopt, setsockopt-listen,
614 See also: TCP, UDP-CONNECT, UNIX-CONNECT, SOCKET-LISTEN,
615 SOCKET-SENDTO, SOCKET-SENDTO
616
617 SOCKET-RECV:<domain>:<type>:<protocol>:<local-address>
618 Creates a socket using the three given socket parameters (see
619 man socket(2)) and binds it to <local-address>. Receives arriv‐
620 ing data. The three parameters have to be specified by int num‐
621 bers. Consult your OS documentation and include files to find
622 the appropriate values. The local-address must be the data rep‐
623 resentation of a sockaddr structure without sa_family and (BSD)
624 sa_len components.
625 Option groups: FD,SOCKET,RANGE
626 Useful options: range, setsockopt, setsockopt-listen
627 See also: UDP-RECV, IP-RECV, UNIX-RECV, SOCKET-DATAGRAM,
628 SOCKET-SENDTO, SOCKET-RECVFROM
629
630 SOCKET-RECVFROM:<domain>:<type>:<protocol>:<local-address>
631 Creates a socket using the three given socket parameters (see
632 man socket(2)) and binds it to <local-address>. Receives arriv‐
633 ing data and sends replies back to the sender. The first three
634 parameters have to be specified as int numbers. Consult your OS
635 documentation and include files to find the appropriate values.
636 The local-address must be the data representation of a sockaddr
637 structure without sa_family and (BSD) sa_len components.
638 See the note about RECVFROM addresses.
639 Option groups: FD,SOCKET,CHILD,RANGE
640 Useful options: fork, range, setsockopt, setsockopt-listen
641 See also: UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, SOCKET-DATA‐
642 GRAM, SOCKET-SENDTO, SOCKET-RECV
643
644 SOCKET-SENDTO:<domain>:<type>:<protocol>:<remote-address>
645 Creates a socket using the three given socket parameters (see
646 man socket(2)). Sends outgoing data to the given address and re‐
647 ceives replies. The three parameters have to be specified as
648 int numbers. Consult your OS documentation and include files to
649 find the appropriate values. The remote-address must be the data
650 representation of a sockaddr structure without sa_family and
651 (BSD) sa_len components.
652 Option groups: FD,SOCKET
653 Useful options: bind, setsockopt, setsockopt-listen
654 See also: UDP-SENDTO, IP-SENDTO, UNIX-SENDTO, SOCKET-DATAGRAM,
655 SOCKET-RECV SOCKET-RECVFROM
656
657 SOCKS4:<socks-server>:<host>:<port>
658 Connects via <socks-server> [IP address] to <host> [IPv4 ad‐
659 dress] on <port> [TCP service], using socks version 4 protocol
660 over IP version 4 or 6 depending on address specification, name
661 resolution, or option pf (example).
662 Option groups: FD,SOCKET,IP4,IP6,TCP,SOCKS4,RETRY
663 Useful options: socksuser, socksport, sourceport, pf, retry
664 See also: SOCKS4A, PROXY, TCP
665
666 SOCKS4A:<socks-server>:<host>:<port>
667 like SOCKS4, but uses socks protocol version 4a, thus leaving
668 host name resolution to the socks server.
669 Option groups: FD,SOCKET,IP4,IP6,TCP,SOCKS4,RETRY
670
671 STDERR Uses file descriptor 2.
672 Option groups: FD (TERMIOS,REG,SOCKET)
673 See also: FD
674
675 STDIN Uses file descriptor 0.
676 Option groups: FD (TERMIOS,REG,SOCKET)
677 Useful options: readbytes
678 See also: FD
679
680 STDIO Uses file descriptor 0 for reading, and 1 for writing.
681 Option groups: FD (TERMIOS,REG,SOCKET)
682 Useful options: readbytes
683 See also: FD
684
685 STDOUT Uses file descriptor 1.
686 Option groups: FD (TERMIOS,REG,SOCKET)
687 See also: FD
688
689 SYSTEM:<shell-command>
690 Forks a sub process that establishes communication with its par‐
691 ent process and invokes the specified program with system() .
692 Please note that <shell-command> [string] must not contain ’,’
693 or "!!", and that shell meta characters may have to be pro‐
694 tected. After successful program start, socat writes data to
695 stdin of the process and reads from its stdout.
696 Option groups: FD,SOCKET,EXEC,FORK,TERMIOS
697 Useful options: path, fdin, fdout, chroot, su, su-d, nofork,
698 pty, stderr, ctty, setsid, pipes, sigint, sigquit
699 See also: EXEC
700
701 TCP:<host>:<port>
702 Connects to <port> [TCP service] on <host> [IP address] using
703 TCP/IP version 4 or 6 depending on address specification, name
704 resolution, or option pf.
705 Option groups: FD,SOCKET,IP4,IP6,TCP,RETRY
706 Useful options: crnl, bind, pf, connect-timeout, tos, mtudis‐
707 cover, mss, nodelay, nonblock, sourceport, retry, readbytes
708 See also: TCP4, TCP6, TCP-LISTEN, UDP, SCTP-CONNECT, UNIX-CON‐
709 NECT
710
711 TCP4:<host>:<port>
712 Like TCP, but only supports IPv4 protocol (example).
713 Option groups: FD,SOCKET,IP4,TCP,RETRY
714
715 TCP6:<host>:<port>
716 Like TCP, but only supports IPv6 protocol.
717 Option groups: FD,SOCKET,IP6,TCP,RETRY
718
719 TCP-LISTEN:<port>
720 Listens on <port> [TCP service] and accepts a TCP/IP connection.
721 The IP version is 4 or the one specified with address option pf,
722 socat option (-4, -6), or environment variable SOCAT_DE‐
723 FAULT_LISTEN_IP. Note that opening this address usually blocks
724 until a client connects.
725 Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6,TCP,RETRY
726 Useful options: crnl, fork, bind, range, tcpwrap, pf, max-chil‐
727 dren, backlog, accept-timeout, mss, su, reuseaddr, retry,
728 cool-write
729 See also: TCP4-LISTEN, TCP6-LISTEN, UDP-LISTEN, SCTP-LISTEN,
730 UNIX-LISTEN, OPENSSL-LISTEN, TCP-CONNECT
731
732 TCP4-LISTEN:<port>
733 Like TCP-LISTEN, but only supports IPv4 protocol (example).
734 Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4,TCP,RETRY
735
736 TCP6-LISTEN:<port>
737 Like TCP-LISTEN, but only supports IPv6 protocol.
738 Additional useful option: ipv6only
739 Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP6,TCP,RETRY
740
741 TUN[:<if-addr>/<bits>]
742 Creates a Linux TUN/TAP device and optionally assignes it the
743 address and netmask given by the parameters. The resulting net‐
744 work interface is almost ready for use by other processes; socat
745 serves its "wire side". This address requires read and write ac‐
746 cess to the tunnel cloning device, usually /dev/net/tun , as
747 well as permission to set some ioctl()s. Option iff-up is re‐
748 quired to immediately activate the interface!
749 Note: If you intend to transfer packets between two Socat "wire
750 sides" you need a protocol that keeps packet boundaries,
751 e.g.UDP; TCP might work with option nodelay.
752 Option groups: FD,NAMED,OPEN,TUN
753 Useful options: iff-up, tun-device, tun-name, tun-type,
754 iff-no-pi
755 See also: ip-recv
756
757 UDP:<host>:<port>
758 Connects to <port> [UDP service] on <host> [IP address] using
759 UDP/IP version 4 or 6 depending on address specification, name
760 resolution, or option pf.
761 Please note that, due to UDP protocol properties, no real con‐
762 nection is established; data has to be sent for `connecting’ to
763 the server, and no end-of-file condition can be transported.
764 Option groups: FD,SOCKET,IP4,IP6
765 Useful options: ttl, tos, bind, sourceport, pf
766 See also: UDP4, UDP6, UDP-LISTEN, TCP, IP
767
768 UDP4:<host>:<port>
769 Like UDP, but only supports IPv4 protocol.
770 Option groups: FD,SOCKET,IP4
771
772 UDP6:<host>:<port>
773 Like UDP, but only supports IPv6 protocol.
774 Option groups: FD,SOCKET,IP6
775
776 UDP-DATAGRAM:<address>:<port>
777 Sends outgoing data to the specified address which may in par‐
778 ticular be a broadcast or multicast address. Packets arriving on
779 the local socket are checked for the correct remote port only
780 when option sourceport is used (this is a change with Socat ver‐
781 sion 1.7.4.0) and if their source addresses match RANGE or TCP‐
782 WRAP options. This address type can for example be used for im‐
783 plementing symmetric or asymmetric broadcast or multicast commu‐
784 nications.
785 Option groups: FD,SOCKET,IP4,IP6,RANGE
786 Useful options: bind, range, tcpwrap, broadcast, ip-multi‐
787 cast-loop, ip-multicast-ttl, ip-multicast-if, ip-add-membership,
788 ip-add-source-membership, ttl, tos, sourceport, pf
789 See also: UDP4-DATAGRAM, UDP6-DATAGRAM, UDP-SENDTO,
790 UDP-RECVFROM, UDP-RECV, UDP-CONNECT, UDP-LISTEN, IP-DATAGRAM
791
792 UDP4-DATAGRAM:<address>:<port>
793 Like UDP-DATAGRAM, but only supports IPv4 protocol (example1,
794 example2).
795 Option groups: FD,SOCKET,IP4, RANGE
796
797 UDP6-DATAGRAM:<address>:<port>
798 Like UDP-DATAGRAM, but only supports IPv6 protocol.
799 Option groups: FD,SOCKET,IP6,RANGE
800
801 UDP-LISTEN:<port>
802 Waits for a UDP/IP packet arriving on <port> [UDP service] and
803 `connects’ back to sender. The accepted IP version is 4 or the
804 one specified with option pf. Please note that, due to UDP pro‐
805 tocol properties, no real connection is established; data has to
806 arrive from the peer first, and no end-of-file condition can be
807 transported. Note that opening this address usually blocks until
808 a client connects.
809 Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6
810 Useful options: fork, bind, range, pf
811 See also: UDP, UDP4-LISTEN, UDP6-LISTEN, TCP-LISTEN
812
813 UDP4-LISTEN:<port>
814 Like UDP-LISTEN, but only support IPv4 protocol.
815 Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP4
816
817 UDP6-LISTEN:<port>
818 Like UDP-LISTEN, but only support IPv6 protocol.
819 Option groups: FD,SOCKET,LISTEN,CHILD,RANGE,IP6
820
821 UDP-SENDTO:<host>:<port>
822 Communicates with the specified peer socket, defined by <port>
823 [UDP service] on <host> [IP address], using UDP/IP version 4 or
824 6 depending on address specification, name resolution, or option
825 pf. It sends packets to and receives packets from that peer
826 socket only. This address effectively implements a datagram
827 client. It works well with socat UDP-RECVFROM and UDP-RECV ad‐
828 dress peers.
829 Option groups: FD,SOCKET,IP4,IP6
830 Useful options: ttl, tos, bind, sourceport, pf
831 See also: UDP4-SENDTO, UDP6-SENDTO, UDP-RECVFROM, UDP-RECV,
832 UDP-CONNECT, UDP-LISTEN, IP-SENDTO
833
834 UDP4-SENDTO:<host>:<port>
835 Like UDP-SENDTO, but only supports IPv4 protocol.
836 Option groups: FD,SOCKET,IP4
837
838 UDP6-SENDTO:<host>:<port>
839 Like UDP-SENDTO, but only supports IPv6 protocol.
840 Option groups: FD,SOCKET,IP6
841
842 UDP-RECVFROM:<port>
843 Creates a UDP socket on <port> [UDP service] using UDP/IP ver‐
844 sion 4 or 6 depending on option pf. It receives one packet from
845 an unspecified peer and may send one or more answer packets to
846 that peer. This mode is particularly useful with fork option
847 where each arriving packet - from arbitrary peers - is handled
848 by its own sub process. This allows a behaviour similar to typi‐
849 cal UDP based servers like ntpd or named. This address works
850 well with socat UDP-SENDTO address peers.
851 Note: When the second address fails before entering the transfer
852 loop the packet is dropped. Use option retry or forever on the
853 second address to avoid data loss.
854 Option groups: FD,SOCKET,IP4,IP6,CHILD,RANGE
855 Useful options: fork, ttl, tos, bind, sourceport, pf
856 See also: UDP4-RECVFROM, UDP6-RECVFROM, UDP-SENDTO, UDP-RECV,
857 UDP-CONNECT, UDP-LISTEN, IP-RECVFROM, UNIX-RECVFROM
858
859 UDP4-RECVFROM:<port>
860 Like UDP-RECVFROM, but only supports IPv4 protocol.
861 Option groups: FD,SOCKET,IP4,CHILD,RANGE
862
863 UDP6-RECVFROM:<port>
864 Like UDP-RECVFROM, but only supports IPv6 protocol.
865 Option groups: FD,SOCKET,IP6,CHILD,RANGE
866
867 UDP-RECV:<port>
868 Creates a UDP socket on <port> [UDP service] using UDP/IP ver‐
869 sion 4 or 6 depending on option pf. It receives packets from
870 multiple unspecified peers and merges the data. No replies are
871 possible. It works well with, e.g., socat UDP-SENDTO address
872 peers; it behaves similar to a syslog server.
873 Note: if you need the fork option, use UDP-RECVFROM in unidirec‐
874 tional mode (with option -u) instead.
875 Option groups: FD,SOCKET,IP4,IP6,RANGE
876 Useful options: pf, bind, sourceport, ttl, tos
877 See also: UDP4-RECV, UDP6-RECV, UDP-SENDTO, UDP-RECVFROM,
878 UDP-CONNECT, UDP-LISTEN, IP-RECV, UNIX-RECV
879
880 UDP4-RECV:<port>
881 Like UDP-RECV, but only supports IPv4 protocol.
882 Option groups: FD,SOCKET,IP4,RANGE
883
884 UDP6-RECV:<port>
885 Like UDP-RECV, but only supports IPv6 protocol.
886 Option groups: FD,SOCKET,IP6,RANGE
887
888 UNIX-CONNECT:<filename>
889 Connects to <filename> assuming it is a UNIX domain socket. If
890 <filename> does not exist, this is an error; if <filename> is
891 not a UNIX domain socket, this is an error; if <filename> is a
892 UNIX domain socket, but no process is listening, this is an er‐
893 ror.
