Update mans

CMakeLists.txt

@@ -285,6 +285,9 @@ endif()
 set(3PROXY_CORE_SOURCES
     src/3proxy.c
     src/auth.c
+    src/acl.c
+    src/limiter.c
+    src/redirect.c
     src/authradius.c
     src/hash.c
     src/resolve.c
@@ -416,7 +419,7 @@ target_include_directories(3proxy_crypt PRIVATE
 target_link_libraries(3proxy_crypt PRIVATE Threads::Threads)
 
 # Build standalone proxy executables
-foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
+foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm tlspr)
     if(PROXY_NAME STREQUAL "ftppr" OR PROXY_NAME STREQUAL "proxy")
         # ftppr and proxy use ftp_obj
         add_executable(${PROXY_NAME}
@@ -500,7 +503,7 @@ if(PAM_FOUND)
 endif()
 
 # Installation rules
-install(TARGETS 3proxy 3proxy_crypt proxy socks pop3p smtpp ftppr tcppm udppm tlspr
+install(TARGETS 3proxy 3proxy_crypt proxy socks pop3p smtpp ftppr tcppm tlspr
     RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
 )
 

Makefile.Linux

@@ -67,7 +67,6 @@ INSTALL_OBJS	= bin/3proxy \
 		  bin/proxy \
 		  bin/socks \
 		  bin/tcppm \
-		  bin/udppm \
 		  bin/tlspr
 		  
 

Makefile.openwrt-mips

@@ -67,8 +67,7 @@ INSTALL_OBJS	= src/3proxy \
 		  src/pop3p \
 		  src/proxy \
 		  src/socks \
-		  src/tcppm \
-		  src/udppm
+		  src/tcppm
 		  
 
 INSTALL_CFG_OBJS = scripts/3proxy.cfg \

doc/html/man3/3proxy.cfg.3.html

@@ -84,10 +84,10 @@ smtpp</b> [options] <b><br>
 ftppr</b> [options] <b><br>
 admin</b> [options] <b><br>
 dnspr</b> [options] <b><br>
-tcppm</b> [options] &lt;SRCPORT&gt; &lt;DSTADDR&gt;
-&lt;DSTPORT&gt; <b><br>
-udppm</b> [options] &lt;SRCPORT&gt; &lt;DSTADDR&gt;
-&lt;DSTPORT&gt; <br>
+tcppm</b> [options] <i>&lt;SRCPORT&gt; &lt;DSTADDR&gt;
+&lt;DSTPORT&gt;</i> <b><br>
+udppm</b> [options] <i>&lt;SRCPORT&gt; &lt;DSTADDR&gt;
+&lt;DSTPORT&gt;</i> <br>
 Descriptions: <b><br>
 proxy</b> HTTP/HTTPS proxy (default port 3128) <b><br>
 socks</b> SOCKS 4/4.5/5 proxy (default port 1080) <b><br>
@@ -111,15 +111,14 @@ specified for syntax compatibility. <b><br>
 udppm</b> UDP portmapper</p>
 
 <p style="margin-left:6%; margin-top: 1em">Options: <b><br>
--pNUMBER</b> change default server port to NUMBER <b><br>
--n</b> disable NTLM authentication (required if passwords
-are stored in Unix crypt format). <b><br>
--n1</b> enable NTLMv1 authentication. <b><br>
--g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY)</b> delay GRACE_DELAY
-milliseconds before polling if average polling size is below
-GRACE_TRAFF bytes and GRACE_NUM read operations in a single
-direction are detected within 1 second. Useful to minimize
-polling <b>-s</b> <br>
+-p</b><i>NUMBER</i> change default server port to NUMBER
+<b><br>
+
+-g(</b><i>GRACE_TRAFF</i><b>,</b><i>GRACE_NUM</i><b>,</b><i>GRACE_DELAY</i>)
+delay GRACE_DELAY milliseconds before polling if average
+polling size is below GRACE_TRAFF bytes and GRACE_NUM read
+operations in a single direction are detected within 1
+second. Useful to minimize polling <b>-s</b> <br>
 (for admin) secure, allow only secure operations, currently
 only traffic counters view without ability to reset. <br>
 (for dnspr) simple, do not use resolver and 3proxy cache,
@@ -142,35 +141,37 @@ packed in IPv6 in IPV6_V6ONLY compatible way. <b><br>
 resolvable <b><br>
 -64</b> Resolve IPv4 addresses if IPv6 address is not
 resolvable <b><br>
--RHOST:port</b> listen on given local HOST:port for incoming
-connections instead of making remote outgoing connection.
-Can be used with another 3proxy service running -r option
-for connect back functionality. Most commonly used with
-tcppm. HOST can be given as IP or hostname, useful in case
-of dynamic DNS. <b><br>
--rHOST:port</b> connect to given remote HOST:port instead of
-listening local connection on -p or default port. Can be
-used with another 3proxy service running -R option for
-connect back functionality. Most commonly used with proxy or
-socks. HOST can be given as IP or hostname, useful in case
-of dynamic DNS. <b><br>
--ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS,
--oROPTIONS</b> options for proxy-to-client (oc),
-proxy-to-server (os), proxy listening (ol), connect back
-client (or), connect back listening (oR) sockets. Options
-like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK,
-TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR,
-SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT,
-SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
-<b><br>
--DiINTERFACE, -DeINTERFACE</b> bind internal interface /
-external interface to given INTERFACE (e.g. eth0) if
-SO_BINDTODEVICE is supported by the system. You may need to
-run as root or have CAP_NET_RAW capability in order to bind
-to an interface, depending on the system, so this option may
+-R</b><i>HOST</i><b>:</b><i>port</i> listen on given local
+HOST:port for incoming connections instead of making remote
+outgoing connection. Can be used with another 3proxy service
+running -r option for connect back functionality. Most
+commonly used with tcppm. HOST can be given as IP or
+hostname, useful in case of dynamic DNS. <b><br>
+-r</b><i>HOST</i><b>:</b><i>port</i> connect to given remote
+HOST:port instead of listening local connection on -p or
+default port. Can be used with another 3proxy service
+running -R option for connect back functionality. Most
+commonly used with proxy or socks. HOST can be given as IP
+or hostname, useful in case of dynamic DNS. <b><br>
+-oc</b><i>OPTIONS</i><b>, -os</b><i>OPTIONS</i><b>,
+-ol</b><i>OPTIONS</i><b>, -or</b><i>OPTIONS</i><b>,
+-oR</b><i>OPTIONS</i> options for proxy-to-client
+(<b>-oc</b>), proxy-to-server (<b>-os</b>), proxy listening
+(<b>-ol</b>), connect back client (<b>-or</b>), connect back
+listening (<b>-oR</b>) sockets. Options like TCP_CORK,
+TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS,
+USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT,
+SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE,
+SO_DONTROUTE may be supported depending on OS. <b><br>
+-Di</b><i>INTERFACE</i><b>, -De</b><i>INTERFACE</i> bind
+internal (<b>-Di</b>) / external (<b>-De</b>) interface to
+given INTERFACE (e.g. eth0) if <b>SO_BINDTODEVICE</b> is
+supported by the system. You may need to run as root or have
+<b>CAP_NET_RAW</b> capability in order to bind to an
+interface, depending on the system, so this option may
 require root privileges and can be incompatible with some
-configuration commands like chroot and setuid (and daemon if
-setcap is used). <b><br>
+configuration commands like <b>chroot</b> and <b>setuid</b>
+(and <b>daemon</b> if setcap is used). <b><br>
 -e</b> External address. IP address of the interface the
 proxy should initiate connections from. External IP must be
 specified if you need incoming connections. By default the
@@ -207,10 +208,10 @@ proxy access must be authenticated, you can specify username
 as proxy_username:proxy_password:POP3_username@pop3server
 <br>
 DNS proxy resolves any types of records but only hostnames
-are cached. It requires nserver/nscache to be configured. If
-nserver is configured as TCP, redirections are applied on
-connection, so parent proxy may be used to resolve names to
-IP. <br>
+are cached. It requires <b>nserver</b>/<b>nscache</b> to be
+configured. If <b>nserver</b> is configured as TCP,
+redirections are applied on connection, so parent proxy may
+be used to resolve names to IP. <br>
 FTP proxy can be used as FTP server in any FTP client or
 configured as FTP proxy on a client with FTP proxy support.
 Username format is one of <br>
@@ -224,11 +225,11 @@ authentication use proxyuser:proxypassword:FTPuser as FTP
 username, otherwise do not change original FTP user name</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>include</b>
-&lt;path&gt; <br>
+<i>&lt;path&gt;</i> <br>
 Include config file</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>config</b>
-&lt;path&gt; <br>
+<i>&lt;path&gt;</i> <br>
 Path to configuration file to use on 3proxy restart or to
 save configuration.</p>
 
@@ -244,20 +245,20 @@ using it.</p>
 End of configuration</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>log</b>
-[[@|&amp;]logfile] [&lt;LOGTYPE&gt;] <br>
+[[@|&amp;]<i>logfile</i>] [<i>&lt;LOGTYPE&gt;</i>] <br>
 sets logfile for all gateways <br>
 @ (for Unix) use syslog, filename is used as ident name <br>
 &amp; use ODBC, filename consists of comma-delimited
 datasource,username,password (username and password are
 optional) <br>
 radius - use RADIUS for logging <br>
-LOGTYPE is one of: <br>
-c Minutely <br>
-H Hourly <br>
-D Daily <br>
-W Weekly (starting from Sunday) <br>
-M Monthly <br>
-Y Annually <br>
+LOGTYPE is one of: <b><br>
+c</b> Minutely <b><br>
+H</b> Hourly <b><br>
+D</b> Daily <b><br>
+W</b> Weekly (starting from Sunday) <b><br>
+M</b> Monthly <b><br>
+Y</b> Annually <br>
 if logfile is not specified logging goes to stdout. You can
 specify individual logging options for gateway by using -l
 option in gateway configuration. <br>
@@ -270,12 +271,12 @@ Grinwitch time zone for all time-based format
 specificators.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>rotate</b>
-&lt;n&gt; <br>
+<i>&lt;n&gt;</i> <br>
 how many archived log files to keep</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>logformat</b>
-&lt;format&gt; <br>
+<i>&lt;format&gt;</i> <br>
 Format for log record. First symbol in format must be L
 (local time) or G (absolute Grinwitch time). It can be
 preceeded with -XXX+Y where XXX is list of characters to be
@@ -332,7 +333,8 @@ l_service, l_in, l_out, l_descr) values (&acute;%d-%m-%Y
 &acute;%T&acute;)&quot;</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>logdump</b>
-&lt;in_traffic_limit&gt; &lt;out_traffic_limit&gt; <br>
+<i>&lt;in_traffic_limit&gt; &lt;out_traffic_limit&gt;</i>
+<br>
 Immediately creates additional log records if given amount
 of incoming/outgoing traffic is achieved for connection,
 without waiting for connection to finish. It may be useful
@@ -341,7 +343,7 @@ server shutdown.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>delimchar</b>
-&lt;char&gt; <br>
+<i>&lt;char&gt;</i> <br>
 Sets the delimiter character used to separate username from
 hostname in proxy authentication strings (e.g. for FTP, POP3
 proxies). Default is &acute;@&acute;. For example, to use
@@ -349,48 +351,50 @@ proxies). Default is &acute;@&acute;. For example, to use
 to contain the &acute;@&acute; character.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>archiver</b>
-&lt;ext&gt; &lt;commandline&gt; <br>
+<i>&lt;ext&gt; &lt;commandline&gt;</i> <br>
 Archiver to use for log files. &lt;ext&gt; is file extension
 produced by archiver. Filename will be last argument to
 archiver, optionally you can use %A as produced archive name
 and %F as filename.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>timeouts</b>
-&lt;BYTE_SHORT&gt; &lt;BYTE_LONG&gt; &lt;STRING_SHORT&gt;
+<i>&lt;BYTE_SHORT&gt; &lt;BYTE_LONG&gt; &lt;STRING_SHORT&gt;
 &lt;STRING_LONG&gt; &lt;CONNECTION_SHORT&gt;
 &lt;CONNECTION_LONG&gt; &lt;DNS&gt; &lt;CHAIN&gt;
-&lt;CONNECT&gt; &lt;CONNECTBACK&gt; <br>
+&lt;CONNECT&gt; &lt;CONNECTBACK&gt;</i> <br>
 Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15,
-60, 15, 5. <br>
-BYTE_SHORT short timeout for single byte, is usually used
-for receiving single byte from stream. <br>
-BYTE_LONG long timeout for single byte, is usually used for
-receiving first byte in frame (for example first byte in
-socks request). <br>
-STRING_SHORT short timeout, for character string within
-stream (for example to wait between 2 HTTP headers) <br>
-STRING_LONG long timeout, for first string in stream (for
-example to wait for HTTP request). <br>
-CONNECTION_SHORT inactivity timeout for short connections
-(HTTP, POP3, etc). <br>
-CONNECTION_LONG inactivity timeout for long connection
-(SOCKS, portmappers, etc). <br>
-DNS timeout for DNS request before requesting next server
+60, 15, 5. <b><br>
+BYTE_SHORT</b> short timeout for single byte, is usually
+used for receiving single byte from stream. <b><br>
+BYTE_LONG</b> long timeout for single byte, is usually used
+for receiving first byte in frame (for example first byte in
+socks request). <b><br>
+STRING_SHORT</b> short timeout, for character string within
+stream (for example to wait between 2 HTTP headers) <b><br>
+STRING_LONG</b> long timeout, for first string in stream
+(for example to wait for HTTP request). <b><br>
+CONNECTION_SHORT</b> inactivity timeout for short
+connections (HTTP, POP3, etc). <b><br>
+CONNECTION_LONG</b> inactivity timeout for long connection
+(SOCKS, portmappers, etc). <b><br>
+DNS</b> timeout for DNS request before requesting next
+server <b><br>
+CHAIN</b> timeout for reading data from chained connection
 <br>
-CHAIN timeout for reading data from chained connection <br>
 default timeouts 1 5 30 60 180 1800 15 60 15 5</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>maxseg</b>
-&lt;value&gt; <br>
+<i>&lt;value&gt;</i> <br>
 Sets TCP maximum segment size (MSS) for outgoing
 connections. This can be used to work around path MTU
 discovery issues or to optimize traffic for specific network
 conditions.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>radius</b>
-&lt;NAS_SECRET&gt;
-&lt;radius_server_1[:port][/local_address_1]&gt;
-&lt;radius_server_2[:port][/local_address_2]&gt; <br>
+<i>&lt;NAS_SECRET&gt;
+&lt;radius_server_1</i>[:<i>port</i>][/<i>local_address_1</i>]
+<i>&lt;radius_server_2</i>[:<i>port</i>][/<i>local_address_2</i>]
+<br>
 Configures RADIUS servers to be used for logging and
 authentication (log and auth types must be set to radius).
 port and local address to use with given server may be
@@ -409,12 +413,12 @@ CONNECT), Login-TCP-Port: (requested port), Login-IPv6-Host
 / Login-IP-Host: (requested IP). <br>
 Supported reply attributes for authentication:
 Framed-IP-Address / Framed-IPv6-Address (IP to assign to
-user), Reply-Message. Use authcache to speedup
+user), Reply-Message. Use <b>authcache</b> to speedup
 authentication. RADIUS feature is currently
 experimental.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>nserver</b>
-&lt;ipaddr&gt;[:port][/tcp] <br>
+<i>&lt;ipaddr&gt;</i>[:<i>port</i>][/<i>tcp</i>] <br>
 Nameserver to use for name resolutions. If none specified
 system routines for name resolution is used. Optional port
 number may be specified. If optional /tcp is added to IP
@@ -422,33 +426,36 @@ address, name resolution is performed over TCP.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>authnserver</b>
-&lt;ipaddr&gt;[:port][/tcp] <br>
+<i>&lt;ipaddr&gt;</i>[:<i>port</i>][/<i>tcp</i>] <br>
 Nameserver to use for DNS-based authentication (e.g. dnsname
 auth type). If not specified, nserver is used. The syntax is
 the same as for nserver.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>nscache</b>
-&lt;cachesize&gt; <b>nscache6</b> &lt;cachesize&gt; <br>
-Cache &lt;cachesize&gt; records for name resolution (nscache
-for IPv4, nscache6 for IPv6). The cache size should usually
-be large enough (for example, 65536).</p>
+<i>&lt;cachesize&gt;</i> <b>nscache6</b>
+<i>&lt;cachesize&gt;</i> <br>
+Cache <i>&lt;cachesize&gt;</i> records for name resolution
+(<b>nscache</b> for IPv4, <b>nscache6</b> for IPv6). The
+cache size should usually be large enough (for example,
+65536).</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>nsrecord</b>
-&lt;hostname&gt; &lt;hostaddr&gt; <br>
-Adds static record to nscache. nscache must be enabled. If
-0.0.0.0 is used as a hostaddr host will never resolve, it
-can be used to blacklist something or together with
-<b>dialer</b> command to set up UDL for dialing.</p>
+<i>&lt;hostname&gt; &lt;hostaddr&gt;</i> <br>
+Adds static record to nscache. <b>nscache</b> must be
+enabled. If 0.0.0.0 is used as a hostaddr host will never
+resolve, it can be used to blacklist something or together
+with <b>dialer</b> command to set up UDL for dialing.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>fakeresolve</b>
 <br>
 All names are resolved to the 127.0.0.2 address. Useful if
-all requests are redirected to a parent proxy with http,
-socks4+, connect+ or socks5+.</p>
+all requests are redirected to a parent proxy with
+<b>http</b>, <b>socks4+</b>, <b>connect+</b> or
+<b>socks5+</b>.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>dialer</b>
-&lt;progname&gt; <br>
+<i>&lt;progname&gt;</i> <br>
 Execute progname if external name can&acute;t be resolved.
 Hint: if you use nscache, dialer may not work, because names
 will be resolved through cache. In this case you can use
@@ -456,7 +463,7 @@ something like http://dial.right.now/ from browser to set up
 connection.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>internal</b>
-&lt;ipaddr&gt; <br>
+<i>&lt;ipaddr&gt;</i> <br>
 sets ip address of internal interface. This IP address will
 be used to bind gateways. Alternatively you can use -i
 option for individual gateways. Since 0.8 version, IPv6
@@ -470,27 +477,29 @@ using Unix sockets, the socket file is automatically created
 and removed on service start/stop.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>external</b>
-&lt;ipaddr&gt; <br>
+<i>&lt;ipaddr&gt;</i> <br>
 sets ip address of external interface. This IP address will
 be source address for all connections made by proxy.
 Alternatively you can use -e option to specify individual
-address for gateway. Since 0.8 version External or -e can be
-given twice: once with IPv4 and once with IPv6 address.</p>
+address for gateway. Since 0.8 version External or <b>-e</b>
+can be given twice: once with IPv4 and once with IPv6
+address.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>maxconn</b>
-&lt;number&gt; <br>
+<i>&lt;number&gt;</i> <br>
 sets the maximum number of simultaneous connections to each
 service started after this command at the network level.
 Default is 100. <br>
-To limit clients, use connlim instead. maxconn will silently
-ignore new connections, while connlim will report back to
-the client that the connection limit has been reached.</p>
+To limit clients, use <b>connlim</b> instead. <b>maxconn</b>
+will silently ignore new connections, while <b>connlim</b>
+will report back to the client that the connection limit has
+been reached.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>backlog</b>
 <br>
 sets the listening socket backlog of new connections.
-Default is 1 + maxconn/8. Maximum value is capped by kernel
-tunable somaxconn.</p>
+Default is 1 + <b>maxconn</b>/8. Maximum value is capped by
+kernel tunable somaxconn.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>service</b>
 <br>
@@ -504,35 +513,35 @@ reinstall the service.</p>
 <br>
 Should be specified to close the console. Do not use
 &acute;daemon&acute; with &acute;service&acute;. At least
-under FreeBSD, &acute;daemon&acute; should precede any proxy
+under FreeBSD, <b>daemon</b> should precede any proxy
 service and log commands to avoid socket problems. Always
 place it in the beginning of the configuration file.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>auth</b>
-&lt;authtype&gt; [...] <br>
-Type of user authorization. Currently supported: <br>
-none - no authentication or authorization required. <br>
+<i>&lt;authtype&gt;</i> [...] <br>
+Type of user authorization. Currently supported: <b><br>
+none</b> - no authentication or authorization required. <br>
 Note: if auth is none, any IP-based limitation, redirection,
 etc. will not work. This is the default authentication type
-<br>
-iponly - authentication by access control list with username
-ignored. <br>
-Appropriate for most cases <br>
-useronly - authentication by username without checking for
-any password with authorization by ACLs. Useful for e.g.
+<b><br>
+iponly</b> - authentication by access control list with
+username ignored. <br>
+Appropriate for most cases <b><br>
+useronly</b> - authentication by username without checking
+for any password with authorization by ACLs. Useful for e.g.
 SOCKSv4 proxy and icqpr (icqpr set UIN / AOL screen name as
-a username) <br>
-dnsname - authentication by DNS hostname with authorization
-by ACLs. The DNS hostname is resolved via a PTR (reverse)
-record and validated (the resolved name must resolve to the
-same IP address). It&acute;s recommended to use authcache by
-IP for this authentication. NB: there is no password check;
-the name may be spoofed. <br>
-strong - username/password authentication required. It will
-work with SOCKSv5, FTP, POP3 and HTTP proxy. <br>
-cache - cached authentication, may be used with
-&acute;authcache&acute;. <br>
-radius - authentication with RADIUS. <br>
+a username) <b><br>
+dnsname</b> - authentication by DNS hostname with
+authorization by ACLs. The DNS hostname is resolved via a
+PTR (reverse) record and validated (the resolved name must
+resolve to the same IP address). It&acute;s recommended to
+use authcache by IP for this authentication. NB: there is no
+password check; the name may be spoofed. <b><br>
+strong</b> - username/password authentication required. It
+will work with SOCKSv5, FTP, POP3 and HTTP proxy. <b><br>
+cache</b> - cached authentication, may be used with
+&acute;authcache&acute;. <b><br>
+radius</b> - authentication with RADIUS. <br>
 Plugins may add additional authentication types.</p>
 
 <p style="margin-left:6%; margin-top: 1em">It&acute;s
@@ -550,38 +559,39 @@ shared ones.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>authcache</b>
-&lt;cachtype&gt; &lt;cachtime&gt; <br>
+<i>&lt;cachtype&gt; &lt;cachtime&gt; &lt;cachesize&gt;</i>
+<br>
 Cache authentication information for a given amount of time
-(cachetime) in seconds. Cachetype is one of: <br>
-ip - after successful authentication all connections during
-caching time from same IP are assigned to the same user,
-username is not requested. <br>
-ip,user username is requested and all connections from the
-same IP are assigned to the same user without actual
-authentication. <br>
-user - same as above, but IP is not checked. <br>
-user,password - both username and password are checked
-against cached ones. <br>
-limit - limit user to use only one ip, &acute;ip&acute; and
-&acute;user&acute; are required <br>
-acl - only use cached auth if user access service with same
-ACL <br>
-ext - cache external IP <br>
-Use auth type &acute;cache&acute; for cached
-authentication</p>
+(cachetime) in seconds. cachesize limits number of cache
+entries. Cachetype is one of: <b><br>
+ip</b> - after successful authentication all connections
+during caching time from same IP are assigned to the same
+user, username is not requested. <b><br>
+ip,user</b> username is requested and all connections from
+the same IP are assigned to the same user without actual
+authentication. <b><br>
+user</b> - same as above, but IP is not checked. <b><br>
+user,password</b> - both username and password are checked
+against cached ones. <b><br>
+limit</b> - limit user to use only one ip, &acute;ip&acute;
+and &acute;user&acute; are required <b><br>
+ack</b> - only use cached auth if user access service with
+same ACL <b><br>
+ext</b> - cache external IP <br>
+Use auth type <b>cache</b> for cached authentication</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>allow</b>
-&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
+<i>&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
-deny</b> &lt;userlist&gt; &lt;sourcelist&gt;
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
+deny</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
-redirect</b> &lt;ip&gt; &lt;port&gt; &lt;userlist&gt;
+&lt;timeperiodslist&gt;</i> <b><br>
+redirect</b> <i>&lt;ip&gt; &lt;port&gt; &lt;userlist&gt;
 &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <br>
+&lt;timeperiodslist&gt;</i> <br>
 Access control entries. All lists are comma-separated, no
 spaces are allowed. Usernames are case sensitive (if used
 with authtype nbname username must be in uppercase). Source
@@ -607,27 +617,28 @@ should either bind proxy to appropriate interface only or to
 use ip filters.</p>
 
