v0.7.4

  - Fixed: sockets in CLOSE_WAIT state left by afclient
  - Added: --localname and --localport options
  - Added: --localdesname option
  - Added: kicking user in 'opening' state
  - Fixed: info about kicked user
  - Fixed: TERM signal handling
  - Fixed: id lost after reconnection
  - Fixed: printing wrong client name in 'SSL_accept failed (timeout)' message
  - Fixed: ignored 'certificate' and 'key' options from config file
  - Added: config files for afclient
  - Modified: some options in afserver config file

7 files changed, 329 insertions, 30 deletions

diff --git a/doc/afclient.1 b/doc/afclient.1
index fce6381..32c71ff 100644
--- a/doc/afclient.1
+++ b/doc/afclient.1
@@ -1,4 +1,4 @@
-.TH afclient 1 "apf 0.7.2" Jeremian
+.TH afclient 1 "apf 0.7.4" Jeremian
 .SH NAME
 afclient \- active port forwarder client
 .SH SYNOPSIS
@@ -41,6 +41,15 @@ is running (required)
 .B -p, --portnum PORT
   the port we are forwarding connection to (required)
 
+.B --localname NAME
+  local machine name for connection with afserver (used to bind socket to different interfaces)
+
+.B --localport NAME
+  local port name for connection with afserver (used to bind socket to different addressees)
+
+.B --localdesname NAME
+  local machine name for connections with destination application (used to bind socket to different interfaces)
+
 .B -V, --version
   display version number
 
@@ -63,6 +72,10 @@ is running (required)
 .B -k, --keyfile FILE
   the name of the file with RSA key (default: client.rsa)
 
+.B -f, --cfgfile FILE
+  the name of the file with the configuration for the
+.I afclient
+
 .B -s, --storefile
   the name of the file with stored public keys (default: known_hosts)
   
@@ -92,10 +105,10 @@ is running (required)
 .I Modes
 
 .B -u, --udpmode
-  udp mode - client will use udp protocol to communicate with the hostname:portnum (-p)
+  udp mode - client will use udp protocol to communicate with the hostname:portnum
 
 .B -U, --reverseudp
-  reverse udp forwarding. Udp packets will be forwarded from hostname:portnum (-p) to the server name:portnum (-m)
+  reverse udp forwarding. Udp packets will be forwarded from hostname:portnum to the server name:manageport
   
 .B -r, --remoteadmin
   remote administration mode. (using '-p PORT' will force afclient to use port rather than stdin-stdout)
@@ -302,6 +315,7 @@ options.
 
 .SH "SEE ALSO"
 
+.BR afclient.conf (5),
 .BR afserver (1),
 .BR afserver.conf (5)
   