894 Option groups: FD,SOCKET,NAMED,RETRY,UNIX
895 ) Useful options: bind
896 See also: UNIX-LISTEN, UNIX-SENDTO, TCP
897
898 UNIX-LISTEN:<filename>
899 Listens on <filename> using a UNIX domain stream socket and ac‐
900 cepts a connection. If <filename> exists and is not a socket,
901 this is an error. If <filename> exists and is a UNIX domain
902 socket, binding to the address fails (use option unlink-early!).
903 Note that opening this address usually blocks until a client
904 connects. Beginning with socat version 1.4.3, the file system
905 entry is removed when this address is closed (but see option un‐
906 link-close) (example).
907 Option groups: FD,SOCKET,NAMED,LISTEN,CHILD,RETRY,UNIX
908 Useful options: fork, umask, mode, user, group, unlink-early
909 See also: UNIX-CONNECT, UNIX-RECVFROM, UNIX-RECV, TCP-LISTEN
910
911 UNIX-SENDTO:<filename>
912 Communicates with the specified peer socket, defined by [<file‐
913 name>] assuming it is a UNIX domain datagram socket. It sends
914 packets to and receives packets from that peer socket only.
915 Please note that it might be necessary to bind the local socket
916 to an address (e.g. /tmp/sock1, which must not exist before).
917 This address type works well with socat UNIX-RECVFROM and
918 UNIX-RECV address peers.
919 Option groups: FD,SOCKET,NAMED,UNIX
920 Useful options: bind
921 See also: UNIX-RECVFROM, UNIX-RECV, UNIX-CONNECT, UDP-SENDTO,
922 IP-SENDTO
923
924 UNIX-RECVFROM:<filename>
925 Creates a UNIX domain datagram socket [<filename>]. Receives
926 one packet and may send one or more answer packets to that peer.
927 This mode is particularly useful with fork option where each ar‐
928 riving packet - from arbitrary peers - is handled by its own sub
929 process. This address works well with socat UNIX-SENDTO address
930 peers.
931 Option groups: FD,SOCKET,NAMED,CHILD,UNIX
932 See the note about RECVFROM addresses.
933 Useful options: fork
934 See also: UNIX-SENDTO, UNIX-RECV, UNIX-LISTEN, UDP-RECVFROM,
935 IP-RECVFROM
936
937 UNIX-RECV:<filename>
938 Creates a UNIX domain datagram socket [<filename>]. Receives
939 packets from multiple unspecified peers and merges the data. No
940 replies are possible. It can be, e.g., addressed by socat
941 UNIX-SENDTO address peers. It behaves similar to a syslog
942 server.
943 Option groups: FD,SOCKET,NAMED,UNIX
944 See also: UNIX-SENDTO, UNIX-RECVFROM, UNIX-LISTEN, UDP-RECV,
945 IP-RECV
946
947 UNIX-CLIENT:<filename>
948 Communicates with the specified peer socket, defined by [<file‐
949 name>] assuming it is a UNIX domain socket. It first tries to
950 connect and, if that fails, assumes it is a datagram socket,
951 thus supporting both types.
952 Option groups: FD,SOCKET,NAMED,UNIX
953 Useful options: bind
954 See also: UNIX-CONNECT, UNIX-SENDTO, GOPEN
955
956 VSOCK-CONNECT:<cid>:<port>
957 Establishes a VSOCK stream connection to the specified <cid>
958 [VSOCK cid] and <port> [VSOCK port].
959 Option groups: FD,SOCKET,CHILD,RETRY
960 Useful options: bind, pf, connect-timeout, retry, readbytes
961 See also: VSOCK-LISTEN,
962
963 VSOCK-LISTEN:<port>
964 Listens on <port> [VSOCK port] and accepts a VSOCK connection.
965 Note that opening this address usually blocks until a client
966 connects.
967 Option groups: FD,SOCKET,LISTEN,CHILD,RETRY
968 Useful options: fork, bind, pf, max-children, backlog, su,
969 reuseaddr, retry, cool-write
970 See also: VSOCK-CONNECT
971
972 ABSTRACT-CONNECT:<string>
973
974 ABSTRACT-LISTEN:<string>
975
976 ABSTRACT-SENDTO:<string>
977
978 ABSTRACT-RECVFROM:<string>
979
980 ABSTRACT-RECV:<string>
981
982 ABSTRACT-CLIENT:<string>
983 The ABSTRACT addresses are almost identical to the related UNIX
984 addresses except that they do not address file system based
985 sockets but an alternate UNIX domain address space. To achieve
986 this the socket address strings are prefixed with "\0" inter‐
987 nally. This feature is available (only?) on Linux. Option
988 groups are the same as with the related UNIX addresses, except
989 that the ABSTRACT addresses are not member of the NAMED group.
990
991
993 Address options can be applied to address specifications to influence
994 the process of opening the addresses and the properties of the result‐
995 ing data channels.
996
997 For technical reasons not every option can be applied to every address
998 type; e.g., applying a socket option to a regular file will fail. To
999 catch most useless combinations as early as in the open phase, the con‐
1000 cept of option groups was introduced. Each option belongs to one or
1001 more option groups. Options can be used only with address types that
1002 support at least one of their option groups (but see option -g).
1003
1004 Address options have data types that their values must conform to. Ev‐
1005 ery address option consists of just a keyword or a keyword followed by
1006 "=value", where value must conform to the options type. Some address
1007 options manipulate parameters of system calls; e.g., option sync sets
1008 the O_SYNC flag with the open() call. Other options cause a system or
1009 library call; e.g., with option `ttl=value’ the setsockopt(fd, SOL_IP,
1010 IP_TTL, value, sizeof(int)) call is applied. Other options set inter‐
1011 nal socat variables that are used during data transfer; e.g., `crnl’
1012 causes explicit character conversions. A few options have more complex
1013 implementations; e.g., su-d (substuser-delayed) inquires some user and
1014 group infos, stores them, and applies them later after a possible ch‐
1015 root() call.
1016
1017 If multiple options are given to an address, their sequence in the ad‐
1018 dress specification has (almost) no effect on the sequence of their ex‐
1019 ecution/application. Instead, socat has built in an option phase model
1020 that tries to bring the options in a useful order. Some options exist
1021 in different forms (e.g., unlink, unlink-early, unlink-late) to control
1022 the time of their execution.
1023
1024 If the same option is specified more than once within one address spec‐
1025 ification, with equal or different values, the effect depends on the
1026 kind of option. Options resulting in function calls like setsockopt()
1027 cause multiple invocations. With options that set parameters for a re‐
1028 quired call like open() or set internal flags, the value of the last
1029 option occurrence is effective.
1030
1031 The existence or semantics of many options are system dependent. Socat
1032 usually does NOT try to emulate missing libc or kernel features, it
1033 just provides an interface to the underlying system. So, if an operat‐
1034 ing system lacks a feature, the related option is simply not available
1035 on this platform.
1036
1037 The following paragraphs introduce just the more common address op‐
1038 tions. For a more comprehensive reference and to find information about
1039 canonical option names, alias names, option phases, and platforms see
1040 file xio.help.
1041
1042
1043 FD option group
1044
1045 This option group contains options that are applied to a UN*X style
1046 file descriptor, no matter how it was generated. Because all current
1047 socat address types are file descriptor based, these options may be ap‐
1048 plied to any address.
1049 Note: Some of these options are also member of another option group,
1050 that provides another, non-fd based mechanism. For these options, it
1051 depends on the actual address type and its option groups which mecha‐
1052 nism is used. The second, non-fd based mechanism is prioritized.
1053
1054 cloexec=<bool>
1055 Sets the FD_CLOEXEC flag with the fcntl() system call to value
1056 <bool>. If set, the file descriptor is closed on exec() family
1057 function calls. Socat internally handles this flag for the fds
1058 it controls, so in most cases there will be no need to apply
1059 this option.
1060
1061 setlk Tries to set a discretionary write lock to the whole file using
1062 the fcntl(fd, F_SETLK, ...) system call. If the file is already
1063 locked, this call results in an error. On Linux, when the file
1064 permissions for group are "S" (g-x,g+s), and the file system is
1065 locally mounted with the "mand" option, the lock is mandatory,
1066 i.e. prevents other processes from opening the file.
1067
1068 setlkw Tries to set a discretionary waiting write lock to the whole
1069 file using the fcntl(fd, F_SETLKW, ...) system call. If the
1070 file is already locked, this call blocks. See option setlk for
1071 information about making this lock mandatory.
1072
1073 setlk-rd
1074 Tries to set a discretionary read lock to the whole file using
1075 the fcntl(fd, F_SETLK, ...) system call. If the file is already
1076 write locked, this call results in an error. See option setlk
1077 for information about making this lock mandatory.
1078
1079 setlkw-rd
1080 Tries to set a discretionary waiting read lock to the whole file
1081 using the fcntl(fd, F_SETLKW, ...) system call. If the file is
1082 already write locked, this call blocks. See option setlk for
1083 information about making this lock mandatory.
1084
1085 flock-ex
1086 Tries to set a blocking exclusive advisory lock to the file us‐
1087 ing the flock(fd, LOCK_EX) system call. Socat hangs in this call
1088 if the file is locked by another process.
1089
1090 flock-ex-nb
1091 Tries to set a nonblocking exclusive advisory lock to the file
1092 using the flock(fd, LOCK_EX|LOCK_NB) system call. If the file is
1093 already locked, this option results in an error.
1094
1095 flock-sh
1096 Tries to set a blocking shared advisory lock to the file using
1097 the flock(fd, LOCK_SH) system call. Socat hangs in this call if
1098 the file is locked by another process.
1099
1100 flock-sh-nb
1101 Tries to set a nonblocking shared advisory lock to the file us‐
1102 ing the flock(fd, LOCK_SH|LOCK_NB) system call. If the file is
1103 already locked, this option results in an error.
1104
1105 lock Sets a blocking lock on the file. Uses the setlk or flock mecha‐
1106 nism depending on availability on the particular platform. If
1107 both are available, the POSIX variant (setlkw) is used.
1108
1109 user=<user>
1110 Sets the <user> (owner) of the stream. If the address is member
1111 of the NAMED option group, socat uses the chown() system call
1112 after opening the file or binding to the UNIX domain socket
1113 (race condition!). Without filesystem entry, socat sets the
1114 user of the stream using the fchown() system call. These calls
1115 might require root privilege.
1116
1117 user-late=<user>
1118 Sets the owner of the fd to <user> with the fchown() system call
1119 after opening or connecting the channel. This is useful only on
1120 file system entries.
1121
1122 group=<group>
1123 Sets the <group> of the stream. If the address is member of the
1124 NAMED option group, socat uses the chown() system call after
1125 opening the file or binding to the UNIX domain socket (race con‐
1126 dition!). Without filesystem entry, socat sets the group of the
1127 stream with the fchown() system call. These calls might require
1128 group membership or root privilege.
1129
1130 group-late=<group>
1131 Sets the group of the fd to <group> with the fchown() system
1132 call after opening or connecting the channel. This is useful
1133 only on file system entries.
1134
1135 mode=<mode>
1136 Sets the <mode> [mode_t] (permissions) of the stream. If the
1137 address is member of the NAMED option group and uses the open()
1138 or creat() call, the mode is applied with these. If the address
1139 is member of the NAMED option group without using these system
1140 calls, socat uses the chmod() system call after opening the
1141 filesystem entry or binding to the UNIX domain socket (race con‐
1142 dition!). Otherwise, socat sets the mode of the stream using
1143 fchmod() . These calls might require ownership or root privi‐
1144 lege.
1145
1146 perm-late=<mode>
1147 Sets the permissions of the fd to value <mode> [mode_t] using
1148 the fchmod() system call after opening or connecting the chan‐
1149 nel. This is useful only on file system entries.
1150
1151 append=<bool>
1152 Always writes data to the actual end of file. If the address is
1153 member of the OPEN option group, socat uses the O_APPEND flag
1154 with the open() system call (example). Otherwise, socat applies
1155 the fcntl(fd, F_SETFL, O_APPEND) call.
1156
1157 nonblock=<bool>
1158 Tries to open or use file in nonblocking mode. Its only effects
1159 are that the connect() call of TCP addresses does not block, and
1160 that opening a named pipe for reading does not block. If the
1161 address is member of the OPEN option group, socat uses the
1162 O_NONBLOCK flag with the open() system call. Otherwise, socat
1163 applies the fcntl(fd, F_SETFL, O_NONBLOCK) call.
1164
1165 binary Opens the file in binary mode to avoid implicit line terminator
1166 conversions (Cygwin).
1167
1168 text Opens the file in text mode to force implicit line terminator
1169 conversions (Cygwin).
1170
1171 noinherit
1172 Does not keep this file open in a spawned process (Cygwin).
1173
1174 cool-write
1175 Takes it easy when write fails with EPIPE or ECONNRESET and logs
1176 the message with notice level instead of error. This prevents
1177 the log file from being filled with useless error messages when
1178 socat is used as a high volume server or proxy where clients of‐
1179 ten abort the connection.
1180 This option is experimental.
1181
1182 end-close
1183 Changes the (address dependent) method of ending a connection to
1184 just close the file descriptors. This is useful when the connec‐
1185 tion is to be reused by or shared with other processes (exam‐
1186 ple).
1187 Normally, socket connections will be ended with shutdown(2)
1188 which terminates the socket even if it is shared by multiple
1189 processes. close(2) "unlinks" the socket from the process but
1190 keeps it active as long as there are still links from other pro‐
1191 cesses.