 <p style="margin-left:6%; margin-top: 1em">Operation is one
-of: <br>
-CONNECT establish outgoing TCP connection <br>
-BIND bind TCP port for listening <br>
-UDPASSOC make UDP association <br>
-ICMPASSOC make ICMP association (for future use) <br>
-HTTP_GET HTTP GET request <br>
-HTTP_PUT HTTP PUT request <br>
-HTTP_POST HTTP POST request <br>
-HTTP_HEAD HTTP HEAD request <br>
-HTTP_CONNECT HTTP CONNECT request <br>
-HTTP_OTHER over HTTP request <br>
-HTTP matches any HTTP request except HTTP_CONNECT <br>
-HTTPS same as HTTP_CONNECT <br>
-FTP_GET FTP get request <br>
-FTP_PUT FTP put request <br>
-FTP_LIST FTP list request <br>
-FTP_DATA FTP data connection. Note: FTP_DATA requires access
-to dynamic non-privileged (1024-65535) ports on the remote
-side. <br>
-FTP matches any FTP/FTP Data request <br>
-ADMIN access to administration interface</p>
+of: <b><br>
+CONNECT</b> establish outgoing TCP connection <b><br>
+BIND</b> bind TCP port for listening <b><br>
+UDPASSOC</b> make UDP association <b><br>
+ICMPASSOC</b> make ICMP association (for future use) <b><br>
+HTTP_GET</b> HTTP GET request <b><br>
+HTTP_PUT</b> HTTP PUT request <b><br>
+HTTP_POST</b> HTTP POST request <b><br>
+HTTP_HEAD</b> HTTP HEAD request <b><br>
+HTTP_CONNECT</b> HTTP CONNECT request <b><br>
+HTTP_OTHER</b> over HTTP request <b><br>
+HTTP</b> matches any HTTP request except HTTP_CONNECT
+<b><br>
+HTTPS</b> same as HTTP_CONNECT <b><br>
+FTP_GET</b> FTP get request <b><br>
+FTP_PUT</b> FTP put request <b><br>
+FTP_LIST</b> FTP list request <b><br>
+FTP_DATA</b> FTP data connection. Note: FTP_DATA requires
+access to dynamic non-privileged (1024-65535) ports on the
+remote side. <b><br>
+FTP</b> matches any FTP/FTP Data request <b><br>
+ADMIN</b> access to administration interface</p>
 
 <p style="margin-left:6%; margin-top: 1em">Weekdays are
 week day numbers or periods, 0 or 7 means Sunday, 1 is
@@ -638,8 +649,8 @@ HH:MM:SS-HH:MM:SS format. For example,
 hours.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>parent</b>
-&lt;weight&gt; &lt;type&gt; &lt;ip&gt; &lt;port&gt;
-&lt;username&gt; &lt;password&gt; <br>
+<i>&lt;weight&gt; &lt;type&gt; &lt;ip&gt; &lt;port&gt;
+&lt;username&gt; &lt;password&gt;</i> <br>
 this command must follow &quot;allow&quot; rule. It extends
 last allow rule to build proxy chain. Proxies may be
 grouped. Proxy inside the group is selected randomly. If few
@@ -668,45 +679,51 @@ pipelined (keep-alive) requests in the same connection use
 the same chain.</p>
 
 <p style="margin-left:6%; margin-top: 1em">type is one of:
-<br>
-extip does not actually redirect the request; it sets the
-external address for this request to &lt;ip&gt;. It can be
-chained with another parent type. It&rsquo;s useful to set
-the external IP based on ACL or make it random. <br>
-tcp simply redirect connection. TCP is always last in chain.
-This type of proxy is a simple TCP redirection, it does not
-support parent authentication. <br>
-http redirect to HTTP proxy. HTTP is always the last chain.
-It should only be used with http (proxy) service, if used
-with different service, it works as tcp redirection. <br>
-pop3 redirect to POP3 proxy (only local redirection is
-supported, can only be used as a first hop in chaining) <br>
-ftp redirect to FTP proxy (only local redirection is
-supported, can only be used as a first hop in chaining) <br>
-connect parent is HTTP CONNECT method proxy <br>
-connect+ parent is HTTP CONNECT proxy with name resolution
-(hostname is used instead of IP if available) <br>
-socks4 parent is SOCKSv4 proxy <br>
-socks4+ parent is SOCKSv4 proxy with name resolution
-(SOCKSv4a) <br>
-socks5 parent is SOCKSv5 proxy <br>
-socks5+ parent is SOCKSv5 proxy with name resolution <br>
-socks4b parent is SOCKS4b (broken SOCKSv4 implementation
+<b><br>
+extip</b> does not actually redirect the request; it sets
+the external address for this request to <i>&lt;ip&gt;</i>.
+It can be chained with another parent type. It&rsquo;s
+useful to set the external IP based on ACL or make it
+random. <b><br>
+tcp</b> simply redirect connection. TCP is always last in
+chain. This type of proxy is a simple TCP redirection, it
+does not support parent authentication. <b><br>
+http</b> redirect to HTTP proxy. HTTP is always the last
+chain. It should only be used with http (proxy) service, if
+used with different service, it works as tcp redirection.
+<b><br>
+pop3</b> redirect to POP3 proxy (only local redirection is
+supported, can only be used as a first hop in chaining)
+<b><br>
+ftp</b> redirect to FTP proxy (only local redirection is
+supported, can only be used as a first hop in chaining)
+<b><br>
+connect</b> parent is HTTP CONNECT method proxy <b><br>
+connect+</b> parent is HTTP CONNECT proxy with name
+resolution (hostname is used instead of IP if available)
+<b><br>
+socks4</b> parent is SOCKSv4 proxy <b><br>
+socks4+</b> parent is SOCKSv4 proxy with name resolution
+(SOCKSv4a) <b><br>
+socks5</b> parent is SOCKSv5 proxy <b><br>
+socks5+</b> parent is SOCKSv5 proxy with name resolution
+<b><br>
+socks4b</b> parent is SOCKS4b (broken SOCKSv4 implementation
 with shortened server reply; I never saw this kind of
 server, but they say there are some). Normally you should
 not use this option. Do not confuse this option with
-SOCKSv4a (socks4+). <br>
-socks5b parent is SOCKS5b (broken SOCKSv5 implementation
+SOCKSv4a (<b>socks4+</b>). <b><br>
+socks5b</b> parent is SOCKS5b (broken SOCKSv5 implementation
 with shortened server reply. I think you will never find it
 useful). Never use this option unless you know exactly you
-need it. <br>
-admin redirect request to local &acute;admin&acute; service
-(with -s parameter). <br>
-ha send HAProxy PROXY protocol v1 header to parent proxy.
-Must be the last in the proxy chain. Useful for passing
-client IP information to the parent proxy. Example: parent
-1000 ha <br>
-Use &quot;+&quot; proxy only with &quot;fakeresolve&quot;
+need it. <b><br>
+admin</b> redirect request to local &acute;admin&acute;
+service (with -s parameter). <b><br>
+ha</b> send HAProxy PROXY protocol v1 header to parent
+proxy. Must be the last in the proxy chain. Useful for
+passing client IP information to the parent proxy. Example:
+parent 1000 ha <br>
+Use &quot;+&quot; proxy only with <b>fakeresolve</b>
 option</p>
 
 <p style="margin-left:6%; margin-top: 1em">IP and port are
@@ -748,26 +765,26 @@ HTTP proxy, local HTTP proxy parses requests and allows only
 GET and POST requests. <br>
 parent 1000 http 1.2.3.4 0 <br>
 Changes the external address for a given connection to
-1.2.3.4 (equivalent to -e1.2.3.4) <br>
+1.2.3.4 (equivalent to <b>-e1.2.3.4</b>) <br>
 Optional username and password are used to authenticate on
 parent proxy. Username of &acute;*&acute; means username
 must be supplied by user.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>parentretries</b>
-&lt;number&gt; <br>
+<i>&lt;number&gt;</i> <br>
 Number of retries to connect to parent proxy. Default is
 1.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>nolog</b>
-&lt;n&gt; <br>
+<i>&lt;n&gt;</i> <br>
 extends last allow or deny command to prevent logging, e.g.
 <br>
 allow * * 192.168.1.1 <br>
 nolog</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>weight</b>
-&lt;n&gt; <br>
+<i>&lt;n&gt;</i> <br>
 extends last allow or deny command to set weight for this
 request <br>
 allow * * 192.168.1.1 <br>
@@ -785,30 +802,31 @@ connections.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>bandlimin</b>
-&lt;rate&gt; &lt;userlist&gt; &lt;sourcelist&gt;
+<i>&lt;rate&gt; &lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
-nobandlimin</b> &lt;userlist&gt; &lt;sourcelist&gt;
+&lt;timeperiodslist&gt;</i> <b><br>
+nobandlimin</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
-bandlimout</b> &lt;rate&gt; &lt;userlist&gt;
+&lt;timeperiodslist&gt;</i> <b><br>
+bandlimout</b> <i>&lt;rate&gt; &lt;userlist&gt;
 &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
-nobandlimout</b> &lt;userlist&gt; &lt;sourcelist&gt;
+&lt;timeperiodslist&gt;</i> <b><br>
+nobandlimout</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <br>
-bandlim sets a bandwidth limitation filter to &lt;rate&gt;
-bps (bits per second). If you want to specify bytes per
-second, multiply your value by 8. bandlim rules act in the
-same manner as allow/deny rules, except for one thing:
-bandwidth limiting is applied to all services, not to some
-specific service. bandlimin and nobandlimin apply to
-incoming traffic <br>
-bandlimout and nobandlimout apply to outgoing traffic <br>
+&lt;timeperiodslist&gt;</i> <br>
+bandlim sets a bandwidth limitation filter to
+<i>&lt;rate&gt;</i> bps (bits per second). If you want to
+specify bytes per second, multiply your value by 8. bandlim
+rules act in the same manner as allow/deny rules, except for
+one thing: bandwidth limiting is applied to all services,
+not to some specific service. <b>bandlimin</b> and
+<b>nobandlimin</b> apply to incoming traffic <b><br>
+bandlimout</b> and <b>nobandlimout</b> apply to outgoing
+traffic <br>
 If you want to ratelimit your clients with IPs
 192.168.10.16/30 (4 addresses) to 57600 bps, you have to
 specify 4 rules like <br>
@@ -826,53 +844,54 @@ nobandlimin * * * 110 <br>
 before the rest of bandlim rules.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>connlim</b>
-&lt;rate&gt; &lt;period&gt; &lt;userlist&gt;
+<i>&lt;rate&gt; &lt;period&gt; &lt;userlist&gt;
 &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
-noconnlim</b> &lt;userlist&gt; &lt;sourcelist&gt;
+&lt;timeperiodslist&gt;</i> <b><br>
+noconnlim</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <br>
+&lt;timeperiodslist&gt;</i> <br>
 connlim sets connections rate limit per time period for
 traffic pattern controlled by ACL. Period is in seconds. If
-period is 0, connlim limits a number of parallel
+period is 0, <b>connlim</b> limits a number of parallel
 connections. <br>
 connlim 100 60 * 127.0.0.1 <br>
 allows 100 connections per minute for 127.0.0.1. <br>
 connlim 20 0 * 127.0.0.1 <br>
 allows 20 simultaneous connections for 127.0.0.1. <br>
-Like with bandlimin, if an individual limit is required per
-client, a separate rule must be added for every client. Like
-with nobandlimin, noconnlim adds an exception.</p>
+Like with <b>bandlimin</b>, if an individual limit is
+required per client, a separate rule must be added for every
+client. Like with nobandlimin, noconnlim adds an
+exception.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>counter</b>
-&lt;filename&gt; &lt;reporttype&gt; &lt;reportname&gt;
-<b><br>
-countin</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
+<i>&lt;filename&gt; &lt;reporttype&gt;
+&lt;reportname&gt;</i> <b><br>
+countin</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
 &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
-nocountin</b> &lt;userlist&gt; &lt;sourcelist&gt;
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
+nocountin</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
-countout</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
+&lt;timeperiodslist&gt;</i> <b><br>
+countout</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
 &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
-nocountout</b> &lt;userlist&gt; &lt;sourcelist&gt;
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
+nocountout</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
-countall</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
+&lt;timeperiodslist&gt;</i> <b><br>
+countall</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
 &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
-nocountall</b> &lt;userlist&gt; &lt;sourcelist&gt;
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
+nocountall</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</p>
+&lt;timeperiodslist&gt;</i></p>
 
 <p style="margin-left:6%; margin-top: 1em">counter,
 countin, nocountin, countout, nocountout, countall,
@@ -885,48 +904,34 @@ not preserved in the counter file (that is, if the proxy is
 restarted, all counters with 0 are flushed); otherwise, it
 should be a unique sequential number which points to the
 position of the counter within the file. Type specifies a
-type of counter. Type is one of: <br>
-H - counter is reset hourly <br>
-D - counter is reset daily <br>
-W - counter is reset weekly <br>
-M - counter is reset monthly <br>
+type of counter. Type is one of: <b><br>
+H</b> - counter is reset hourly <b><br>
+D</b> - counter is reset daily <b><br>
+W</b> - counter is reset weekly <b><br>
+M</b> - counter is reset monthly <br>
 reporttype/reportname may be used to generate traffic
 reports. Reporttype is one of D, W, M, H (hourly) and
 reportname specifies the filename template for reports. The
 report is a text file with counter values in the format:
-<br>
-&lt;COUNTERNUMBER&gt; &lt;TRAF&gt; <br>
+<i><br>
+&lt;COUNTERNUMBER&gt; &lt;TRAF&gt;</i> <br>
 The rest of parameters is identical to
-bandlim/nobandlim.</p>
+<b>bandlim</b>/<b>nobandlim</b>.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>users</b>
-username[:pwtype:password] ... <br>
+<i>username</i>[:<i>pwtype</i>:<i>password</i>] ... <br>
 pwtype is one of: <br>
-none (empty) - use system authentication <br>
-CL - password is cleartext <br>
-CR - password is crypt-style password <br>
-NT - password is NT password (in hex) <br>
-LM - password is LM password (in hex) <br>
+none (empty) - use system authentication <b><br>
+CL</b> - password is cleartext <b><br>
+CR</b> - password is crypt-style password <b><br>
+NT</b> - password is NT password (in hex) <br>
 example: <br>
 users test1:CL:password1
 &quot;test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49.&quot; <br>
-users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63</p>
-
-<table width="100%" border="0" rules="none" frame="void"
-       cellspacing="0" cellpadding="0">
-<tr valign="top" align="left">
-<td width="6%"></td>
-
-
-<p>Note: double quotes are required because the password
-contains a $ sign.</p></td>
-<td width="88%"></td>
-<td width="6%">
-</td></tr>
-</table>
-
-<p style="margin-left:6%; margin-top: 1em"><b>flush</b>
-<br>
+users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 <br>
+Note: double quotes are required because the password
+contains a $ sign. <b><br>
+flush</b> <br>
 empty the active access list. The access list must be
 flushed every time you create a new access list for a new
 service. For example: <br>
@@ -938,42 +943,43 @@ socks <br>
 sets different ACLs for <b>pop3p</b> and <b>socks</b></p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>system</b>
-&lt;command&gt; <br>
+<i>&lt;command&gt;</i> <br>
 execute system command</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>pidfile</b>
-&lt;filename&gt; <br>
+<i>&lt;filename&gt;</i> <br>
 write pid of current process to file. It can be used to
 manipulate 3proxy with signals under Unix. Currently next
 signals are available:</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>monitor</b>
-&lt;filename&gt; <br>
+<i>&lt;filename&gt;</i> <br>
 If file monitored changes in modification time or size,
 3proxy reloads configuration within one minute. Any number
 of files may be monitored.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>setuid</b>
-&lt;uid&gt; <br>
+<i>&lt;uid&gt;</i> <br>
 calls setuid(uid), uid can be numeric or since 0.9 username.
 Unix only. Warning: under some Linux kernels setuid() works
 for current thread only. It makes it impossible to suid for
 all threads.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>setgid</b>
-&lt;gid&gt; <br>
+<i>&lt;gid&gt;</i> <br>
 calls setgid(gid), gid can be numeric or since 0.9
 groupname. Unix only.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>chroot</b>
-&lt;path&gt; [&lt;uid&gt;] [&lt;gid&gt;] <br>
+<i>&lt;path&gt;</i> [<i>&lt;uid&gt;</i>]
+[<i>&lt;gid&gt;</i>] <br>
 calls chroot(path) and sets gid/uid. Unix only. uid/gid
 supported since 0.9, can be numeric or
 username/groupname</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>stacksize</b>
-&lt;value_to_add_to_default_stack_size&gt; <br>
+<i>&lt;value_to_add_to_default_stack_size&gt;</i> <br>
 Change the default size for thread stacks. May be required
 in some situations, e.g. with non-default plugins, or on
 some platforms (some FreeBSD versions may require adjusting
@@ -992,8 +998,8 @@ negative values.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>plugin</b>
-&lt;path_to_shared_library&gt; &lt;function_to_call&gt;
-[&lt;arg1&gt; ...] <br>
+<i>&lt;path_to_shared_library&gt;
+&lt;function_to_call&gt;</i> [<i>&lt;arg1&gt;</i> ...] <br>
 Loads specified library and calls given export function with
 given arguments, as <br>
 int functions_to_call(struct pluginlink * pl, int argc, char
@@ -1003,7 +1009,7 @@ function_to_call must return 0 in case of success, value
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>filtermaxsize</b>
-&lt;max_size_of_data_to_filter&gt; <br>
+<i>&lt;max_size_of_data_to_filter&gt;</i> <br>
 If Content-length (or another data length) is greater than
 the given value, no data filtering will be performed through
 filtering plugins to avoid data corruption and/or

doc/html/man8/ftppr.8.html

@@ -198,7 +198,7 @@ with FTP proxy support, configure <i>internal_ip</i> and
 FTP proxy support, use <i>internal_ip</i> and <i>port</i> as
 the FTP server. The address of the real FTP server must be
 configured as a part of the FTP username. The format for the
-username is <i>username</i><b>@</b><i>server</i>, where
+username is <i>username</i>@<i>server</i>, where
 <i>server</i> is the address of the FTP server and
 <i>username</i> is the user&acute;s login on this FTP
 server. The login itself may contain an &acute;@&acute;

doc/html/man8/pop3p.8.html

@@ -196,8 +196,8 @@ MUA (Mail User Agent) with POP3 support. Set the client to
 use <i>internal_ip</i> and <i>port</i> as a POP3 server. The
 address of the real POP3 server must be configured as a part
 of the POP3 username. The format for the username is
-<i>username</i><b>@</b><i>server</i>, where <i>server</i> is
-the address of the POP3 server and <i>username</i> is the
+<i>username</i>@<i>server</i>, where <i>server</i> is the
+address of the POP3 server and <i>username</i> is the
 user&acute;s login on this POP3 server. The login itself may
 contain an &acute;@&acute; sign. Only cleartext
 authentication is supported, because challenge-response

doc/html/man8/smtpp.8.html

@@ -196,7 +196,7 @@ MUA (Mail User Agent) with SMTP authentication support. Set
 the client to use <i>internal_ip</i> and <i>port</i> as an
 SMTP server. The address of the real SMTP server must be
 configured as a part of the SMTP username. The format for
-the username is <i>username</i><b>@</b><i>server</i>, where
+the username is <i>username</i>@<i>server</i>, where
 <i>server</i> is the address of the SMTP server and
 <i>username</i> is the user&acute;s login on this SMTP
 server. The login itself may contain an &acute;@&acute;

man/3proxy.cfg.3

@@ -1,4 +1,4 @@
-.TH 3proxy.cfg "8" "January 2019" "3proxy 0.9" "Universal proxy server"
+.TH 3proxy.cfg "5" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B 3proxy.cfg
 3proxy configuration file
@@ -69,11 +69,11 @@ Recursion is not allowed.
 .br
 .B tcppm
 [options]
-<SRCPORT> <DSTADDR> <DSTPORT>
+\fI<SRCPORT>\fR \fI<DSTADDR>\fR \fI<DSTPORT>\fR
 .br
 .B udppm
 [options]
-<SRCPORT> <DSTADDR> <DSTPORT>
+\fI<SRCPORT>\fR \fI<DSTADDR>\fR \fI<DSTPORT>\fR
 .br
  Descriptions:
 .br
@@ -119,16 +119,10 @@ UDP portmapper
 .br
  Options:
 .br
-.B -pNUMBER
+.B -p\fINUMBER\fR
 change default server port to NUMBER
 .br
-.B -n
-disable NTLM authentication (required if passwords are stored in Unix crypt format).
-.br
-.B -n1
-enable NTLMv1 authentication.
-.br
-.B -g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY)
+.B -g(\fIGRACE_TRAFF\fB,\fIGRACE_NUM\fB,\fIGRACE_DELAY\fR)
 delay GRACE_DELAY milliseconds before polling if average polling size is below GRACE_TRAFF bytes and GRACE_NUM read operations in a single direction are detected within 1 second. Useful to minimize polling
 .B -s
  (for admin) secure, allow only secure operations, currently only traffic counters
@@ -165,18 +159,18 @@ Resolve IPv6 addresses if IPv4 address is not resolvable
 .B -64
 Resolve IPv4 addresses if IPv6 address is not resolvable
 .br
-.B -RHOST:port
+.B -R\fIHOST\fB:\fIport\fR
 listen on given local HOST:port for incoming connections instead of making remote outgoing connection. Can be used with another 3proxy service running -r option for connect back functionality. Most commonly used with tcppm. HOST can be given as IP or hostname, useful in case of dynamic DNS.
 .br
-.B -rHOST:port
+.B -r\fIHOST\fB:\fIport\fR
 connect to given remote HOST:port instead of listening local connection on -p or default port. Can be used with another 3proxy service running -R option for connect back functionality. Most commonly used with proxy or socks. HOST can be given as IP or hostname, useful in case of dynamic DNS.
 .br
-.B -ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS, -oROPTIONS
-options for proxy-to-client (oc), proxy-to-server (os), proxy listening (ol), connect back client (or), connect back listening (oR) sockets.
+.B -oc\fIOPTIONS\fB, -os\fIOPTIONS\fB, -ol\fIOPTIONS\fB, -or\fIOPTIONS\fB, -oR\fIOPTIONS\fR
+options for proxy-to-client (\fB-oc\fR), proxy-to-server (\fB-os\fR), proxy listening (\fB-ol\fR), connect back client (\fB-or\fR), connect back listening (\fB-oR\fR) sockets.
 Options like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
 .br
-.B -DiINTERFACE, -DeINTERFACE
-bind internal interface / external interface to given INTERFACE (e.g. eth0) if SO_BINDTODEVICE is supported by the system. You may need to run as root or have CAP_NET_RAW capability in order to bind to an interface, depending on the system, so this option may require root privileges and can be incompatible with some configuration commands like chroot and setuid (and daemon if setcap is used).
+.B -Di\fIINTERFACE\fB, -De\fIINTERFACE\fR
+bind internal (\fB-Di\fR) / external (\fB-De\fR) interface to given INTERFACE (e.g. eth0) if \fBSO_BINDTODEVICE\fR is supported by the system. You may need to run as root or have \fBCAP_NET_RAW\fR capability in order to bind to an interface, depending on the system, so this option may require root privileges and can be incompatible with some configuration commands like \fBchroot\fR and \fBsetuid\fR (and \fBdaemon\fR if setcap is used).
 .br
 .B -e
 External address. IP address of the interface the proxy should initiate connections
@@ -222,7 +216,7 @@ pop3username@pop3server. If POP3 proxy access must be authenticated, you can
 specify username as proxy_username:proxy_password:POP3_username@pop3server
 .br
  DNS proxy resolves any types of records but only hostnames are cached. It
-requires nserver/nscache to be configured. If nserver is configured as TCP,
+requires \fBnserver\fR/\fBnscache\fR to be configured. If \fBnserver\fR is configured as TCP,
 redirections are applied on connection, so parent proxy may be used to resolve
 names to IP.
 .br
@@ -238,14 +232,14 @@ proxy on a client with FTP proxy support. Username format is one of
  Please note, if you use FTP client interface for FTP proxy do not add FTPpassword and FTPServer to username, because FTP client does it for you. That is, if you use 3proxy with authentication use proxyuser:proxypassword:FTPuser as FTP username, otherwise do not change original FTP user name
 
 .br
-.B include
-<path>
+.BR include
+\fI<path>\fR
 .br
  Include config file
 
 .br
-.B config
-<path>
+.BR config
+\fI<path>\fR
 .br
  Path to configuration file to use on 3proxy restart or to save configuration.
 
