firewall: Allow overriding the TTL

In instances where a cluster pod in a local VM needs to access a server that is sshuttle'd from the host, since the packets arriving at the host already made a hop, their TTL is 63 and so get ignored by sshuttle. Allowing an override of the firewall TTL rule allows the packets to go through.
2025-08-12 01:09:19 +02:00 · 2021-01-18 15:28:52 -05:00
parent 0e51da519f
commit 167a57e739
15 changed files with 77 additions and 48 deletions
--- a/tests/client/test_methods_tproxy.py
+++ b/tests/client/test_methods_tproxy.py
@ -108,7 +108,8 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        True,
-        None)
+        None,
+        63)
    assert mock_ipt_chain_exists.mock_calls == [
        call(AF_INET6, 'mangle', 'sshuttle-m-1024'),
        call(AF_INET6, 'mangle', 'sshuttle-t-1024'),
@ -212,7 +213,8 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        True,
-        None)
+        None,
+        63)
    assert mock_ipt_chain_exists.mock_calls == [
        call(AF_INET, 'mangle', 'sshuttle-m-1025'),
        call(AF_INET, 'mangle', 'sshuttle-t-1025'),