1192 Similarly, when an address of type EXEC or SYSTEM is ended, so‐
1193 cat usually will explicitly kill the sub process. With this op‐
1194 tion, it will just close the file descriptors.
1195
1196 shut-none
1197 Changes the (address dependent) method of shutting down the
1198 write part of a connection to not do anything.
1199
1200 shut-down
1201 Changes the (address dependent) method of shutting down the
1202 write part of a connection to shutdown(fd, SHUT_WR). Is only
1203 useful with sockets.
1204
1205 shut-close
1206 Changes the (address dependent) method of shutting down the
1207 write part of a connection to close(fd).
1208
1209 shut-null
1210 When one address indicates EOF, socat will send a zero sized
1211 packet to the write channel of the other address to transfer the
1212 EOF condition. This is useful with UDP and other datagram proto‐
1213 cols. Has been tested against netcat and socat with option
1214 null-eof.
1215
1216 null-eof
1217 Normally socat will ignore empty (zero size payload) packets ar‐
1218 riving on datagram sockets, so it survives port scans. With this
1219 option socat interprets empty datagram packets as EOF indicator
1220 (see shut-null).
1221
1222 ioctl-void=<request>
1223 Calls ioctl() with the request value as second argument and NULL
1224 as third argument. This option allows utilizing ioctls that are
1225 not explicitly implemented in socat.
1226
1227 ioctl-int=<request>:<value>
1228 Calls ioctl() with the request value as second argument and the
1229 integer value as third argument.
1230
1231 ioctl-intp=<request>:<value>
1232 Calls ioctl() with the request value as second argument and a
1233 pointer to the integer value as third argument.
1234
1235 ioctl-bin=<request>:<value>
1236 Calls ioctl() with the request value as second argument and a
1237 pointer to the given data value as third argument. This data
1238 must be specified in <dalan> form.
1239
1240 ioctl-string=<request>:<value>
1241 Calls ioctl() with the request value as second argument and a
1242 pointer to the given string as third argument. <dalan> form.
1243
1244
1245 NAMED option group
1246
1247 These options work on file system entries.
1248 Please note that, with UNIX domain client addresses, this means the
1249 bind entry, not the target/peer entry.
1250 See also options user, group, and mode.
1251
1252 user-early=<user>
1253 Changes the <user> (owner) of the file system entry before ac‐
1254 cessing it, using the chown() system call. This call might re‐
1255 quire root privilege.
1256
1257 group-early=<group>
1258 Changes the <group> of the file system entry before accessing
1259 it, using the chown() system call. This call might require group
1260 membership or root privilege.
1261
1262 perm-early=<mode>
1263 Changes the <mode> [mode_t] of the file system entry before ac‐
1264 cessing it, using the chmod() system call. This call might re‐
1265 quire ownership or root privilege.
1266
1267 umask=<mode>
1268 Sets the umask of the process to <mode> [mode_t] before access‐
1269 ing the file system entry (useful with UNIX domain sockets!).
1270 This call might affect all further operations of the socat
1271 process!
1272
1273 unlink-early
1274 Unlinks (removes) the file before opening it and even before ap‐
1275 plying user-early etc.
1276
1277 unlink Unlinks (removes) the file before accessing it, but after
1278 user-early etc.
1279
1280 unlink-late
1281 Unlinks (removes) the file after opening it to make it inacces‐
1282 sible for other processes after a short race condition.
1283
1284 unlink-close
1285 Removes the addresses file system entry when closing the ad‐
1286 dress. For named pipes, UNIX domain sockets, and the symbolic
1287 links of pty addresses, the default is 1; for created files,
1288 opened files, and generic opened files the default is 0.
1289
1290
1291 OPEN option group
1292
1293 The OPEN group options allow setting flags with the open() system call.
1294 E.g., option `creat’ sets the O_CREAT flag.
1295 See also options append and nonblock.
1296
1297 creat=<bool>
1298 Creates the file if it does not exist (example).
1299
1300 dsync=<bool>
1301 Blocks write() calls until metainfo is physically written to me‐
1302 dia.
1303
1304 excl=<bool>
1305 With option creat, if file exists this is an error.
1306
1307 largefile=<bool>
1308 On 32 bit systems, allows a file larger than 2^31 bytes.
1309
1310 noatime
1311 Sets the O_NOATIME options, so reads do not change the access
1312 timestamp.
1313
1314 noctty=<bool>
1315 Does not make this file the controlling terminal.
1316
1317 nofollow=<bool>
1318 Does not follow symbolic links.
1319
1320 nshare=<bool>
1321 Does not allow sharing this file with other processes.
1322
1323 rshare=<bool>
1324 Does not allow other processes to open this file for writing.
1325
1326 rsync=<bool>
1327 Blocks write() until metainfo is physically written to media.
1328
1329 sync=<bool>
1330 Blocks write() until data is physically written to media.
1331
1332 rdonly=<bool>
1333 Opens the file for reading only.
1334
1335 wronly=<bool>
1336 Opens the file for writing only.
1337
1338 trunc Truncates the file to size 0 during opening it.
1339
1340
1341 REG and BLK option group
1342
1343 These options are usually applied to a UN*X file descriptor, but their
1344 semantics make sense only on a file supporting random access.
1345
1346 seek=<offset>
1347 Applies the lseek(fd, <offset>, SEEK_SET) (or lseek64 ) system
1348 call, thus positioning the file pointer absolutely to <offset>
1349 [off_t or off64_t]. Please note that a missing value defaults to
1350 1, not 0.
1351
1352 seek-cur=<offset>
1353 Applies the lseek(fd, <offset>, SEEK_CUR) (or lseek64 ) system
1354 call, thus positioning the file pointer <offset> [off_t or
1355 off64_t] bytes relatively to its current position (which is usu‐
1356 ally 0). Please note that a missing value defaults to 1, not 0.
1357
1358 seek-end=<offset>
1359 Applies the lseek(fd, <offset>, SEEK_END) (or lseek64 ) system
1360 call, thus positioning the file pointer <offset> [off_t or
1361 off64_t] bytes relatively to the files current end. Please note
1362 that a missing value defaults to 1, not 0.
1363
1364 ftruncate=<offset>
1365 Applies the ftruncate(fd, <offset>) (or ftruncate64 if avail‐
1366 able) system call, thus truncating the file at the position
1367 <offset> [off_t or off64_t]. Please note that a missing value
1368 defaults to 1, not 0.
1369
1370 secrm=<bool>
1371
1372 unrm=<bool>
1373
1374 compr=<bool>
1375
1376 fs-sync=<bool>
1377
1378 immutable=<bool>
1379
1380 fs-append=<bool>
1381
1382 nodump=<bool>
1383
1384 fs-noatime=<bool>
1385
1386 journal-data=<bool>
1387
1388 notail=<bool>
1389
1390 dirsync=<bool>
1391 These options change non standard file attributes on operating
1392 systems and file systems that support these features, like Linux
1393 with ext2fs and successors, xfs, or reiserfs. See man 1 chattr
1394 for information on these options. Please note that there might
1395 be a race condition between creating the file and applying these
1396 options.
1397
1398
1399 PROCESS option group
1400
1401 Options of this group change the process properties instead of just af‐
1402 fecting one data channel. For EXEC and SYSTEM addresses and for LISTEN
1403 and CONNECT type addresses with option FORK, these options apply to the
1404 child processes instead of the main socat process.
1405
1406 chroot=<directory>
1407 Performs a chroot() operation to <directory> after processing
1408 the address (example). This call might require root privilege.
1409
1410 chroot-early=<directory>
1411 Performs a chroot() operation to <directory> before opening the
1412 address. This call might require root privilege.
1413
1414 setgid=<group>
1415 Changes the primary <group> of the process after processing the
1416 address. This call might require root privilege. Please note
1417 that this option does not drop other group related privileges.
1418
1419 setgid-early=<group>
1420 Like setgit but is performed before opening the address.
1421
1422 setuid=<user>
1423 Changes the <user> (owner) of the process after processing the
1424 address. This call might require root privilege. Please note
1425 that this option does not drop group related privileges. Check
1426 if option su better fits your needs.
1427
1428 setuid-early=<user>
1429 Like setuid but is performed before opening the address.
1430
1431 su=<user>
1432 Changes the <user> (owner) and groups of the process after pro‐
1433 cessing the address (example). This call might require root
1434 privilege.
1435
1436 su-d=<user>
1437 Short name for substuser-delayed. Changes the <user> (owner)
1438 and groups of the process after processing the address (exam‐
1439 ple). The user and his groups are retrieved before a possible
1440 chroot() . This call might require root privilege.
1441
1442 setpgid=<pid_t>
1443 Makes the process a member of the specified process group
1444 <pid_t>. If no value is given, or if the value is 0 or 1, the
1445 process becomes leader of a new process group.
1446
1447 setsid Makes the process the leader of a new session (example).
1448
1449
1450 READLINE option group
1451
1452 These options apply to the readline address type.
1453
1454 history=<filename>
1455 Reads and writes history from/to <filename> (example).
1456
1457 noprompt
1458 Since version 1.4.0, socat per default tries to determine a
1459 prompt - that is then passed to the readline call - by remember‐
1460 ing the last incomplete line of the output. With this option,
1461 socat does not pass a prompt to readline, so it begins line
1462 editing in the first column of the terminal.
1463
1464 noecho=<pattern>
1465 Specifies a regular pattern for a prompt that prevents the fol‐
1466 lowing input line from being displayed on the screen and from
1467 being added to the history. The prompt is defined as the text
1468 that was output to the readline address after the lastest new‐
1469 line character and before an input character was typed. The pat‐
1470 tern is a regular expression, e.g. "^[Pp]assword:.*$" or
1471 "([Uu]ser:|[Pp]assword:)". See regex(7) for details. (example)
1472
1473 prompt=<string>
1474 Passes the string as prompt to the readline function. readline
1475 prints this prompt when stepping through the history. If this
1476 string matches a constant prompt issued by an interactive pro‐
1477 gram on the other socat address, consistent look and feel can be
1478 achieved.
1479
1480
1481 APPLICATION option group
1482
1483 This group contains options that work at data level. Note that these
1484 options only apply to the "raw" data transferred by socat, but not to
1485 protocol data used by addresses like PROXY.
1486
1487 cr Converts the default line termination character NL (’\n’, 0x0a)
1488 to/from CR (’\r’, 0x0d) when writing/reading on this channel.
1489
1490 crnl Converts the default line termination character NL (’\n’, 0x0a)
1491 to/from CRNL ("\r\n", 0x0d0a) when writing/reading on this chan‐
1492 nel (example). Note: socat simply strips all CR characters.
1493
1494 ignoreeof
1495 When EOF occurs on this channel, socat ignores it and tries to
1496 read more data (like "tail -f") (example).
1497
1498 readbytes=<bytes>
1499 socat reads only so many bytes from this address (the address
1500 provides only so many bytes for transfer and pretends to be at
1501 EOF afterwards). Must be greater than 0.
1502
1503 lockfile=<filename>
1504 If lockfile exists, exits with error. If lockfile does not ex‐
1505 ist, creates it and continues, unlinks lockfile on exit.
1506
1507 waitlock=<filename>
1508 If lockfile exists, waits until it disappears. When lockfile
1509 does not exist, creates it and continues, unlinks lockfile on
1510 exit.
1511
1512 escape=<int>
1513 Specifies the numeric code of a character that triggers EOF on
1514 the input stream. It is useful with a terminal in raw mode (ex‐
1515 ample).
1516
1517
1518 SOCKET option group
1519
1520 These options are intended for all kinds of sockets, e.g. IP or UNIX
1521 domain. Most are applied with a setsockopt() call.
1522
1523 bind=<sockname>
1524 Binds the socket to the given socket address using the bind()
1525 system call. The form of <sockname> is socket domain dependent:
1526 IP4 and IP6 allow the form [hostname|hostaddress][:(ser‐
1527 vice|port)] (example), UNIX domain sockets require <filename>,
1528 VSOCK allow the form [cid][:(port)].
1529
1530 connect-timeout=<seconds>
1531 Abort the connection attempt after <seconds> [timeval] with er‐
1532 ror status.
1533
1534 so-bindtodevice=<interface>
1535 Binds the socket to the given <interface>. This option might
1536 require root privilege.
1537
1538 broadcast
1539 For datagram sockets, allows sending to broadcast addresses and
1540 receiving packets addressed to broadcast addresses.
1541
1542 debug Enables socket debugging.
1543
1544 dontroute
1545 Only communicates with directly connected peers, does not use
1546 routers.
1547
1548 keepalive
1549 Enables sending keepalives on the socket.
1550
1551 linger=<seconds>
1552 Blocks shutdown() or close() until data transfers have finished
1553 or the given timeout [int] expired.
1554
1555 oobinline
1556 Places out-of-band data in the input data stream.
1557
1558 priority=<priority>
1559 Sets the protocol defined <priority> [<int>] for outgoing pack‐
1560 ets.
1561
1562 rcvbuf=<bytes>
1563 Sets the size of the receive buffer after the socket() call to
1564 <bytes> [int]. With TCP sockets, this value corresponds to the
1565 socket’s maximal window size.
1566
1567 rcvbuf-late=<bytes>
1568 Sets the size of the receive buffer when the socket is already
1569 connected to <bytes> [int]. With TCP sockets, this value corre‐
1570 sponds to the socket’s maximal window size.
1571
1572 rcvlowat=<bytes>
1573 Specifies the minimum number of received bytes [int] until the
1574 socket layer will pass the buffered data to socat.
1575
1576 reuseaddr
1577 Allows other sockets to bind to an address even if parts of it
1578 (e.g. the local port) are already in use by socat (example).
1579
1580 sndbuf=<bytes>
1581 Sets the size of the send buffer after the socket() call to
1582 <bytes> [int].
1583
1584 sndbuf-late=<bytes>
1585 Sets the size of the send buffer when the socket is connected to
1586 <bytes> [int].