@@ -264,8 +258,8 @@ alternate config file. Think twice before using it.
  End of configuration
 
 .br
-.B log
-[[@|&]logfile] [<LOGTYPE>]
+.BR log
+[[@|&]\fIlogfile\fR] [\fI<LOGTYPE>\fR]
 .br
  sets logfile for all gateways
 .br
@@ -277,17 +271,17 @@ alternate config file. Think twice before using it.
 .br
  LOGTYPE is one of:
 .br
-  c Minutely
+  \fBc\fR Minutely
 .br
-  H Hourly
+  \fBH\fR Hourly
 .br
-  D Daily
+  \fBD\fR Daily
 .br
-  W Weekly (starting from Sunday)
+  \fBW\fR Weekly (starting from Sunday)
 .br
-  M Monthly
+  \fBM\fR Monthly
 .br
-  Y Annually
+  \fBY\fR Annually
 .br
  if logfile is not specified logging goes to stdout. You can specify individual logging options for gateway by using -l
 option in gateway configuration.
@@ -298,13 +292,13 @@ As with "logformat" filename must begin with \'L\' or \'G\' to specify Local or
 Grinwitch time zone for all time-based format specificators.
 
 .br
-.B rotate
-<n>
+.BR rotate
+\fI<n>\fR
  how many archived log files to keep
 
 .br
-.B logformat
-<format>
+.BR logformat
+\fI<format>\fR
 .br
  Format for log record. First symbol in format must be L (local time)
 or G (absolute Grinwitch time). 
@@ -386,8 +380,8 @@ with space and all time based elemnts are in local time zone.
  logformat "-\'+_Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values (\'%d-%m-%Y %H:%M:%S\', \'%U\', \'%N\', %I, %O, \'%T\')"
 
 .br
-.B logdump
-<in_traffic_limit> <out_traffic_limit>
+.BR logdump
+\fI<in_traffic_limit>\fR \fI<out_traffic_limit>\fR
 .br
  Immediately creates additional log records if given amount of incoming/outgoing
 traffic is achieved for connection, without waiting for connection to finish.
@@ -395,56 +389,56 @@ It may be useful to prevent information about long-lasting downloads on server
 shutdown.
 
 .br
-.B delimchar
-<char>
+.BR delimchar
+\fI<char>\fR
 .br
  Sets the delimiter character used to separate username from hostname in proxy
 authentication strings (e.g. for FTP, POP3 proxies). Default is \'@\'. For example,
 to use \'#\' instead: delimchar #. This allows usernames to contain the \'@\' character.
 
 .br
-.B archiver
-<ext> <commandline>
+.BR archiver
+\fI<ext>\fR \fI<commandline>\fR
 .br
  Archiver to use for log files. <ext> is file extension produced by
 archiver. Filename will be last argument to archiver, optionally you
 can use %A as produced archive name and %F as filename.
 
 .br
-.B timeouts
-<BYTE_SHORT> <BYTE_LONG> <STRING_SHORT> <STRING_LONG> <CONNECTION_SHORT> <CONNECTION_LONG> <DNS> <CHAIN> <CONNECT> <CONNECTBACK>
+.BR timeouts
+\fI<BYTE_SHORT>\fR \fI<BYTE_LONG>\fR \fI<STRING_SHORT>\fR \fI<STRING_LONG>\fR \fI<CONNECTION_SHORT>\fR \fI<CONNECTION_LONG>\fR \fI<DNS>\fR \fI<CHAIN>\fR \fI<CONNECT>\fR \fI<CONNECTBACK>\fR
 .br
  Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15, 60, 15, 5.
 .br
- BYTE_SHORT short timeout for single byte, is usually used for receiving single byte from stream.
+ \fBBYTE_SHORT\fR short timeout for single byte, is usually used for receiving single byte from stream.
 .br
- BYTE_LONG long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request).
+ \fBBYTE_LONG\fR long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request).
 .br
- STRING_SHORT short timeout, for character string within stream (for example to wait between 2 HTTP headers)
+ \fBSTRING_SHORT\fR short timeout, for character string within stream (for example to wait between 2 HTTP headers)
 .br
- STRING_LONG long timeout, for first string in stream (for example to wait for HTTP request).
+ \fBSTRING_LONG\fR long timeout, for first string in stream (for example to wait for HTTP request).
 .br
- CONNECTION_SHORT inactivity timeout for short connections (HTTP, POP3, etc).
+ \fBCONNECTION_SHORT\fR inactivity timeout for short connections (HTTP, POP3, etc).
 .br
- CONNECTION_LONG inactivity timeout for long connection (SOCKS, portmappers, etc).
+ \fBCONNECTION_LONG\fR inactivity timeout for long connection (SOCKS, portmappers, etc).
 .br
- DNS timeout for DNS request before requesting next server
+ \fBDNS\fR timeout for DNS request before requesting next server
 .br
- CHAIN timeout for reading data from chained connection
+ \fBCHAIN\fR timeout for reading data from chained connection
 .br
  default timeouts 1 5 30 60 180 1800 15 60 15 5
 
 .br
-.B maxseg
-<value>
+.BR maxseg
+\fI<value>\fR
 .br
  Sets TCP maximum segment size (MSS) for outgoing connections. This can be used
 to work around path MTU discovery issues or to optimize traffic for specific
 network conditions.
 
 .br
-.B radius 
-<NAS_SECRET> <radius_server_1[:port][/local_address_1]> <radius_server_2[:port][/local_address_2]>
+.BR radius
+\fI<NAS_SECRET>\fR \fI<radius_server_1\fR[:\fIport\fR][/\fIlocal_address_1\fR]\fR \fI<radius_server_2\fR[:\fIport\fR][/\fIlocal_address_2\fR]\fR
 .br
  Configures RADIUS servers to be used for logging and authentication (log and auth types
 must be set to radius). port and local address to use with given server may be specified.
@@ -463,11 +457,11 @@ Login-IPv6-Host / Login-IP-Host: (requested IP).
 .br
  Supported reply attributes for authentication:
 Framed-IP-Address / Framed-IPv6-Address (IP to assign to user), Reply-Message.
-Use authcache to speedup authentication. RADIUS feature is currently experimental.
+Use \fBauthcache\fR to speedup authentication. RADIUS feature is currently experimental.
 
 .br
-.B nserver
-<ipaddr>[:port][/tcp]
+.BR nserver
+\fI<ipaddr>\fR[:\fIport\fR][/\fItcp\fR]
 .br
  Nameserver to use for name resolutions. If none specified
 system routines for name resolution is
@@ -476,27 +470,27 @@ If optional /tcp is added to IP address, name resolution is
 performed over TCP.
 
 .br
-.B authnserver
-<ipaddr>[:port][/tcp]
+.BR authnserver
+\fI<ipaddr>\fR[:\fIport\fR][/\fItcp\fR]
 .br
  Nameserver to use for DNS-based authentication (e.g. dnsname auth type).
 If not specified, nserver is used. The syntax is the same as for nserver.
 
 .br
-.B nscache
-<cachesize>
-.B nscache6
-<cachesize>
+.BR nscache
+\fI<cachesize>\fR
+.BR nscache6
+\fI<cachesize>\fR
 .br
- Cache <cachesize> records for name resolution (nscache for IPv4,
-nscache6 for IPv6). The cache size should usually be large enough
+ Cache \fI<cachesize>\fR records for name resolution (\fBnscache\fR for IPv4,
+\fBnscache6\fR for IPv6). The cache size should usually be large enough
 (for example, 65536).
 
 .br
-.B nsrecord
-<hostname> <hostaddr>
+.BR nsrecord
+\fI<hostname>\fR \fI<hostaddr>\fR
 .br
- Adds static record to nscache. nscache must be enabled. If 0.0.0.0
+ Adds static record to nscache. \fBnscache\fR must be enabled. If 0.0.0.0
 is used as a hostaddr host will never resolve, it can be used to
 blacklist something or together with 
 .B dialer
@@ -506,11 +500,11 @@ command to set up UDL for dialing.
 .B fakeresolve
 .br
  All names are resolved to the 127.0.0.2 address. Useful if all requests are
-redirected to a parent proxy with http, socks4+, connect+ or socks5+.
+redirected to a parent proxy with \fBhttp\fR, \fBsocks4+\fR, \fBconnect+\fR or \fBsocks5+\fR.
 
 .br
-.B dialer
-<progname>
+.BR dialer
+\fI<progname>\fR
 .br
  Execute progname if external name can\'t be resolved.
 Hint: if you use nscache, dialer may not work, because names will
@@ -519,8 +513,8 @@ http://dial.right.now/ from browser to set up connection.
 
 
 .br
-.B internal
-<ipaddr>
+.BR internal
+\fI<ipaddr>\fR
 .br
  sets ip address of internal interface. This IP address will be used
 to bind gateways. Alternatively you can use -i option for individual
@@ -535,30 +529,30 @@ Unix sockets are supported with the syntax
 is automatically created and removed on service start/stop.
 
 .br
-.B external
-<ipaddr>
+.BR external
+\fI<ipaddr>\fR
 .br
  sets ip address of external interface. This IP address will be source
 address for all connections made by proxy. Alternatively you can use -e
 option to specify individual address for gateway. Since 0.8 version
-External or -e can be given twice: once with IPv4 and once with IPv6 address.
+External or \fB-e\fR can be given twice: once with IPv4 and once with IPv6 address.
    
 .br
-.B maxconn
-<number>
+.BR maxconn
+\fI<number>\fR
 .br
  sets the maximum number of simultaneous connections to each service
 started after this command at the network level. Default is 100.
 .br
- To limit clients, use connlim instead. maxconn will silently ignore
-new connections, while connlim will report back to the client that
+ To limit clients, use \fBconnlim\fR instead. \fBmaxconn\fR will silently ignore
+new connections, while \fBconnlim\fR will report back to the client that
 the connection limit has been reached.
 
 .br
 .B backlog
 .br
  sets the listening socket backlog of new connections. Default is
-1 + maxconn/8. Maximum value is capped by kernel tunable somaxconn.
+1 + \fBmaxconn\fR/8. Maximum value is capped by kernel tunable somaxconn.
 
 .br
 .B service
@@ -572,40 +566,40 @@ to reinstall the service.
 .B daemon
 .br
  Should be specified to close the console. Do not use \'daemon\' with \'service\'.
-At least under FreeBSD, \'daemon\' should precede any proxy service
+At least under FreeBSD, \fBdaemon\fR should precede any proxy service
 and log commands to avoid socket problems. Always place it in the beginning
 of the configuration file.
 
 .br
-.B auth
-<authtype> [...]
+.BR auth
+\fI<authtype>\fR [...]
 .br
  Type of user authorization. Currently supported:
 .br
- none - no authentication or authorization required.
+ \fBnone\fR - no authentication or authorization required.
 .br
  Note: if auth is none, any IP-based limitation, redirection, etc. will not work.
 This is the default authentication type
 .br
- iponly - authentication by access control list with username ignored.
+ \fBiponly\fR - authentication by access control list with username ignored.
  Appropriate for most cases
 .br
- useronly - authentication by username without checking for any password with
+ \fBuseronly\fR - authentication by username without checking for any password with
 authorization by ACLs. Useful for e.g. SOCKSv4 proxy and icqpr (icqpr set UIN /
 AOL screen name as a username)
 .br
- dnsname - authentication by DNS hostname with authorization by ACLs.
+ \fBdnsname\fR - authentication by DNS hostname with authorization by ACLs.
 The DNS hostname is resolved via a PTR (reverse) record and validated (the resolved
 name must resolve to the same IP address). It\'s recommended to use authcache by
 IP for this authentication.
 NB: there is no password check; the name may be spoofed.
 .br
- strong - username/password authentication required. It will work with
+ \fBstrong\fR - username/password authentication required. It will work with
 SOCKSv5, FTP, POP3 and HTTP proxy. 
 .br
- cache - cached authentication, may be used with \'authcache\'.
+ \fBcache\fR - cached authentication, may be used with \'authcache\'.
 .br
- radius - authentication with RADIUS.
+ \fBradius\fR - authentication with RADIUS.
 .br
  Plugins may add additional authentication types.
 
@@ -622,43 +616,43 @@ IP-based authentication for dedicated laptops and request a username/password fo
 shared ones.
 
 .br
-.B authcache
-<cachtype> <cachtime> <cachesize>
+.BR authcache
+\fI<cachtype>\fR \fI<cachtime>\fR \fI<cachesize>\fR
 .br
  Cache authentication information for a given amount of time (cachetime) in seconds.
 cachesize limits number of cache entries.
 Cachetype is one of:
 .br
- ip - after successful authentication all connections during caching time
+ \fBip\fR - after successful authentication all connections during caching time
 from same IP are assigned to the same user, username is not requested.
 .br
- ip,user username is requested and all connections from the same IP are
+ \fBip,user\fR username is requested and all connections from the same IP are
 assigned to the same user without actual authentication.
 .br
- user - same as above, but IP is not checked. 
+ \fBuser\fR - same as above, but IP is not checked.
 .br
- user,password - both username and password are checked against cached ones.
+ \fBuser,password\fR - both username and password are checked against cached ones.
 .br
- limit - limit user to use only one ip, \'ip\' and \'user\' are required
+ \fBlimit\fR - limit user to use only one ip, \'ip\' and \'user\' are required
 .br
- acl - only use cached auth if user access service with same ACL 
+ \fBack\fR - only use cached auth if user access service with same ACL
 .br
- ext - cache external IP
+ \fBext\fR - cache external IP
 .br
-Use auth type \'cache\' for cached authentication
+Use auth type \fBcache\fR for cached authentication
 
 .br
-.B allow
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR allow
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B deny
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR deny
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B redirect
-<ip> <port> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR redirect
+\fI<ip>\fR \fI<port>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
  Access control entries. All lists are comma-separated, no spaces are
 allowed. Usernames are case sensitive (if used with authtype nbname
@@ -687,42 +681,42 @@ to appropriate interface only or to use ip filters.
 .br
  Operation is one of:
 .br
- CONNECT establish outgoing TCP connection
+ \fBCONNECT\fR establish outgoing TCP connection
 .br
- BIND bind TCP port for listening
+ \fBBIND\fR bind TCP port for listening
 .br
- UDPASSOC make UDP association
+ \fBUDPASSOC\fR make UDP association
 .br
- ICMPASSOC make ICMP association (for future use)
+ \fBICMPASSOC\fR make ICMP association (for future use)
 .br
- HTTP_GET HTTP GET request
+ \fBHTTP_GET\fR HTTP GET request
 .br
- HTTP_PUT HTTP PUT request
+ \fBHTTP_PUT\fR HTTP PUT request
 .br
- HTTP_POST HTTP POST request
+ \fBHTTP_POST\fR HTTP POST request
 .br
- HTTP_HEAD HTTP HEAD request
+ \fBHTTP_HEAD\fR HTTP HEAD request
 .br
- HTTP_CONNECT HTTP CONNECT request
+ \fBHTTP_CONNECT\fR HTTP CONNECT request
 .br
- HTTP_OTHER over HTTP request
+ \fBHTTP_OTHER\fR over HTTP request
 .br
- HTTP matches any HTTP request except HTTP_CONNECT
+ \fBHTTP\fR matches any HTTP request except HTTP_CONNECT
 .br
- HTTPS same as HTTP_CONNECT
+ \fBHTTPS\fR same as HTTP_CONNECT
 .br
- FTP_GET FTP get request
+ \fBFTP_GET\fR FTP get request
 .br
- FTP_PUT FTP put request
+ \fBFTP_PUT\fR FTP put request
 .br
- FTP_LIST FTP list request
+ \fBFTP_LIST\fR FTP list request
 .br
- FTP_DATA FTP data connection. Note: FTP_DATA requires access to dynamic
+ \fBFTP_DATA\fR FTP data connection. Note: FTP_DATA requires access to dynamic
 non-privileged (1024-65535) ports on the remote side.
 .br
- FTP matches any FTP/FTP Data request
+ \fBFTP\fR matches any FTP/FTP Data request
 .br
- ADMIN access to administration interface
+ \fBADMIN\fR access to administration interface
 
 .br
  Weekdays are week day numbers or periods, 0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday.
@@ -731,8 +725,8 @@ non-privileged (1024-65535) ports on the remote side.
 periods in HH:MM:SS-HH:MM:SS format. For example, 00:00:00-08:00:00,17:00:00-24:00:00 lists non-working hours.
 
 .br
-.B parent
-<weight> <type> <ip> <port> <username> <password>
+.BR parent
+\fI<weight>\fR \fI<type>\fR \fI<ip>\fR \fI<port>\fR \fI<username>\fR \fI<password>\fR
 .br
  this command must follow "allow" rule. It extends last allow rule to
 build proxy chain. Proxies may be grouped. Proxy inside the
@@ -769,45 +763,45 @@ with probability of 0.7) for outgoing web connections. Chains are only applied t
 .br
  type is one of:
 .br
- extip does not actually redirect the request; it sets the external address for this request to <ip>. It can be chained with another parent type. It's useful to set the external IP based on ACL or make it random.
+ \fBextip\fR does not actually redirect the request; it sets the external address for this request to \fI<ip>\fR. It can be chained with another parent type. It's useful to set the external IP based on ACL or make it random.
 .br
- tcp simply redirect connection. TCP is always last in chain. This type of proxy is a simple TCP redirection, it does not support parent authentication.
+ \fBtcp\fR simply redirect connection. TCP is always last in chain. This type of proxy is a simple TCP redirection, it does not support parent authentication.
 .br
- http redirect to HTTP proxy. HTTP is always the last chain. It should only be used with http (proxy) service,
+ \fBhttp\fR redirect to HTTP proxy. HTTP is always the last chain. It should only be used with http (proxy) service,
 if used with different service, it works as tcp redirection.
 .br
- pop3 redirect to POP3 proxy (only local redirection is supported, can only be used as a first hop in chaining)
+ \fBpop3\fR redirect to POP3 proxy (only local redirection is supported, can only be used as a first hop in chaining)
 .br
- ftp redirect to FTP proxy (only local redirection is supported, can only be used as a first hop in chaining)
+ \fBftp\fR redirect to FTP proxy (only local redirection is supported, can only be used as a first hop in chaining)
 .br
- connect parent is HTTP CONNECT method proxy
+ \fBconnect\fR parent is HTTP CONNECT method proxy
 .br
- connect+ parent is HTTP CONNECT proxy with name resolution (hostname is used instead of IP if available)
+ \fBconnect+\fR parent is HTTP CONNECT proxy with name resolution (hostname is used instead of IP if available)
 .br
- socks4 parent is SOCKSv4 proxy
+ \fBsocks4\fR parent is SOCKSv4 proxy
 .br
- socks4+ parent is SOCKSv4 proxy with name resolution (SOCKSv4a)
+ \fBsocks4+\fR parent is SOCKSv4 proxy with name resolution (SOCKSv4a)
 .br
- socks5 parent is SOCKSv5 proxy
+ \fBsocks5\fR parent is SOCKSv5 proxy
 .br
- socks5+ parent is SOCKSv5 proxy with name resolution
+ \fBsocks5+\fR parent is SOCKSv5 proxy with name resolution
 .br
- socks4b parent is SOCKS4b (broken SOCKSv4 implementation with shortened
+ \fBsocks4b\fR parent is SOCKS4b (broken SOCKSv4 implementation with shortened
 server reply; I never saw this kind of server, but they say there are some).
 Normally you should not use this option. Do not confuse this option with
-SOCKSv4a (socks4+).
+SOCKSv4a (\fBsocks4+\fR).
 .br
- socks5b parent is SOCKS5b (broken SOCKSv5 implementation with shortened
+ \fBsocks5b\fR parent is SOCKS5b (broken SOCKSv5 implementation with shortened
 server reply. I think you will never find it useful). Never use this option
 unless you know exactly you need it.
 .br
- admin redirect request to local \'admin\' service (with -s parameter).
+ \fBadmin\fR redirect request to local \'admin\' service (with -s parameter).
 .br
-ha send HAProxy PROXY protocol v1 header to parent proxy. Must be the last
+\fBha\fR send HAProxy PROXY protocol v1 header to parent proxy. Must be the last
 in the proxy chain. Useful for passing client IP information to the parent proxy.
 Example: parent 1000 ha
 .br
-Use "+" proxy only with "fakeresolve" option
+Use "+" proxy only with \fBfakeresolve\fR option
 .br
 
  IP and port are ip addres and port of parent proxy server.
@@ -859,21 +853,21 @@ local HTTP proxy parses requests and allows only GET and POST requests.
 .br
  parent 1000 http 1.2.3.4 0
 .br
- Changes the external address for a given connection to 1.2.3.4 (equivalent to -e1.2.3.4)
+ Changes the external address for a given connection to 1.2.3.4 (equivalent to \fB-e1.2.3.4\fR)
 .br
  Optional username and password are used to authenticate on parent
 proxy. Username of \'*\' means username must be supplied by user.
 
 .br
-.B parentretries
-<number>
+.BR parentretries
+\fI<number>\fR
 .br
  Number of retries to connect to parent proxy. Default is 1.
 
 
 .br
-.B nolog
-<n>
+.BR nolog
+\fI<n>\fR
 .br
  extends last allow or deny command to prevent logging, e.g.
 .br
@@ -883,8 +877,8 @@ nolog
 
 
 .br
-.B weight
-<n>
+.BR weight
+\fI<n>\fR
 .br
  extends last allow or deny command to set weight for this request
 .br
@@ -906,30 +900,30 @@ is removed, old connections which do not match current are closed.
 noforce allows to keep previously authenticated connections.
 