diff --git a/doc/afclient.conf.5 b/doc/afclient.conf.5
new file mode 100644
index 0000000..6137428
--- /dev/null
+++ b/doc/afclient.conf.5
@@ -0,0 +1,149 @@
+.TH afclient.conf 5 "apf 0.7.4" Jeremian
+.SH NAME
+afclient.conf \- Configuration File for afclient
+.SH INTRODUCTION
+.B Afclient
+supports several mechanisms to supply configuration and run-time parameters: command line options,
+.B afclient.conf
+and hard-coded defaults. When the same information is supplied in more than one way, the highest precedence mechanism is used. When configuration file is used (option:
+.IR "-f FILE")
+command line options like
+.IR --reverseudp ,
+.IR --udpmode ,
+.IR --remoteadmin ,
+.IR --load ,
+.I --Load
+and
+.I --pass
+are ignored. Options from configuration file are taken before values from command line (with the exception of
+.IR --keyfile ,
+.IR --storefile ,
+.IR --dateformat ,
+.IR --ignorepkeys
+and the options connected with http proxy and auto-reconnect support). When something is not declared, hard-coded values are used.
+
+.SH DESCRIPTION
+.B Afclient
+uses configuration file, which name is supplied by the
+.I -f FILE
+option. The
+.B afclient.conf
+file is the set of command-line like options, which can be written in any order.
+
+.SH "OPTIONS"
+
+.B servername NAME
+  name of the host, where
+.I afserver
+is running
+
+.B manageport PORT
+  manage port number - server must be listening on it (default: 50126)
+
+.B hostname NAME
+  the name of this host/remote host - the final destination of the packets (default: the name returned by hostname function)
+
+.B portnum PORT
+  the port we are forwarding connection to
+
+.B localname NAME
+  local machine name for connection with afserver (used to bind socket to different interfaces)
+
+.B localport NAME
+  local port name for connection with afserver (used to bind socket to different addressees)
+
+.B localdesname NAME
+  local machine name for connections with destination application (used to bind socket to different interfaces)
+
+.B id STRING
+  sends the id string to afserver
+
+.B pass PASSWORD
+  set the password used for client identification (default: no password)
+
+.B ignorepkeys
+  ignore invalid server's public keys
+
+.B keyfile FILE
+  the name of the file with RSA key (default: client.rsa)
+
+.B storefile FILE
+  the name of the file with stored public keys (default: known_hosts)
+
+.B dateformat FORMAT
+  format of the date printed in logs (see 'man strftime' for details) (default: %d.%m.%Y %H:%M:%S). Format string is trimmed. In order to include white characters into format string, use dots to mark beginning and end of the text. If the dot is first or last character, it's removed. Only one character from the beginning and one from the end can be removed.
+
+.B keep-alive N
+  send keepalive packets every N seconds (default: not send keepalive packets)
+
+.B ar-start
+  enable auto-reconnection when afserver is not reachable on start (default: disabled)
+
+.B ar-quit
+  enable auto-reconnection after normal afserver quit (default: disabled)
+
+.B noar
+  disable auto-reconnection after premature afserver quit (default: enabled)
+
+.B ar-tries N
+  try N times to reconnect (default: unlimited)
+
+.B ar-delay N
+  wait N seconds between reconnect tries (default: 5)
+
+.B udpmode
+  udp mode - client will use udp protocol to communicate with the hostname:portnum
+
+.B reverseudp
+  reverse udp forwarding. Udp packets will be forwarded from hostname:portnum to the server name:manageport
+
+.B remoteadmin
+  remote administration mode. (using '-p PORT' will force afclient to use port rather than stdin-stdout)
+
+.B log LOGCMD
+  log choosen information to file/socket
+
+.B ipv4
+  use ipv4 only
+
+.B ipv6
+  use ipv6 only
+
+.B load FILE
+  load a module for user's packets filtering
+
+.B Load FILE
+  load a module for service's packets filtering
+
+.B use-https
+  use https proxy instead of http proxy
+
+.B proxyname NAME
+  the name of the machine with proxy server
+
+.B proxyport PORT
+  the port used by proxy server (default: 8080)
+
+.B pa-cred  U:P
+  the user (U) and password (P) used in proxy authorization
+
+.B pa-t-basic
+  the Basic type of proxy authorization (default)
+
+.SH "SEE ALSO"
+
+.BR afserver.conf (5),
+.BR afclient (1),
+.BR afserver (1)
+
+.SH AUTHOR
+
+Jeremian <jeremian [at] poczta.fm>
+
+.SH CONTRIBUTIONS
+
+Alex Dyatlov <alex [at] gray-world.net>, Simon <scastro [at] entreelibre.com>, Ilia Perevezentsev <iliaper [at] mail.ru> and Marco Solari <marco.solari [at] koinesistemi.it>
+
+.SH LICENSE
+
+Active Port Forwarder is distributed under the terms of the GNU General Public License v2.0 and is copyright (C) 2003,2004,2005 jeremian <jeremian [at] poczta.fm>. See the file COPYING for details.
diff --git a/doc/afclient_example.conf b/doc/afclient_example.conf
new file mode 100644
index 0000000..45b2556
--- /dev/null
+++ b/doc/afclient_example.conf
@@ -0,0 +1,53 @@
+# This is an example configuration file for active port forwarder (client)
+
+#servername <yourservername>  #name of the server to connect to (required)
+#manageport 50126             #manage port number (default: 50126)
+#hostname <yourhostname>      #the name of the destination host (default:
+                              #  the name returned by hostname function)
+#portnum 22                   #the destination port of the tunnel (required)
+
+#localname <localname>        #local machine name for connection with afserver
+#localport <localport>        #local port name for connection with afserver
+#localdesname <localdesname>  #local machine name for connections with destination application
+
+#id example client's id       #sends the id string to afserver
+#pass password                #set the password used for client identification
+#ignorepkeys                  #ignore invalid server's public keys
+
+#keyfile client.rsa           #the name of the file with RSA key (default: client.rsa)
+#storefile known_hosts        #the name of the file with stored public keys (default: known_hosts)
+#dateformat %Y-%m-%d %H:%M:%S #format of the date printed in logs (default: %Y-%m-%d %H:%M:%S)
+#keep-alive 15                #send keepalive packets every N seconds (default: not send keepalive packets)
+
+#ar-start                     #enable auto-reconnection when afserver is not reachable on start
+                              #  (default: disabled)
+#ar-quit                      #enable auto-reconnection after normal afserver quit (default: disabled)
+#noar                         #disable auto-reconnection after premature afserver quit (default: enabled)
+
+#ar-tries 10                  #try N times to reconnect (default: unlimited)
+#ar-delay 10                  #wait N seconds between reconnect tries (default: 5)
+
+#udpmode                      #udp mode - client will use udp protocol to communicate with
+                              #  the hostname:portnum (-p)
+#reverseudp                   #reverse udp forwarding. Udp packets will be forwarded
+                              #  from hostname:portnum to the server name:manageport
+#remoteadmin                  #remote administration mode. (using '-p #port' will
+                              #  force afclient to use port rather than stdin-stdout)
+
+# Logging can be enabled by log option. The argument to this option must
+# be in the form:
+#     target,description,msgdesc
+
+#log       file,clogfile,LOG_T_ALL,LOG_I_CRIT,LOG_I_ERR,LOG_I_WARNING
+
+#ipv4                         #use ipv4 only
+#ipv6                         #use ipv6 only
+
+#load usermodule              #load a module for user's packets filtering
+#Load servicemodule           #load a module for service's packets filtering
+
+#use-https                    #use https proxy instead of http proxy
+#proxyname httpproxy          #the name of the machine with proxy server
+#proxyport 8080               #the port used by proxy server (default: 8080)
+#pa-cred user:password        #the user (U) and password (P) used in proxy authorization
+#pa-t-basic                   #the Basic type of proxy authorization (default)
diff --git a/doc/afserver.1 b/doc/afserver.1
index 24f9e6d..cb3d5f7 100644
--- a/doc/afserver.1
+++ b/doc/afserver.1
@@ -1,4 +1,4 @@
-.TH afserver 1 "apf 0.7.2" Jeremian
+.TH afserver 1 "apf 0.7.4" Jeremian
 .SH NAME
 afserver \- active port forwarder server
 .SH SYNOPSIS
@@ -211,8 +211,9 @@ written without spaces.
 