1587
1588 sndlowat=<bytes>
1589 Specifies the minimum number of bytes in the send buffer until
1590 the socket layer will send the data to <bytes> [int].
1591
1592 pf=<string>
1593 Forces the use of the specified IP version or protocol. <string>
1594 can be something like "ip4" or "ip6". The resulting value is
1595 used as first argument to the socket() or socketpair() calls.
1596 This option affects address resolution and the required syntax
1597 of bind and range options.
1598
1599 type=<type>
1600 Sets the type of the socket, specified as second argument to the
1601 socket() or socketpair() calls, to <type> [int]. Address resolu‐
1602 tion is not affected by this option. Under Linux, 1 means
1603 stream oriented socket, 2 means datagram socket, and 3 means raw
1604 socket.
1605
1606 protocol
1607 Sets the protocol of the socket, specified as third argument to
1608 the socket() or socketpair() calls, to <protocol> [int]. Address
1609 resolution is not affected by this option. 6 means TCP, 17
1610 means UDP.
1611
1612 reuseport
1613 Set the SO_REUSEPORT socket option.
1614
1615 so-timestamp
1616 Sets the SO_TIMESTAMP socket option. This enables receiving and
1617 logging of timestamp ancillary messages.
1618
1619 setsockopt=<level>:<optname>:<optval>
1620 Invokes setsockopt() for the socket with the given parameters.
1621 level [int] is used as second argument to setsockopt() and spec‐
1622 ifies the layer, e.g. SOL_TCP for TCP (6 on Linux), or
1623 SOL_SOCKET for the socket layer (1 on Linux). optname [int] is
1624 the third argument to setsockopt() and tells which socket option
1625 is to be set. For the actual numbers you might have to look up
1626 the appropriate include files of your system. For the 4th and
1627 5th setsockopt() parameters, value [dalan] specifies an arbi‐
1628 trary sequence of bytes that are passed to the function per
1629 pointer, with the automatically derived length parameter.
1630
1631 setsockopt-int=<level>:<optname>:<optval>
1632 Like setsockopt, but <optval> is a pointer to int [int]
1633
1634 setsockopt-listen=<level>:<optname>:<optval>
1635 Like setsockopt, but for listen type addresses it is applied to
1636 the listening socket instead of the connected socket.
1637
1638 setsockopt-string=<level>:<optname>:<optval>
1639 Like setsockopt, but <optval> is a string. This string is
1640 passed to the function with trailing null character, and the
1641 length parameter is automatically derived from the data.
1642
1643
1644 UNIX option group
1645
1646 These options apply to UNIX domain based addresses.
1647
1648 unix-tightsocklen=[0|1]
1649 On socket operations, pass a socket address length that does not
1650 include the whole struct sockaddr_un record but (besides other
1651 components) only the relevant part of the filename or abstract
1652 string. Default is 1.
1653
1654
1655 IP4 and IP6 option groups
1656
1657 These options can be used with IPv4 and IPv6 based sockets.
1658
1659 tos=<tos>
1660 Sets the TOS (type of service) field of outgoing packets to
1661 <tos> [byte] (see RFC 791).
1662
1663 ttl=<ttl>
1664 Sets the TTL (time to live) field of outgoing packets to <ttl>
1665 [byte].
1666
1667 ip-options=<data>
1668 Sets IP options like source routing. Must be given in binary
1669 form, recommended format is a leading "x" followed by an even
1670 number of hex digits. This option may be used multiple times,
1671 data are appended. E.g., to connect to host 10.0.0.1 via some
1672 gateway using a loose source route, use the gateway as address
1673 parameter and set a loose source route using the option ip-op‐
1674 tions=x8307040a000001 .
1675 IP options are defined in RFC 791.
1676
1677 mtudiscover=<0|1|2>
1678 Takes 0, 1, 2 to never, want, or always use path MTU discover on
1679 this socket.
1680
1681 ip-pktinfo
1682 Sets the IP_PKTINFO socket option. This enables receiving and
1683 logging of ancillary messages containing destination address and
1684 interface (Linux) (example).
1685
1686 ip-recverr
1687 Sets the IP_RECVERR socket option. This enables receiving and
1688 logging of ancillary messages containing detailed error informa‐
1689 tion.
1690
1691 ip-recvopts
1692 Sets the IP_RECVOPTS socket option. This enables receiving and
1693 logging of IP options ancillary messages (Linux, *BSD).
1694
1695 ip-recvtos
1696 Sets the IP_RECVTOS socket option. This enables receiving and
1697 logging of TOS (type of service) ancillary messages (Linux).
1698
1699 ip-recvttl
1700 Sets the IP_RECVTTL socket option. This enables receiving and
1701 logging of TTL (time to live) ancillary messages (Linux, *BSD).
1702
1703 ip-recvdstaddr
1704 Sets the IP_RECVDSTADDR socket option. This enables receiving
1705 and logging of ancillary messages containing destination address
1706 (*BSD) (example).
1707
1708 ip-recvif
1709 Sets the IP_RECVIF socket option. This enables receiving and
1710 logging of interface ancillary messages (*BSD) (example).
1711
1712 ip-add-membership=<multicast-address:interface-address>
1713
1714 ip-add-membership=<multicast-address:interface-name>
1715
1716 ip-add-membership=<multicast-address:interface-index>
1717
1718 ip-add-membership=<multicast-address:interface-address:interface-name>
1719
1720 ip-add-membership=<multicast-address:interface-address:interface-index>
1721 Makes the socket member of the specified multicast group. This
1722 is currently only implemented for IPv4. The option takes the IP
1723 address of the multicast group and info about the desired net‐
1724 work interface. The most common syntax is the first one, while
1725 the others are only available on systems that provide struct
1726 mreqn (Linux).
1727 The indices of active network interfaces can be shown using the
1728 utility procan.
1729
1730 ip-add-source-membership=<multicast-address:interface-ad‐
1731 dress:source-address>
1732 Makes the socket member of the specified multicast group for the
1733 specified source, i.e. only multicast traffic from this address
1734 is to be delivered. This is currently only implemented for
1735 IPv4.
1736
1737 ip-multicast-if=<hostname>
1738 Specifies hostname or address of the network interface to be
1739 used for multicast traffic.
1740
1741 ip-multicast-loop=<bool>
1742 Specifies if outgoing multicast traffic should loop back to the
1743 interface.
1744
1745 ip-multicast-ttl=<byte>
1746 Sets the TTL used for outgoing multicast traffic. Default is 1.
1747
1748 ip-transparent
1749 Sets the IP_TRANSPARENT socket option. This option might re‐
1750 quire root privilege.
1751
1752 res-debug
1753
1754 res-aaonly
1755
1756 res-usevc
1757
1758 res-primary
1759
1760 res-igntc
1761
1762 res-recurse
1763
1764 res-defnames
1765
1766 res-stayopen
1767
1768 res-dnsrch
1769 These options set the corresponding resolver (name resolution)
1770 option flags. Append "=0" to clear a default option. See man
1771 resolver(5) for more information on these options. Note: these
1772 options are valid only for the address they are applied to.
1773
1774 IP6 option group
1775
1776 These options can only be used on IPv6 based sockets. See IP options
1777 for options that can be applied to both IPv4 and IPv6 sockets.
1778
1779 ipv6only=<bool>
1780 Sets the IPV6_V6ONLY socket option. If 0, the TCP stack will
1781 also accept connections using IPv4 protocol on the same port.
1782 The default is system dependent.
1783
1784 ipv6-recvdstopts
1785 Sets the IPV6_RECVDSTOPTS socket option. This enables receiving
1786 and logging of ancillary messages containing the destination op‐
1787 tions.
1788
1789 ipv6-recvhoplimit
1790 Sets the IPV6_RECVHOPLIMIT socket option. This enables receiving
1791 and logging of ancillary messages containing the hoplimit.
1792
1793 ipv6-recvhopopts
1794 Sets the IPV6_RECVHOPOPTS socket option. This enables receiving
1795 and logging of ancillary messages containing the hop options.
1796
1797 ipv6-recvpktinfo
1798 Sets the IPV6_RECVPKTINFO socket option. This enables receiving
1799 and logging of ancillary messages containing destination address
1800 and interface.
1801
1802 ipv6-unicast-hops=link(TYPE_INT)(<int>)
1803 Sets the IPV6_UNICAST_HOPS socket option. This sets the hop
1804 count limit (TTL) for outgoing unicast packets.
1805
1806 ipv6-recvrthdr
1807 Sets the IPV6_RECVRTHDR socket option. This enables receiving
1808 and logging of ancillary messages containing routing informa‐
1809 tion.
1810
1811 ipv6-tclass
1812 Sets the IPV6_TCLASS socket option. This sets the transfer class
1813 of outgoing packets.
1814
1815 ipv6-recvtclass
1816 Sets the IPV6_RECVTCLASS socket option. This enables receiving
1817 and logging of ancillary messages containing the transfer class.
1818
1819
1820 TCP option group
1821
1822 These options may be applied to TCP sockets. They work by invoking set‐
1823 sockopt() with the appropriate parameters.
1824
1825 cork Doesn’t send packets smaller than MSS (maximal segment size).
1826
1827 defer-accept
1828 While listening, accepts connections only when data from the
1829 peer arrived.
1830
1831 keepcnt=<count>
1832 Sets the number of keepalives before shutting down the socket to
1833 <count> [int].
1834
1835 keepidle=<seconds>
1836 Sets the idle time before sending the first keepalive to <sec‐
1837 onds> [int].
1838
1839 keepintvl=<seconds>
1840 Sets the interval between two keepalives to <seconds> [int].
1841
1842 linger2=<seconds>
1843 Sets the time to keep the socket in FIN-WAIT-2 state to <sec‐
1844 onds> [int].
1845
1846 mss=<bytes>
1847 Sets the MSS (maximum segment size) after the socket() call to
1848 <bytes> [int]. This value is then proposed to the peer with the
1849 SYN or SYN/ACK packet (example).
1850
1851 mss-late=<bytes>
1852 Sets the MSS of the socket after connection has been established
1853 to <bytes> [int].
1854
1855 nodelay
1856 Turns off the Nagle algorithm for measuring the RTT (round trip
1857 time).
1858
1859 rfc1323
1860 Enables RFC1323 TCP options: TCP window scale, round-trip time
1861 measurement (RTTM), and protect against wrapped sequence numbers
1862 (PAWS) (AIX).
1863
1864 stdurg Enables RFC1122 compliant urgent pointer handling (AIX).
1865
1866 syncnt=<count>
1867 Sets the maximal number of SYN retransmits during connect to
1868 <count> [int].
1869
1870 md5sig Enables generation of MD5 digests on the packets (FreeBSD).
1871
1872 noopt Disables use of TCP options (FreeBSD, MacOSX).
1873
1874 nopush sets the TCP_NOPUSH socket option (FreeBSD, MacOSX).
1875
1876 sack-disable
1877 Disables use the selective acknowledge feature (OpenBSD).
1878
1879 signature-enable
1880 Enables generation of MD5 digests on the packets (OpenBSD).
1881
1882 abort-threshold=<milliseconds>
1883 Sets the time to wait for an answer of the peer on an estab‐
1884 lished connection (HP-UX).
1885
1886 conn-abort-threshold=<milliseconds>
1887 Sets the time to wait for an answer of the server during the
1888 initial connect (HP-UX).
1889
1890 keepinit
1891 Sets the time to wait for an answer of the server during con‐
1892 nect() before giving up. Value in half seconds, default is 150
1893 (75s) (Tru64).
1894
1895 paws Enables the "protect against wrapped sequence numbers" feature
1896 (Tru64).
1897
1898 sackena
1899 Enables selective acknowledge (Tru64).
1900
1901 tsoptena
1902 Enables the time stamp option that allows RTT recalculation on
1903 existing connections (Tru64).
1904
1905
1906 UDP option group
1907
1908 This option may be applied to UDP datagram sockets.
1909
1910 udp-ignore-peerport>
1911 Address UDP-DATAGRAM expects incoming responses to come from the
1912 port specified in its second parameter. With this option, it ac‐
1913 cepts packets coming from any port.
1914
1915
1916 SCTP option group
1917
1918 These options may be applied to SCTP stream sockets.
1919
1920 sctp-nodelay
1921 Sets the SCTP_NODELAY socket option that disables the Nagle al‐
1922 gorithm.
1923
1924 sctp-maxseg=<bytes>
1925 Sets the SCTP_MAXSEG socket option to <bytes> [int]. This value
1926 is then proposed to the peer with the SYN or SYN/ACK packet.
1927
1928
1929 UDP, TCP, and SCTP option group
1930
1931 Here we find options that are related to the network port mechanism and
1932 thus can be used with UDP, TCP, and SCTP client and server addresses.
1933
1934 sourceport=<port>
1935 For outgoing (client) TCP and UDP connections, it sets the
1936 source <port> using an extra bind() call. With TCP or UDP lis‐
1937 ten addresses, socat immediately shuts down the connection if
1938 the client does not use this sourceport. UDP-RECV, UDP-RECVFROM,
1939 UDP-SENDTO, and UDP-DATAGRAM addresses ignore the packet when it
1940 does not match. (example).
1941
1942 lowport
1943 Outgoing (client) TCP and UDP connections with this option use
1944 an unused random source port between 640 and 1023 incl. On UNIX
1945 class operating systems, this requires root privilege, and thus
1946 indicates that the client process is authorized by local root.
1947 TCP and UDP listen addresses with this option immediately shut
1948 down the connection if the client does not use a sourceport <=
1949 1023. This mechanism can provide limited authorization under
1950 some circumstances.
1951
1952
1953 SOCKS option group
1954
1955 When using SOCKS type addresses, some socks specific options can be
1956 set.
1957
1958 socksport=<tcp service>
1959 Overrides the default "socks" service or port 1080 for the socks
1960 server port with <TCP service>.
1961
1962 socksuser=<user>
1963 Sends the <user> [string] in the username field to the socks
1964 server. Default is the actual user name ($LOGNAME or $USER) (ex‐
1965 ample).