 .br
-.B bandlimin
-<rate> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR bandlimin
+\fI<rate>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B nobandlimin
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR nobandlimin
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B bandlimout
-<rate> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR bandlimout
+\fI<rate>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B nobandlimout
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR nobandlimout
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
- bandlim sets a bandwidth limitation filter to <rate> bps (bits per second).
+ bandlim sets a bandwidth limitation filter to \fI<rate>\fR bps (bits per second).
 If you want to specify bytes per second, multiply your value by 8.
 bandlim rules act in the same manner as allow/deny rules, except for
 one thing: bandwidth limiting is applied to all services, not to some
 specific service. 
-bandlimin and nobandlimin apply to incoming traffic
+\fBbandlimin\fR and \fBnobandlimin\fR apply to incoming traffic
 .br
-bandlimout and nobandlimout apply to outgoing traffic
+\fBbandlimout\fR and \fBnobandlimout\fR apply to outgoing traffic
 .br
 If you want to ratelimit your clients with IPs 192.168.10.16/30 (4
 addresses) to 57600 bps, you have to specify 4 rules like
@@ -954,17 +948,17 @@ If you want, for example, to limit all speed except access to POP3, you can use
  before the rest of bandlim rules.
 
 .br
-.B connlim
-<rate> <period> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR connlim
+\fI<rate>\fR \fI<period>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B noconnlim
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR noconnlim
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
  connlim sets connections rate limit per time period for traffic
 pattern controlled by ACL. Period is in seconds. If period is 0,
-connlim limits a number of parallel connections.
+\fBconnlim\fR limits a number of parallel connections.
 .br
  connlim 100 60 * 127.0.0.1
 .br
@@ -974,39 +968,39 @@ connlim limits a number of parallel connections.
 .br
  allows 20 simultaneous connections for 127.0.0.1.
 .br
- Like with bandlimin, if an individual limit is required per client, a separate
+ Like with \fBbandlimin\fR, if an individual limit is required per client, a separate
 rule must be added for every client. Like with nobandlimin, noconnlim adds an
 exception.
 
 
 
 .br
-.B counter
-<filename> <reporttype> <reportname>
+.BR counter
+\fI<filename>\fR \fI<reporttype>\fR \fI<reportname>\fR
 .br
-.B countin
-<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR countin
+\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B nocountin
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR nocountin
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B countout
-<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR countout
+\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B nocountout
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR nocountout
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B countall
-<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR countall
+\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B nocountall
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
+.BR nocountall
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
 
  counter, countin, nocountin, countout, nocountout, countall,
@@ -1020,38 +1014,36 @@ should be a unique sequential number which points to the position of
 the counter within the file.
 Type specifies a type of counter. Type is one of:
 .br
- H - counter is reset hourly
+ \fBH\fR - counter is reset hourly
 .br
- D - counter is reset daily
+ \fBD\fR - counter is reset daily
 .br
- W - counter is reset weekly
+ \fBW\fR - counter is reset weekly
 .br
- M - counter is reset monthly
+ \fBM\fR - counter is reset monthly
 .br
  reporttype/reportname may be used to generate traffic reports.
 Reporttype is one of D, W, M, H (hourly) and reportname specifies the filename
 template for reports. The report is a text file with counter values in
 the format:
 .br
- <COUNTERNUMBER> <TRAF>
+ \fI<COUNTERNUMBER>\fR \fI<TRAF>\fR
 .br
- The rest of parameters is identical to bandlim/nobandlim.
+ The rest of parameters is identical to \fBbandlim\fR/\fBnobandlim\fR.
 
 .br
-.B users
-username[:pwtype:password] ...
+.BR users
+\fIusername\fR[:\fIpwtype\fR:\fIpassword\fR] ...
 .br
  pwtype is one of:
 .br
  none (empty) - use system authentication
 .br
- CL - password is cleartext
+ \fBCL\fR - password is cleartext
 .br
- CR - password is crypt-style password
+ \fBCR\fR - password is crypt-style password
 .br
- NT - password is NT password (in hex)
-.br
- LM - password is LM password (in hex)
+ \fBNT\fR - password is NT password (in hex)
 .br
  example:
 .br
@@ -1059,7 +1051,7 @@ username[:pwtype:password] ...
 .br
  users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
 .br
- Note: double quotes are required because the password contains a $ sign.	
+ Note: double quotes are required because the password contains a $ sign.
 
 .br
 .B flush
@@ -1083,48 +1075,48 @@ and
 .B socks
 
 .br
-.B system
-<command>
+.BR system
+\fI<command>\fR
 .br
  execute system command
 
 .br
-.B pidfile
-<filename>
+.BR pidfile
+\fI<filename>\fR
 .br
  write pid of current process to file. It can be used to manipulate
 3proxy with signals under Unix. Currently next signals are available:
 
 .br
-.B monitor
-<filename>
+.BR monitor
+\fI<filename>\fR
 .br
  If file monitored changes in modification time or size, 3proxy reloads
 configuration within one minute. Any number of files may be monitored.
 
 .br
-.B setuid
-<uid>
+.BR setuid
+\fI<uid>\fR
 .br
  calls setuid(uid), uid can be numeric or since 0.9 username. Unix only. Warning: under some Linux
 kernels setuid() works for current thread only. It makes it impossible to suid
 for all threads.
 
 .br
-.B setgid
-<gid>
+.BR setgid
+\fI<gid>\fR
 .br
  calls setgid(gid), gid can be numeric or since 0.9 groupname. Unix only.
 
 .br
-.B chroot
-<path> [<uid>] [<gid>]
+.BR chroot
+\fI<path>\fR [\fI<uid>\fR] [\fI<gid>\fR]
 .br
  calls chroot(path) and sets gid/uid. Unix only. uid/gid supported since 0.9, can be numeric or username/groupname
 
 .br
-.B stacksize
-<value_to_add_to_default_stack_size>
+.BR stacksize
+\fI<value_to_add_to_default_stack_size>\fR
 .br
  Change the default size for thread stacks. May be required in some situations,
 e.g. with non-default plugins, or on some platforms (some FreeBSD versions
@@ -1139,8 +1131,8 @@ memory shortage, you can try to experiment with negative values.
 .SH PLUGINS
 
 .br
-.B plugin
-<path_to_shared_library> <function_to_call> [<arg1> ...]
+.BR plugin
+\fI<path_to_shared_library>\fR \fI<function_to_call>\fR [\fI<arg1>\fR ...]
 .br
  Loads specified library and calls given export function with given arguments,
 as 
@@ -1150,8 +1142,8 @@ as
  function_to_call must return 0 in case of success, value > 0 to indicate error.
 
 .br
-.B filtermaxsize
-<max_size_of_data_to_filter>
+.BR filtermaxsize
+\fI<max_size_of_data_to_filter>\fR
 .br
  If Content-length (or another data length) is greater than the given value, no
 data filtering will be performed through filtering plugins to avoid data

man/ftppr.8

@@ -73,7 +73,7 @@ and
 .IR port
 as the FTP server. The address of the real FTP server must be configured as a part of
 the FTP username. The format for the username is
-.IR username \fB@ server ,
+.IR username @ server ,
 where
 .I server
 is the address of the FTP server and

man/pop3p.8

@@ -67,7 +67,7 @@ and
 .IR port
 as a POP3 server. The address of the real POP3 server must be configured as a part of
 the POP3 username. The format for the username is
-.IR username \fB@ server ,
+.IR username @ server ,
 where
 .I server
 is the address of the POP3 server and

man/smtpp.8

@@ -68,7 +68,7 @@ and
 .IR port
 as an SMTP server. The address of the real SMTP server must be configured as a part of
 the SMTP username. The format for the username is
-.IR username \fB@ server ,
+.IR username @ server ,
 where
 .I server
 is the address of the SMTP server and

scripts/rh/3proxy.spec

@@ -38,7 +38,6 @@ make clean
 /bin/proxy
 /bin/socks
 /bin/tcppm
-/bin/udppm
 /bin/tlspr
 %config(noreplace) /etc/3proxy/3proxy.cfg
 /etc/3proxy/conf

src/3proxy.c

@@ -141,8 +141,10 @@ int timechanged (time_t oldtime, time_t newtime, ROTATION lt){
 	struct tm tmold;
 	struct tm *tm;
 	tm = localtime(&oldtime);
+	if(!tm) return 0;
 	tmold = *tm;
 	tm = localtime(&newtime);
+	if(!tm) return 0;
 	switch(lt){
 		case MINUTELY:
 			if(tm->tm_min != tmold.tm_min)return 1;
@@ -214,17 +216,17 @@ void dumpcounters(struct trafcount *tlin, int counterd){
 
 
 	cheader.updated = conf.time;
-	lseek(counterd, 0, SEEK_SET);
-	if(write(counterd, &cheader, sizeof(struct counter_header))){}
+	if(lseek(counterd, 0, SEEK_SET) >= 0 && write(counterd, &cheader, sizeof(struct counter_header))){}
 	for(tl=tlin; tl; tl = tl->next){
 		if(tl->number){
-			lseek(counterd, 
+			if(lseek(counterd, 
 				sizeof(struct counter_header) + (tl->number - 1) * sizeof(struct counter_record),
-				SEEK_SET);
-			crecord.traf64 = tl->traf64;
-			crecord.cleared = tl->cleared;
-			crecord.updated = tl->updated;
-			if(write(counterd, &crecord, sizeof(struct counter_record))){}
+				SEEK_SET) >= 0){
+			    crecord.traf64 = tl->traf64;
+			    crecord.cleared = tl->cleared;
+			    crecord.updated = tl->updated;
+			    if(write(counterd, &crecord, sizeof(struct counter_record))){}
+			}
 		}
 		if(tl->type!=NEVER && timechanged(tl->cleared, conf.time, tl->type)){
 			tl->cleared = conf.time;
@@ -267,9 +269,11 @@ void cyclestep(void){
 	}
 	if(timechanged(basetime, conf.time, DAILY)) {
 		tm = localtime(&conf.time);
-		wday = (1 << tm->tm_wday);
-		tm->tm_hour = tm->tm_min = tm->tm_sec = 0;
-		basetime = mktime(tm);
+		if(tm){
+			wday = (1 << tm->tm_wday);
+			tm->tm_hour = tm->tm_min = tm->tm_sec = 0;
+			basetime = mktime(tm);
+		}
 	}
 	if(conf.logname) {
 		if(timechanged(conf.logtime, conf.time, conf.logtype)) {
@@ -511,7 +515,6 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
   pthread_mutex_init(&config_mutex, NULL);
   pthread_mutex_init(&bandlim_mutex, NULL);
   pthread_mutex_init(&connlim_mutex, NULL);
-  pthread_mutex_init(&hash_mutex, NULL);
   pthread_mutex_init(&tc_mutex, NULL);
   pthread_mutex_init(&log_mutex, NULL);
 #ifndef NORADIUS
@@ -531,7 +534,7 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
   conf.version++;
 
   if(res) RETURN(res);
-  if(!writable)fclose(fp);
+  if(!writable){fclose(fp); fp = NULL;}
 
 #ifdef _WIN32
   
@@ -562,6 +565,7 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
 
 CLEARRETURN:
 
+ if(fp && fp != stdin) {fclose(fp); fp = NULL;}
  return 0;
 
 }

src/Makefile.inc

@@ -2,7 +2,7 @@
 # 3 proxy common Makefile
 #
 
-all:	$(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)3proxy_crypt$(EXESUFFICS) $(BUILDDIR)pop3p$(EXESUFFICS) $(BUILDDIR)smtpp$(EXESUFFICS) $(BUILDDIR)ftppr$(EXESUFFICS) $(BUILDDIR)tcppm$(EXESUFFICS) $(BUILDDIR)tlspr$(EXESUFFICS) $(BUILDDIR)udppm$(EXESUFFICS) $(BUILDDIR)socks$(EXESUFFICS) $(BUILDDIR)proxy$(EXESUFFICS) allplugins
+all:	$(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)3proxy_crypt$(EXESUFFICS) $(BUILDDIR)pop3p$(EXESUFFICS) $(BUILDDIR)smtpp$(EXESUFFICS) $(BUILDDIR)ftppr$(EXESUFFICS) $(BUILDDIR)tcppm$(EXESUFFICS) $(BUILDDIR)tlspr$(EXESUFFICS) $(BUILDDIR)socks$(EXESUFFICS) $(BUILDDIR)proxy$(EXESUFFICS) allplugins
 
 
 sockmap$(OBJSUFFICS): sockmap.c proxy.h structures.h
@@ -48,9 +48,6 @@ tlspr$(OBJSUFFICS): tlspr.c proxy.h structures.h proxymain.c
 socks$(OBJSUFFICS): socks.c proxy.h structures.h proxymain.c
 	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP socks.c
 
-udppm$(OBJSUFFICS): udppm.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP udppm.c
-
 3proxy$(OBJSUFFICS): 3proxy.c proxy.h structures.h
 	$(CC) $(CFLAGS) 3proxy.c
 
@@ -75,14 +72,9 @@ $(BUILDDIR)tcppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcp
 $(BUILDDIR)tlspr$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
 	$(LN) $(LNOUT)$(BUILDDIR)tlspr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 
-$(BUILDDIR)udppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)udppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
-
 mainfunc$(OBJSUFFICS): proxy.h structures.h proxymain.c
 	$(CC) $(COUT)mainfunc$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)MODULEMAINFUNC=mainfunc proxymain.c
 
-
-
 srvproxy$(OBJSUFFICS): proxy.c proxy.h structures.h
 	$(CC) $(COUT)srvproxy$(OBJSUFFICS) $(CFLAGS) proxy.c
 
@@ -119,6 +111,15 @@ srvdnspr$(OBJSUFFICS): dnspr.c proxy.h structures.h
 auth$(OBJSUFFICS): auth.c proxy.h structures.h
 	$(CC) $(COUT)auth$(OBJSUFFICS) $(CFLAGS) auth.c
 
+acl$(OBJSUFFICS): acl.c proxy.h structures.h
+	$(CC) $(COUT)acl$(OBJSUFFICS) $(CFLAGS) acl.c
+
+limiter$(OBJSUFFICS): limiter.c proxy.h structures.h
+	$(CC) $(COUT)limiter$(OBJSUFFICS) $(CFLAGS) limiter.c
+
+redirect$(OBJSUFFICS): redirect.c proxy.h structures.h
+	$(CC) $(COUT)redirect$(OBJSUFFICS) $(CFLAGS) redirect.c
+
 hash$(OBJSUFFICS): hash.c proxy.h structures.h
 	$(CC) $(COUT)hash$(OBJSUFFICS) $(CFLAGS) hash.c
 
@@ -158,6 +159,6 @@ $(BUILDDIR)3proxy_crypt$(EXESUFFICS): md4$(OBJSUFFICS) blake2$(OBJSUFFICS) 3prox
 stringtable$(OBJSUFFICS):  stringtable.c
 	$(CC) $(COUT)stringtable$(OBJSUFFICS) $(CFLAGS) stringtable.c
 
-$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
-	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
+	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 

src/acl.c

@@ -0,0 +1,168 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+int IPInentry(struct sockaddr *sa, struct iplist *ipentry){
+	int addrlen;
+	unsigned char *ip, *ipf, *ipt;
+
+
+	if(!sa || ! ipentry || *SAFAMILY(sa) != ipentry->family) return 0;
+
+	ip = (unsigned char *)SAADDR(sa);
+	ipf = (unsigned char *)&ipentry->ip_from;
+	ipt = (unsigned char *)&ipentry->ip_to;
+
+
+	addrlen = SAADDRLEN(sa);
+
+	if(memcmp(ip,ipf,addrlen) < 0 || memcmp(ip,ipt,addrlen) > 0) return 0;
+	return 1;
+
+}
+
+int ACLmatches(struct ace* acentry, struct clientparam * param){
+	struct userlist * userentry;
+	struct iplist *ipentry;
+	struct portlist *portentry;
+	struct period *periodentry;
+	unsigned char * username;
+	struct hostname * hstentry=NULL;
+	int i;
+	int match = 0;
+
+	username = param->username?param->username:(unsigned char *)"-";
+	if(acentry->src) {
+	 for(ipentry = acentry->src; ipentry; ipentry = ipentry->next)
+		if(IPInentry((struct sockaddr *)&param->sincr, ipentry)) {
+			break;
+		}
+	 if(!ipentry) return 0;
+	}
+	if((acentry->dst && (!SAISNULL(&param->req) || param->operation == UDPASSOC || param->operation==BIND)) || (acentry->dstnames && param->hostname)) {
+	 for(ipentry = acentry->dst; ipentry; ipentry = ipentry->next)
+		if(IPInentry((struct sockaddr *)&param->req, ipentry)) {
+			break;
+		}
+	 if(!ipentry) {
+		 if(acentry->dstnames && param->hostname){
+			for(i=0; param->hostname[i]; i++){
+				param->hostname[i] = tolower(param->hostname[i]);
+			}
+			while(i > 5 && param->hostname[i-1] == '.') param->hostname[i-1] = 0;
+			for(hstentry = acentry->dstnames; hstentry; hstentry = hstentry->next){
+				int lname, lhost;
+				switch(hstentry->matchtype){
+					case 0:
+#ifndef _WIN32
+					if(strcasestr((char *)param->hostname, (char *)hstentry->name)) match = 1;
+#else
+					if(strstr((char *)param->hostname, (char *)hstentry->name)) match = 1;
+#endif
+					break;
+
+					case 1:
+					if(!strncasecmp((char *)param->hostname, (char *)hstentry->name, strlen((char *)hstentry->name)))
+						match = 1;
+					break;
+
+					case 2:
+					lname = strlen((char *)hstentry->name);
+					lhost = strlen((char *)param->hostname);
+					if(lhost > lname){
+						if(!strncasecmp((char *)param->hostname + (lhost - lname),
+							(char *)hstentry->name,
+							lname))
+								match = 1;
+					}
+					break;
+
+					default:
+					if(!strcasecmp((char *)param->hostname, (char *)hstentry->name)) match = 1;
+					break;
+        			}
+				if(match) break;
+			}
+		 }
+	 }
+	 if(!ipentry && !hstentry) return 0;
+	}
+	if(acentry->ports && (*SAPORT(&param->req) || param->operation == UDPASSOC || param->operation == BIND)) {
+	 for (portentry = acentry->ports; portentry; portentry = portentry->next)
+		if(ntohs(*SAPORT(&param->req)) >= portentry->startport &&
+			   ntohs(*SAPORT(&param->req)) <= portentry->endport) {
+			break;
+		}
+		if(!portentry) return 0;
+	}
+	if(acentry->wdays){
+		if(!(acentry -> wdays & wday)) return 0;
+	}
+	if(acentry->periods){
+	 int start_time = (int)(param->time_start - basetime);
+	 for(periodentry = acentry->periods; periodentry; periodentry = periodentry -> next)
+		if(start_time >= periodentry->fromtime && start_time < periodentry->totime){
+			break;
+		}
+		if(!periodentry) return 0;
+	}
+	if(acentry->users){
+	 for(userentry = acentry->users; userentry; userentry = userentry->next)
+		if(!strcmp((char *)username, (char *)userentry->user)){
+			break;
+		}
+	 if(!userentry) return 0;
+	}
+	if(acentry->operation) {
+		if((acentry->operation & param->operation) != param->operation){
+				 return 0;
+		}
+	}
+	if(acentry->weight && (acentry->weight < param->weight)) return 0;
+	return 1;
+}
+
+
+int checkACL(struct clientparam * param){
+	struct ace* acentry;
+
+	if(!param->srv->acl) {
+		return 0;
+	}
+	for(acentry = param->srv->acl; acentry; acentry = acentry->next) {
+		if(ACLmatches(acentry, param)) {
+			param->nolog = acentry->nolog;
+			param->weight = acentry->weight;
+			if(acentry->action == 2) {
+				struct ace dup;
+				int res=60,i=0;
+
+				if(param->operation < 256 && !(param->operation & CONNECT)){
+					continue;
+				}
+				if(param->redirected && acentry->chains && SAISNULL(&acentry->chains->addr) && !*SAPORT(&acentry->chains->addr)) {
+					continue;
+				}
+				if(param->remsock != INVALID_SOCKET) {
+					return 0;
+				}
+				for(; i < conf.parentretries; i++){
+					dup = *acentry;
+					res = handleredirect(param, &dup);
+					if(!res) break;
+					if(param->remsock != INVALID_SOCKET) param->srv->so._closesocket(param->sostate, param->remsock);
+					param->remsock = INVALID_SOCKET;
+				}
+				return res;
+			}
+			return acentry->action;
+		}
+	}
+	return 3;
+}

src/auth.c

@@ -8,676 +8,7 @@
 
 #include "proxy.h"
 