 .SH "SEE ALSO"
 
+.BR afserver.conf (5),
 .BR afclient (1),
-.BR afserver.conf (5)
+.BR afclient.conf (5)
 
 .SH BUGS
 
diff --git a/doc/afserver.conf.5 b/doc/afserver.conf.5
index b942403..a28625f 100644
--- a/doc/afserver.conf.5
+++ b/doc/afserver.conf.5
@@ -1,4 +1,4 @@
-.TH afserver.conf 5 "apf 0.7.2" Jeremian
+.TH afserver.conf 5 "apf 0.7.4" Jeremian
 .SH NAME
 afserver.conf \- Configuration File for afserver
 .SH INTRODUCTION
@@ -13,7 +13,12 @@ command line options like
 .I --manageport
 and
 .I --pass
-are ignored. Options from configuration file are taken before values from command line. When something is not declared, hard-coded values are used.
+are ignored. Options from configuration file are taken before values from command line (with the exception of
+.IR --cerfile ,
+.I --keyfile
+and
+.I --dateformat
+). When something is not declared, hard-coded values are used.
 
 .SH DESCRIPTION
 .B Afserver
@@ -21,7 +26,7 @@ uses configuration file, which name is supplied by the
 .I -f FILE
 option. The
 .B afserver.conf
-file is composed of two sections which have to be in fixed order. In first section global values like certificates, keys and logging options are set. The second section starts with first
+file is composed of two sections which have to be in fixed order. In first section global values like cerfile, keyfile and logging options are set. The second section starts with first
 .B realm
 command and includes options describing specific realms. There may be several
 .B realm
@@ -29,10 +34,10 @@ commands.
 