1966
1967
1968 HTTP option group
1969
1970 Options that can be provided with HTTP type addresses. The only HTTP
1971 address currently implemented is proxy-connect.
1972
1973 proxyport=<TCP service>
1974 Overrides the default HTTP proxy port 8080 with <TCP service>.
1975
1976 ignorecr
1977 The HTTP protocol requires the use of CR+NL as line terminator.
1978 When a proxy server violates this standard, socat might not un‐
1979 derstand its answer. This option directs socat to interprete NL
1980 as line terminator and to ignore CR in the answer. Nevertheless,
1981 socat sends CR+NL to the proxy.
1982
1983 proxy-authorization=<username>:<password>
1984 Provide "basic" authentication to the proxy server. The argument
1985 to the option is used with a "Proxy-Authorization: Basic" header
1986 in base64 encoded form.
1987 Note: username and password are visible for every user on the
1988 local machine in the process list; username and password are
1989 transferred to the proxy server unencrypted (base64 encoded) and
1990 might be sniffed.
1991
1992 proxy-authorization-file=<filename>
1993 Like option proxy-authorization, but the credentials are read
1994 from the file and therefore not visible in the process list.
1995
1996 resolve
1997 Per default, socat sends to the proxy a CONNECT request contain‐
1998 ing the target hostname. With this option, socat resolves the
1999 hostname locally and sends the IP address. Please note that, ac‐
2000 cording to RFC 2396, only name resolution to IPv4 addresses is
2001 implemented.
2002
2003
2004 RANGE option group
2005
2006 These options check if a connecting client should be granted access.
2007 They can be applied to listening and receiving network sockets.
2008 tcp-wrappers options fall into this group.
2009
2010 range=<address-range>
2011 After accepting a connection, tests if the peer is within range.
2012 For IPv4 addresses, address-range takes the form address/bits,
2013 e.g. 10.0.0.0/8, or address:mask, e.g. 10.0.0.0:255.0.0.0 (ex‐
2014 ample); for IPv6, it is [ip6-address]/bits, e.g. [::1]/128. If
2015 the client address does not match, socat refuses the connection
2016 attempt, issues a warning, and keeps listening/receiving.
2017
2018 tcpwrap[=<name>]
2019 Uses Wietse Venema’s libwrap (tcpd) library to determine if the
2020 client is allowed to connect. The configuration files are
2021 /etc/hosts.allow and /etc/hosts.deny per default, see "man 5
2022 hosts_access" for more information. The optional <name> (type
2023 string) is passed to the wrapper functions as daemon process
2024 name (example). If omitted, the basename of socats invocation
2025 (argv[0]) is passed. If both tcpwrap and range options are ap‐
2026 plied to an address, both conditions must be fulfilled to allow
2027 the connection.
2028
2029 allow-table=<filename>
2030 Takes the specified file instead of /etc/hosts.allow.
2031
2032 deny-table=<filename>
2033 Takes the specified file instead of /etc/hosts.deny.
2034
2035 tcpwrap-etc=<directoryname>
2036 Looks for hosts.allow and hosts.deny in the specified directory.
2037 Is overridden by options hosts-allow and hosts-deny.
2038
2039
2040 LISTEN option group
2041
2042 Options specific to listening sockets.
2043
2044 backlog=<count>
2045 Sets the backlog value passed with the listen() system call to
2046 <count> [int]. Default is 5.
2047
2048 accept-timeout=<seconds>
2049 End waiting for a connection after <seconds> [timeval] with er‐
2050 ror status.
2051
2052 max-children=<count>
2053 Limits the number of concurrent child processes [int]. Default
2054 is no limit.
2055
2056
2057 CHILD option group
2058
2059 Options for addresses with multiple connections via child processes.
2060
2061 fork After establishing a connection, handles its channel in a child
2062 process and keeps the parent process attempting to produce more
2063 connections, either by listening or by connecting in a loop (ex‐
2064 ample).
2065 OPENSSL-CONNECT and OPENSSL-LISTEN differ in when they actually
2066 fork off the child: OPENSSL-LISTEN forks before the SSL hand‐
2067 shake, while OPENSSL-CONNECT forks afterwards. retry and for‐
2068 ever options are not inherited by the child process.
2069 On some operating systems (e.g. FreeBSD) this option does not
2070 work for UDP-LISTEN addresses.
2071
2072
2073 EXEC option group
2074
2075 Options for addresses that invoke a program.
2076
2077 path=<string>
2078 Overrides the PATH environment variable for searching the pro‐
2079 gram with <string>. This $PATH value is effective in the child
2080 process too.
2081
2082 login Prefixes argv[0] for the execvp() call with ’-’, thus making a
2083 shell behave as login shell.
2084
2085
2086 FORK option group
2087
2088 EXEC or SYSTEM addresses invoke a program using a child process and
2089 transfer data between socat and the program. The interprocess communi‐
2090 cation mechanism can be influenced with the following options. Per de‐
2091 fault, a socketpair() is created and assigned to stdin and stdout of
2092 the child process, while stderr is inherited from the socat process,
2093 and the child process uses file descriptors 0 and 1 for communicating
2094 with the main socat process.
2095
2096 nofork Does not fork a subprocess for executing the program, instead
2097 calls execvp() or system() directly from the actual socat in‐
2098 stance. This avoids the overhead of another process between the
2099 program and its peer, but introduces a lot of restrictions:
2100
2101 o this option can only be applied to the second socat address.
2102
2103 o it cannot be applied to a part of a dual address.
2104
2105 o the first socat address cannot be OPENSSL or READLINE
2106
2107 o socat options -b, -t, -D, -l, -v, -x become useless
2108
2109 o for both addresses, options ignoreeof, cr, and crnl become use‐
2110 less
2111
2112 o for the second address (the one with option nofork), options ap‐
2113 pend, cloexec, flock, user, group, mode, nonblock, perm-late,
2114 setlk, and setpgid cannot be applied. Some of these could be
2115 used on the first address though.
2116
2117 pipes Creates a pair of unnamed pipes for interprocess communication
2118 instead of a socket pair.
2119
2120 openpty
2121 Establishes communication with the sub process using a pseudo
2122 terminal created with openpty() instead of the default (socket‐
2123 pair or ptmx).
2124
2125 ptmx Establishes communication with the sub process using a pseudo
2126 terminal created by opening /dev/ptmx or /dev/ptc instead of the
2127 default (socketpair).
2128
2129 pty Establishes communication with the sub process using a pseudo
2130 terminal instead of a socket pair. Creates the pty with an
2131 available mechanism. If openpty and ptmx are both available, it
2132 uses ptmx because this is POSIX compliant (example).
2133
2134 ctty Makes the pty the controlling tty of the sub process (example).
2135
2136 stderr Directs stderr of the sub process to its output channel by mak‐
2137 ing stderr a dup() of stdout (example).
2138
2139 fdin=<fdnum>
2140 Assigns the sub processes input channel to its file descriptor
2141 <fdnum> instead of stdin (0). The program started from the sub‐
2142 process has to use this fd for reading data from socat (exam‐
2143 ple).
2144
2145 fdout=<fdnum>
2146 Assigns the sub processes output channel to its file descriptor
2147 <fdnum> instead of stdout (1). The program started from the sub‐
2148 process has to use this fd for writing data to socat (example).
2149
2150 sighup, sigint, sigquit
2151 Has socat pass signals of this type to the sub process. If no
2152 address has this option, socat terminates on these signals.
2153
2154
2155 TERMIOS option group
2156
2157 For addresses that work on a tty (e.g., stdio, file:/dev/tty,
2158 exec:...,pty), the terminal parameters defined in the UN*X termios
2159 mechanism are made available as address option parameters. Please note
2160 that changes of the parameters of your interactive terminal remain ef‐
2161 fective after socat’s termination, so you might have to enter "reset"
2162 or "stty sane" in your shell afterwards. For EXEC and SYSTEM addresses
2163 with option PTY, these options apply to the pty by the child processes.
2164
2165 b0 Disconnects the terminal.
2166
2167 b19200 Sets the serial line speed to 19200 baud. Some other rates are
2168 possible; use something like socat -hh |grep ’ b[1-9]’ to find
2169 all speeds supported by your implementation.
2170 Note: On some operating systems, these options may not be avail‐
2171 able. Use ispeed or ospeed instead.
2172
2173 echo=<bool>
2174 Enables or disables local echo.
2175
2176 icanon=<bool>
2177 Sets or clears canonical mode, enabling line buffering and some
2178 special characters.
2179
2180 raw Sets raw mode, thus passing input and output almost unprocessed.
2181 This option is obsolete, use option rawer or cfmakeraw instead.
2182
2183 rawer Makes terminal rawer than raw option. This option implicitly
2184 turns off echo. (example).
2185
2186 cfmakeraw
2187 Sets raw mode by invoking cfmakeraw() or by simulating this
2188 call. This option implicitly turns off echo.
2189
2190 ignbrk=<bool>
2191 Ignores or interpretes the BREAK character (e.g., ^C)
2192
2193 brkint=<bool>
2194
2195 bs0
2196
2197 bs1
2198
2199 bsdly=<0|1>
2200
2201 clocal=<bool>
2202
2203
2204 cr0
2205 cr1
2206 cr2
2207 cr3
2208
2209 Sets the carriage return delay to 0, 1, 2, or 3, respectively.
2210 0 means no delay, the other values are terminal dependent.
2211
2212 crdly=<0|1|2|3>
2213
2214 cread=<bool>
2215
2216 crtscts=<bool>
2217
2218
2219 cs5
2220 cs6
2221 cs7
2222 cs8
2223
2224 Sets the character size to 5, 6, 7, or 8 bits, respectively.
2225
2226 csize=<0|1|2|3>
2227
2228 cstopb=<bool>
2229 Sets two stop bits, rather than one.
2230
2231 dsusp=<byte>
2232 Sets the value for the VDSUSP character that suspends the cur‐
2233 rent foreground process and reactivates the shell (all except
2234 Linux).
2235
2236 echoctl=<bool>
2237 Echos control characters in hat notation (e.g. ^A)
2238
2239 echoe=<bool>
2240
2241 echok=<bool>
2242
2243 echoke=<bool>
2244
2245 echonl=<bool>
2246
2247 echoprt=<bool>
2248
2249 eof=<byte>
2250
2251 eol=<byte>
2252
2253 eol2=<byte>
2254
2255 erase=<byte>
2256
2257 discard=<byte>
2258
2259 ff0
2260
2261 ff1
2262
2263 ffdly=<bool>
2264
2265 flusho=<bool>
2266
2267 hupcl=<bool>
2268
2269 icrnl=<bool>
2270
2271 iexten=<bool>
2272
2273 igncr=<bool>
2274
2275 ignpar=<bool>
2276
2277 imaxbel=<bool>
2278
2279 inlcr=<bool>
2280
2281 inpck=<bool>
2282
2283 intr=<byte>
2284
2285 isig=<bool>
2286
2287 ispeed=<unsigned-int>
2288 Set the baud rate for incoming data on this line.
2289 See also: ospeed, b19200
2290
2291 istrip=<bool>
2292
2293 iuclc=<bool>
2294
2295 ixany=<bool>
2296
2297 ixoff=<bool>
2298
2299 ixon=<bool>
2300
2301 kill=<byte>
2302
2303 lnext=<byte>
2304
2305 min=<byte>
2306
2307 nl0 Sets the newline delay to 0.
2308
2309 nl1
2310
2311 nldly=<bool>
2312
2313 noflsh=<bool>
2314
2315 ocrnl=<bool>
2316
2317 ofdel=<bool>
2318
2319 ofill=<bool>
2320
2321 olcuc=<bool>
2322
2323 onlcr=<bool>
2324
2325 onlret=<bool>
2326
2327 onocr=<bool>
2328
2329 opost=<bool>
2330 Enables or disables output processing; e.g., converts NL to
2331 CR-NL.
2332
2333 ospeed=<unsigned-int>
2334 Set the baud rate for outgoing data on this line.
2335 See also: ispeed, b19200
2336
2337 parenb=<bool>
2338 Enable parity generation on output and parity checking for in‐
2339 put.
2340
2341 parmrk=<bool>
2342
2343 parodd=<bool>
2344
2345 pendin=<bool>
2346
2347 quit=<byte>
2348
2349 reprint=<byte>
2350
2351 sane Brings the terminal to something like a useful default state.
2352
2353 start=<byte>
2354
2355 stop=<byte>
2356
2357 susp=<byte>
2358
2359 swtc=<byte>
2360
2361 tab0
2362
2363 tab1
2364
2365 tab2
2366
2367 tab3
2368
2369 tabdly=<unsigned-int>
2370
2371 time=<byte>
2372
2373 tostop=<bool>
2374
2375 vt0
2376
2377 vt1
2378
2379 vtdly=<bool>
2380
2381 werase=<byte>
2382
2383 xcase=<bool>
2384
2385 xtabs
2386
2387 i-pop-all
2388 With UNIX System V STREAMS, removes all drivers from the stack.
2389
2390 i-push=<string>
2391 With UNIX System V STREAMS, pushes the driver (module) with the
2392 given name (string) onto the stack. For example, to make sure
2393 that a character device on Solaris supports termios etc, use the
2394 following options:
2395 i-pop-all,i-push=ptem,i-push=ldterm,i-push=ttcompat
2396
2397
2398 PTY option group
2399
2400 These options are intended for use with the pty address type.
2401
2402 link=<filename>
2403 Generates a symbolic link that points to the actual pseudo ter‐
2404 minal (pty). This might help to solve the problem that ptys are
2405 generated with more or less unpredictable names, making it dif‐
2406 ficult to directly access the socat generated pty automatically.
2407 With this option, the user can specify a "fix" point in the file
2408 hierarchy that helps him to access the actual pty (example).
2409 Beginning with socat version 1.4.3, the symbolic link is removed
2410 when the address is closed (but see option unlink-close).