-static FILTER_ACTION (*ext_ssl_parent)(struct clientparam * param) = NULL;
-
-static FILTER_ACTION ssl_parent(struct clientparam * param){
-    if(ext_ssl_parent) return ext_ssl_parent(param);
-    ext_ssl_parent = pluginlink.findbyname("ssl_parent");
-    if(ext_ssl_parent) return ext_ssl_parent(param);
-    return REJECT;
-}
-
-int clientnegotiate(struct chain * redir, struct clientparam * param, struct sockaddr * addr, unsigned char * hostname){
-	unsigned char *buf;
-	unsigned char *username;
-	int res;
-	int len=0;
-	unsigned char * user, *pass;
-
-
-	user = redir->extuser;
-	pass = redir->extpass;
-	if (!param->srvbufsize){
-		param->srvbufsize = SRVBUFSIZE;
-		param->srvbuf = myalloc(param->srvbufsize);
-		if(!param->srvbuf) return 21;
-	}
-	buf = param->srvbuf;
-	username = buf + 2048;
-	if(user) {
-		if (*user == '*') {
-			if(!param->username) return 4;
-			user = param->username;
-			pass = param->password;
-		}
-	}
-	if(redir->secure){
-	    res = ssl_parent(param);
-	    if(res != PASS) return res;
-	}
-	switch(redir->type){
-		case R_TCP:
-		case R_HTTP:
-			return 0;
-		case R_CONNECT:
-		case R_CONNECTP:
-		{
-			len = sprintf((char *)buf, "CONNECT ");
-			if(redir->type == R_CONNECTP && hostname) {
-				char * needreplace;
-				needreplace = strchr((char *)hostname, ':');
-				if(needreplace) buf[len++] = '[';
-				len += sprintf((char *)buf + len, "%.256s", (char *)hostname);
-				if(needreplace) buf[len++] = ']';
-			}
-			else {
-				if(*SAFAMILY(addr) == AF_INET6) buf[len++] = '[';
-				len += myinet_ntop(*SAFAMILY(addr), SAADDR(addr), (char *)buf+len, 256);
-				if(*SAFAMILY(addr) == AF_INET6) buf[len++] = ']';
-			}
-			len += sprintf((char *)buf + len,
-				":%hu HTTP/1.0\r\nConnection: keep-alive\r\n", ntohs(*SAPORT(addr)));
-			if(user){
-				len += sprintf((char *)buf + len, "Proxy-Authorization: Basic ");
-				sprintf((char *)username, "%.128s:%.128s", user, pass?pass:(unsigned char *)"");
-				en64(username, buf+len, (int)strlen((char *)username));
-				len = (int)strlen((char *)buf);
-				len += sprintf((char *)buf + len, "\r\n");
-			}
-			len += sprintf((char *)buf + len, "\r\n");
-			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != (int)strlen((char *)buf))
-				return 31;
-			param->statssrv64+=len;
-			param->nwrites++;
-			if((res = sockgetlinebuf(param, SERVER,buf,13,'\n',conf.timeouts[CHAIN_TO])) < 13)
-				return 32;
-			if(buf[9] != '2') return 33;
-			while((res = sockgetlinebuf(param, SERVER,buf,1023,'\n', conf.timeouts[CHAIN_TO])) > 2);
-			if(res <= 0) return 34;
-			return 0;
-		}
-		case R_SOCKS4:
-		case R_SOCKS4P:
-		case R_SOCKS4B:
-		{
-
-			if(*SAFAMILY(addr) != AF_INET) return 44;
-			buf[0] = 4;
-			buf[1] = 1;
-			memcpy(buf+2, SAPORT(addr), 2);
-			if(redir->type == R_SOCKS4P && hostname) {
-				buf[4] = buf[5] = buf[6] = 0;
-				buf[7] = 3;
-			}
-			else memcpy(buf+4, SAADDR(addr), 4);
-			if(!user)user = (unsigned char *)"anonymous";
-			len = (int)strlen((char *)user) + 1;
-			memcpy(buf+8, user, len);
-			len += 8;
-			if(redir->type == R_SOCKS4P && hostname) {
-				int hostnamelen;
-
-				hostnamelen = (int)strlen((char *)hostname) + 1;
-				if(hostnamelen > 255) hostnamelen = 255;
-				memcpy(buf+len, hostname, hostnamelen);
-				len += hostnamelen;
-			}
-			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) < len){
-				return 41;
-			}
-			param->statssrv64+=len;
-			param->nwrites++;
-			if((len = sockgetlinebuf(param, SERVER, buf, (redir->type == R_SOCKS4B)? 3:8, EOF, conf.timeouts[CHAIN_TO])) != ((redir->type == R_SOCKS4B)? 3:8)){
-				return 42;
-			}
-			if(buf[1] != 90) {
-				return 43;
-			}
-
-		}
-		return 0;
-
-		case R_SOCKS5:
-		case R_SOCKS5P:
-		case R_SOCKS5B:
-		{
-		 int inbuf = 0;
-			buf[0] = 5;
-			buf[1] = 1;
-			buf[2] = user? 2 : 0;
-			if(socksend(param, param->remsock, buf, 3, conf.timeouts[CHAIN_TO]) != 3){
-				return 51;
-			}
-			param->statssrv64+=len;
-			param->nwrites++;
-			if(sockgetlinebuf(param, SERVER, buf, 2, EOF, conf.timeouts[CHAIN_TO]) != 2){
-				return 52;
-			}
-			if(buf[0] != 5) {
-				return 53;
-			}
-			if(buf[1] != 0 && !(buf[1] == 2 && user)){
-				return 54;
-			}
-			if(buf[1] == 2){
-				buf[inbuf++] = 1;
-				buf[inbuf] = (unsigned char)strlen((char *)user);
-				memcpy(buf+inbuf+1, user, buf[inbuf]);
-				inbuf += buf[inbuf] + 1;
-				buf[inbuf] = pass?(unsigned char)strlen((char *)pass):0;
-				if(pass)memcpy(buf+inbuf+1, pass, buf[inbuf]);
-				inbuf += buf[inbuf] + 1;
-				if(socksend(param, param->remsock, buf, inbuf, conf.timeouts[CHAIN_TO]) != inbuf){
-					return 51;
-				}
-				param->statssrv64+=inbuf;
-				param->nwrites++;
-				if(sockgetlinebuf(param, SERVER, buf, 2, EOF, 60) != 2){
-					return 55;
-				}
-				if(buf[0] != 1 || buf[1] != 0) {
-					return 56;
-				}
-			}
-			buf[0] = 5;
-			buf[1] = 1;
-			buf[2] = 0;
-			if(redir->type == R_SOCKS5P && hostname) {
-				buf[3] = 3;
-				len = (int)strlen((char *)hostname);
-				if(len > 255) len = 255;
-				buf[4] = len;
-				memcpy(buf + 5, hostname, len);
-				len += 5;
-			}
-			else {
-				len = 3;
-				buf[len++] = (*SAFAMILY(addr) == AF_INET)? 1 : 4;
-				memcpy(buf+len, SAADDR(addr), SAADDRLEN(addr));
-				len += SAADDRLEN(addr);
-			}
-			memcpy(buf+len, SAPORT(addr), 2);
-			len += 2;
-			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != len){
-				return 51;
-			}
-			param->statssrv64+=len;
-			param->nwrites++;
-			if(sockgetlinebuf(param, SERVER, buf, 4, EOF, conf.timeouts[CHAIN_TO]) != 4){
-				return 57;
-			}
-			if(buf[0] != 5) {
-				return 53;
-			}
-			if(buf[1] != 0) {
-				return 60 + (buf[1] % 10);
-			}
-			switch (buf[3]) {
-			case 1:
-			    if (redir->type == R_SOCKS5B ||  sockgetlinebuf(param, SERVER, buf, 6, EOF, conf.timeouts[CHAIN_TO]) == 6)
-				    break;
-			    return 59;
-			case 3:
-			    if (sockgetlinebuf(param, SERVER, buf, 1, EOF, conf.timeouts[CHAIN_TO]) != 1) return 59;
-			    len = (unsigned char)buf[0];
-			    if (sockgetlinebuf(param, SERVER, buf, len + 2, EOF, conf.timeouts[CHAIN_TO]) != len + 2) return 59;
-			    break;
-			case 4:
-			    if (sockgetlinebuf(param, SERVER, buf, 18, EOF, conf.timeouts[CHAIN_TO]) == 18)
-				    break;
-			    return 59;
-			default:
-			    return 58;
-			}
-			return 0;
-		}
-
-		default:
-
-			return 30;
-	}
-}
-
-
-int handleredirect(struct clientparam * param, struct ace * acentry){
-	int connected = 0;
-	int weight = 1000;
-	int res;
-	int done = 0;
-	int ha = 0;
-	struct chain * cur;
-	struct chain * redir = NULL;
-	int r2;
-
-	if(param->remsock != INVALID_SOCKET) {
-		return 0;
-	}
-	if(SAISNULL(&param->req) || !*SAPORT(&param->req)) {
-		return 100;
-	}
-
-	r2 = (myrand(param, sizeof(struct clientparam))%1000);
-
-	for(cur = acentry->chains; cur; cur=cur->next){
-		if(((weight = weight - cur->weight) > r2)|| done) {
-			if(weight <= 0) {
-				weight += 1000;
-				done = 0;
-				r2 = (myrand(param, sizeof(struct clientparam))%1000);
-			}
-			continue;
-		}
-		param->redirected++;
-		done = 1;
-		if(weight <= 0) {
-			weight += 1000;
-			done = 0;
-			r2 = (myrand(param, sizeof(struct clientparam))%1000);
-		}
-		if(!connected){
-			if(cur->type == R_EXTIP){
-				param->sinsl = cur->addr;
-				if(SAISNULL(&param->sinsl) && (*SAFAMILY(&param->sincr) == AF_INET || *SAFAMILY(&param->sincr) == AF_INET6))param->sinsl = param->sincr;
-#ifndef NOIPV6
-				else if(cur->cidr && *SAFAMILY(&param->sinsl) == AF_INET6){
-					uint16_t c;
-					int i;
-
-					for(i = 0; i < 8; i++){
-						if(i==4)myrand(&param->sincr, sizeof(param->sincr));
-						else if(i==6) myrand(&param->req, sizeof(param->req));
-
-						if(i*16 >= cur->cidr) ((uint16_t *)SAADDR(&param->sinsl))[i] |= rand();
-						else if ((i+1)*16 >  cur->cidr){
-							c = rand();
-							c >>= (cur->cidr - (i*16));
-							c |= ntohs(((uint16_t *)SAADDR(&param->sinsl))[i]);
-							((uint16_t *)SAADDR(&param->sinsl))[i] = htons(c);
-						}
-					}
-				}
-#endif
-				if(cur->next)continue;
-				return 0;
-			}
-			else if(SAISNULL(&cur->addr) && !*SAPORT(&cur->addr)){
-				int i;
-				if(cur->extuser){
-					if(param->extusername)
-						myfree(param->extusername);
-					param->extusername = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->username)? param->username : cur->extuser));
-					if(cur->extpass){
-						if(param->extpassword)
-							myfree(param->extpassword);
-						param->extpassword = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->password)?param->password : cur->extpass));
-					}
-					if(*cur->extuser == '*' && !param->username) return 4;
-				}
-				
-				for(i=0; redirs[i].name; i++){
-				    if(cur->type == redirs[i].redir) {
-					param->redirectfunc = redirs[i].func;
-					break;
-				    }
-				}
-				if(cur->type == R_HA){
-				    ha = 1;
-				}
-				if(cur->next)continue;
-				if(!ha) return 0;
-			}
-			else if(!*SAPORT(&cur->addr) && !SAISNULL(&cur->addr)) {
-				uint16_t port = *SAPORT(&param->sinsr);
-				param->sinsr = cur->addr;
-				*SAPORT(&param->sinsr) = port;
-			}
-			else if(SAISNULL(&cur->addr) && *SAPORT(&cur->addr)) *SAPORT(&param->sinsr) = *SAPORT(&cur->addr);
-			else {
-				param->sinsr = cur->addr;
-			}
-
-			if((res = alwaysauth(param))){
-				return (res >= 10)? res : 60+res;
-			}
-			if(ha) {
-			    char buf[128];
-			    int len; 
-			    len = sprintf(buf, "PROXY %s ",
-				*SAFAMILY(&param->sincr) == AF_INET6 ? "TCP6" : "TCP4");
-			    len += myinet_ntop(*SAFAMILY(&param->sincr), SAADDR(&param->sincr), buf+len, sizeof(param->sincr));
-			    buf[len++] = ' ';
-			    len += myinet_ntop(*SAFAMILY(&param->sincl), SAADDR(&param->sincl), buf+len, sizeof(param->sincl));
-			    len += sprintf(buf + len, " %hu %hu\r\n",
-				ntohs(*SAPORT(&param->sincr)),
-				ntohs(*SAPORT(&param->sincl))
-			    );
-			    if(socksend(param, param->remsock, (unsigned char *)buf, len, conf.timeouts[CHAIN_TO])!=len) return 39;
-			    return 0;
-			}
-		}
-		else {
-			res = (redir)?clientnegotiate(redir, param, (struct sockaddr *)&cur->addr, cur->exthost):0;
-			if(res) return res;
-		}
-		redir = cur;
-		param->redirtype = redir->type;
-		if(redir->type == R_TCP || redir->type ==R_HTTP) {
-			if(cur->extuser){
-				if(*cur -> extuser == '*' && !param->username) return 4;
-				if(param->extusername)
-					myfree(param->extusername);
-				param->extusername = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->username)? param->username : cur->extuser));
-				if(cur->extpass){
-					if(param->extpassword)
-						myfree(param->extpassword);
-					param->extpassword = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->password)?param->password : cur->extpass));
-				}
-			}
-			if(redir->secure) return ssl_parent(param);
-			return 0;
-		}
-		connected = 1;
-	}
-
-	if(!connected || !redir) return 0;
-	return clientnegotiate(redir, param, (struct sockaddr *)&param->req, param->hostname);
-}
-
-int IPInentry(struct sockaddr *sa, struct iplist *ipentry){
-	int addrlen;
-	unsigned char *ip, *ipf, *ipt;
-
-
-	if(!sa || ! ipentry || *SAFAMILY(sa) != ipentry->family) return 0;
-
-	ip = (unsigned char *)SAADDR(sa);
-	ipf = (unsigned char *)&ipentry->ip_from;
-	ipt = (unsigned char *)&ipentry->ip_to;
-
-
-	addrlen = SAADDRLEN(sa);
-	
-	if(memcmp(ip,ipf,addrlen) < 0 || memcmp(ip,ipt,addrlen) > 0) return 0;
-	return 1;
-	
-}
-
-int ACLmatches(struct ace* acentry, struct clientparam * param){
-	struct userlist * userentry;
-	struct iplist *ipentry;
-	struct portlist *portentry;
-	struct period *periodentry;
-	unsigned char * username;
-	struct hostname * hstentry=NULL;
-	int i;
-	int match = 0;
-	
-	username = param->username?param->username:(unsigned char *)"-";
-	if(acentry->src) {
-	 for(ipentry = acentry->src; ipentry; ipentry = ipentry->next)
-		if(IPInentry((struct sockaddr *)&param->sincr, ipentry)) {
-			break;
-		}
-	 if(!ipentry) return 0;
-	}
-	if((acentry->dst && (!SAISNULL(&param->req) || param->operation == UDPASSOC || param->operation==BIND)) || (acentry->dstnames && param->hostname)) {
-	 for(ipentry = acentry->dst; ipentry; ipentry = ipentry->next)
-		if(IPInentry((struct sockaddr *)&param->req, ipentry)) {
-			break;
-		}
-	 if(!ipentry) {
-		 if(acentry->dstnames && param->hostname){
-			for(i=0; param->hostname[i]; i++){
-				param->hostname[i] = tolower(param->hostname[i]);
-			}
-			while(i > 5 && param->hostname[i-1] == '.') param->hostname[i-1] = 0;
-			for(hstentry = acentry->dstnames; hstentry; hstentry = hstentry->next){
-				int lname, lhost;
-				switch(hstentry->matchtype){
-					case 0:
-#ifndef _WIN32
-					if(strcasestr((char *)param->hostname, (char *)hstentry->name)) match = 1;
-#else
-					if(strstr((char *)param->hostname, (char *)hstentry->name)) match = 1;
-#endif
-					break;
-
-					case 1:
-					if(!strncasecmp((char *)param->hostname, (char *)hstentry->name, strlen((char *)hstentry->name)))
-						match = 1;
-					break;
-
-					case 2:
-					lname = strlen((char *)hstentry->name);
-					lhost = strlen((char *)param->hostname);
-					if(lhost > lname){
-						if(!strncasecmp((char *)param->hostname + (lhost - lname),
-							(char *)hstentry->name,
-							lname))
-								match = 1;
-					}
-					break;
-
-					default:
-					if(!strcasecmp((char *)param->hostname, (char *)hstentry->name)) match = 1;
-					break;
-        			}
-				if(match) break;
-			}
-		 }
-	 }
-	 if(!ipentry && !hstentry) return 0;
-	}
-	if(acentry->ports && (*SAPORT(&param->req) || param->operation == UDPASSOC || param->operation == BIND)) {
-	 for (portentry = acentry->ports; portentry; portentry = portentry->next)
-		if(ntohs(*SAPORT(&param->req)) >= portentry->startport &&
-			   ntohs(*SAPORT(&param->req)) <= portentry->endport) {
-			break;
-		}
-		if(!portentry) return 0;
-	}
-	if(acentry->wdays){
-		if(!(acentry -> wdays & wday)) return 0;
-	}
-	if(acentry->periods){
-	 int start_time = (int)(param->time_start - basetime);
-	 for(periodentry = acentry->periods; periodentry; periodentry = periodentry -> next)
-		if(start_time >= periodentry->fromtime && start_time < periodentry->totime){
-			break;
-		}
-		if(!periodentry) return 0;
-	}
-	if(acentry->users){
-	 for(userentry = acentry->users; userentry; userentry = userentry->next)
-		if(!strcmp((char *)username, (char *)userentry->user)){
-			break;
-		}
-	 if(!userentry) return 0;
-	}
-	if(acentry->operation) {
-		if((acentry->operation & param->operation) != param->operation){
-				 return 0;
-		}
-	}
-	if(acentry->weight && (acentry->weight < param->weight)) return 0;
-	return 1;
-}
-
-
-int startconnlims (struct clientparam *param){
-	struct connlim * ce;
-	time_t delta;
-	uint64_t rating;
-	int ret = 0;
-
-	param->connlim = 1;
-	pthread_mutex_lock(&connlim_mutex);
-	for(ce = conf.connlimiter; ce; ce = ce->next) {
-		if(ACLmatches(ce->ace, param)){
-			if(ce->ace->action == NOCONNLIM)break;
-			if(!ce->period){
-				if(ce->rate <= ce->rating) {
-					ret = 1;
-					break;
-				}
-				ce->rating++;
-				continue;
-			}
-			delta = conf.time - ce->basetime;
-			if(ce->period <= delta || ce->basetime > conf.time){
-				ce->basetime = conf.time;
-				ce->rating = 0x100000;
-				continue;
-			}
-			rating = delta? ((ce->rating * (ce->period - delta)) / ce->period) + 0x100000 : ce->rating + 0x100000;
-			if (rating > (ce->rate<<20)) {
-				ret = 2;
-				break;
-			}
-			ce->rating = rating;
-			ce->basetime = conf.time;
-		}
-	}
-	pthread_mutex_unlock(&connlim_mutex);
-	return ret;
-}
-
-void stopconnlims (struct clientparam *param){
-	struct connlim * ce;
-
-	pthread_mutex_lock(&connlim_mutex);
-	for(ce = conf.connlimiter; ce; ce = ce->next) {
-		if(ACLmatches(ce->ace, param)){
-			if(ce->ace->action == NOCONNLIM)break;
-			if(!ce->period && ce->rating){
-				ce->rating--;
-				continue;
-			}
-		}
-	}
-	pthread_mutex_unlock(&connlim_mutex);
-}
-
-static void initbandlims (struct clientparam *param){
-	struct bandlim * be;
-	int i;
-
-	param->bandlimfunc = NULL;
-	param->bandlims[0] = NULL;
-	param->bandlimsout[0] = NULL;
-	if(!conf.bandlimfunc || (!conf.bandlimiter && !conf.bandlimiterout)) return;
-	for(i=0, be = conf.bandlimiter; be && i<MAXBANDLIMS; be = be->next) {
-		if(ACLmatches(be->ace, param)){
-			if(be->ace->action == NOBANDLIM) {
-				break;
-			}
-			param->bandlims[i++] = be;
-			param->bandlimfunc = conf.bandlimfunc;
-		}
-	}
-	if(i<MAXBANDLIMS)param->bandlims[i] = NULL;
-	for(i=0, be = conf.bandlimiterout; be && i<MAXBANDLIMS; be = be->next) {
-		if(ACLmatches(be->ace, param)){
-			if(be->ace->action == NOBANDLIM) {
-				break;
-			}
-			param->bandlimsout[i++] = be;
-			param->bandlimfunc = conf.bandlimfunc;
-		}
-	}
-	if(i<MAXBANDLIMS)param->bandlimsout[i] = NULL;
-	param->bandlimver = conf.bandlimver;
-}
-
-unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout){
-	unsigned sleeptime = 0, nsleeptime;
-	time_t sec;
-	unsigned msec;
-	unsigned now;
-	int i;
-
-#ifdef _WIN32
-	struct timeb tb;
-
-	ftime(&tb);
-	sec = (unsigned)tb.time;
-	msec = (unsigned)tb.millitm*1000;
-#else
-	struct timeval tv;
-	gettimeofday(&tv, NULL);
-
-	sec = tv.tv_sec;
-	msec = tv.tv_usec;
-#endif
-	
-	if(!nbytesin && !nbytesout) return 0;
-	pthread_mutex_lock(&bandlim_mutex);
-	if(param->bandlimver != conf.bandlimver){
-		initbandlims(param);
-		param->bandlimver = conf.bandlimver;
-	}
-	for(i=0; nbytesin&& i<MAXBANDLIMS && param->bandlims[i]; i++){
-		if( !param->bandlims[i]->basetime || 
-			param->bandlims[i]->basetime > sec ||
-			param->bandlims[i]->basetime < (sec - 120)
-		  )
-		{
-			param->bandlims[i]->basetime = sec;
-			param->bandlims[i]->nexttime = 0;
-			continue;
-		}
-		now = (unsigned)((sec - param->bandlims[i]->basetime) * 1000000) + msec;
-		nsleeptime = (param->bandlims[i]->nexttime > now)?
-			param->bandlims[i]->nexttime - now : 0;
-		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
-		param->bandlims[i]->basetime = sec;
-		param->bandlims[i]->nexttime = msec + nsleeptime + (((uint64_t)nbytesin * 8 * 1000000) / param->bandlims[i]->rate);
-	}
-	for(i=0; nbytesout && i<MAXBANDLIMS && param->bandlimsout[i]; i++){
-		if( !param->bandlimsout[i]->basetime || 
-			param->bandlimsout[i]->basetime > sec ||
-			param->bandlimsout[i]->basetime < (sec - 120)
-		  )
-		{
-			param->bandlimsout[i]->basetime = sec;
-			param->bandlimsout[i]->nexttime = 0;
-			continue;
-		}
-		now = (unsigned)((sec - param->bandlimsout[i]->basetime) * 1000000) + msec;
-		nsleeptime = (param->bandlimsout[i]->nexttime > now)?
-			param->bandlimsout[i]->nexttime - now : 0;
-		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
-		param->bandlimsout[i]->basetime = sec;
-		param->bandlimsout[i]->nexttime = msec + nsleeptime + ((nbytesout > 512)? ((nbytesout+32)/64)*((64*8*1000000)/param->bandlimsout[i]->rate) : ((nbytesout+1)* (8*1000000))/param->bandlimsout[i]->rate);
-	}
-	pthread_mutex_unlock(&bandlim_mutex);
-	return sleeptime/1000;
-}
-
-void trafcountfunc(struct clientparam *param){
-	struct trafcount * tc;
-	int countout = 0;
-
-	pthread_mutex_lock(&tc_mutex);
-	for(tc = conf.trafcounter; tc; tc = tc->next) {
-		if(ACLmatches(tc->ace, param)){
-
-			if(tc->ace->action == NOCOUNTIN) {
-				countout = 1;
-				break;
-			}
-			if(tc->ace->action == NOCOUNTALL) break;
-			if(tc->ace->action != COUNTIN && tc->ace->action != COUNTALL) {
-				countout = 1;
-				continue;
-			}
-			tc->traf64 += param->statssrv64;
-			tc->updated = conf.time;
-		}
-	}
-	if(countout) for(tc = conf.trafcounter; tc; tc = tc->next) {
-		if(ACLmatches(tc->ace, param)){
-			if(tc->ace->action == NOCOUNTOUT || tc->ace->action == NOCOUNTALL) break;
-			if(tc->ace->action != COUNTOUT && tc->ace->action != COUNTALL ) {
-				continue;
-			}
-			tc->traf64 += param->statscli64;
-			tc->updated = conf.time;
-		}
-	}
-
-	pthread_mutex_unlock(&tc_mutex);
-}
+void initbandlims(struct clientparam *param);
 
 int alwaysauth(struct clientparam * param){
 	int res;
@@ -713,7 +44,7 @@ int alwaysauth(struct clientparam * param){
 					    return 10;
 					}
 					param->trafcountfunc = conf.trafcountfunc;
-					param->maxtrafin64 = tc->traflim64 - tc->traf64; 
+					param->maxtrafin64 = tc->traflim64 - tc->traf64;
 				}
 			}
 			if(countout)for(tc = conf.trafcounter; tc; tc = tc->next) {
@@ -728,7 +59,7 @@ int alwaysauth(struct clientparam * param){
 					    return 10;
 					}
 					param->trafcountfunc = conf.trafcountfunc;
-					param->maxtrafout64 = tc->traflim64 - tc->traf64; 
+					param->maxtrafout64 = tc->traflim64 - tc->traf64;
 				}
 			}
 			pthread_mutex_unlock(&tc_mutex);
@@ -737,49 +68,11 @@ int alwaysauth(struct clientparam * param){
 	return res;
 }
 
