2017-09-24 14:11:26 +02:00
|
|
|
import socket
|
|
|
|
from socket import AF_INET, AF_INET6
|
|
|
|
|
2021-01-16 01:59:28 +01:00
|
|
|
from unittest.mock import Mock, patch, call
|
2015-11-17 06:51:22 +01:00
|
|
|
|
|
|
|
from sshuttle.methods import get_method
|
|
|
|
|
|
|
|
|
2021-11-10 21:57:42 +01:00
|
|
|
def test_get_supported_features():
|
2015-11-17 06:51:22 +01:00
|
|
|
method = get_method('tproxy')
|
|
|
|
features = method.get_supported_features()
|
|
|
|
assert features.ipv6
|
|
|
|
assert features.udp
|
2015-12-15 01:40:55 +01:00
|
|
|
assert features.dns
|
|
|
|
|
|
|
|
|
2015-11-17 06:51:22 +01:00
|
|
|
def test_get_tcp_dstip():
|
|
|
|
sock = Mock()
|
|
|
|
sock.getsockname.return_value = ('127.0.0.1', 1024)
|
|
|
|
method = get_method('tproxy')
|
|
|
|
assert method.get_tcp_dstip(sock) == ('127.0.0.1', 1024)
|
|
|
|
assert sock.mock_calls == [call.getsockname()]
|
|
|
|
|
|
|
|
|
|
|
|
@patch("sshuttle.methods.tproxy.recv_udp")
|
|
|
|
def test_recv_udp(mock_recv_udp):
|
|
|
|
mock_recv_udp.return_value = ("127.0.0.1", "127.0.0.2", "11111")
|
|
|
|
|
|
|
|
sock = Mock()
|
|
|
|
method = get_method('tproxy')
|
|
|
|
result = method.recv_udp(sock, 1024)
|
|
|
|
assert sock.mock_calls == []
|
|
|
|
assert mock_recv_udp.mock_calls == [call(sock, 1024)]
|
|
|
|
assert result == ("127.0.0.1", "127.0.0.2", "11111")
|
|
|
|
|
|
|
|
|
|
|
|
@patch("sshuttle.methods.socket.socket")
|
|
|
|
def test_send_udp(mock_socket):
|
|
|
|
sock = Mock()
|
|
|
|
method = get_method('tproxy')
|
|
|
|
method.send_udp(sock, "127.0.0.2", "127.0.0.1", "2222222")
|
|
|
|
assert sock.mock_calls == []
|
|
|
|
assert mock_socket.mock_calls == [
|
|
|
|
call(sock.family, 2),
|
2017-09-24 14:11:26 +02:00
|
|
|
call().setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1),
|
2015-11-17 06:51:22 +01:00
|
|
|
call().setsockopt(0, 19, 1),
|
|
|
|
call().bind('127.0.0.2'),
|
|
|
|
call().sendto("2222222", '127.0.0.1'),
|
|
|
|
call().close()
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
|
|
def test_setup_tcp_listener():
|
|
|
|
listener = Mock()
|
|
|
|
method = get_method('tproxy')
|
|
|
|
method.setup_tcp_listener(listener)
|
|
|
|
assert listener.mock_calls == [
|
|
|
|
call.setsockopt(0, 19, 1)
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
|
|
def test_setup_udp_listener():
|
|
|
|
listener = Mock()
|
|
|
|
method = get_method('tproxy')
|
|
|
|
method.setup_udp_listener(listener)
|
|
|
|
assert listener.mock_calls == [
|
|
|
|
call.setsockopt(0, 19, 1),
|
|
|
|
call.v4.setsockopt(0, 20, 1),
|
|
|
|
call.v6.setsockopt(41, 74, 1)
|
|
|
|
]
|
|
|
|
|
|
|
|
|
2015-12-15 01:40:55 +01:00
|
|
|
def test_assert_features():
|
2015-11-17 06:51:22 +01:00
|
|
|
method = get_method('tproxy')
|
2015-12-15 01:40:55 +01:00
|
|
|
features = method.get_supported_features()
|
|
|
|
method.assert_features(features)
|
2015-11-17 06:51:22 +01:00
|
|
|
|
|
|
|
|
|
|
|
def test_firewall_command():
|
|
|
|
method = get_method('tproxy')
|
2022-06-14 20:02:12 +02:00
|
|
|
assert not method.firewall_command("something")
|
2015-11-17 06:51:22 +01:00
|
|
|
|
|
|
|
|
|
|
|
@patch('sshuttle.methods.tproxy.ipt')
|
|
|
|
@patch('sshuttle.methods.tproxy.ipt_chain_exists')
|
2021-06-01 05:33:55 +02:00
|
|
|
def test_setup_firewall(mock_ipt_chain_exists, mock_ipt):
|
2015-11-17 06:51:22 +01:00
|
|
|
mock_ipt_chain_exists.return_value = True
|
|
|
|
method = get_method('tproxy')
|
|
|
|
assert method.name == 'tproxy'
|
|
|
|
|
|
|
|
# IPV6
|
|
|
|
|
|
|
|
method.setup_firewall(
|
|
|
|
1024, 1026,
|
2017-09-24 14:11:26 +02:00
|
|
|
[(AF_INET6, u'2404:6800:4004:80c::33')],
|
|
|
|
AF_INET6,
|
|
|
|
[(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
|
|
|
|
(AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
|
2017-09-08 03:17:37 +02:00
|
|
|
True,
|
2021-01-18 21:28:52 +01:00
|
|
|
None,
|
2023-08-04 14:51:03 +02:00
|
|
|
None,
|
2021-06-01 05:33:55 +02:00
|
|
|
'0x01')
|
2015-11-17 06:51:22 +01:00
|
|
|
assert mock_ipt_chain_exists.mock_calls == [
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', 'sshuttle-m-1024'),
|
|
|
|
call(AF_INET6, 'mangle', 'sshuttle-t-1024'),
|
|
|
|
call(AF_INET6, 'mangle', 'sshuttle-d-1024')
|
2015-11-17 06:51:22 +01:00
|
|
|
]
|
|
|
|
assert mock_ipt.mock_calls == [
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-X', 'sshuttle-m-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-X', 'sshuttle-t-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-X', 'sshuttle-d-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-N', 'sshuttle-m-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-N', 'sshuttle-d-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-N', 'sshuttle-t-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
|
|
|
|
call(AF_INET6, 'mangle', '-I', 'PREROUTING', '1', '-j',
|
2019-02-10 23:59:13 +01:00
|
|
|
'sshuttle-t-1024'),
|
2023-10-03 01:27:44 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
|
|
|
|
'--set-mark', '0x01', '--dest', u'2404:6800:4004:80c::33/32',
|
|
|
|
'-m', 'udp', '-p', 'udp', '--dport', '53'),
|
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
|
|
|
|
'--tproxy-mark', '0x01',
|
|
|
|
'--dest', u'2404:6800:4004:80c::33/32',
|
|
|
|
'-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1026'),
|
2021-01-03 23:05:32 +01:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
|
|
|
|
'-m', 'addrtype', '--dst-type', 'LOCAL'),
|
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
|
|
|
|
'-m', 'addrtype', '--dst-type', 'LOCAL'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
|
2021-05-27 22:21:42 +02:00
|
|
|
'--set-mark', '0x01'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
|
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
|
2015-11-17 06:51:22 +01:00
|
|
|
'-j', 'sshuttle-d-1024', '-m', 'tcp', '-p', 'tcp'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
|
2015-11-17 06:51:22 +01:00
|
|
|
'-j', 'sshuttle-d-1024', '-m', 'udp', '-p', 'udp'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
|
2015-11-17 06:51:22 +01:00
|
|
|
'--dest', u'2404:6800:4004:80c::101f/128',
|
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges
This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.
When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.
For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.
Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```
Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```
Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```
* Allow subnets to be specified with domain names
Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.
Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>
* Also use getaddrinfo for parsing listen addr:port
* Fixes tests for tunneling a port range
* Updates documentation to include port/port range
Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.
* In Py2 only named arguments may follow *expression
Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.