 .SH "GLOBAL OPTIONS"
 
-.B certificate FILE
+.B cerfile FILE
   the name of the file with certificate (default: cacert.pem)
 
-.B key FILE
+.B keyfile FILE
   the name of the file with RSA key (default: server.rsa)
 
 .B log LOGCMD
@@ -49,10 +54,10 @@ commands.
 .B hostname NAME
   used when creating listening sockets (default: '')
 
-.B listen PORT
+.B listenport PORT
   listening port number - users connect to it (required at least one)
 
-.B manage PORT
+.B manageport PORT
   manage port number - afclient connects to it (required at least one)
 
 .B pass PASSWORD
@@ -107,6 +112,7 @@ commands.
 
 .SH "SEE ALSO"
 
+.BR afclient.conf (5),
 .BR afclient (1),
 .BR afserver (1)
 
diff --git a/doc/afserver_example.conf b/doc/afserver_example.conf
index f7c0be8..e96ec02 100644
--- a/doc/afserver_example.conf
+++ b/doc/afserver_example.conf
@@ -1,16 +1,15 @@
-# This is an example configuration file for active port forwarder
+# This is an example configuration file for active port forwarder (server)
 # Firstly, we have to declare our files with key and certificate
 
-certificate	cacert.pem
+cerfile	cacert.pem
 
 # Please note, that we can place only blank characters between words
 
-key		server.rsa
+keyfile		server.rsa
 
-# when we want to log some information, we specify file for lightlog
-# when we want to log everything - we do this by using heavylog option
-
-# type		name of file
+# Logging can be enabled by log option. The argument to this option must
+# be in the form:
+#     target,description,msgdesc
 
 log	      file,logfile,LOG_T_ALL,LOG_I_CRIT,LOG_I_ERR,LOG_I_WARNING
 
@@ -29,8 +28,8 @@ realm my realm
 #options        values
 
 #hostname  <yourhostname> #this is the name of the server (used to choose interface)
-listen    50127          #portnumber on which server is listening for users
-manage    50126         #portnumber on which server is listening for afclient
+listenport    50127      #portnumber on which server is listening for users
+manageport    50126     #portnumber on which server is listening for afclient
 #users     5           #amount of users we are allowing to connect (>0) (default: 5)
 #timeout   5          #timeout value for the client's connection (>0) (default: 5)
 #clients   1          #number of allowed clients for this realm (>0) (default: 1)
@@ -51,5 +50,5 @@ manage    50126         #portnumber on which server is listening for afclient
 # and now the second realm
 
 realm
-listen    50125
-manage    50124
+listenport    50125
+manageport    50124
diff --git a/doc/en/README b/doc/en/README
index fab53ae..c36ea47 100644
--- a/doc/en/README
+++ b/doc/en/README
@@ -1,4 +1,4 @@
-AF - Active Port Forwarder 0.7.2 - README
+AF - Active Port Forwarder 0.7.4 - README
 Copyright (C) 2003,2004,2005 jeremian - <jeremian [at] poczta.fm>
 =================================================================
 
@@ -30,6 +30,12 @@ INTRO
   2.1 afserver
   2.2 afclient
 3. REMOTE ADMINISTRATION
+  3.1 Usage
+  3.2 Commands
+  3.3 States
+    3.3.1 Users
+    3.3.2 Clients
+  3.4 Relay mode
 4. HTTP PROXY TUNNELS
 5. LOGGING
 6. MODULES
@@ -184,6 +190,12 @@ Multiple clients allow to create more sophisticated tunneling scheme.
                         destination of the packets (default: the name
                         returned by hostname function)
   -p, --portnum       - the port we are forwarding connection to (required)
+  --localname         - local machine name for connection with afserver
+                        (used to bind socket to different interfaces)
+  --localport         - local port name for connection with afserver
+                        (used to bind socket to different addressees)
+  --localdesname      - local machine name for connections with destination
+                        application (used to bind socket to different interfaces)
   -V, --version       - display version number
   -h, --help          - prints this help
 