-int checkACL(struct clientparam * param){
-	struct ace* acentry;
-
-	if(!param->srv->acl) {
-		return 0;
-	}
-	for(acentry = param->srv->acl; acentry; acentry = acentry->next) {
-		if(ACLmatches(acentry, param)) {
-			param->nolog = acentry->nolog;
-			param->weight = acentry->weight;
-			if(acentry->action == 2) {
-				struct ace dup;
-				int res=60,i=0;
-
-				if(param->operation < 256 && !(param->operation & CONNECT)){
-					continue;
-				}
-				if(param->redirected && acentry->chains && SAISNULL(&acentry->chains->addr) && !*SAPORT(&acentry->chains->addr)) {
-					continue;
-				}
-				if(param->remsock != INVALID_SOCKET) {
-					return 0;
-				}
-				for(; i < conf.parentretries; i++){
-					dup = *acentry;
-					res = handleredirect(param, &dup);
-					if(!res) break;
-					if(param->remsock != INVALID_SOCKET) param->srv->so._closesocket(param->sostate, param->remsock);
-					param->remsock = INVALID_SOCKET;
-				}
-				return res;
-			}
-			return acentry->action;
-		}
-	}
-	return 3;
-}
-
 int cacheauth(struct clientparam * param){
 	struct authcache ac;
 	uint32_t ttl;
-	
-	
+
+
 	if(
 	((conf.authcachetype & 2) && !param->username) ||
 	((conf.authcachetype & 4) && !param->password) ||
@@ -797,7 +90,7 @@ int cacheauth(struct clientparam * param){
 	)) {
 	    return 10;
 	}
-	 
+
 	if(!(conf.authcachetype&2) && *ac.username){
 	    if(param->username) myfree(param->username);
 	    param->username = (unsigned char *)mystrdup((char *)ac.username);
@@ -824,8 +117,11 @@ int doauth(struct clientparam * param){
 					return res;
 			if(conf.authcachetype && authfuncs->authenticate && authfuncs->authenticate != cacheauth && param->username && (!(conf.authcachetype&4) || (!param->pwtype && param->password))){
 			    struct authcache ac={.username=""};
-			    
-			    if(param->username) strncpy((char *)ac.username, (char *)param->username, 64);
+
+			    if(param->username) {
+				strncpy((char *)ac.username, (char *)param->username, 64);
+				ac.username[63] = 0;
+			    }
 			    if(*SAFAMILY(&param->sincr) == AF_INET
 #ifndef NOIPv6
 				 || *SAFAMILY(&param->sincr) == AF_INET6
@@ -834,7 +130,7 @@ int doauth(struct clientparam * param){
 				ac.sincr_family = *SAFAMILY(&param->sincr);
 				memcpy(ac.sincr_addr, SAADDR(&param->sincr), SAADDRLEN(&param->sincr));
 			    }
-			    
+
 			    if(*SAFAMILY(&param->sinsl) == AF_INET
 #ifndef NOIPv6
 				 || *SAFAMILY(&param->sinsl) == AF_INET6
@@ -854,7 +150,7 @@ int doauth(struct clientparam * param){
 		ret = alwaysauth(param);
 		if (param->afterauthfilters){
 		    FILTER_ACTION action;
-    
+
 		    action = handleafterauthflt(param);
 		    if(action != PASS) return 19;
 		}
@@ -901,12 +197,12 @@ int dnsauth(struct clientparam * param){
 	else {
 		u = ntohl(*(uint32_t *)SAADDR(&param->sincr));
 
-		sprintf(buf, "%u.%u.%u.%u.in-addr.arpa", 
+		sprintf(buf, "%u.%u.%u.%u.in-addr.arpa",
 			((u&0x000000FF)),
 			((u&0x0000FF00)>>8),
 			((u&0x00FF0000)>>16),
 			((u&0xFF000000)>>24));
-	
+
 	}
 	if(!udpresolve(*SAFAMILY(&param->sincr), (unsigned char *)buf, (unsigned char *)addr, NULL, param, 1)) {
 		return 3;

src/common.c

@@ -22,10 +22,15 @@ int randomizer = 1;
 
 
  void daemonize(void){
-	if(fork() > 0) {
+	pid_t pid = fork();
+	if(pid > 0) {
 		usleep(SLEEPTIME);
 		_exit(0); 
 	}
+	if(pid < 0) {
+		perror("fork()");
+		return;
+	}
 	setsid();
  }
 
@@ -244,6 +249,7 @@ int
 	FD_ZERO(&writefd);
 	FD_ZERO(&oobfd);
 	for(i=0; i<nfds; i++){
+		if(fds[i].fd >= FD_SETSIZE) continue;
 		if((fds[i].events&POLLIN))FD_SET(fds[i].fd, &readfd);
 		if((fds[i].events&POLLOUT))FD_SET(fds[i].fd, &writefd);
 		if((fds[i].events&POLLPRI))FD_SET(fds[i].fd, &oobfd);
@@ -252,6 +258,7 @@ int
 	}
 	if((num = select(((int)(maxfd))+1, &readfd, &writefd, &oobfd, &tv)) < 1) return num;
 	for(i=0; i<nfds; i++){
+		if(fds[i].fd >= FD_SETSIZE) continue;
 		if(FD_ISSET(fds[i].fd, &readfd)) fds[i].revents |= POLLIN;
 		if(FD_ISSET(fds[i].fd, &writefd)) fds[i].revents |= POLLOUT;
 		if(FD_ISSET(fds[i].fd, &oobfd)) fds[i].revents |= POLLPRI;

src/conf.c

@@ -23,7 +23,6 @@
 pthread_mutex_t bandlim_mutex;
 pthread_mutex_t connlim_mutex;
 pthread_mutex_t tc_mutex;
-pthread_mutex_t hash_mutex;
 pthread_mutex_t config_mutex;
 
 int haveerror = 0;
@@ -445,18 +444,6 @@ static int h_counter(int argc, unsigned char **argv){
 			fprintf(stderr, "Not a counter file %s, line %d\n", argv[1], linenum);
 			return 2;
 		}
-#ifdef _TIME64_T_DEFINED
-#ifdef _MAX__TIME64_T
-#define MAX_COUNTER_TIME (_MAX__TIME64_T)
-#elif defined (MAX__TIME64_T)
-#define MAX_COUNTER_TIME (MAX__TIME64_T)
-#else
-#define MAX_COUNTER_TIME (0x793406fff)
-#endif 
-#else
-#define MAX_COUNTER_TIME ((sizeof(time_t)>4)?(time_t)0x793406fff:(time_t)0x7fffffff)
-#endif
-
 		if(ch1.updated < 0 || ch1.updated >= MAX_COUNTER_TIME){
 			fprintf(stderr, "Invalid or corrupted counter file %s. Use countersutil utility to convert from older version\n", argv[1]);
 			return 3;
@@ -595,7 +582,7 @@ static int h_maxconn(int argc, unsigned char **argv){
 
 static int h_backlog(int argc, unsigned char **argv){
 	conf.backlog = atoi((char *)argv[1]);
-	if(conf.maxchild < 0) {
+	if(conf.backlog < 0) {
 		return(1);
 	}
 	return 0;
@@ -791,6 +778,7 @@ static int h_parent(int argc, unsigned char **argv){
 	chains->weight = (unsigned)atoi((char *)argv[1]);
 	if(chains->weight == 0 || chains->weight >1000) {
 		fprintf(stderr, "Chaining error: bad chain weight %u line %d\n", chains->weight, linenum);
+		myfree(chains);
 		return(3);
 	}
 	for(i = 0; redirs[i].name ; i++){
@@ -806,6 +794,7 @@ static int h_parent(int argc, unsigned char **argv){
 	}
 	if(!redirs[i].name) {
 		fprintf(stderr, "Chaining error: bad chain type (%s)\n", argv[2]);
+		myfree(chains);
 		return(4);
 	}
 #ifdef WITH_UN
@@ -816,12 +805,18 @@ static int h_parent(int argc, unsigned char **argv){
 #endif
 	cidr = strchr((char *)argv[3], '/');
 	if(cidr) *cidr = 0;
-	if(!getip46(46, argv[3], (struct sockaddr *)&chains->addr)) return (5);
+	if(!getip46(46, argv[3], (struct sockaddr *)&chains->addr)) {
+		myfree(chains);
+		return (5);
+	}
 #ifdef WITH_UN
 	}
 #endif
 	chains->exthost = (unsigned char *)mystrdup((char *)argv[3]);
-	if(!chains->exthost) return 21;
+	if(!chains->exthost) {
+		myfree(chains);
+		return 21;
+	}
 	if(cidr){
 		*cidr = '/';
 		chains->cidr = atoi(cidr + 1);
@@ -1234,7 +1229,10 @@ static int h_ace(int argc, unsigned char **argv){
 		}
 		memset(acl->chains, 0, sizeof(struct chain));
 		acl->chains->type = R_HTTP;
-		if(!getip46(46, argv[1], (struct sockaddr *)&acl->chains->addr)) return 5;
+		if(!getip46(46, argv[1], (struct sockaddr *)&acl->chains->addr)) {
+			freeacl(acl);
+			return 5;
+		}
 		*SAPORT(&acl->chains->addr) = htons((uint16_t)atoi((char *)argv[2]));
 		acl->chains->weight = 1000;
 	case ALLOW:
@@ -1418,7 +1416,7 @@ static int h_radius(int argc, unsigned char **argv){
 			s++;
 		}
 		if( !getip46(46, argv[nradservers + 2], (struct sockaddr *)&radiuslist[nradservers].authaddr)) return 1;
-		if( s && !getip46(46, (unsigned char *)s+1, (struct sockaddr *)&radiuslist[nradservers].localaddr)) return 2;
+		if( s && !getip46(46, (unsigned char *)s, (struct sockaddr *)&radiuslist[nradservers].localaddr)) return 2;
 		if(!*SAPORT(&radiuslist[nradservers].authaddr))*SAPORT(&radiuslist[nradservers].authaddr) = htons(1812);
 		port = ntohs(*SAPORT(&radiuslist[nradservers].authaddr));
 		radiuslist[nradservers].logaddr = radiuslist[nradservers].authaddr;
@@ -1722,8 +1720,8 @@ int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned cha
 				*str = 0;
 				space = 1;
 				if(incbegin){
-					argc--;
-					if((fd = open((char *)incbegin+1, O_RDONLY)) <= 0){
+					if(argc) argc--;
+					if((fd = open((char *)incbegin+1, O_RDONLY)) < 0){
 						fprintf(stderr, "Failed to open %s\n", incbegin+1);
 						return -1;
 					}
@@ -1736,7 +1734,7 @@ int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned cha
 						}
 					}
 					len = 0;
-					if(argm[argc]!=(incbegin+1)) {
+					if(argc > 0 && argm[argc]!=(incbegin+1)) {
 						len = (int)strlen((char *)argm[argc]);
 						memmove(buf+*inbuf, argm[argc], len);
 					}

src/hash.c

@@ -1,7 +1,6 @@
 #include "proxy.h"
 #include "libs/blake2.h"
 
-
 struct hashentry {
         time_t expires;
         uint32_t inext;
@@ -14,7 +13,7 @@ static uint32_t hashindex(unsigned tablesize, const uint8_t* hash){
 
 
 void destroyhashtable(struct hashtable *ht){
-    pthread_mutex_lock(&hash_mutex);
+    pthread_mutex_lock(&ht->hash_mutex);
     if(ht->ihashtable){
 	myfree(ht->ihashtable);
 	ht->ihashtable = NULL;
@@ -30,7 +29,8 @@ void destroyhashtable(struct hashtable *ht){
     ht->poolsize = 0;
     ht->tablesize = 0;
     ht->ihashempty = 0;
-    pthread_mutex_unlock(&hash_mutex);
+    pthread_mutex_unlock(&ht->hash_mutex);
+    pthread_mutex_destroy(&ht->hash_mutex);
 }
 
 #define hvalue(ht,I) ((struct hashentry *)(ht->hashvalues + (I-1)*(sizeof(struct hashentry) + ht->recsize - 4)))
@@ -53,21 +53,27 @@ int inithashtable(struct hashtable *ht, unsigned tablesize, unsigned poolsize, u
     c = clock();
 
     if(tablesize < 2 || poolsize < tablesize || growlimit < poolsize) return 1;
-    pthread_mutex_lock(&hash_mutex);
     if(ht->ihashtable){
-	myfree(ht->ihashtable);
-	ht->ihashtable = NULL;
+        pthread_mutex_lock(&ht->hash_mutex);
+	if(ht->ihashtable){
+	    myfree(ht->ihashtable);
+	    ht->ihashtable = NULL;
+	}
+	if(ht->hashvalues){
+	    myfree(ht->hashvalues);
+	    ht->hashvalues = NULL;
+	}
+	if(ht->hashhashvalues){
+	    myfree(ht->hashhashvalues);
+	    ht->hashhashvalues = NULL;
+	}
+	ht->poolsize = 0;
+	ht->tablesize = 0;
     }
-    if(ht->hashvalues){
-	myfree(ht->hashvalues);
-	ht->hashvalues = NULL;
+    else {
+	pthread_mutex_init(&ht->hash_mutex, NULL);
+        pthread_mutex_lock(&ht->hash_mutex);
     }
-    if(ht->hashhashvalues){
-	myfree(ht->hashhashvalues);
-	ht->hashhashvalues = NULL;
-    }
-    ht->poolsize = 0;
-    ht->tablesize = 0;
     if(!(ht->ihashtable = myalloc(tablesize *  sizeof(uint32_t)))
     || !(ht->hashvalues = myalloc(poolsize * (sizeof(struct hashentry) + (ht->recsize-4))))
     || !(ht->hashhashvalues = myalloc(poolsize * ht->hash_size))
@@ -76,7 +82,7 @@ int inithashtable(struct hashtable *ht, unsigned tablesize, unsigned poolsize, u
 	ht->ihashtable = NULL;
 	myfree(ht->hashvalues);
 	ht->hashvalues = NULL;
-	pthread_mutex_unlock(&hash_mutex);
+	pthread_mutex_unlock(&ht->hash_mutex);
 	return 3;
     }
     ht->poolsize = poolsize;
@@ -89,7 +95,7 @@ int inithashtable(struct hashtable *ht, unsigned tablesize, unsigned poolsize, u
 	hvalue(ht,i)->inext = i+1;
     }
     ht->ihashempty = 1;
-    pthread_mutex_unlock(&hash_mutex);
+    pthread_mutex_unlock(&ht->hash_mutex);
     return 0;
 }
 
@@ -174,7 +180,7 @@ void hashadd(struct hashtable *ht, void* name, void* value, time_t expires){
     }
 
     ht->index2hash_add(ht, name, hash);
-    pthread_mutex_lock(&hash_mutex);
+    pthread_mutex_lock(&ht->hash_mutex);
     index = hashindex(ht->tablesize, hash);
 
     for(hep = ht->ihashtable + index; (he = *hep)!=0; ){
@@ -209,7 +215,7 @@ void hashadd(struct hashtable *ht, void* name, void* value, time_t expires){
 	hvalue(ht,hen)->expires = expires;
     }
 
-    pthread_mutex_unlock(&hash_mutex);
+    pthread_mutex_unlock(&ht->hash_mutex);
 }
 
 int hashresolv(struct hashtable *ht, void* name, void* value, uint32_t *ttl){
@@ -222,7 +228,7 @@ int hashresolv(struct hashtable *ht, void* name, void* value, uint32_t *ttl){
 	return 0;
     }
     ht->index2hash_search(ht,name, hash);
-    pthread_mutex_lock(&hash_mutex);
+    pthread_mutex_lock(&ht->hash_mutex);
     index = hashindex(ht->tablesize, hash);
     for(hep = ht->ihashtable + index; (he = *hep)!=0; ){
 	if(hvalue(ht, he)->expires < conf.time) {
@@ -234,15 +240,39 @@ int hashresolv(struct hashtable *ht, void* name, void* value, uint32_t *ttl){
 	else if(!memcmp(hash, hhash(ht,he), ht->hash_size)){
 	    if(ttl) *ttl = (uint32_t)(hvalue(ht,he)->expires - conf.time);
 	    memcpy(value, hvalue(ht,he)->value, ht->recsize);
-	    pthread_mutex_unlock(&hash_mutex);
+	    pthread_mutex_unlock(&ht->hash_mutex);
 	    return 1;
 	}
 	else hep=&(hvalue(ht,he)->inext);
     }
-    pthread_mutex_unlock(&hash_mutex);
+    pthread_mutex_unlock(&ht->hash_mutex);
     return 0;
 }
 
+void hashdelete(struct hashtable *ht, void *name){
+    uint8_t hash[MAX_HASH_SIZE];
+    uint32_t *hep;
+    uint32_t he;
+    uint32_t index;
+
+    if(!ht || !ht->ihashtable || !name) {
+	return;
+    }
+    ht->index2hash_search(ht, name, hash);
+    pthread_mutex_lock(&ht->hash_mutex);
+    index = hashindex(ht->tablesize, hash);
+    for(hep = ht->ihashtable + index; (he = *hep) != 0; ){
+	if((hvalue(ht, he)->expires && hvalue(ht, he)->expires < conf.time) || !memcmp(hash, hhash(ht, he), ht->hash_size)) {
+	    (*hep) = hvalue(ht, he)->inext;
+	    hvalue(ht, he)->expires = 0;
+	    hvalue(ht, he)->inext = ht->ihashempty;
+	    ht->ihashempty = he;
+	}
+	else hep = &(hvalue(ht, he)->inext);
+    }
+    pthread_mutex_unlock(&ht->hash_mutex);
+}
+
 static void char_index2hash(const struct hashtable *ht, void *index, uint8_t *hash){
     char* name = index;
 
@@ -269,6 +299,28 @@ static void param2hash_add(const struct hashtable *ht, void *index, uint8_t *has
     memcpy(param->hash, hash, ht->hash_size);
 }
 
+void param2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
+    struct clientparam *param = (struct clientparam *)index;
+
+    memcpy(hash, param->hash, ht->hash_size);
+}
+
+static void user2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
+    struct clientparam *param = (struct clientparam *)index;
+    blake2b(hash, ht->hash_size, param->username, strlen((const char *)param->username), NULL, 0);
+}
+
+static void udpparam2hash(const struct hashtable *ht, void *index, uint8_t *hash){
+    struct clientparam *param = (struct clientparam *)index;
+    blake2b_state S;
+    blake2b_init(&S, ht->hash_size);
+    blake2b_update(&S, SAADDR(&param->srv->intsa), SAADDRLEN(&param->srv->intsa));
+    blake2b_update(&S, SAPORT(&param->srv->intsa), 2);
+    blake2b_update(&S, SAADDR(&param->sincr), SAADDRLEN(&param->sincr));
+    blake2b_update(&S, SAPORT(&param->sincr), 2);
+    blake2b_final(&S, hash, ht->hash_size);
+}
+
 static void pw2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
     char ** pw = (char **)index;
     blake2b_state S;
@@ -308,18 +360,7 @@ static void pwnt2hash_search(const struct hashtable *ht, void *index, uint8_t *h
     pwnt2hash_add(ht, pw, hash);
 }
 
-void param2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
-    struct clientparam *param = (struct clientparam *)index;
 
-    memcpy(hash, param->hash, ht->hash_size);
-}
-
-
-
-static void user2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
-    struct clientparam *param = (struct clientparam *)index;
-    blake2b(hash, ht->hash_size, param->username, strlen((const char *)param->username), NULL, 0);
-}
 
 struct hashtable dns_table = {char_index2hash, char_index2hash, 4, 12};
 struct hashtable dns6_table = {char_index2hash, char_index2hash, 16, 12};
@@ -327,3 +368,4 @@ struct hashtable auth_table = {param2hash_add, param2hash_search, sizeof(struct
 struct hashtable pw_table = {pw2hash_add, pw2hash_search, 0, 12};
 struct hashtable pwnt_table = {pwnt2hash_add, pwnt2hash_search, 0, 12};
 struct hashtable pwcr_table = {char_index2hash, user2hash_search, 64, 12};
+struct hashtable udp_table =  {udpparam2hash, udpparam2hash, sizeof(struct clientparam *), 12};

src/limiter.c

@@ -0,0 +1,204 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+int startconnlims (struct clientparam *param){
+	struct connlim * ce;
+	time_t delta;
+	uint64_t rating;
+	int ret = 0;
+
+	param->connlim = 1;
+	pthread_mutex_lock(&connlim_mutex);
+	for(ce = conf.connlimiter; ce; ce = ce->next) {
+		if(ACLmatches(ce->ace, param)){
+			if(ce->ace->action == NOCONNLIM)break;
+			if(!ce->period){
+				if(ce->rate <= ce->rating) {
+					ret = 1;
+					break;
+				}
+				ce->rating++;
+				continue;
+			}
+			delta = conf.time - ce->basetime;
+			if(ce->period <= delta || ce->basetime > conf.time){
+				ce->basetime = conf.time;
+				ce->rating = 0x100000;
+				continue;
+			}
+			rating = delta? ((ce->rating * (ce->period - delta)) / ce->period) + 0x100000 : ce->rating + 0x100000;
+			if (rating > (ce->rate<<20)) {
+				ret = 2;
+				break;
+			}
+			ce->rating = rating;
+			ce->basetime = conf.time;
+		}
+	}
+	if(ret) {
+		struct connlim * cee;
+		for(cee = conf.connlimiter; cee != ce; cee = cee->next) {
+			if(ACLmatches(cee->ace, param) && !cee->period && cee->rating) {
+				cee->rating--;
+			}
+		}
+		param->connlim = 0;
+	}
+	pthread_mutex_unlock(&connlim_mutex);
+	return ret;
+}
+
+void stopconnlims (struct clientparam *param){
+	struct connlim * ce;
+
+	pthread_mutex_lock(&connlim_mutex);
+	for(ce = conf.connlimiter; ce; ce = ce->next) {
+		if(ACLmatches(ce->ace, param)){
+			if(ce->ace->action == NOCONNLIM)break;
+			if(!ce->period && ce->rating){
+				ce->rating--;
+				continue;
+			}
+		}
+	}
+	pthread_mutex_unlock(&connlim_mutex);
+}
+
+void initbandlims (struct clientparam *param){
+	struct bandlim * be;
+	int i;
+
+	param->bandlimfunc = NULL;
+	param->bandlims[0] = NULL;
+	param->bandlimsout[0] = NULL;
+	if(!conf.bandlimfunc || (!conf.bandlimiter && !conf.bandlimiterout)) return;
+	for(i=0, be = conf.bandlimiter; be && i<MAXBANDLIMS; be = be->next) {
+		if(ACLmatches(be->ace, param)){
+			if(be->ace->action == NOBANDLIM) {
+				break;
+			}
+			param->bandlims[i++] = be;
+			param->bandlimfunc = conf.bandlimfunc;
+		}
+	}
+	if(i<MAXBANDLIMS)param->bandlims[i] = NULL;
+	for(i=0, be = conf.bandlimiterout; be && i<MAXBANDLIMS; be = be->next) {
+		if(ACLmatches(be->ace, param)){
+			if(be->ace->action == NOBANDLIM) {
+				break;
+			}
+			param->bandlimsout[i++] = be;
+			param->bandlimfunc = conf.bandlimfunc;
+		}
+	}
+	if(i<MAXBANDLIMS)param->bandlimsout[i] = NULL;
+	param->bandlimver = conf.bandlimver;
+}
+
+unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout){
+	unsigned sleeptime = 0, nsleeptime;
+	time_t sec;
+	unsigned msec;
+	unsigned now;
+	int i;
+
+#ifdef _WIN32
+	struct timeb tb;
+
+	ftime(&tb);
+	sec = (unsigned)tb.time;
+	msec = (unsigned)tb.millitm*1000;
+#else
+	struct timeval tv;
+	gettimeofday(&tv, NULL);
+
+	sec = tv.tv_sec;
+	msec = tv.tv_usec;
+#endif
+
+	if(!nbytesin && !nbytesout) return 0;
+	pthread_mutex_lock(&bandlim_mutex);
+	if(param->bandlimver != conf.bandlimver){
+		initbandlims(param);
+		param->bandlimver = conf.bandlimver;
+	}
+	for(i=0; nbytesin&& i<MAXBANDLIMS && param->bandlims[i]; i++){
+		if( !param->bandlims[i]->basetime ||
+			param->bandlims[i]->basetime > sec ||
+			param->bandlims[i]->basetime < (sec - 120)
+		  )
+		{
+			param->bandlims[i]->basetime = sec;
+			param->bandlims[i]->nexttime = 0;
+			continue;
+		}
+		now = (unsigned)((sec - param->bandlims[i]->basetime) * 1000000) + msec;
+		nsleeptime = (param->bandlims[i]->nexttime > now)?
+			param->bandlims[i]->nexttime - now : 0;
+		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
+		param->bandlims[i]->basetime = sec;
+		param->bandlims[i]->nexttime = msec + nsleeptime + (((uint64_t)nbytesin * 8 * 1000000) / param->bandlims[i]->rate);
+	}
+	for(i=0; nbytesout && i<MAXBANDLIMS && param->bandlimsout[i]; i++){
+		if( !param->bandlimsout[i]->basetime ||
+			param->bandlimsout[i]->basetime > sec ||
+			param->bandlimsout[i]->basetime < (sec - 120)
+		  )
+		{
+			param->bandlimsout[i]->basetime = sec;
+			param->bandlimsout[i]->nexttime = 0;
+			continue;
+		}
+		now = (unsigned)((sec - param->bandlimsout[i]->basetime) * 1000000) + msec;
+		nsleeptime = (param->bandlimsout[i]->nexttime > now)?
+			param->bandlimsout[i]->nexttime - now : 0;
+		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
+		param->bandlimsout[i]->basetime = sec;
+		param->bandlimsout[i]->nexttime = msec + nsleeptime + ((nbytesout > 512)? ((nbytesout+32)/64)*((64*8*1000000)/param->bandlimsout[i]->rate) : ((nbytesout+1)* (8*1000000))/param->bandlimsout[i]->rate);
+	}
+	pthread_mutex_unlock(&bandlim_mutex);
+	return sleeptime/1000;
+}
+
+void trafcountfunc(struct clientparam *param){
+	struct trafcount * tc;
+	int countout = 0;
+
+	pthread_mutex_lock(&tc_mutex);
+	for(tc = conf.trafcounter; tc; tc = tc->next) {
+		if(ACLmatches(tc->ace, param)){
+
+			if(tc->ace->action == NOCOUNTIN) {
+				countout = 1;
+				break;
+			}
+			if(tc->ace->action == NOCOUNTALL) break;
+			if(tc->ace->action != COUNTIN && tc->ace->action != COUNTALL) {
+				countout = 1;
+				continue;
+			}
+			tc->traf64 += param->statssrv64;
+			tc->updated = conf.time;
+		}
+	}
+	if(countout) for(tc = conf.trafcounter; tc; tc = tc->next) {
+		if(ACLmatches(tc->ace, param)){
+			if(tc->ace->action == NOCOUNTOUT || tc->ace->action == NOCOUNTALL) break;
+			if(tc->ace->action != COUNTOUT && tc->ace->action != COUNTALL ) {
+				continue;
+			}
+			tc->traf64 += param->statscli64;
+			tc->updated = conf.time;
+		}
+	}
+
+	pthread_mutex_unlock(&tc_mutex);
+}
+