* Use right regex to extract ip4/6, mask and ports
* Tests for parse_subnetport
2017-05-07 05:18:13 +02:00
|
|
|
'-m', 'tcp', '-p', 'tcp', '--dport', '8080:8080'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
|
2015-11-17 06:51:22 +01:00
|
|
|
'--dest', u'2404:6800:4004:80c::101f/128',
|
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges
This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.
When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.
For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.
Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```
Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```
Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```
* Allow subnets to be specified with domain names
Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.
Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>
* Also use getaddrinfo for parsing listen addr:port
* Fixes tests for tunneling a port range
* Updates documentation to include port/port range
Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.
* In Py2 only named arguments may follow *expression
Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.
* Use right regex to extract ip4/6, mask and ports
* Tests for parse_subnetport
2017-05-07 05:18:13 +02:00
|
|
|
'-m', 'tcp', '-p', 'tcp', '--dport', '8080:8080'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
|
2015-11-17 06:51:22 +01:00
|
|
|
'--dest', u'2404:6800:4004:80c::101f/128',
|
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges
This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.
When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.
For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.
Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```
Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```
Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```
* Allow subnets to be specified with domain names
Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.
Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>
* Also use getaddrinfo for parsing listen addr:port
* Fixes tests for tunneling a port range
* Updates documentation to include port/port range
Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.
* In Py2 only named arguments may follow *expression
Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.
* Use right regex to extract ip4/6, mask and ports
* Tests for parse_subnetport
2017-05-07 05:18:13 +02:00
|
|
|
'-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
|
2015-11-17 06:51:22 +01:00
|
|
|
'--dest', u'2404:6800:4004:80c::101f/128',
|
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges
This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.
When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.
For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.
Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```
Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```
Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```
* Allow subnets to be specified with domain names
Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.
Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>
* Also use getaddrinfo for parsing listen addr:port
* Fixes tests for tunneling a port range
* Updates documentation to include port/port range
Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.
* In Py2 only named arguments may follow *expression
Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.
* Use right regex to extract ip4/6, mask and ports
* Tests for parse_subnetport
2017-05-07 05:18:13 +02:00
|
|
|
'-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
|
2021-05-27 22:21:42 +02:00
|
|
|
'--set-mark', '0x01', '--dest', u'2404:6800:4004:80c::/64',
|
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges
This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.
When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.
For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.
Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```
Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```
Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```
* Allow subnets to be specified with domain names
Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.
Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>
* Also use getaddrinfo for parsing listen addr:port
* Fixes tests for tunneling a port range
* Updates documentation to include port/port range
Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.
* In Py2 only named arguments may follow *expression
Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.
* Use right regex to extract ip4/6, mask and ports
* Tests for parse_subnetport
2017-05-07 05:18:13 +02:00
|
|
|
'-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
|
2021-05-27 22:21:42 +02:00
|
|
|
'--tproxy-mark', '0x01', '--dest',
|
|
|
|
u'2404:6800:4004:80c::/64',
|
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges
This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.
When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.
For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.
Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```
Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```
Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```
* Allow subnets to be specified with domain names
Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.
Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>
* Also use getaddrinfo for parsing listen addr:port
* Fixes tests for tunneling a port range
* Updates documentation to include port/port range
Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.
* In Py2 only named arguments may follow *expression
Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.
* Use right regex to extract ip4/6, mask and ports
* Tests for parse_subnetport
2017-05-07 05:18:13 +02:00
|
|
|
'-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000',
|
|
|
|
'--on-port', '1024'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
|
2021-05-27 22:21:42 +02:00
|
|
|
'--set-mark', '0x01', '--dest', u'2404:6800:4004:80c::/64',
|
2019-10-12 20:02:33 +02:00
|
|
|
'-m', 'udp', '-p', 'udp', '--dport', '8000:9000'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
|
2021-05-27 22:21:42 +02:00
|
|
|
'--tproxy-mark', '0x01', '--dest',
|
|
|
|
u'2404:6800:4004:80c::/64',
|
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges
This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.
When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.
For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.
Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```
Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```
Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```
* Allow subnets to be specified with domain names
Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.
Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>
* Also use getaddrinfo for parsing listen addr:port
* Fixes tests for tunneling a port range
* Updates documentation to include port/port range
Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.
* In Py2 only named arguments may follow *expression
Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.
* Use right regex to extract ip4/6, mask and ports
* Tests for parse_subnetport
2017-05-07 05:18:13 +02:00
|
|
|
'-m', 'udp', '-p', 'udp', '--dport', '8000:9000',
|
|
|
|
'--on-port', '1024')
|
2015-11-17 06:51:22 +01:00
|
|
|
]
|
|
|
|
mock_ipt_chain_exists.reset_mock()
|
|
|
|
mock_ipt.reset_mock()
|
|
|
|
|
2023-08-04 14:51:03 +02:00
|
|
|
method.restore_firewall(1025, AF_INET6, True, None, None)
|
2015-11-17 06:51:22 +01:00
|
|
|
assert mock_ipt_chain_exists.mock_calls == [
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET6, 'mangle', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET6, 'mangle', 'sshuttle-d-1025')
|
2015-11-17 06:51:22 +01:00
|
|
|
]
|
|
|
|
assert mock_ipt.mock_calls == [
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET6, 'mangle', '-X', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET6, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET6, 'mangle', '-X', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1025'),
|
|
|
|
call(AF_INET6, 'mangle', '-X', 'sshuttle-d-1025')
|
2015-11-17 06:51:22 +01:00
|
|
|
]
|
|
|
|
mock_ipt_chain_exists.reset_mock()
|
|
|
|
mock_ipt.reset_mock()
|
|
|
|
|
|
|
|
# IPV4
|
|
|
|
|
|
|
|
method.setup_firewall(
|
|
|
|
1025, 1027,
|
2017-09-24 14:11:26 +02:00
|
|
|
[(AF_INET, u'1.2.3.33')],
|
|
|
|
AF_INET,
|
|
|
|
[(AF_INET, 24, False, u'1.2.3.0', 0, 0),
|
|
|
|
(AF_INET, 32, True, u'1.2.3.66', 80, 80)],
|
2017-09-08 03:17:37 +02:00
|
|
|
True,
|
2021-01-18 21:28:52 +01:00
|
|
|
None,
|
2023-08-04 14:51:03 +02:00
|
|
|
None,
|
2021-06-01 05:33:55 +02:00
|
|
|
'0x01')
|
2015-11-17 06:51:22 +01:00
|
|
|
assert mock_ipt_chain_exists.mock_calls == [
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET, 'mangle', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET, 'mangle', 'sshuttle-d-1025')
|
2015-11-17 06:51:22 +01:00
|
|
|
]
|
|
|
|
assert mock_ipt.mock_calls == [
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-X', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-X', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-X', 'sshuttle-d-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-N', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-N', 'sshuttle-d-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-N', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-I', 'PREROUTING', '1', '-j',
|
2019-02-10 23:59:13 +01:00
|
|
|
'sshuttle-t-1025'),
|
2023-10-03 01:27:44 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
|
|
|
|
'--set-mark', '0x01', '--dest', u'1.2.3.33/32',
|
|
|
|
'-m', 'udp', '-p', 'udp', '--dport', '53'),
|
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
|
|
|
|
'--tproxy-mark', '0x01', '--dest', u'1.2.3.33/32',
|
|
|
|
'-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1027'),
|
2021-01-03 23:05:32 +01:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
|
|
|
|
'-m', 'addrtype', '--dst-type', 'LOCAL'),
|
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
|
|
|
|
'-m', 'addrtype', '--dst-type', 'LOCAL'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025',
|
2021-05-27 22:21:42 +02:00
|
|
|
'-j', 'MARK', '--set-mark', '0x01'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),
|
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
|
2015-11-17 06:51:22 +01:00
|
|
|
'-j', 'sshuttle-d-1025', '-m', 'tcp', '-p', 'tcp'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
|
2015-11-17 06:51:22 +01:00
|
|
|
'-j', 'sshuttle-d-1025', '-m', 'udp', '-p', 'udp'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
|
2017-11-07 02:20:24 +01:00
|
|
|
'--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp',
|
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges
This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.
When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.
For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.
Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```
Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```
Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```
* Allow subnets to be specified with domain names
Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.
Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>
* Also use getaddrinfo for parsing listen addr:port
* Fixes tests for tunneling a port range
* Updates documentation to include port/port range
Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.
* In Py2 only named arguments may follow *expression
Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.
* Use right regex to extract ip4/6, mask and ports
* Tests for parse_subnetport
2017-05-07 05:18:13 +02:00
|
|
|
'--dport', '80:80'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
|
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges
This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.
When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.
For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.
Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```
Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```
Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```
* Allow subnets to be specified with domain names
Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.
Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>
* Also use getaddrinfo for parsing listen addr:port
* Fixes tests for tunneling a port range
* Updates documentation to include port/port range
Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.
* In Py2 only named arguments may follow *expression
Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.
* Use right regex to extract ip4/6, mask and ports
* Tests for parse_subnetport
2017-05-07 05:18:13 +02:00
|
|
|
'--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp',
|
|
|
|
'--dport', '80:80'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
|
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges
This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.
When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.
For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.
Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```
Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```
Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```
* Allow subnets to be specified with domain names
Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.
Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>
* Also use getaddrinfo for parsing listen addr:port
* Fixes tests for tunneling a port range
* Updates documentation to include port/port range
Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.
* In Py2 only named arguments may follow *expression
Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.
* Use right regex to extract ip4/6, mask and ports
* Tests for parse_subnetport
2017-05-07 05:18:13 +02:00
|
|
|
'--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
|
|
|
|
'--dport', '80:80'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
|
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges
This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.
When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.
For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.
Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```
Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```
Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```
* Allow subnets to be specified with domain names
Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.
Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>
* Also use getaddrinfo for parsing listen addr:port
* Fixes tests for tunneling a port range
* Updates documentation to include port/port range
Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.
* In Py2 only named arguments may follow *expression
Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.
* Use right regex to extract ip4/6, mask and ports
* Tests for parse_subnetport
2017-05-07 05:18:13 +02:00
|
|
|
'--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
|
|
|
|
'--dport', '80:80'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
|
2021-05-27 22:21:42 +02:00
|
|
|
'--set-mark', '0x01', '--dest', u'1.2.3.0/24',
|
2015-11-17 06:51:22 +01:00
|
|
|
'-m', 'tcp', '-p', 'tcp'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
|
2021-05-27 22:21:42 +02:00
|
|
|
'--tproxy-mark', '0x01', '--dest', u'1.2.3.0/24',
|
2015-11-17 06:51:22 +01:00
|
|
|
'-m', 'tcp', '-p', 'tcp', '--on-port', '1025'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
|
2021-05-27 22:21:42 +02:00
|
|
|
'--set-mark', '0x01', '--dest', u'1.2.3.0/24',
|
2015-11-17 06:51:22 +01:00
|
|
|
'-m', 'udp', '-p', 'udp'),
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
|
2021-05-27 22:21:42 +02:00
|
|
|
'--tproxy-mark', '0x01', '--dest', u'1.2.3.0/24',
|
2015-11-17 06:51:22 +01:00
|
|
|
'-m', 'udp', '-p', 'udp', '--on-port', '1025')
|
|
|
|
]
|
|
|
|
mock_ipt_chain_exists.reset_mock()
|
|
|
|
mock_ipt.reset_mock()
|
|
|
|
|
2023-08-04 14:51:03 +02:00
|
|
|
method.restore_firewall(1025, AF_INET, True, None, None)
|
2015-11-17 06:51:22 +01:00
|
|
|
assert mock_ipt_chain_exists.mock_calls == [
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET, 'mangle', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET, 'mangle', 'sshuttle-d-1025')
|
2015-11-17 06:51:22 +01:00
|
|
|
]
|
|
|
|
assert mock_ipt.mock_calls == [
|
2017-09-24 14:11:26 +02:00
|
|
|
call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-X', 'sshuttle-m-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-X', 'sshuttle-t-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
|
|
|
|
call(AF_INET, 'mangle', '-X', 'sshuttle-d-1025')
|
2015-11-17 06:51:22 +01:00
|
|
|
]
|
|
|
|
mock_ipt_chain_exists.reset_mock()
|
|
|
|
mock_ipt.reset_mock()
|