2411
2412 wait-slave
2413 Blocks the open phase until a process opens the slave side of
2414 the pty. Usually, socat continues after generating the pty with
2415 opening the next address or with entering the transfer loop.
2416 With the wait-slave option, socat waits until some process opens
2417 the slave side of the pty before continuing. This option only
2418 works if the operating system provides the poll() system call.
2419 And it depends on an undocumented behaviour of pty’s, so it does
2420 not work on all operating systems. It has successfully been
2421 tested on Linux, FreeBSD, NetBSD, and on Tru64 with openpty.
2422
2423 pty-interval=<seconds>
2424 When the wait-slave option is set, socat periodically checks the
2425 HUP condition using poll() to find if the pty’s slave side has
2426 been opened. The default polling interval is 1s. Use the pty-in‐
2427 terval option [timeval] to change this value.
2428
2429
2430 OPENSSL option group
2431
2432 These options apply to the openssl and openssl-listen address types.
2433
2434 cipher=<cipherlist>
2435 Specifies the list of ciphers that may be used for the connec‐
2436 tion. See the man page of ciphers , section CIPHER LIST FORMAT,
2437 for detailed information about syntax, values, and default of
2438 <cipherlist>.
2439 Several cipher strings may be given, separated by ’:’. Some
2440 simple cipher strings:
2441
2442 3DES Uses a cipher suite with triple DES.
2443
2444 MD5 Uses a cipher suite with MD5.
2445
2446 aNULL Uses a cipher suite without authentication.
2447
2448 NULL Does not use encryption.
2449
2450 HIGH Uses a cipher suite with "high" encryption. Note that the peer
2451 must support the selected property, or the negotiation will
2452 fail.
2453
2454 method=<ssl-method>
2455 This option is based on deprecated functions and is only avail‐
2456 able when socat was build with option --with-openssl-method.
2457 Use option min-proto-version and maybe max-proto-version in‐
2458 stead. Sets the protocol version to be used. Valid strings (not
2459 case sensitive) are:
2460
2461 SSL2 Select SSL protocol version 2.
2462
2463 SSL3 Select SSL protocol version 3.
2464
2465 SSL23 Select the best available SSL or TLS protocol.
2466
2467 TLS1 Select TLS protocol version 1.
2468
2469 TLS1.1 Select TLS protocol version 1.1.
2470
2471 TLS1.2 Select TLS protocol version 1.2. When this option is not pro‐
2472 vided OpenSSL negotiates the mothod with its peer.
2473
2474 min-proto-version
2475 This option tells OpenSSL to use this or a later SSL/TLS proto‐
2476 col version and refuses to accept a lower/older protocol. Valid
2477 syntax is:
2478
2479 SSL2 Select SSL protocol version 2.
2480
2481 SSL3 Select SSL protocol version 3.
2482
2483 TLS1
2484
2485 TLS1.0 Select TLS protocol version 1.
2486
2487 TLS1.1 Select TLS protocol version 1.1.
2488
2489 TLS1.2 Select TLS protocol version 1.2.
2490
2491 TLS1.3 Select TLS protocol version 1.3.
2492
2493 openssl-max-proto-version
2494 This option is similar to min-proto-version, however, it disal‐
2495 lows use of a higher protocol version. Useful for testing the
2496 peer.
2497
2498 verify=<bool>
2499 Controls check of the peer’s certificate. Default is 1 (true).
2500 Disabling verify might open your socket for everyone, making the
2501 encryption useless!
2502
2503 cert=<filename>
2504 Specifies the file with the certificate and private key for au‐
2505 thentication. The certificate must be in OpenSSL format
2506 (*.pem). With openssl-listen, use of this option is strongly
2507 recommended. Except with cipher aNULL, "no shared ciphers" error
2508 will occur when no certificate is given.
2509
2510 key=<filename>
2511 Specifies the file with the private key. The private key may be
2512 in this file or in the file given with the cert option. The
2513 party that has to proof that it is the owner of a certificate
2514 needs the private key.
2515
2516 dhparams=<filename>
2517 Specifies the file with the Diffie Hellman parameters. These pa‐
2518 rameters may also be in the file given with the cert option in
2519 which case the dhparams option is not needed.
2520
2521 cafile=<filename>
2522 Specifies the file with the trusted (root) authority certifi‐
2523 cates. The file must be in PEM format and should contain one or
2524 more certificates. The party that checks the authentication of
2525 its peer trusts only certificates that are in this file.
2526
2527 capath=<dirname>
2528 Specifies the directory with the trusted (root) certificates.
2529 The directory must contain certificates in PEM format and their
2530 hashes (see OpenSSL documentation)
2531
2532 egd=<filename>
2533 On some systems, openssl requires an explicit source of random
2534 data. Specify the socket name where an entropy gathering daemon
2535 like egd provides random data, e.g. /dev/egd-pool.
2536
2537 pseudo On systems where openssl cannot find an entropy source and where
2538 no entropy gathering daemon can be utilized, this option acti‐
2539 vates a mechanism for providing pseudo entropy. This is achieved
2540 by taking the current time in microseconds for feeding the libc
2541 pseudo random number generator with an initial value. openssl is
2542 then feeded with output from random() calls.
2543 NOTE:This mechanism is not sufficient for generation of secure
2544 keys!
2545
2546 compress
2547 Enable or disable the use of compression for a connection. Set‐
2548 ting this to "none" disables compression, setting it to "auto"
2549 lets OpenSSL choose the best available algorithm supported by
2550 both parties. The default is to not touch any compression-re‐
2551 lated settings. NOTE: Requires OpenSSL 0.9.8 or higher and dis‐
2552 abling compression with OpenSSL 0.9.8 affects all new connec‐
2553 tions in the process.
2554
2555 commonname=<string>
2556 Specify the commonname that the peer certificate must match.
2557 With OPENSSL-CONNECT address this overrides the given hostname
2558 or IP target address; with OPENSSL-LISTEN this turns on check of
2559 peer certificates commonname. This option has only meaning when
2560 option verify is not disabled and the chosen cipher provides a
2561 peer certificate.
2562
2563 no-sni=<bool>
2564 Do not use the client side Server Name Indication (SNI) feature
2565 that selects the desired server certificate.
2566 Note: SNI is automatically used since socat version 1.7.4.0 and
2567 uses commonname or the given host name.
2568
2569 snihost=<string>
2570 Set the client side Server Name Indication (SNI) host name dif‐
2571 ferent from the addressed server name or common name. This might
2572 be useful when the server certificate has multiple host names or
2573 wildcard names because the SNI host name is passed in cleartext
2574 to the server and might be eavesdropped; with this option a mock
2575 name of the desired certificate may be transferred.
2576
2577 fips Enables FIPS mode if compiled in. For info about the FIPS en‐
2578 cryption implementation standard see http://oss-insti‐
2579 tute.org/fips-faq.html. This mode might require that the in‐
2580 volved certificates are generated with a FIPS enabled version of
2581 openssl. Setting or clearing this option on one socat address
2582 affects all OpenSSL addresses of this process.
2583
2584
2585 RETRY option group
2586
2587 Options that control retry of some system calls, especially connection
2588 attempts.
2589
2590 retry=<num>
2591 Number of retries before the connection or listen attempt is
2592 aborted. Default is 0, which means just one attempt.
2593
2594 interval=<timespec>
2595 Time between consecutive attempts (seconds, [timespec]). Default
2596 is 1 second.
2597
2598 forever
2599 Performs an unlimited number of retry attempts.
2600
2601
2602 TUN option group
2603
2604 Options that control Linux TUN/TAP interface device addresses.
2605
2606 tun-device=<device-file>
2607 Instructs socat to take another path for the TUN clone device.
2608 Default is /dev/net/tun.
2609
2610 tun-name=<if-name>
2611 Gives the resulting network interface a specific name instead of
2612 the system generated (tun0, tun1, etc.)
2613
2614 tun-type=[tun|tap]
2615 Sets the type of the TUN device; use this option to generate a
2616 TAP device. See the Linux docu for the difference between these
2617 types. When you try to establish a tunnel between two TUN de‐
2618 vices, their types should be the same.
2619
2620 iff-no-pi
2621 Sets the IFF_NO_PI flag which controls if the device includes
2622 additional packet information in the tunnel. When you try to
2623 establish a tunnel between two TUN devices, these flags should
2624 have the same values.
2625
2626 iff-up Sets the TUN network interface status UP. Strongly recommended.
2627
2628 iff-broadcast
2629 Sets the BROADCAST flag of the TUN network interface.
2630
2631 iff-debug
2632 Sets the DEBUG flag of the TUN network interface.
2633
2634 iff-loopback
2635 Sets the LOOPBACK flag of the TUN network interface.
2636
2637 iff-pointopoint
2638 Sets the POINTOPOINT flag of the TUN device.
2639
2640 iff-notrailers
2641 Sets the NOTRAILERS flag of the TUN device.
2642
2643 iff-running
2644 Sets the RUNNING flag of the TUN device.
2645
2646 iff-noarp
2647 Sets the NOARP flag of the TUN device.
2648
2649 iff-promisc
2650 Sets the PROMISC flag of the TUN device.
2651
2652 iff-allmulti
2653 Sets the ALLMULTI flag of the TUN device.
2654
2655 iff-master
2656 Sets the MASTER flag of the TUN device.
2657
2658 iff-slave
2659 Sets the SLAVE flag of the TUN device.
2660
2661 iff-multicast
2662 Sets the MULTICAST flag of the TUN device.
2663
2664 iff-portsel
2665 Sets the PORTSEL flag of the TUN device.
2666
2667 iff-automedia
2668 Sets the AUTOMEDIA flag of the TUN device.
2669
2670 iff-dynamic
2671 Sets the DYNAMIC flag of the TUN device.
2672
2673
2675 This section explains the different data types that address parameters
2676 and address options can take.
2677
2678 address-range
2679 Is currently only implemented for IPv4 and IPv6. See address-op‐
2680 tion `range’
2681
2682 bool "0" or "1"; if value is omitted, "1" is taken.
2683
2684 byte An unsigned int number, read with strtoul() , lower or equal to
2685 UCHAR_MAX .
2686
2687 command-line
2688 A string specifying a program name and its arguments, separated
2689 by single spaces.
2690
2691 data This is a more general data specification. The given text string
2692 contains information about the target data type and value. Gen‐
2693 erally a leading character specifies the type of the following
2694 data item. In its specific context a default data type may ex‐
2695 ist.
2696 Currently only the following specifications are implemented:
2697
2698 i A signed integer number, stored in host byte order.
2699 Example: i-1000 (Integer number -1000)
2700
2701 I An unsigned integer number, stored in host byte order.
2702
2703 l A signed long integer number, stored in host byte order.
2704
2705 L An unsigned long integer number, stored in host byte order.
2706
2707 s A signed short integer number, stored in host byte order.
2708
2709 S An unsigned short integer number, stored in host byte order.
2710
2711 b A signed byte (signed char).
2712
2713 B An unsigned byte (unsigned char).
2714
2715 x Following is an even number of hex digits, stored as sequence of
2716 bytes.
2717 Example: x7f000001 (IP address 127.0.0.1)
2718
2719 " Following is a string that is used with the common conversions
2720 \n \r \t \f \b \a \e \0; the string must be closed with ’"’.
2721 Please note that the quotes and backslashes need to be escaped
2722 from shell and socat conversion.
2723 Example: "Hello world!\n"
2724
2725 ’ A single char, with the usual conversions. Please note that the
2726 quotes and backslashes need to be escaped from shell and socat
2727 conversion.
2728 Example: ’a’ Data items may be separated with white space
2729 without need to repeat the type specifier again.
2730
2731 directory
2732 A string with usual UN*X directory name semantics.
2733
2734 facility
2735 The name of a syslog facility in lower case characters.
2736
2737 fdnum An unsigned int type, read with strtoul() , specifying a UN*X
2738 file descriptor.
2739
2740 filename
2741 A string with usual UN*X filename semantics.
2742
2743 group If the first character is a decimal digit, the value is read
2744 with strtoul() as unsigned integer specifying a group id. Other‐
2745 wise, it must be an existing group name.
2746
2747 int A number following the rules of the strtol() function with base
2748 "0", i.e. decimal number, octal number with leading "0", or
2749 hexadecimal number with leading "0x". The value must fit into a
2750 C int.
2751
2752 interface
2753 A string specifying the device name of a network interface as
2754 shown by ifconfig or procan, e.g. "eth0".
2755
2756 IP address
2757 An IPv4 address in numbers-and-dots notation, an IPv6 address in
2758 hex notation enclosed in brackets, or a hostname that resolves
2759 to an IPv4 or an IPv6 address.
2760 Examples: 127.0.0.1, [::1], www.dest-unreach.org, dns1
2761
2762 IPv4 address
2763 An IPv4 address in numbers-and-dots notation or a hostname that
2764 resolves to an IPv4 address.
2765 Examples: 127.0.0.1, www.dest-unreach.org, dns2
2766
2767 IPv6 address
2768 An IPv6 address in hexnumbers-and-colons notation enclosed in
2769 brackets, or a hostname that resolves to an IPv6 address.
2770 Examples: [::1], [1234:5678:9abc:def0:1234:5678:9abc:def0],
2771 ip6name.domain.org
2772
2773 long A number read with strtol() . The value must fit into a C long.
2774
2775 long long
2776 A number read with strtoll() . The value must fit into a C long
2777 long.
2778
2779 off_t An implementation dependend signed number, usually 32 bits, read
2780 with strtol or strtoll.
2781
2782 off64_t
2783 An implementation dependend signed number, usually 64 bits, read
2784 with strtol or strtoll.
2785
2786 mode_t An unsigned integer, read with strtoul() , specifying mode (per‐
2787 mission) bits.
2788
2789 pid_t A number, read with strtol() , specifying a process id.
2790
2791 port A uint16_t (16 bit unsigned number) specifying a TCP or UDP
2792 port, read with strtoul() .