src/plugins.c

@@ -47,31 +47,30 @@ struct symbol symbols[] = {
 	{symbols+22, "udpresolve", (void *) udpresolve},
 	{symbols+23, "bandlim_mutex", (void *) &bandlim_mutex},
 	{symbols+24, "tc_mutex", (void *) &tc_mutex},
-	{symbols+25, "hash_mutex", (void *) &hash_mutex},
-	{symbols+26, "linenum", (void *) &linenum},
-	{symbols+27, "proxy_stringtable", (void *) proxy_stringtable},
-	{symbols+28, "en64", (void *) en64},
-	{symbols+29, "de64", (void *) de64},
-	{symbols+30, "tohex", (void *) tohex},
-	{symbols+31, "fromhex", (void *) fromhex},
-	{symbols+32, "dnspr", (void *) dnsprchild},
-	{symbols+33, "pop3p", (void *) pop3pchild},
-	{symbols+34, "proxy", (void *) proxychild},
-	{symbols+35, "socks", (void *) sockschild},
-	{symbols+36, "tcppm", (void *) tcppmchild},
-	{symbols+37, "udppm", (void *) udppmchild},
-	{symbols+38, "admin", (void *) adminchild},
-	{symbols+39, "ftppr", (void *) ftpprchild},
-	{symbols+40, "smtpp", (void *) smtppchild},
-	{symbols+41, "auto", (void *) smtppchild},
-	{symbols+42, "tlspr", (void *) smtppchild},
-	{symbols+43, "authfuncs", (void *) &authfuncs},
-	{symbols+44, "commandhandlers", (void *) &commandhandlers},
-	{symbols+45, "decodeurl", (void *) decodeurl},
-	{symbols+46, "parsestr", (void *) parsestr},
-	{symbols+47, "make_ace", (void *) make_ace},
-	{symbols+48, "freeacl", (void *) freeacl},
-	{symbols+49, "handleredirect", (void *) handleredirect},
+	{symbols+25, "linenum", (void *) &linenum},
+	{symbols+26, "proxy_stringtable", (void *) proxy_stringtable},
+	{symbols+27, "en64", (void *) en64},
+	{symbols+28, "de64", (void *) de64},
+	{symbols+29, "tohex", (void *) tohex},
+	{symbols+30, "fromhex", (void *) fromhex},
+	{symbols+31, "dnspr", (void *) dnsprchild},
+	{symbols+32, "pop3p", (void *) pop3pchild},
+	{symbols+33, "proxy", (void *) proxychild},
+	{symbols+34, "socks", (void *) sockschild},
+	{symbols+35, "tcppm", (void *) tcppmchild},
+	{symbols+36, "udppm", (void *) udppmchild},
+	{symbols+37, "admin", (void *) adminchild},
+	{symbols+38, "ftppr", (void *) ftpprchild},
+	{symbols+39, "smtpp", (void *) smtppchild},
+	{symbols+40, "auto", (void *) smtppchild},
+	{symbols+41, "tlspr", (void *) smtppchild},
+	{symbols+42, "authfuncs", (void *) &authfuncs},
+	{symbols+43, "commandhandlers", (void *) &commandhandlers},
+	{symbols+44, "decodeurl", (void *) decodeurl},
+	{symbols+45, "parsestr", (void *) parsestr},
+	{symbols+46, "make_ace", (void *) make_ace},
+	{symbols+47, "freeacl", (void *) freeacl},
+	{symbols+48, "handleredirect", (void *) handleredirect},
 	{NULL, "", NULL}
 };
 

src/proxy.c

@@ -337,7 +337,10 @@ for(;;){
 	if(su) {
 		su = (unsigned char *)mystrdup((char *)sb);
 		decodeurl(su, 0);
-		if(parseconnusername((char *)su, (struct clientparam *)param, 1, (uint16_t)((ftp)?21:80))) RETURN (100);
+		if(parseconnusername((char *)su, (struct clientparam *)param, 1, (uint16_t)((ftp)?21:80))) {
+			myfree(su);
+			RETURN (100);
+		}
 		myfree(su);
 	}
 	else if(parsehostname((char *)sb, (struct clientparam *)param, (uint16_t)((ftp)? 21:80))) RETURN(100);
@@ -1077,11 +1080,13 @@ REQUESTEND:
 CLEANRET:
 
  if(param->res != 555 && param->res && param->clisock != INVALID_SOCKET && (param->res < 90 || param->res >=800 || param->res == 100 ||(param->res > 500 && param->res< 800))) {
-	if((param->res>=509 && param->res < 517) || param->res > 900) while( (i = sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, '\n', conf.timeouts[STRING_S])) > 2);
+	if((param->res>=509 && param->res < 517) || param->res > 900) {
+		if(buf) while( (i = sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, '\n', conf.timeouts[STRING_S])) > 2);
+	}
 	if(param->res == 10) {
 		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[2], (int)strlen(proxy_stringtable[2]), conf.timeouts[STRING_S]);
 	}
-	else if (res == 700 || res == 701){
+	else if (param->res == 700 || param->res == 701){
 		socksend(param, param->clisock, (unsigned char *)proxy_stringtable[16], (int)strlen(proxy_stringtable[16]), conf.timeouts[STRING_S]);
 		socksend(param, param->clisock, (unsigned char *)ftpbuf, inftpbuf, conf.timeouts[STRING_S]);
 	}

src/proxy.h

@@ -146,6 +146,18 @@ void daemonize(void);
 #define myrealloc realloc
 #define mystrdup strdup
 
+#ifdef _TIME64_T_DEFINED
+#ifdef _MAX__TIME64_T
+#define MAX_COUNTER_TIME (_MAX__TIME64_T)
+#elif defined (MAX__TIME64_T)
+#define MAX_COUNTER_TIME (MAX__TIME64_T)
+#else
+#define MAX_COUNTER_TIME (0x793406fff)
+#endif 
+#else
+#define MAX_COUNTER_TIME ((sizeof(time_t)>4)?(time_t)0x793406fff:(time_t)0x7fffffff)
+#endif
+
 extern RESOLVFUNC resolvfunc;
 
 extern int wday;
@@ -246,6 +258,7 @@ void mschap(const unsigned char *win_password,
 void destroyhashtable(struct hashtable *ht);
 int inithashtable(struct hashtable *ht, unsigned tablesize, unsigned poolsize, unsigned growlimit);
 void hashadd(struct hashtable *ht, void* name, void* value, time_t expires);
+void hashdelete(struct hashtable *ht, void* name);
 int hashresolv(struct hashtable *ht, void* name, void* value, uint32_t *ttl);
 
 int parsehost(int family, unsigned char *host, struct sockaddr *sa);
@@ -312,7 +325,6 @@ struct property;
 extern pthread_mutex_t config_mutex;
 extern pthread_mutex_t bandlim_mutex;
 extern pthread_mutex_t connlim_mutex;
-extern pthread_mutex_t hash_mutex;
 extern pthread_mutex_t tc_mutex;
 extern pthread_mutex_t log_mutex;
 extern pthread_mutex_t rad_mutex;

src/proxymain.c

@@ -101,7 +101,7 @@ void * threadfunc (void *p) {
 		if(token){
 		    sscanf(token,"%hu%hu", &u1, &u2);
 		    if(u1) *SAPORT(&param->sincr) = htons(u1);
-		    if(u2) *SAPORT(&param->sincl) = htons(u1);
+		    if(u2) *SAPORT(&param->sincl) = htons(u2);
 		}
 	    }
 	}
@@ -210,6 +210,16 @@ void setopts(SOCKET s, int opts){
 	}
 }
 
+static void freesrvstrings(struct srvparam *srv, unsigned char *cbc_string, unsigned char *cbl_string) {
+	if(cbc_string) myfree(cbc_string);
+	if(cbl_string) myfree(cbl_string);
+	if(srv->logtarget) myfree(srv->logtarget);
+	if(srv->logformat) myfree(srv->logformat);
+#if defined SO_BINDTODEVICE || defined IP_BOUND_IF
+	if(srv->ibindtodevice) myfree(srv->ibindtodevice);
+	if(srv->obindtodevice) myfree(srv->obindtodevice);
+#endif
+}
 
 #ifndef MODULEMAINFUNC
 #define MODULEMAINFUNC main
@@ -251,6 +261,8 @@ int MODULEMAINFUNC (int argc, char** argv){
  unsigned char buf[256];
  char *hostname=NULL;
  int opt = 1, isudp = 0, iscbl = 0, iscbc = 0;
+ unsigned char udpbuf[UDPBUFSIZE];
+ int udplen = 0;
  unsigned char *cbc_string = NULL, *cbl_string = NULL;
  PROXYSOCKADDRTYPE cbsa;
  FILE *fp = NULL;
@@ -336,6 +348,11 @@ int MODULEMAINFUNC (int argc, char** argv){
  srvinit(&srv, &defparam);
  srv.pf = childdef.pf;
  isudp = childdef.isudp;
+#ifndef STDMAIN
+ if(isudp) {
+	if(!udp_table.ihashtable)inithashtable(&udp_table, 64, 256, 65536);
+ }
+#endif
  srv.service = defparam.service = childdef.service;
  
 #ifndef STDMAIN
@@ -723,6 +740,7 @@ int MODULEMAINFUNC (int argc, char** argv){
 		sleeptime = (sleeptime<<1);
 		if(!sleeptime) {
 			srv.so._closesocket(srv.so.state, sock);
+			freesrvstrings(&srv, cbc_string, cbl_string);
 			return -3;
 		}
 	}
@@ -730,6 +748,8 @@ int MODULEMAINFUNC (int argc, char** argv){
 		if(srv.so._listen (srv.so.state, sock, srv.backlog?srv.backlog : 1+(srv.maxchild>>3))==-1) {
 			sprintf((char *)buf, "listen(): %s", strerror(errno));
 			if(!srv.silent)dolog(&defparam, buf);
+			srv.so._closesocket(srv.so.state, sock);
+			freesrvstrings(&srv, cbc_string, cbl_string);
 			return -4;
 		}
 	}
@@ -745,6 +765,7 @@ int MODULEMAINFUNC (int argc, char** argv){
 	parsehost(srv.family, cbl_string, (struct sockaddr *)&cbsa);
 	if((srv.cbsock=srv.so._socket(srv.so.state, SASOCK(&cbsa), SOCK_STREAM, IPPROTO_TCP))==INVALID_SOCKET) {
 		dolog(&defparam, (unsigned char *)"Failed to allocate connect back socket");
+		freesrvstrings(&srv, cbc_string, cbl_string);
 		return -6;
 	}
 	opt = 1;
@@ -758,10 +779,14 @@ int MODULEMAINFUNC (int argc, char** argv){
 
 	if(srv.so._bind(srv.so.state, srv.cbsock, (struct sockaddr*)&cbsa, SASIZE(&cbsa))==-1) {
 		dolog(&defparam, (unsigned char *)"Failed to bind connect back socket");
+		srv.so._closesocket(srv.so.state, srv.cbsock);
+		freesrvstrings(&srv, cbc_string, cbl_string);
 		return -7;
 	}
 	if(srv.so._listen(srv.so.state, srv.cbsock, 1 + (srv.maxchild>>4))==-1) {
 		dolog(&defparam, (unsigned char *)"Failed to listen connect back socket");
+		srv.so._closesocket(srv.so.state, srv.cbsock);
+		freesrvstrings(&srv, cbc_string, cbl_string);
 		return -8;
 	}
  }
@@ -884,6 +909,7 @@ int MODULEMAINFUNC (int argc, char** argv){
 		if(srv.so._getsockname(srv.so.state, new_sock, (struct sockaddr *)&defparam.sincl, &size)){
 			sprintf((char *)buf, "getsockname(): %s", strerror(errno));
 			if(!srv.silent)dolog(&defparam, buf);
+			srv.so._closesocket(srv.so.state, new_sock);
 			continue;
 		}
 #ifdef WITH_UN
@@ -900,9 +926,22 @@ int MODULEMAINFUNC (int argc, char** argv){
 		srv.so._setsockopt(srv.so.state, new_sock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
 		srv.so._setsockopt(srv.so.state, new_sock, SOL_SOCKET, SO_OOBINLINE, (char *)&opt, sizeof(int));
 	}
+#ifndef STDMAIN
 	else {
-		srv.fds.events = 0;
+		struct clientparam *toparam;
+		udplen = sockrecvfrom(NULL, srv.srvsock, (struct sockaddr *)&defparam.sincr, udpbuf, UDPBUFSIZE, 0);
+		if(udplen <= 0) continue;
+		pthread_mutex_lock(&srv.counter_mutex);
+		if(hashresolv(&udp_table, &defparam, &toparam, NULL)) {
+			socksendto(toparam, toparam->remsock, (struct sockaddr *)&toparam->sinsr, udpbuf, udplen, 0);
+			toparam->statscli64 += udplen;
+			toparam->nwrites++;
+			pthread_mutex_unlock(&srv.counter_mutex);
+			continue;
+		}
+		pthread_mutex_unlock(&srv.counter_mutex);
 	}
+#endif
 	if(! (newparam = myalloc (sizeof(defparam)))){
 		if(!isudp) srv.so._closesocket(srv.so.state, new_sock);
 		defparam.res = 21;
@@ -916,9 +955,36 @@ int MODULEMAINFUNC (int argc, char** argv){
 	if(!isudp) newparam->clisock = new_sock;
 #ifndef STDMAIN
 	if(makefilters(&srv, newparam) > CONTINUE){
-		freeparam(newparam);		
+		freeparam(newparam);
 		continue;
 	}
+	if(isudp) {
+		int authres;
+
+		if(parsehostname((char *)srv.target, newparam, ntohs(srv.targetport))) { freeparam(newparam); continue; }
+#ifndef NOIPV6
+		memcpy(&newparam->sinsl, *SAFAMILY(&newparam->req) == AF_INET6 ? (struct sockaddr *)&srv.extsa6 : (struct sockaddr *)&srv.extsa, SASIZE(&newparam->req));
+#else
+		memcpy(&newparam->sinsl, (struct sockaddr *)&srv.extsa, SASIZE(&newparam->req));
+#endif
+		*SAPORT(&newparam->sinsl) = 0;
+		newparam->remsock = srv.so._socket(srv.so.state, SASOCK(&newparam->sinsl), SOCK_DGRAM, IPPROTO_UDP);
+		if(newparam->remsock == INVALID_SOCKET) { freeparam(newparam); continue; }
+		if(srv.so._bind(srv.so.state, newparam->remsock, (struct sockaddr *)&newparam->sinsl, SASIZE(&newparam->sinsl))) { freeparam(newparam); continue; }
+#ifdef _WIN32
+		{ unsigned long ul2 = 1; ioctlsocket(newparam->remsock, FIONBIO, &ul2); }
+#else
+		fcntl(newparam->remsock, F_SETFL, O_NONBLOCK | fcntl(newparam->remsock, F_GETFL));
+#endif
+		memcpy(&newparam->sinsr, &newparam->req, sizeof(newparam->req));
+		newparam->operation = UDPASSOC;
+		authres = (*srv.authfunc)(newparam);
+		if(authres) { freeparam(newparam); continue; }
+		if(!srv.singlepacket)hashadd(&udp_table, newparam, &newparam, MAX_COUNTER_TIME);
+		socksendto(newparam, newparam->remsock, (struct sockaddr *)&newparam->sinsr, udpbuf, udplen, 0);
+		newparam->statscli64 += udplen;
+		newparam->nwrites++;
+	}
 #endif
 	newparam->prev = newparam->next = NULL;
 	error = 0;
@@ -946,24 +1012,30 @@ int MODULEMAINFUNC (int argc, char** argv){
 		if(!srv.silent)dolog(&defparam, buf);
 		error = 1;
 	}
+	pthread_mutex_unlock(&srv.counter_mutex);
+	if(error) freeparam(newparam);
 #else
 
 	error = pthread_create(&thread, &pa, threadfunc, (void *)newparam);
-	srv.childcount++;
 	if(error){
 		sprintf((char *)buf, "pthread_create(): %s", strerror(error));
 		if(!srv.silent)dolog(&defparam, buf);
+		if(newparam->prev) newparam->prev->next = newparam->next;
+		else srv.child = newparam->next;
+		if(newparam->next) newparam->next->prev = newparam->prev;
+		pthread_mutex_unlock(&srv.counter_mutex);
+		newparam->srv = NULL;
+		freeparam(newparam);
 	}
 	else {
+		srv.childcount++;
 		newparam->threadid = (uint64_t)thread;
+		pthread_mutex_unlock(&srv.counter_mutex);
 	}
 #endif
-	pthread_mutex_unlock(&srv.counter_mutex);
-	if(error) freeparam(newparam);
 
 	memset(&defparam.sincl, 0, sizeof(defparam.sincl));
 	memset(&defparam.sincr, 0, sizeof(defparam.sincr));
-	if(isudp) while(!srv.fds.events)usleep(SLEEPTIME);
  }
 
 
@@ -1101,23 +1173,42 @@ void srvfree(struct srvparam * srv){
 
 void freeparam(struct clientparam * param) {
 	if(param->res == 2) return;
+	if(param->srv){
+		if(param->srv->so.freefunc) param->srv->so.freefunc(param->sostate);
+		pthread_mutex_lock(&param->srv->counter_mutex);
+#ifndef STDMAIN
+		if(param->srv->service == S_UDPPM) hashdelete(&udp_table, param);
+#endif
+		if(param->prev){
+			param->prev->next = param->next;
+		}
+		else
+			param->srv->child = param->next;
+		if(param->next){
+			param->next->prev = param->prev;
+		}
+		(param->srv->childcount)--;
+		pthread_mutex_unlock(&param->srv->counter_mutex);
+	}
 	if(param->clibuf) myfree(param->clibuf);
 	if(param->srvbuf) myfree(param->srvbuf);
-	if(param->ctrlsocksrv != INVALID_SOCKET && param->ctrlsocksrv != param->remsock) {
-		param->srv->so._shutdown(param->sostate, param->ctrlsocksrv, SHUT_RDWR);
-		param->srv->so._closesocket(param->sostate, param->ctrlsocksrv);
-	}
-	if(param->ctrlsock != INVALID_SOCKET && param->ctrlsock != param->clisock) {
-		param->srv->so._shutdown(param->sostate, param->ctrlsock, SHUT_RDWR);
-		param->srv->so._closesocket(param->sostate, param->ctrlsock);
-	}
-	if(param->remsock != INVALID_SOCKET) {
-		param->srv->so._shutdown(param->sostate, param->remsock, SHUT_RDWR);
-		param->srv->so._closesocket(param->sostate, param->remsock);
-	}
-	if(param->clisock != INVALID_SOCKET) {
-		param->srv->so._shutdown(param->sostate, param->clisock, SHUT_RDWR);
-		param->srv->so._closesocket(param->sostate, param->clisock);
+	if(param->srv) {
+		if(param->ctrlsocksrv != INVALID_SOCKET && param->ctrlsocksrv != param->remsock) {
+			param->srv->so._shutdown(param->sostate, param->ctrlsocksrv, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->ctrlsocksrv);
+		}
+		if(param->ctrlsock != INVALID_SOCKET && param->ctrlsock != param->clisock) {
+			param->srv->so._shutdown(param->sostate, param->ctrlsock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->ctrlsock);
+		}
+		if(param->remsock != INVALID_SOCKET) {
+			param->srv->so._shutdown(param->sostate, param->remsock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->remsock);
+		}
+		if(param->clisock != INVALID_SOCKET) {
+			param->srv->so._shutdown(param->sostate, param->clisock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->clisock);
+		}
 	}
 	if(param->datfilterssrv) myfree(param->datfilterssrv);
 #ifndef STDMAIN
@@ -1137,20 +1228,6 @@ void freeparam(struct clientparam * param) {
 	}
 	if(param->connlim) stopconnlims(param);
 #endif
-	if(param->srv){
-		if(param->srv->so.freefunc) param->srv->so.freefunc(param->sostate);
-		pthread_mutex_lock(&param->srv->counter_mutex);
-		if(param->prev){
-			param->prev->next = param->next;
-		}
-		else
-			param->srv->child = param->next;
-		if(param->next){
-			param->next->prev = param->prev;
-		}
-		(param->srv->childcount)--;
-		pthread_mutex_unlock(&param->srv->counter_mutex);
-	}
 	if(param->hostname) myfree(param->hostname);
 	if(param->username) myfree(param->username);
 	if(param->password) myfree(param->password);

