Merge pull request #705 from JohnHay/ipfw

Make ipfw method work
Brian May 2021-12-24 10:10:02 +11:00 committed by GitHub
commit 354cbe6071
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -27,16 +27,17 @@ def recv_udp(listener, bufsize):
def ipfw_rule_exists(n): def ipfw_rule_exists(n):
argv = ['ipfw', 'list'] argv = ['ipfw', 'list', '%d' % n]
p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env()) p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())
found = False found = False
for line in p.stdout: for line in p.stdout:
if line.startswith(b'%05d ' % n): if line.startswith(b'%05d ' % n):
if not ('ipttl 63' in line or 'check-state' in line): if 'check-state :sshuttle' not in line:
log('non-sshuttle ipfw rule: %r' % line.strip()) log('non-sshuttle ipfw rule: %r' % line.strip())
raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n) raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
found = True found = True
break
rv = p.wait() rv = p.wait()
if rv: if rv:
raise Fatal('%r returned %d' % (argv, rv)) raise Fatal('%r returned %d' % (argv, rv))
@ -156,11 +157,6 @@ class Method(BaseMethod):
def setup_firewall(self, port, dnsport, nslist, family, subnets, udp, def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
user, tmark): user, tmark):
# TODO: The ttl hack to allow the host and server to run on
# the same machine has been removed but this method hasn't
# been updated yet.
ttl = 63
# IPv6 not supported # IPv6 not supported
if family not in [socket.AF_INET]: if family not in [socket.AF_INET]:
raise Exception( raise Exception(
@ -178,8 +174,7 @@ class Method(BaseMethod):
if subnets or dnsport: if subnets or dnsport:
sysctl_set('net.inet.ip.fw.enable', 1) sysctl_set('net.inet.ip.fw.enable', 1)
ipfw('add', '1', 'check-state', 'ip', ipfw('add', '1', 'check-state', ':sshuttle')
'from', 'any', 'to', 'any')
ipfw('add', '1', 'skipto', '2', ipfw('add', '1', 'skipto', '2',
'tcp', 'tcp',
@ -187,7 +182,7 @@ class Method(BaseMethod):
ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port, ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
'tcp', 'tcp',
'from', 'any', 'to', 'table(126)', 'from', 'any', 'to', 'table(126)',
'not', 'ipttl', ttl, 'keep-state', 'setup') 'setup', 'keep-state', ':sshuttle')
ipfw_noexit('table', '124', 'flush') ipfw_noexit('table', '124', 'flush')
dnscount = 0 dnscount = 0
@ -198,17 +193,15 @@ class Method(BaseMethod):
ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport, ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
'udp', 'udp',
'from', 'any', 'to', 'table(124)', 'from', 'any', 'to', 'table(124)',
'not', 'ipttl', ttl) 'keep-state', ':sshuttle')
ipfw('add', '1', 'allow', ipfw('add', '1', 'allow',
'udp', 'udp',
'from', 'any', 'to', 'any', 'from', 'any', 'to', 'any')
'ipttl', ttl)
if subnets: if subnets:
# create new subnet entries # create new subnet entries
for _, swidth, sexclude, snet in sorted(subnets, for _, swidth, sexclude, snet, fport, lport \
key=lambda s: s[1], in sorted(subnets, key=lambda s: s[1], reverse=True):
reverse=True):
if sexclude: if sexclude:
ipfw('table', '125', 'add', '%s/%s' % (snet, swidth)) ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
else: else:
@ -217,7 +210,7 @@ class Method(BaseMethod):
def restore_firewall(self, port, family, udp, user): def restore_firewall(self, port, family, udp, user):
if family not in [socket.AF_INET]: if family not in [socket.AF_INET]:
raise Exception( raise Exception(
'Address family "%s" unsupported by tproxy method' 'Address family "%s" unsupported by ipfw method'
% family_to_string(family)) % family_to_string(family))
ipfw_noexit('delete', '1') ipfw_noexit('delete', '1')
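Review bot: In ipfw_rule_exists, the rewritten `if 'check-state :sshuttle' not in line:` tests a str against a bytes line — p.stdout is read in binary mode here, as the `b'%05d '` prefix test on the line above shows — so on Python 3 the membership test raises TypeError as soon as a rule numbered n is listed and `found` is never set; the literal should be `b'check-state :sshuttle'`. The `break` added after `found = True` also means only the first rule-n line is inspected, so the check depends on the `check-state` entry having been added before the fwd entries of the same number, which deserves a comment such as `# rule 1 holds several entries; only the first is checked, and check-state is added first`. In setup_firewall (the fifth hunk), dropping `'ipttl', ttl` from the `allow udp from any to any` entry turns it into an unconditional allow at rule number 1, which ipfw evaluates ahead of every other rule on the host while sshuttle runs; unless the remainder of setup_firewall, outside the hunk, narrows it, consider scoping it to the DNS forwarder's replies (source 127.0.0.1 and dnsport) or dropping it if the keep-state/check-state pair now carries that return traffic. The body of ipfw_rule_exists continues past the first hunk.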