2793
2794 protocol
2795 An unsigned 8 bit number, read with strtoul() .
2796
2797 size_t An unsigned number with size_t limitations, read with strtoul .
2798
2799 sockname
2800 A socket address. See address-option `bind’
2801
2802 string A sequence of characters, not containing ’\0’ and, depending on
2803 the position within the command line, ’:’, ’,’, or "!!". Note
2804 that you might have to escape shell meta characters in the com‐
2805 mand line.
2806
2807 TCP service
2808 A service name, not starting with a digit, that is resolved by
2809 getservbyname() , or an unsigned int 16 bit number read with
2810 strtoul() .
2811
2812 timeval
2813 A double float specifying seconds; the number is mapped into a
2814 struct timeval, consisting of seconds and microseconds.
2815
2816 timespec
2817 A double float specifying seconds; the number is mapped into a
2818 struct timespec, consisting of seconds and nanoseconds.
2819
2820 UDP service
2821 A service name, not starting with a digit, that is resolved by
2822 getservbyname() , or an unsigned int 16 bit number read with
2823 strtoul() .
2824
2825 unsigned int
2826 A number read with strtoul() . The value must fit into a C un‐
2827 signed int.
2828
2829 user If the first character is a decimal digit, the value is read
2830 with strtoul() as unsigned integer specifying a user id. Other‐
2831 wise, it must be an existing user name.
2832
2833 VSOCK cid
2834 A uint32_t (32 bit unsigned number) specifying a VSOCK Context
2835 Identifier (CID), read with strtoul() . There are several spe‐
2836 cial addresses: VMADDR_CID_ANY (-1U) means any address for bind‐
2837 ing; VMADDR_CID_HOST (2) is the well-known address of the host.
2838
2839 VSOCK port
2840 A uint32_t (32 bit unsigned number) specifying a VSOCK port,
2841 read with strtoul() .
2842
2843
2845 socat - TCP4:www.domain.org:80
2846
2847
2848 transfers data between STDIO (-) and a TCP4 connection to port
2849 80 of host www.domain.org. This example results in an interac‐
2850 tive connection similar to telnet or netcat. The stdin terminal
2851 parameters are not changed, so you may close the relay with ^D
2852 or abort it with ^C.
2853
2854 socat -d -d READLINE,history=$HOME/.http_history \
2855 TCP4:www.domain.org:www,crnl
2856
2857 this is similar to the previous example, but you can edit the
2858 current line in a bash like manner (READLINE) and use the his‐
2859 tory file .http_history; socat prints messages about progress
2860 (-d -d). The port is specified by service name (www), and cor‐
2861 rect network line termination characters (crnl) instead of NL
2862 are used.
2863
2864 socat TCP4-LISTEN:www TCP4:www.domain.org:www
2865
2866
2867 installs a simple TCP port forwarder. With TCP4-LISTEN it lis‐
2868 tens on local port "www" until a connection comes in, accepts
2869 it, then connects to the remote host (TCP4) and starts data
2870 transfer. It will not accept a second connection.
2871
2872 socat -d -d -lmlocal2 \
2873 TCP4-LISTEN:80,bind=myaddr1,reuseaddr,fork,su=nobody,range=10.0.0.0/8 \
2874 TCP4:www.domain.org:80,bind=myaddr2
2875
2876 TCP port forwarder, each side bound to another local IP address
2877 (bind). This example handles an almost arbitrary number of par‐
2878 allel or consecutive connections by fork’ing a new process after
2879 each accept() . It provides a little security by su’ing to user
2880 nobody after forking; it only permits connections from the pri‐
2881 vate 10 network (range); due to reuseaddr, it allows immediate
2882 restart after master process’s termination, even if some child
2883 sockets are not completely shut down. With -lmlocal2, socat
2884 logs to stderr until successfully reaching the accept loop. Fur‐
2885 ther logging is directed to syslog with facility local2.
2886
2887 socat TCP4-LISTEN:5555,fork,tcpwrap=script \
2888 EXEC:/bin/myscript,chroot=/home/sandbox,su-d=sandbox,pty,stderr
2889
2890 a simple server that accepts connections (TCP4-LISTEN) and
2891 fork’s a new child process for each connection; every child acts
2892 as single relay. The client must match the rules for daemon
2893 process name "script" in /etc/hosts.allow and /etc/hosts.deny,
2894 otherwise it is refused access (see "man 5 hosts_access"). For
2895 EXEC’uting the program, the child process chroot’s to
2896 /home/sandbox, su’s to user sandbox, and then starts the program
2897 /home/sandbox/bin/myscript. Socat and myscript communicate via a
2898 pseudo tty (pty); myscript’s stderr is redirected to stdout, so
2899 its error messages are transferred via socat to the connected
2900 client.
2901
2902 socat EXEC:"mail.sh target@domain.com",fdin=3,fdout=4 \
2903 TCP4:mail.relay.org:25,crnl,bind=alias1.server.org,mss=512
2904
2905 mail.sh is a shell script, distributed with socat, that imple‐
2906 ments a simple SMTP client. It is programmed to "speak" SMTP on
2907 its FDs 3 (in) and 4 (out). The fdin and fdout options tell so‐
2908 cat to use these FDs for communication with the program. Because
2909 mail.sh inherits stdin and stdout while socat does not use them,
2910 the script can read a mail body from stdin. Socat makes alias1
2911 your local source address (bind), cares for correct network line
2912 termination (crnl) and sends at most 512 data bytes per packet
2913 (mss).
2914
2915 socat -,escape=0x0f /dev/ttyS0,rawer,crnl
2916
2917
2918 opens an interactive connection via the serial line, e.g. for
2919 talking with a modem. rawer sets the console’s and ttyS0’s ter‐
2920 minal parameters to practicable values, crnl converts to correct
2921 newline characters. escape allows terminating the socat process
2922 with character control-O. Consider using READLINE instead of
2923 the first address.
2924
2925 socat UNIX-LISTEN:/tmp/.X11-unix/X1,fork \
2926 SOCKS4:host.victim.org:127.0.0.1:6000,socksuser=nobody,sourceport=20
2927
2928 with UNIX-LISTEN, socat opens a listening UNIX domain socket
2929 /tmp/.X11-unix/X1. This path corresponds to local XWindow dis‐
2930 play :1 on your machine, so XWindow client connections to DIS‐
2931 PLAY=:1 are accepted. Socat then speaks with the SOCKS4 server
2932 host.victim.org that might permit sourceport 20 based connec‐
2933 tions due to an FTP related weakness in its static IP filters.
2934 Socat pretends to be invoked by socksuser nobody, and requests
2935 to be connected to loopback port 6000 (only weak sockd configu‐
2936 rations will allow this). So we get a connection to the victims
2937 XWindow server and, if it does not require MIT cookies or Ker‐
2938 beros authentication, we can start work. Please note that there
2939 can only be one connection at a time, because TCP can establish
2940 only one session with a given set of addresses and ports.
2941
2942 socat -u /tmp/readdata,seek-end=0,ignoreeof -
2943
2944
2945 this is an example for unidirectional data transfer (-u). Socat
2946 transfers data from file /tmp/readdata (implicit address GOPEN),
2947 starting at its current end (seek-end=0 lets socat start reading
2948 at current end of file; use seek=0 or no seek option to first
2949 read the existing data) in a "tail -f" like mode (ignoreeof).
2950 The "file" might also be a listening UNIX domain socket (do not
2951 use a seek option then).
2952
2953 (sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1) |
2954 socat - EXEC:'ssh -l user server',pty,setsid,ctty
2955
2956 EXEC’utes an ssh session to server. Uses a pty for communication
2957 between socat and ssh, makes it ssh’s controlling tty (ctty),
2958 and makes this pty the owner of a new process group (setsid), so
2959 ssh accepts the password from socat.
2960
2961 socat -u TCP4-LISTEN:3334,reuseaddr,fork \
2962 OPEN:/tmp/in.log,creat,append
2963
2964 implements a simple network based message collector. For each
2965 client connecting to port 3334, a new child process is generated
2966 (option fork). All data sent by the clients are append’ed to
2967 the file /tmp/in.log. If the file does not exist, socat creat’s
2968 it. Option reuseaddr allows immediate restart of the server
2969 process.
2970
2971 socat READLINE,noecho=’[Pp]assword:’ EXEC:’ftp ftp.server.com’,pty,set‐
2972 sid,ctty
2973
2974
2975 wraps a command line history (READLINE) around the EXEC’uted ftp
2976 client utility. This allows editing and reuse of FTP commands
2977 for relatively comfortable browsing through the ftp directory
2978 hierarchy. The password is echoed! pty is required to have ftp
2979 issue a prompt. Nevertheless, there may occur some confusion
2980 with the password and FTP prompts.
2981
2982 socat PTY,link=$HOME/dev/vmodem0,rawer,wait-slave \
2983 EXEC:"ssh modemserver.us.org socat - /dev/ttyS0,nonblock,rawer"
2984
2985 generates a pseudo terminal device (PTY) on the client that can
2986 be reached under the symbolic link $HOME/dev/vmodem0. An appli‐
2987 cation that expects a serial line or modem can be configured to
2988 use $HOME/dev/vmodem0; its traffic will be directed to a modem‐
2989 server via ssh where another socat instance links it to
2990 /dev/ttyS0.
2991
2992 socat TCP4-LISTEN:2022,reuseaddr,fork \
2993 PROXY:proxy:www.domain.org:22,proxyport=3128,proxyauth=user:pass
2994
2995 starts a forwarder that accepts connections on port 2022, and
2996 directs them through the proxy daemon listening on port 3128
2997 (proxyport) on host proxy, using the CONNECT method, where they
2998 are authenticated as "user" with "pass" (proxyauth). The proxy
2999 should establish connections to host www.domain.org on port 22
3000 then.
3001
3002 socat - SSL:server:4443,cafile=server.crt,cert=client.pem
3003
3004
3005 is an OpenSSL client that tries to establish a secure connection
3006 to an SSL server. Option cafile specifies a file that contains
3007 trust certificates: we trust the server only when it presents
3008 one of these certificates and proofs that it owns the related
3009 private key. Otherwise the connection is terminated. With cert
3010 a file containing the client certificate and the associated pri‐
3011 vate key is specified. This is required in case the server
3012 wishes a client authentication; many Internet servers do not.
3013 The first address (’-’) can be replaced by almost any other so‐
3014 cat address.
3015
3016 socat OPENSSL-LISTEN:4443,reuse‐
3017 addr,pf=ip4,fork,cert=server.pem,cafile=client.crt PIPE
3018
3019
3020 is an OpenSSL server that accepts TCP connections, presents the
3021 certificate from the file server.pem and forces the client to
3022 present a certificate that is verified against cafile.crt.
3023 The second address (’PIPE’) can be replaced by almost any other
3024 socat address.
3025 For instructions on generating and distributing OpenSSL keys and
3026 certificates see the additional socat docu socat-openssl.txt.
3027
3028 echo |socat -u - file:/tmp/bigfile,create,largefile,seek=100000000000
3029
3030
3031 creates a 100GB sparse file; this requires a file system type
3032 that supports this (ext2, ext3, reiserfs, jfs; not minix, vfat).
3033 The operation of writing 1 byte might take long (reiserfs: some
3034 minutes; ext2: "no" time), and the resulting file can consume
3035 some disk space with just its inodes (reiserfs: 2MB; ext2:
3036 16KB).
3037
3038 socat tcp-l:7777,reuseaddr,fork system:’filan -i 0 -s >&2’,nofork
3039
3040
3041 listens for incoming TCP connections on port 7777. For each ac‐
3042 cepted connection, invokes a shell. This shell has its stdin and
3043 stdout directly connected to the TCP socket (nofork). The shell
3044 starts filan and lets it print the socket addresses to stderr
3045 (your terminal window).
3046
3047 echo -e "\0\14\0\0\c" |socat -u -
3048 file:/usr/bin/squid.exe,seek=0x00074420
3049
3050
3051 functions as primitive binary editor: it writes the 4 bytes 000
3052 014 000 000 to the executable /usr/bin/squid at offset
3053 0x00074420 (this is a real world patch to make the squid exe‐
3054 cutable from Cygwin run under Windows, actual per May 2004).
3055
3056 socat - tcp:www.blackhat.org:31337,readbytes=1000
3057
3058
3059 connects to an unknown service and prevents being flooded.
3060
3061 socat -U TCP:target:9999,end-close TCP-L:8888,reuseaddr,fork
3062
3063
3064 merges data arriving from different TCP streams on port 8888 to
3065 just one stream to target:9999. The end-close option prevents
3066 the child processes forked off by the second address from termi‐
3067 nating the shared connection to 9999 (close(2) just unlinks the
3068 inode which stays active as long as the parent process lives;
3069 shutdown(2) would actively terminate the connection).
3070
3071 socat - UDP4-DATAGRAM:192.168.1.0:123,sp=123,broad‐
3072 cast,range=192.168.1.0/24
3073
3074
3075 sends a broadcast to the network 192.168.1.0/24 and receives the
3076 replies of the timeservers there. Ignores NTP packets from hosts
3077 outside this network.
3078
3079 socat - SOCKET-DATA‐
3080 GRAM:2:2:17:x007bxc0a80100x0000000000000000,bind=x007bx00000000x0000000000000000,set‐
3081 sock‐
3082 opt-int=1:6:1,range=x0000xc0a80100x0000000000000000:x0000xffffff00x0000000000000000
3083
3084
3085 is semantically equivalent to the previous example, but all pa‐
3086 rameters are specified in generic form. the value 6 of setsock‐
3087 opt-int is the Linux value for SO_BROADCAST.
3088
3089 socat - IP4-DATAGRAM:255.255.255.255:44,broadcast,range=10.0.0.0/8
3090
3091
3092 sends a broadcast to the local network(s) using protocol 44. Ac‐
3093 cepts replies from the private address range only.