@@ -197,6 +209,8 @@ Multiple clients allow to create more sophisticated tunneling scheme.
  Configuration:
 
   -k, --keyfile       - the name of the file with RSA key (default: client.rsa)
+  -f, --cfgfile       - the name of the file with the configuration for the
+                        active forwarder (client)
   -s, --storefile     - the name of the file with stored public keys
                         (default: known_hosts)
   -D, --dateformat    - format of the date printed in logs (see 'man strftime'
@@ -218,10 +232,9 @@ Multiple clients allow to create more sophisticated tunneling scheme.
  Modes:
 
   -u, --udpmode       - udp mode - client will use udp protocol to
-                        communicate with the hostname:portnum (-p)
+                        communicate with the hostname:portnum
   -U, --reverseudp    - reverse udp forwarding. Udp packets will be forwarded
-                        from hostname:portnum (-p) to the server name:portnum
-                        (-m)
+                        from hostname:portnum to the server name:manageport
   -r, --remoteadmin   - remote administration mode. (using '-p #port' will
                         force afclient to use port rather than stdin-stdout)
 
@@ -257,12 +270,18 @@ Multiple clients allow to create more sophisticated tunneling scheme.
 3. REMOTE ADMINISTRATION
 ========================
 
+  3.1 Usage
+  ---------
+  
 Afclient can be started in remote administration  mode  by  '-r,  --remoteadmin'
 option. Required option: '-n, --servername NAME'.
 
 After successful authorization stdin/stdout is used to  communicate  with  user.
 All the commands parsing is done by afserver.
 
+  3.2 Commands
+  ------------
+  
 Currently available commands are:
 
        help
@@ -305,6 +324,64 @@ Currently available commands are:
          kick client with number N
 
 
+  3.3 States
+  ----------
+  
+    3.3.1 Users
+    -----------
+    
+    Connected users can be in several states:
+    
+       running
+         user is properly connected and can send/receive data
+         
+       opening
+         user is connected to afserver, but afclient hasn't confirmed connection
+         with the destination. There is no traffic allowed in this situation.
+         
+       opening (closed)
+         user was in 'opening' state, but 'kuser' command has been used and it's
+         now queued for closing as soon as afclient will be ready to confirm
+         this
+         
+       stopped
+         user wasn't responsible, so all the packets addressed to it are queued.
+         Afclient is informed to not receive any packets for this user.
+         
+       closing
+         connection with user has been lost. Afclient has to confirm user
+         deletion
+         
+       unknown
+         probably afserver internal state has been corrupted.
+         
+         
+    3.3.2 Clients
+    -------------
+
+    Connected clients can be in several states:
+    
+       running
+         client is properly connected and can serve user's requests
+         
+       ssl handshake
+         connection with client has been initialized and now ssl routines are
+         negotiating all the details needed to establish secure tunnel. This
+         stage with 'authorization' must not exceed the time set by 'timeout'
+         option.
+         
+       authorization
+         ssl tunnel is ready and afclient has to authorize itself to the
+         afserver. This stage with 'ssl handshake' must not exceed the time set
+         by 'timeout' option.
+         
+       unknown
+         probably afserver internal state has been corrupted.
+
+
+  3.4 Relay mode
+  --------------
+
 Afclient with '-p, --portnum PORT' option listens for connection  from  user  at
 NAME:PORT.  NAME is set by '-d, --hostname' option or hostname() function,  when
 the option is missing.
@@ -317,12 +394,12 @@ When user quits (close the connection or send 'quit' command),  afclient  exits.
 4. HTTP PROXY TUNNELS
 =====================
 
-Afclient can communicate with afserver via HTTP proxy. In order to use this
+Afclient can communicate with afserver via HTTP proxy.  In  order  to  use  this
 feature, afserver must be started with '-P, --enableproxy' option. Afclient must
-specify the proxy host ('-P, --proxyname' option) and port ('-X, --proxyport'
+specify the proxy host ('-P, --proxyname' option) and  port  ('-X,  --proxyport'
 option).
 
-Afclient with HTTP proxy mode enabled can still accept connections from
+Afclient with  HTTP  proxy  mode  enabled  can  still  accept  connections  from
 afclients, which don't use HTTP proxy mode.
 
 ================================================================================