src/redirect.c

@@ -0,0 +1,374 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+static FILTER_ACTION (*ext_ssl_parent)(struct clientparam * param) = NULL;
+
+static FILTER_ACTION ssl_parent(struct clientparam * param){
+    if(ext_ssl_parent) return ext_ssl_parent(param);
+    ext_ssl_parent = pluginlink.findbyname("ssl_parent");
+    if(ext_ssl_parent) return ext_ssl_parent(param);
+    return REJECT;
+}
+
+int clientnegotiate(struct chain * redir, struct clientparam * param, struct sockaddr * addr, unsigned char * hostname){
+	unsigned char *buf;
+	unsigned char *username;
+	int res;
+	int len=0;
+	unsigned char * user, *pass;
+
+
+	user = redir->extuser;
+	pass = redir->extpass;
+	if (!param->srvbufsize){
+		param->srvbufsize = SRVBUFSIZE;
+		param->srvbuf = myalloc(param->srvbufsize);
+		if(!param->srvbuf) return 21;
+	}
+	buf = param->srvbuf;
+	username = buf + 2048;
+	if(user) {
+		if (*user == '*') {
+			if(!param->username) return 4;
+			user = param->username;
+			pass = param->password;
+		}
+	}
+	if(redir->secure){
+	    res = ssl_parent(param);
+	    if(res != PASS) return res;
+	}
+	switch(redir->type){
+		case R_TCP:
+		case R_HTTP:
+			return 0;
+		case R_CONNECT:
+		case R_CONNECTP:
+		{
+			len = sprintf((char *)buf, "CONNECT ");
+			if(redir->type == R_CONNECTP && hostname) {
+				char * needreplace;
+				needreplace = strchr((char *)hostname, ':');
+				if(needreplace) buf[len++] = '[';
+				len += sprintf((char *)buf + len, "%.256s", (char *)hostname);
+				if(needreplace) buf[len++] = ']';
+			}
+			else {
+				if(*SAFAMILY(addr) == AF_INET6) buf[len++] = '[';
+				len += myinet_ntop(*SAFAMILY(addr), SAADDR(addr), (char *)buf+len, 256);
+				if(*SAFAMILY(addr) == AF_INET6) buf[len++] = ']';
+			}
+			len += sprintf((char *)buf + len,
+				":%hu HTTP/1.0\r\nConnection: keep-alive\r\n", ntohs(*SAPORT(addr)));
+			if(user){
+				len += sprintf((char *)buf + len, "Proxy-Authorization: Basic ");
+				sprintf((char *)username, "%.128s:%.128s", user, pass?pass:(unsigned char *)"");
+				en64(username, buf+len, (int)strlen((char *)username));
+				len = (int)strlen((char *)buf);
+				len += sprintf((char *)buf + len, "\r\n");
+			}
+			len += sprintf((char *)buf + len, "\r\n");
+			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != (int)strlen((char *)buf))
+				return 31;
+			param->statssrv64+=len;
+			param->nwrites++;
+			if((res = sockgetlinebuf(param, SERVER,buf,13,'\n',conf.timeouts[CHAIN_TO])) < 13)
+				return 32;
+			if(buf[9] != '2') return 33;
+			while((res = sockgetlinebuf(param, SERVER,buf,1023,'\n', conf.timeouts[CHAIN_TO])) > 2);
+			if(res <= 0) return 34;
+			return 0;
+		}
+		case R_SOCKS4:
+		case R_SOCKS4P:
+		case R_SOCKS4B:
+		{
+
+			if(*SAFAMILY(addr) != AF_INET) return 44;
+			buf[0] = 4;
+			buf[1] = 1;
+			memcpy(buf+2, SAPORT(addr), 2);
+			if(redir->type == R_SOCKS4P && hostname) {
+				buf[4] = buf[5] = buf[6] = 0;
+				buf[7] = 3;
+			}
+			else memcpy(buf+4, SAADDR(addr), 4);
+			if(!user)user = (unsigned char *)"anonymous";
+			len = (int)strlen((char *)user) + 1;
+			memcpy(buf+8, user, len);
+			len += 8;
+			if(redir->type == R_SOCKS4P && hostname) {
+				int hostnamelen;
+
+				hostnamelen = (int)strlen((char *)hostname) + 1;
+				if(hostnamelen > 255) hostnamelen = 255;
+				memcpy(buf+len, hostname, hostnamelen);
+				len += hostnamelen;
+			}
+			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) < len){
+				return 41;
+			}
+			param->statssrv64+=len;
+			param->nwrites++;
+			if((len = sockgetlinebuf(param, SERVER, buf, (redir->type == R_SOCKS4B)? 3:8, EOF, conf.timeouts[CHAIN_TO])) != ((redir->type == R_SOCKS4B)? 3:8)){
+				return 42;
+			}
+			if(buf[1] != 90) {
+				return 43;
+			}
+
+		}
+		return 0;
+
+		case R_SOCKS5:
+		case R_SOCKS5P:
+		case R_SOCKS5B:
+		{
+		 int inbuf = 0;
+			buf[0] = 5;
+			buf[1] = 1;
+			buf[2] = user? 2 : 0;
+			if(socksend(param, param->remsock, buf, 3, conf.timeouts[CHAIN_TO]) != 3){
+				return 51;
+			}
+			param->statssrv64+=3;
+			param->nwrites++;
+			if(sockgetlinebuf(param, SERVER, buf, 2, EOF, conf.timeouts[CHAIN_TO]) != 2){
+				return 52;
+			}
+			if(buf[0] != 5) {
+				return 53;
+			}
+			if(buf[1] != 0 && !(buf[1] == 2 && user)){
+				return 54;
+			}
+			if(buf[1] == 2){
+				buf[inbuf++] = 1;
+				buf[inbuf] = (unsigned char)strlen((char *)user);
+				memcpy(buf+inbuf+1, user, buf[inbuf]);
+				inbuf += buf[inbuf] + 1;
+				buf[inbuf] = pass?(unsigned char)strlen((char *)pass):0;
+				if(pass)memcpy(buf+inbuf+1, pass, buf[inbuf]);
+				inbuf += buf[inbuf] + 1;
+				if(socksend(param, param->remsock, buf, inbuf, conf.timeouts[CHAIN_TO]) != inbuf){
+					return 51;
+				}
+				param->statssrv64+=inbuf;
+				param->nwrites++;
+				if(sockgetlinebuf(param, SERVER, buf, 2, EOF, 60) != 2){
+					return 55;
+				}
+				if(buf[0] != 1 || buf[1] != 0) {
+					return 56;
+				}
+			}
+			buf[0] = 5;
+			buf[1] = 1;
+			buf[2] = 0;
+			if(redir->type == R_SOCKS5P && hostname) {
+				buf[3] = 3;
+				len = (int)strlen((char *)hostname);
+				if(len > 255) len = 255;
+				buf[4] = len;
+				memcpy(buf + 5, hostname, len);
+				len += 5;
+			}
+			else {
+				len = 3;
+				buf[len++] = (*SAFAMILY(addr) == AF_INET)? 1 : 4;
+				memcpy(buf+len, SAADDR(addr), SAADDRLEN(addr));
+				len += SAADDRLEN(addr);
+			}
+			memcpy(buf+len, SAPORT(addr), 2);
+			len += 2;
+			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != len){
+				return 51;
+			}
+			param->statssrv64+=len;
+			param->nwrites++;
+			if(sockgetlinebuf(param, SERVER, buf, 4, EOF, conf.timeouts[CHAIN_TO]) != 4){
+				return 57;
+			}
+			if(buf[0] != 5) {
+				return 53;
+			}
+			if(buf[1] != 0) {
+				return 60 + (buf[1] % 10);
+			}
+			switch (buf[3]) {
+			case 1:
+			    if (redir->type == R_SOCKS5B ||  sockgetlinebuf(param, SERVER, buf, 6, EOF, conf.timeouts[CHAIN_TO]) == 6)
+				    break;
+			    return 59;
+			case 3:
+			    if (sockgetlinebuf(param, SERVER, buf, 1, EOF, conf.timeouts[CHAIN_TO]) != 1) return 59;
+			    len = (unsigned char)buf[0];
+			    if (sockgetlinebuf(param, SERVER, buf, len + 2, EOF, conf.timeouts[CHAIN_TO]) != len + 2) return 59;
+			    break;
+			case 4:
+			    if (sockgetlinebuf(param, SERVER, buf, 18, EOF, conf.timeouts[CHAIN_TO]) == 18)
+				    break;
+			    return 59;
+			default:
+			    return 58;
+			}
+			return 0;
+		}
+
+		default:
+
+			return 30;
+	}
+}
+
+
+int handleredirect(struct clientparam * param, struct ace * acentry){
+	int connected = 0;
+	int weight = 1000;
+	int res;
+	int done = 0;
+	int ha = 0;
+	struct chain * cur;
+	struct chain * redir = NULL;
+	int r2;
+
+	if(param->remsock != INVALID_SOCKET) {
+		return 0;
+	}
+	if(SAISNULL(&param->req) || !*SAPORT(&param->req)) {
+		return 100;
+	}
+
+	r2 = (myrand(param, sizeof(struct clientparam))%1000);
+
+	for(cur = acentry->chains; cur; cur=cur->next){
+		if(((weight = weight - cur->weight) > r2)|| done) {
+			if(weight <= 0) {
+				weight += 1000;
+				done = 0;
+				r2 = (myrand(param, sizeof(struct clientparam))%1000);
+			}
+			continue;
+		}
+		param->redirected++;
+		done = 1;
+		if(weight <= 0) {
+			weight += 1000;
+			done = 0;
+			r2 = (myrand(param, sizeof(struct clientparam))%1000);
+		}
+		if(!connected){
+			if(cur->type == R_EXTIP){
+				param->sinsl = cur->addr;
+				if(SAISNULL(&param->sinsl) && (*SAFAMILY(&param->sincr) == AF_INET || *SAFAMILY(&param->sincr) == AF_INET6))param->sinsl = param->sincr;
+#ifndef NOIPV6
+				else if(cur->cidr && *SAFAMILY(&param->sinsl) == AF_INET6){
+					uint16_t c;
+					int i;
+
+					for(i = 0; i < 8; i++){
+						if(i==4)myrand(&param->sincr, sizeof(param->sincr));
+						else if(i==6) myrand(&param->req, sizeof(param->req));
+
+						if(i*16 >= cur->cidr) ((uint16_t *)SAADDR(&param->sinsl))[i] |= rand();
+						else if ((i+1)*16 >  cur->cidr){
+							c = rand();
+							c >>= (cur->cidr - (i*16));
+							c |= ntohs(((uint16_t *)SAADDR(&param->sinsl))[i]);
+							((uint16_t *)SAADDR(&param->sinsl))[i] = htons(c);
+						}
+					}
+				}
+#endif
+				if(cur->next)continue;
+				return 0;
+			}
+			else if(SAISNULL(&cur->addr) && !*SAPORT(&cur->addr)){
+				int i;
+				if(cur->extuser){
+					if(param->extusername)
+						myfree(param->extusername);
+					param->extusername = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->username)? param->username : cur->extuser));
+					if(cur->extpass){
+						if(param->extpassword)
+							myfree(param->extpassword);
+						param->extpassword = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->password)?param->password : cur->extpass));
+					}
+					if(*cur->extuser == '*' && !param->username) return 4;
+				}
+
+				for(i=0; redirs[i].name; i++){
+				    if(cur->type == redirs[i].redir) {
+					param->redirectfunc = redirs[i].func;
+					break;
+				    }
+				}
+				if(cur->type == R_HA){
+				    ha = 1;
+				}
+				if(cur->next)continue;
+				if(!ha) return 0;
+			}
+			else if(!*SAPORT(&cur->addr) && !SAISNULL(&cur->addr)) {
+				uint16_t port = *SAPORT(&param->sinsr);
+				param->sinsr = cur->addr;
+				*SAPORT(&param->sinsr) = port;
+			}
+			else if(SAISNULL(&cur->addr) && *SAPORT(&cur->addr)) *SAPORT(&param->sinsr) = *SAPORT(&cur->addr);
+			else {
+				param->sinsr = cur->addr;
+			}
+
+			if((res = alwaysauth(param))){
+				return (res >= 10)? res : 60+res;
+			}
+			if(ha) {
+			    char buf[128];
+			    int len;
+			    len = sprintf(buf, "PROXY %s ",
+				*SAFAMILY(&param->sincr) == AF_INET6 ? "TCP6" : "TCP4");
+			    len += myinet_ntop(*SAFAMILY(&param->sincr), SAADDR(&param->sincr), buf+len, sizeof(buf) - len);
+			    buf[len++] = ' ';
+			    len += myinet_ntop(*SAFAMILY(&param->sincl), SAADDR(&param->sincl), buf+len, sizeof(buf) - len);
+			    len += sprintf(buf + len, " %hu %hu\r\n",
+				ntohs(*SAPORT(&param->sincr)),
+				ntohs(*SAPORT(&param->sincl))
+			    );
+			    if(socksend(param, param->remsock, (unsigned char *)buf, len, conf.timeouts[CHAIN_TO])!=len) return 39;
+			    return 0;
+			}
+		}
+		else {
+			res = (redir)?clientnegotiate(redir, param, (struct sockaddr *)&cur->addr, cur->exthost):0;
+			if(res) return res;
+		}
+		redir = cur;
+		param->redirtype = redir->type;
+		if(redir->type == R_TCP || redir->type ==R_HTTP) {
+			if(cur->extuser){
+				if(*cur -> extuser == '*' && !param->username) return 4;
+				if(param->extusername)
+					myfree(param->extusername);
+				param->extusername = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->username)? param->username : cur->extuser));
+				if(cur->extpass){
+					if(param->extpassword)
+						myfree(param->extpassword);
+					param->extpassword = (unsigned char *)mystrdup((char *)((*cur->extuser == '*' && param->password)?param->password : cur->extpass));
+				}
+			}
+			if(redir->secure) return ssl_parent(param);
+			return 0;
+		}
+		connected = 1;
+	}
+
+	if(!connected || !redir) return 0;
+	return clientnegotiate(redir, param, (struct sockaddr *)&param->req, param->hostname);
+}

src/sockmap.c

@@ -57,7 +57,7 @@ int sockmap(struct clientparam * param, int timeo, int usesplice){
  int fdsc = 0;
  int sleeptime = 0;
  FILTER_ACTION action;
- int res;
+ int res = 0;
  SASIZETYPE sasize;
  int needaction = 0;
  int graceclinum=0, gracesrvnum=0, graceclitraf=0, gracesrvtraf=0;
@@ -95,10 +95,6 @@ int sockmap(struct clientparam * param, int timeo, int usesplice){
 	TOSERVER = 0;
 	FROMCLIENT = 0;
  }
- if(param->operation == UDPASSOC && param->srv->singlepacket){
-	fromclient = inclientbuf;
-	FROMCLIENT = 0;
- }
  if(inserverbuf >= fromserver) FROMSERVER = 0;
  if(inclientbuf >= fromclient) FROMCLIENT = 0;
 #ifdef WITHSPLICE
@@ -279,6 +275,7 @@ log("done send to client from buf");
 			if(param->srvoffset == param->srvinbuf)param->srvoffset = param->srvinbuf =0;
 			if(param->srvinbuf < param->srvbufsize) TOSERVERBUF = 1;
 			needaction = 0;
+			if(param->srv->singlepacket) RETURN(0);
 			continue;
 		}
 	}
@@ -417,10 +414,6 @@ log("done read from server to pipe\n");
 					sl1 = (*param->bandlimfunc)(param, res, 0);
 					if(sl1 > sleeptime) sleeptime = sl1;
 		    		}
- 				if(param->operation == UDPASSOC && param->srv->singlepacket){
-					fromserver = inserverpipe;
-					FROMSERVER = 0;
-				}
 				needaction = 0;
 				continue;
 			}
@@ -487,10 +480,6 @@ log("done read from server to buf");
 					if(sl1 > sleeptime) sleeptime = sl1;
 		    		}
 				if(param->srvbufsize == param->srvinbuf) TOSERVERBUF = 0;
- 				if(param->operation == UDPASSOC && param->srv->singlepacket){
-					fromserver = inserverbuf;
-					FROMSERVER = 0;
-				}
 				needaction = 0;
 				continue;
 			}

src/socks.c

@@ -98,7 +98,7 @@ void * sockschild(struct clientparam* param) {
 	buf[0] = (unsigned char) res;
 	if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(441);}
 	buf[1] = (unsigned char) res;
-	port = *(uint16_t*)buf;
+	memcpy(&port, buf, 2);
 	c = 1;
  }
  
@@ -158,16 +158,16 @@ void * sockschild(struct clientparam* param) {
 	 buf[0] = (unsigned char) res;
 	 if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(441);}
 	 buf[1] = (unsigned char) res;
-	 port = *(uint16_t*)buf;
+	 memcpy(&port, buf, 2);
 
  }
  else {
-	sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, 0, conf.timeouts[STRING_S]);
+	if(sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, 0, conf.timeouts[STRING_S]) < 0) {RETURN(441);}
 	buf[127] = 0;
 	if(param->srv->needuser && *buf && !param->username)param->username = (unsigned char *)mystrdup((char *)buf);
 	if(!memcmp(SAADDR(&param->req), "\0\0\0", 3)){
 		param->service = S_SOCKS45;
-		sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, 0, conf.timeouts[STRING_S]);
+		if(sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, 0, conf.timeouts[STRING_S]) < 0) {RETURN(441);}
 		buf[127] = 0;
 		if(param->hostname)myfree(param->hostname);
 		param->hostname = (unsigned char *)mystrdup((char *)buf);
@@ -314,8 +314,13 @@ fflush(stderr);
 	else{
 		buf[0] = 0;
 		buf[1] = 90 + !!(repcode);
-		memcpy(buf+2, SAPORT(&sin), 2);
-		memcpy(buf+4, SAADDR(&sin), 4);
+		if(*SAFAMILY(&sin) == AF_INET){
+			memcpy(buf+2, SAPORT(&sin), 2);
+			memcpy(buf+4, SAADDR(&sin), 4);
+		} else {
+			memset(buf+2, 0, 6);
+			param->res = 997;
+		}
 		socksend(param, param->clisock, buf, 8, conf.timeouts[STRING_S]);
 	}
 
@@ -336,8 +341,9 @@ fflush(stderr);
 		switch(command) {
 			case 1:
 				if(param->redirectfunc){
+					void *ret = (*param->redirectfunc)(param);
 					if(buf)myfree(buf);
-					return (*param->redirectfunc)(param);
+					return ret;
 				}
 				param->res = mapsocket(param, conf.timeouts[CONNECTION_L]);
 				break;
@@ -370,7 +376,10 @@ fflush(stderr);
                     		    unsigned long ul=1;
                     		    ioctlsocket(param->remsock, FIONBIO, &ul);
 #else
-                    		    fcntl(param->remsock,F_SETFL,O_NONBLOCK | fcntl(param->remsock,F_GETFL));
+                    		    {
+					int flags = fcntl(param->remsock, F_GETFL);
+					if(flags != -1) fcntl(param->remsock, F_SETFL, O_NONBLOCK | flags);
+				    }
 #endif
             			}
 

src/structures.h

@@ -500,6 +500,23 @@ struct sockfuncs {
 
 extern struct sockfuncs so;
 
+struct hashtable {
+	void (*index2hash_add)(const struct hashtable *ht, void *index, uint8_t *hash);
+	void (*index2hash_search)(const struct hashtable *ht, void *index, uint8_t *hash);
+	unsigned recsize;
+	unsigned hash_size;
+	unsigned poolsize;
+	unsigned tablesize;
+	unsigned growlimit;
+	uint32_t * ihashtable;
+	uint8_t * hashvalues;
+	uint8_t * hashhashvalues;
+	pthread_mutex_t hash_mutex;
+	time_t compacted;
+	uint32_t ihashhashempty;
+	uint32_t ihashempty;
+};
+
 struct srvparam {
 	struct sockfuncs so;
 	struct srvparam *next;
@@ -760,28 +777,13 @@ struct child {
 };
 
 
-struct hashtable {
-	void (*index2hash_add)(const struct hashtable *ht, void *index, uint8_t *hash);
-	void (*index2hash_search)(const struct hashtable *ht, void *index, uint8_t *hash);
-	unsigned recsize;
-	unsigned hash_size;
-	unsigned poolsize;
-	unsigned tablesize;
-	unsigned growlimit;
-	uint32_t * ihashtable;
-	uint8_t * hashvalues;
-	uint8_t * hashhashvalues;
-	time_t compacted;
-	uint32_t ihashhashempty;
-	uint32_t ihashempty;
-};
-
 extern struct hashtable dns_table;
 extern struct hashtable dns6_table;
 extern struct hashtable auth_table;
 extern struct hashtable pw_table;
 extern struct hashtable pwnt_table;
 extern struct hashtable pwcr_table;
+extern struct hashtable udp_table;
 
 struct authcache {
         unsigned char username[64];

src/udppm.c

@@ -18,81 +18,15 @@
 
 
 void * udppmchild(struct clientparam* param) {
- unsigned char *buf = NULL;
- int res, i;
-#ifdef _WIN32
- SASIZETYPE size;
- unsigned long ul = 1;
-#endif
 
-
- if(!param->hostname && parsehostname((char *)param->srv->target, param, ntohs(param->srv->targetport))) RETURN(100);
- if (SAISNULL(&param->req)) {
-	param->srv->fds.events = POLLIN;
-	RETURN (100);
- }
- if(!param->clibuf && (!(param->clibuf=myalloc(UDPBUFSIZE)) || !(param->clibufsize = UDPBUFSIZE))){
-	param->srv->fds.events = POLLIN;
-	RETURN (21);
- }
- param->cliinbuf = param->clioffset = 0;
- i = sockrecvfrom(param, param->srv->srvsock, (struct sockaddr *)&param->sincr, param->clibuf, param->clibufsize, 0);
- if(i<=0){
-	param->srv->fds.events = POLLIN;
-	RETURN (214);
- }
- param->cliinbuf = i;
-
-#ifdef _WIN32
-	if((param->clisock=param->srv->so._socket(param->sostate, SASOCK(&param->sincr), SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) {
-		RETURN(818);
-	}
-	if(param->srv->so._setsockopt(param->sostate, param->clisock, SOL_SOCKET, SO_REUSEADDR, (char *)&ul, sizeof(int))) {RETURN(820);};
-	ul = 1;
-	ioctlsocket(param->clisock, FIONBIO, &ul);
-	size = sizeof(param->sinsl);
-	if(param->srv->so._getsockname(param->sostate, param->srv->srvsock, (struct sockaddr *)&param->sinsl, &size)) {RETURN(21);};
-	if(param->srv->so._bind(param->sostate, param->clisock,(struct sockaddr *)&param->sinsl,SASIZE(&param->sinsl))) {
-		RETURN(822);
-	}
-#else
-	param->clisock = param->srv->srvsock;
-#endif
-
-#ifndef NOIPV6
- memcpy(&param->sinsl, *SAFAMILY(&param->req) == AF_INET? (struct sockaddr *)&param->srv->extsa : (struct sockaddr *)&param->srv->extsa6, SASIZE(&param->req));
-#else
- memcpy(&param->sinsl, &param->srv->extsa, SASIZE(&param->req));
-#endif
- *SAPORT(&param->sinsl) = 0;
- if ((param->remsock=param->srv->so._socket(param->sostate, SASOCK(&param->sinsl), SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) {RETURN (11);}
- if(param->srv->so._bind(param->sostate, param->remsock,(struct sockaddr *)&param->sinsl,SASIZE(&param->sinsl))) {RETURN (12);}
-#ifdef _WIN32
-	ul = 1;
-	ioctlsocket(param->remsock, FIONBIO, &ul);
-#else
-	fcntl(param->remsock,F_SETFL,O_NONBLOCK | fcntl(param->remsock,F_GETFL));
-#endif
- memcpy(&param->sinsr, &param->req, sizeof(param->req));
-
- param->operation = UDPASSOC;
- if((res = (*param->srv->authfunc)(param))) {RETURN(res);}
- if(param->srv->singlepacket) {
-	param->srv->fds.events = POLLIN;
- }
-
- param->res = mapsocket(param, conf.timeouts[(param->srv->singlepacket)?SINGLEBYTE_L:STRING_L]);
- if(!param->srv->singlepacket) {
-	param->srv->fds.events = POLLIN;
- }
+ param->clisock = param->srv->srvsock;
+ param->waitserver64 = 0x7fffffffffffffff;
+ param->res = mapsocket(param, conf.timeouts[STRING_L]);
 
 CLEANRET:
 
- if(buf)myfree(buf);
  dolog(param, NULL);
-#ifndef _WIN32
  param->clisock = INVALID_SOCKET;
-#endif
  freeparam(param);
  return (NULL);
 }