3094
3095 socat - UDP4-DATAGRAM:224.255.0.1:6666,bind=:6666,ip-add-member‐
3096 ship=224.255.0.1:eth0
3097
3098
3099 transfers data from stdin to the specified multicast address us‐
3100 ing UDP. Both local and remote ports are 6666. Tells the inter‐
3101 face eth0 to also accept multicast packets of the given group.
3102 Multiple hosts on the local network can run this command, so all
3103 data sent by any of the hosts will be received by all the other
3104 ones. Note that there are many possible reasons for failure, in‐
3105 cluding IP-filters, routing issues, wrong interface selection by
3106 the operating system, bridges, or a badly configured switch.
3107
3108 socat UDP:host2:4443 TUN:192.168.255.1/24,up
3109
3110
3111 establishes one side of a virtual (but not private!) network
3112 with host2 where a similar process might run, with UDP-L and tun
3113 address 192.168.255.2. They can reach each other using the ad‐
3114 dresses 192.168.255.1 and 192.168.255.2. Note that streaming
3115 eg.via TCP or SSL does not guarantee to retain packet boundaries
3116 and might thus cause packet loss.
3117
3118 socat - VSOCK-CONNECT:2:1234
3119
3120
3121 establishes a VSOCK connection with the host (host is always
3122 reachable with the well-know CID=2) on 1234 port.
3123
3124 socat - VSOCK-LISTEN:1234
3125
3126
3127 listens for a VSOCK connection on 1234 port.
3128
3129 socat - VSOCK-CONNECT:31:4321,bind:5555
3130
3131
3132 establishes a VSOCK connection with the guest that have CID=31
3133 on 1234 port, binding the local socket to the 5555 port.
3134
3135 socat VSOCK-LISTEN:3333,reuseaddr,fork VSOCK-CONNECT:42,3333
3136
3137
3138 starts a forwarder that accepts VSOCK connections on port 3333,
3139 and directs them to the guest with CID=42 on the same port.
3140
3141 socat VSOCK-LISTEN:22,reuseaddr,fork TCP:localhost:22
3142
3143
3144 forwards VSOCK connections from 22 port to the local SSH server.
3145 Running this in a VM allows you to connect via SSH from the host
3146 using VSOCK, as in the example below.
3147
3148 socat TCP4-LISTEN:22222,reuseaddr,fork VSOCK-CONNECT:33:22
3149
3150
3151 forwards TCP connections from 22222 port to the guest with
3152 CID=33 listening on VSOCK port 22. Running this in the host,
3153 allows you to connect via SSH running "ssh -p 22222 user@local‐
3154 host", if the guest runs the example above.
3155
3156 socat PTY,link=/var/run/ppp,rawer INTERFACE:hdlc0
3157
3158
3159 circumvents the problem that pppd requires a serial device and
3160 thus might not be able to work on a synchronous line that is
3161 represented by a network device. socat creates a PTY to make
3162 pppd happy, binds to the network interface hdlc0, and can trans‐
3163 fer data between both devices. Use pppd on device /var/run/ppp
3164 then.
3165
3166 socat -T 1 -d -d TCP-L:10081,reuseaddr,fork,crlf SYSTEM:"echo -e
3167 \"\\\"HTTP/1.0 200 OK\\\nDocumentType: text/plain\\\n\\\ndate:
3168 \$\(date\)\\\nserver:\$SOCAT_SOCKADDR:\$SOCAT_SOCKPORT\\\nclient: \$SO‐
3169 CAT_PEERADDR:\$SOCAT_PEERPORT\\\n\\\"\"; cat; echo -e \"\\\"\\\n\\\"\""
3170
3171
3172 creates a simple HTTP echo server: each HTTP client that con‐
3173 nects gets a valid HTTP reply that contains information about
3174 the client address and port as it is seen by the server host,
3175 the host address (which might vary on multihomed servers), and
3176 the original client request.
3177
3178 socat -d -d UDP4-RECVFROM:9999,so-broadcast,so-timestamp,ip-pkt‐
3179 info,ip-recverr,ip-recvopts,ip-recvtos,ip-recvttl!!- SYSTEM:’export;
3180 sleep 1’ |grep SOCAT
3181
3182
3183 waits for an incoming UDP packet on port 9999 and prints the en‐
3184 vironment variables provided by socat. On BSD based systems you
3185 have to replace ip-pktinfo with ip-recvdstaddr,ip-recvif. Espe‐
3186 cially interesting is SOCAT_IP_DSTADDR: it contains the target
3187 address of the packet which may be a unicast, multicast, or
3188 broadcast address.
3189
3190 echo -e "M-SEARCH * HTTP/1.1\nHOST: 239.255.255.250:1900\nMAN:
3191 \"ssdp:discover\"\nMX: 4\nST: \"ssdp:all\"\n" |./socat - UDP-DATA‐
3192 GRAM:239.255.255.250:1900,crlf
3193
3194
3195 sends an SSDP (Simple Service Discovery Protocol) query to the
3196 local network and collects and outputs the answers received.
3197
3198
3199
3200
3202 Socat uses a logging mechanism that allows filtering messages by sever‐
3203 ity. The severities provided are more or less compatible to the appro‐
3204 priate syslog priority. With one or up to four occurrences of the -d
3205 command line option, the lowest priority of messages that are issued
3206 can be selected. Each message contains a single uppercase character
3207 specifying the messages severity (one of F, E, W, N, I, or D)
3208
3209 FATAL: Conditions that require unconditional and immediate program ter‐
3210 mination.
3211
3212 ERROR: Conditions that prevent proper program processing. Usually the
3213 program is terminated (see option -s).
3214
3215 WARNING:
3216 Something did not function correctly or is in a state where cor‐
3217 rect further processing cannot be guaranteed, but might be pos‐
3218 sible.
3219
3220 NOTICE:
3221 Interesting actions of the program, e.g. for supervising socat
3222 in some kind of server mode.
3223
3224 INFO: Description of what the program does, and maybe why it happens.
3225 Allows monitoring the lifecycles of file descriptors.
3226
3227 DEBUG: Description of how the program works, all system or library
3228 calls and their results.
3229
3230
3231 Log messages can be written to stderr, to a file, or to syslog.
3232
3233 On exit, socat gives status 0 if it terminated due to EOF or inactivity
3234 timeout, with a positive value on error, and with a negative value on
3235 fatal error.
3236
3238 /usr/bin/socat
3239 /usr/bin/filan
3240 /usr/bin/procan
3241
3243 Input variables carry information from the environment to socat, output
3244 variables are set by socat for use in executed scripts and programs.
3245
3246 In the output variables beginning with "SOCAT" this prefix is actually
3247 replaced by the upper case name of the executable or the value of op‐
3248 tion -lp.
3249
3250 SOCAT_DEFAULT_LISTEN_IP (input)
3251 (Values 4 or 6) Sets the IP version to be used for listen, recv,
3252 and recvfrom addresses if no pf (protocol-family) option is
3253 given. Is overridden by socat options -4 or -6.
3254
3255 SOCAT_PREFERRED_RESOLVE_IP (input)
3256 (Values 0, 4, or 6) Sets the IP version to be used when resolv‐
3257 ing target host names when version is not specified by address
3258 type, option pf (protocol-family), or address format. If name
3259 resolution does not return a matching entry, the first result
3260 (with differing IP version) is taken. With value 0, socat always
3261 selects the first record and its IP version.
3262
3263 SOCAT_FORK_WAIT (input)
3264 Specifies the time (seconds) to sleep the parent and child pro‐
3265 cesses after successful fork(). Useful for debugging.
3266
3267 SOCAT_VERSION (output)
3268 Socat sets this variable to its version string, e.g. "1.7.0.0"
3269 for released versions or e.g. "1.6.0.1+envvar" for temporary
3270 versions; can be used in scripts invoked by socat.
3271
3272 SOCAT_PID (output)
3273 Socat sets this variable to its process id. In case of fork ad‐
3274 dress option, SOCAT_PID gets the child processes id. Forking for
3275 exec and system does not change SOCAT_PID.
3276
3277 SOCAT_PPID (output)
3278 Socat sets this variable to its process id. In case of fork, SO‐
3279 CAT_PPID keeps the pid of the master process.
3280
3281 SOCAT_PEERADDR (output)
3282 With passive socket addresses (all LISTEN and RECVFROM ad‐
3283 dresses), this variable is set to a string describing the peers
3284 socket address. Port information is not included.
3285
3286 SOCAT_PEERPORT (output)
3287 With appropriate passive socket addresses (TCP, UDP, and SCTP -
3288 LISTEN and RECVFROM), this variable is set to a string contain‐
3289 ing the number of the peer port.
3290
3291 SOCAT_SOCKADDR (output)
3292 With all LISTEN addresses, this variable is set to a string de‐
3293 scribing the local socket address. Port information is not in‐
3294 cluded example
3295
3296 SOCAT_SOCKPORT (output)
3297 With TCP-LISTEN, UDP-LISTEN, and SCTP-LISTEN addresses, this
3298 variable is set to the local port.
3299
3300 SOCAT_TIMESTAMP (output)
3301 With all RECVFROM addresses where address option so-timestamp is
3302 applied, socat sets this variable to the resulting timestamp.
3303
3304 SOCAT_IP_OPTIONS (output)
3305 With all IPv4 based RECVFROM addresses where address option
3306 ip-recvopts is applied, socat fills this variable with the IP
3307 options of the received packet.
3308
3309 SOCAT_IP_DSTADDR (output)
3310 With all IPv4 based RECVFROM addresses where address option
3311 ip-recvdstaddr (BSD) or ip-pktinfo (other platforms) is applied,
3312 socat sets this variable to the destination address of the re‐
3313 ceived packet. This is particularly useful to identify broadcast
3314 and multicast addressed packets.
3315
3316 SOCAT_IP_IF (output)
3317 With all IPv4 based RECVFROM addresses where address option
3318 ip-recvif (BSD) or ip-pktinfo (other platforms) is applied, so‐
3319 cat sets this variable to the name of the interface where the
3320 packet was received.
3321
3322 SOCAT_IP_LOCADDR (output)
3323 With all IPv4 based RECVFROM addresses where address option
3324 ip-pktinfo is applied, socat sets this variable to the address
3325 of the interface where the packet was received.
3326
3327 SOCAT_IP_TOS (output)
3328 With all IPv4 based RECVFROM addresses where address option
3329 ip-recvtos is applied, socat sets this variable to the TOS (type
3330 of service) of the received packet.
3331
3332 SOCAT_IP_TTL (output)
3333 With all IPv4 based RECVFROM addresses where address option
3334 ip-recvttl is applied, socat sets this variable to the TTL (time
3335 to live) of the received packet.
3336
3337 SOCAT_IPV6_HOPLIMIT (output)
3338 With all IPv6 based RECVFROM addresses where address option
3339 ipv6-recvhoplimit is applied, socat sets this variable to the
3340 hoplimit value of the received packet.
3341
3342 SOCAT_IPV6_DSTADDR (output)
3343 With all IPv6 based RECVFROM addresses where address option
3344 ipv6-recvpktinfo is applied, socat sets this variable to the
3345 destination address of the received packet.
3346
3347 SOCAT_IPV6_TCLASS (output)
3348 With all IPv6 based RECVFROM addresses where address option
3349 ipv6-recvtclass is applied, socat sets this variable to the
3350 transfer class of the received packet.
3351
3352 SOCAT_OPENSSL_X509_ISSUER (output)
3353 Issuer field from peer certificate
3354
3355 SOCAT_OPENSSL_X509_SUBJECT (output)
3356 Subject field from peer certificate
3357
3358 SOCAT_OPENSSL_X509_COMMONNAME (output)
3359 commonName entries from peer certificates subject. Multiple val‐
3360 ues are separated by " // ".
3361
3362 SOCAT_OPENSSL_X509_* (output)
3363 all other entries from peer certificates subject
3364
3365 SOCAT_OPENSSL_X509V3_DNS (output)
3366 DNS entries from peer certificates extensions - subjectAltName
3367 field. Multiple values are separated by " // ".
3368
3369 HOSTNAME (input)
3370 Is used to determine the hostname for logging (see -lh).
3371
3372 LOGNAME (input)
3373 Is used as name for the socks client user name if no socksuser
3374 is given.
3375 With options su and su-d, LOGNAME is set to the given user name.
3376
3377 USER (input)
3378 Is used as name for the socks client user name if no socksuser
3379 is given and LOGNAME is empty.
3380 With options su and su-d, USER is set to the given user name.
3381
3382 SHELL (output)
3383 With options su and su-d, SHELL is set to the login shell of the
3384 given user.
3385
3386 PATH (output)
3387 Can be set with option path for exec and system addresses.
3388
3389 HOME (output)
3390 With options su and su-d, HOME is set to the home directory of
3391 the given user.
3392
3394 The work of the following groups and organizations was invaluable for
3395 this project:
3396
3397 The FSF (GNU, http://www.fsf.org/) project with their free and portable
3398 development software and lots of other useful tools and libraries.
3399
3400 The Linux developers community (http://www.linux.org/) for providing a
3401 free, open source operating system.
3402
3403 The Open Group (http://www.unix-systems.org/) for making their standard
3404 specifications available on the Internet for free.
3405
3407 This man page describes version 1.7.4 of socat.
3408
3410 Addresses cannot be nested, so a single socat process cannot, e.g.,
3411 drive ssl over socks.
3412
3413 Address option ftruncate without value uses default 1 instead of 0.
3414
3415 Verbose modes (-x and/or -v) display line termination characters incon‐
3416 sistently when address options cr or crnl are used: They show the data
3417 after conversion in either direction.
3418
3419 The data transfer blocksize setting (-b) is ignored with address read‐
3420 line.
3421
3422 Send bug reports to <socat@dest-unreach.org>
3423
3425 nc(1), rinetd(8), openssl(1), stunnel(8), rlwrap(1), setsid(1)
3426
3427 Socat home page http://www.dest-unreach.org/socat/
3428
3430 Gerhard Rieger <rieger@dest-unreach.org> and contributors
3431
3432
3433
3434 socat(1)