From b1ee4f1d6536d58732ec27a931f03443ff575749 Mon Sep 17 00:00:00 2001
From: JohnHay
Date: Mon, 20 Dec 2021 08:37:15 +0200
Subject: [PATCH 1/8] check-state does not take extra options.
---
 sshuttle/methods/ipfw.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sshuttle/methods/ipfw.py b/sshuttle/methods/ipfw.py
index 8afef51..4aeffeb 100644
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@@ -178,8 +178,7 @@ class Method(BaseMethod):
 if subnets or dnsport:
 sysctl_set('net.inet.ip.fw.enable', 1)
- ipfw('add', '1', 'check-state', 'ip',
- 'from', 'any', 'to', 'any')
+ ipfw('add', '1', 'check-state')
 ipfw('add', '1', 'skipto', '2', 'tcp',
From f65a51bbee25312bbf0a981cbcd3fe8a649cf42f Mon Sep 17 00:00:00 2001
From: JohnHay
Date: Mon, 20 Dec 2021 08:53:34 +0200
Subject: [PATCH 2/8] Add fport and lport (unused) to the for that parse subnets.
Otherwise python is unhappy with "ValueError: too many values to unpack (expected 4)"
---
 sshuttle/methods/ipfw.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sshuttle/methods/ipfw.py b/sshuttle/methods/ipfw.py
index 4aeffeb..d74dc60 100644
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@@ -205,7 +205,7 @@ class Method(BaseMethod):
 if subnets:
 # create new subnet entries
- for _, swidth, sexclude, snet in sorted(subnets,
+ for _, swidth, sexclude, snet, fport, lport in sorted(subnets,
 key=lambda s: s[1],
 reverse=True):
 if sexclude:
From 7c1f2b08cfbe2256e86e79540f263f2667ac2c28 Mon Sep 17 00:00:00 2001
From: JohnHay
Date: Mon, 20 Dec 2021 08:55:38 +0200
Subject: [PATCH 3/8] Indent the else to the same level as its if.
---
 sshuttle/methods/ipfw.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshuttle/methods/ipfw.py b/sshuttle/methods/ipfw.py
index d74dc60..bc91f48 100644
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
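Review bot: In the patch 2/8 hunk the loop now unpacks `fport, lport` from every subnet entry but never reads them: the only effect of an entry is still `ipfw('table', '125'|'126', 'add', '%s/%s' % (snet, swidth))`. If those two fields carry a per-subnet port range, as the names suggest and the commit message's "(unused)" implies, the ipfw method silently redirects or excludes the whole subnet regardless of the ports the user asked for, which is broader than the request. Rather than discarding them, the loop should at least refuse entries whose range is set, e.g. `if fport or lport: raise Fatal('ipfw method does not support port ranges in subnets')` (assuming an unset range is falsy; verify against the parser). The enclosing setup_firewall body starts outside the hunk.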
@@ -210,8 +210,8 @@ class Method(BaseMethod):
 reverse=True):
 if sexclude:
 ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
- else:
- ipfw('table', '126', 'add', '%s/%s' % (snet, swidth))
+ else:
+ ipfw('table', '126', 'add', '%s/%s' % (snet, swidth))
 def restore_firewall(self, port, family, udp, user):
 if family not in [socket.AF_INET]:
From f247853f39e0549f3dee2286a20867e401f3c7e9 Mon Sep 17 00:00:00 2001
From: JohnHay
Date: Mon, 20 Dec 2021 08:58:25 +0200
Subject: [PATCH 4/8] Changed one place where the Exception text was still tproxy to ipfw.
---
 sshuttle/methods/ipfw.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sshuttle/methods/ipfw.py b/sshuttle/methods/ipfw.py
index bc91f48..5d94750 100644
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@@ -216,7 +216,7 @@ class Method(BaseMethod):
 def restore_firewall(self, port, family, udp, user):
 if family not in [socket.AF_INET]:
 raise Exception(
- 'Address family "%s" unsupported by tproxy method'
+ 'Address family "%s" unsupported by ipfw method'
 % family_to_string(family))
 ipfw_noexit('delete', '1')
From 0cfee0ba84ae6a48527b452e7cb868e1cb0e353b Mon Sep 17 00:00:00 2001
From: JohnHay
Date: Mon, 20 Dec 2021 09:20:32 +0200
Subject: [PATCH 5/8] ipfw expects text.
---
 sshuttle/methods/ipfw.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sshuttle/methods/ipfw.py b/sshuttle/methods/ipfw.py
index 5d94750..34adce2 100644
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@@ -186,7 +186,7 @@ class Method(BaseMethod):
 ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port, 'tcp', 'from', 'any', 'to', 'table(126)',
- 'not', 'ipttl', ttl, 'keep-state', 'setup')
+ 'not', 'ipttl', '%d' % ttl, 'keep-state', 'setup')
 ipfw_noexit('table', '124', 'flush')
 dnscount = 0
@@ -197,11 +197,11 @@ class Method(BaseMethod):
 ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport, 'udp', 'from', 'any', 'to', 'table(124)',
- 'not', 'ipttl', ttl)
+ 'not', 'ipttl', '%d' % ttl)
 ipfw('add', '1', 'allow', 'udp', 'from', 'any', 'to', 'any',
- 'ipttl', ttl)
+ 'ipttl', '%d' % ttl)
 if subnets:
 # create new subnet entries
From 2665b67926464cc2371702c287ac6a5d6657c221 Mon Sep 17 00:00:00 2001
From: JohnHay
Date: Mon, 20 Dec 2021 11:52:09 +0200
Subject: [PATCH 6/8] Remove the ttl hack to allow the host and server to run on the same machine from the ipfw method.
---
 sshuttle/methods/ipfw.py | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/sshuttle/methods/ipfw.py b/sshuttle/methods/ipfw.py
index 34adce2..e650200 100644
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@@ -27,16 +27,17 @@ def recv_udp(listener, bufsize):
 def ipfw_rule_exists(n):
- argv = ['ipfw', 'list']
+ argv = ['ipfw', 'list', '%d' % n]
 p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())
 found = False
 for line in p.stdout:
 if line.startswith(b'%05d ' % n):
- if not ('ipttl 63' in line or 'check-state' in line):
+ if not 'check-state :sshuttle' in line:
 log('non-sshuttle ipfw rule: %r' % line.strip())
 raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
 found = True
+ break
 rv = p.wait()
 if rv:
 raise Fatal('%r returned %d' % (argv, rv))
@@ -156,11 +157,6 @@ class Method(BaseMethod):
 def setup_firewall(self, port, dnsport, nslist, family, subnets, udp, user, tmark):
- # TODO: The ttl hack to allow the host and server to run on
- # the same machine has been removed but this method hasn't
- # been updated yet.
- ttl = 63
 # IPv6 not supported
 if family not in [socket.AF_INET]:
 raise Exception(
@@ -178,7 +174,7 @@ class Method(BaseMethod):
 if subnets or dnsport:
 sysctl_set('net.inet.ip.fw.enable', 1)
- ipfw('add', '1', 'check-state')
+ ipfw('add', '1', 'check-state', ':sshuttle')
 ipfw('add', '1', 'skipto', '2', 'tcp',
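Review bot: In the ipfw_rule_exists hunk of patch 6/8 the new test `if not 'check-state :sshuttle' in line:` compares a str against `line`, which is bytes: `p.stdout` comes from a Popen with no text mode and the line above already treats it as bytes with `line.startswith(b'%05d ' % n)`, so on Python 3 this raises TypeError on the first matching rule instead of recognising sshuttle's own rule. It should be a bytes literal, `if b'check-state :sshuttle' not in line:`. Separately, `argv = ['ipfw', 'list', '%d' % n]` changes the no-rule case: if `ipfw list N` exits non-zero when rule N is absent (I believe it does on FreeBSD), the following `if rv: raise Fatal('%r returned %d' % (argv, rv))` turns "rule does not exist" into a fatal error rather than letting the function report `found = False`, so the exit status should be tolerated when nothing was printed or the code should go back to listing the whole ruleset. The function's return is outside the hunk.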
@@ -186,7 +182,7 @@ class Method(BaseMethod):
 ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port, 'tcp', 'from', 'any', 'to', 'table(126)',
- 'not', 'ipttl', '%d' % ttl, 'keep-state', 'setup')
+ 'setup', 'keep-state', ':sshuttle')
 ipfw_noexit('table', '124', 'flush')
 dnscount = 0
@@ -197,11 +193,10 @@ class Method(BaseMethod):
 ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport, 'udp', 'from', 'any', 'to', 'table(124)',
- 'not', 'ipttl', '%d' % ttl)
+ 'keep-state', ':sshuttle')
 ipfw('add', '1', 'allow', 'udp',
- 'from', 'any', 'to', 'any',
- 'ipttl', '%d' % ttl)
+ 'from', 'any', 'to', 'any')
 if subnets:
 # create new subnet entries
From e6f076e1a5d1d4d452ea44eeabfaee8ff528b8ad Mon Sep 17 00:00:00 2001
From: JohnHay
Date: Tue, 21 Dec 2021 16:12:11 +0200
Subject: [PATCH 7/8] Make flake8 happy.
---
 sshuttle/methods/ipfw.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sshuttle/methods/ipfw.py b/sshuttle/methods/ipfw.py
index e650200..090b2ed 100644
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@@ -33,7 +33,7 @@ def ipfw_rule_exists(n):
 found = False
 for line in p.stdout:
 if line.startswith(b'%05d ' % n):
- if not 'check-state :sshuttle' in line:
+ if 'check-state :sshuttle' not in line:
 log('non-sshuttle ipfw rule: %r' % line.strip())
 raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
 found = True
@@ -201,8 +201,8 @@ class Method(BaseMethod):
 if subnets:
 # create new subnet entries
 for _, swidth, sexclude, snet, fport, lport in sorted(subnets,
- key=lambda s: s[1],
- reverse=True):
+ key=lambda s: s[1],
+ reverse=True):
 if sexclude:
 ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
 else:
From 922d827948d73572feeed054c9c2b23470910a07 Mon Sep 17 00:00:00 2001
From: JohnHay
Date: Wed, 22 Dec 2021 06:04:25 +0200
Subject: [PATCH 8/8] Flake8 does not like if we go over 79 characters on a line.
---
 sshuttle/methods/ipfw.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
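Review bot: In the second hunk of patch 6/8 the rule built by `ipfw('add', '1', 'allow', 'udp', 'from', 'any', 'to', 'any')` has lost its only qualifier: with `'ipttl', '%d' % ttl` removed it is an unconditional allow for every UDP packet, regardless of direction, installed as rule 1 and therefore evaluated ahead of everything else in the host's ruleset, so while sshuttle runs with DNS forwarding the user's own UDP filtering is bypassed. The old ttl match is what kept this rule narrow; the `'keep-state', ':sshuttle'` just added to the DNS fwd rule, together with the `check-state :sshuttle` rule 1 from the earlier hunk, should already pass the state-matched traffic, so the blanket allow looks unnecessary. If it is still needed for some case, scope it to that case (for example to the DNS port on 127.0.0.1) instead of `from any to any`, and say why in a comment. The `if`/loop guarding these DNS rules starts outside the hunk, so I cannot tell whether the rule is only installed when dnsport is set.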
diff --git a/sshuttle/methods/ipfw.py b/sshuttle/methods/ipfw.py
index 090b2ed..1a31e02 100644
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@@ -200,9 +200,8 @@ class Method(BaseMethod):
 if subnets:
 # create new subnet entries
- for _, swidth, sexclude, snet, fport, lport in sorted(subnets,
- key=lambda s: s[1],
- reverse=True):
+ for _, swidth, sexclude, snet, fport, lport \
+ in sorted(subnets, key=lambda s: s[1], reverse=True):
 if sexclude:
 ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
 else: