commit
354cbe6071
@ -27,16 +27,17 @@ def recv_udp(listener, bufsize):
|
|||||||
|
|
||||||
|
|
||||||
def ipfw_rule_exists(n):
|
def ipfw_rule_exists(n):
|
||||||
argv = ['ipfw', 'list']
|
argv = ['ipfw', 'list', '%d' % n]
|
||||||
p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())
|
p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())
|
||||||
|
|
||||||
found = False
|
found = False
|
||||||
for line in p.stdout:
|
for line in p.stdout:
|
||||||
if line.startswith(b'%05d ' % n):
|
if line.startswith(b'%05d ' % n):
|
||||||
if not ('ipttl 63' in line or 'check-state' in line):
|
if 'check-state :sshuttle' not in line:
|
||||||
log('non-sshuttle ipfw rule: %r' % line.strip())
|
log('non-sshuttle ipfw rule: %r' % line.strip())
|
||||||
raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
|
raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
|
||||||
found = True
|
found = True
|
||||||
|
break
|
||||||
rv = p.wait()
|
rv = p.wait()
|
||||||
if rv:
|
if rv:
|
||||||
raise Fatal('%r returned %d' % (argv, rv))
|
raise Fatal('%r returned %d' % (argv, rv))
|
||||||
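Review bot: The new membership test in ipfw_rule_exists compares a str against a bytes line: the same loop checks `line.startswith(b'%05d ' % n)`, so `p.stdout` yields bytes, and `'check-state :sshuttle' not in line` raises TypeError on Python 3 instead of classifying the rule (the old `'ipttl 63' in line` had the same mismatch, so the non-sshuttle-rule check has likely never run as intended). The fix is `if b'check-state :sshuttle' not in line:`. The function continues past the hunk (the return of `found` presumably follows `p.wait()`), and the added `break` leaves the pipe only partially drained, which is harmless for the now-narrowed `ipfw list N` output but worth a one-line comment. In the setup_firewall hunk at -198,26, `fport` and `lport` are unpacked from each subnet but never used in the visible loop body, so a port-restricted subnet is added to table 125/126 as the whole prefix; a comment such as `# port ranges are not supported by the ipfw method; the whole subnet is redirected`, or a Fatal when fport/lport are set, would make that explicit.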
@ -156,11 +157,6 @@ class Method(BaseMethod):
|
|||||||
|
|
||||||
def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
|
def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
|
||||||
user, tmark):
|
user, tmark):
|
||||||
# TODO: The ttl hack to allow the host and server to run on
|
|
||||||
# the same machine has been removed but this method hasn't
|
|
||||||
# been updated yet.
|
|
||||||
ttl = 63
|
|
||||||
|
|
||||||
# IPv6 not supported
|
# IPv6 not supported
|
||||||
if family not in [socket.AF_INET]:
|
if family not in [socket.AF_INET]:
|
||||||
raise Exception(
|
raise Exception(
|
||||||
@ -178,8 +174,7 @@ class Method(BaseMethod):
|
|||||||
if subnets or dnsport:
|
if subnets or dnsport:
|
||||||
sysctl_set('net.inet.ip.fw.enable', 1)
|
sysctl_set('net.inet.ip.fw.enable', 1)
|
||||||
|
|
||||||
ipfw('add', '1', 'check-state', 'ip',
|
ipfw('add', '1', 'check-state', ':sshuttle')
|
||||||
'from', 'any', 'to', 'any')
|
|
||||||
|
|
||||||
ipfw('add', '1', 'skipto', '2',
|
ipfw('add', '1', 'skipto', '2',
|
||||||
'tcp',
|
'tcp',
|
||||||
@ -187,7 +182,7 @@ class Method(BaseMethod):
|
|||||||
ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
|
ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
|
||||||
'tcp',
|
'tcp',
|
||||||
'from', 'any', 'to', 'table(126)',
|
'from', 'any', 'to', 'table(126)',
|
||||||
'not', 'ipttl', ttl, 'keep-state', 'setup')
|
'setup', 'keep-state', ':sshuttle')
|
||||||
|
|
||||||
ipfw_noexit('table', '124', 'flush')
|
ipfw_noexit('table', '124', 'flush')
|
||||||
dnscount = 0
|
dnscount = 0
|
||||||
@ -198,26 +193,24 @@ class Method(BaseMethod):
|
|||||||
ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
|
ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
|
||||||
'udp',
|
'udp',
|
||||||
'from', 'any', 'to', 'table(124)',
|
'from', 'any', 'to', 'table(124)',
|
||||||
'not', 'ipttl', ttl)
|
'keep-state', ':sshuttle')
|
||||||
ipfw('add', '1', 'allow',
|
ipfw('add', '1', 'allow',
|
||||||
'udp',
|
'udp',
|
||||||
'from', 'any', 'to', 'any',
|
'from', 'any', 'to', 'any')
|
||||||
'ipttl', ttl)
|
|
||||||
|
|
||||||
if subnets:
|
if subnets:
|
||||||
# create new subnet entries
|
# create new subnet entries
|
||||||
for _, swidth, sexclude, snet in sorted(subnets,
|
for _, swidth, sexclude, snet, fport, lport \
|
||||||
key=lambda s: s[1],
|
in sorted(subnets, key=lambda s: s[1], reverse=True):
|
||||||
reverse=True):
|
|
||||||
if sexclude:
|
if sexclude:
|
||||||
ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
|
ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
|
||||||
else:
|
else:
|
||||||
ipfw('table', '126', 'add', '%s/%s' % (snet, swidth))
|
ipfw('table', '126', 'add', '%s/%s' % (snet, swidth))
|
||||||
|
|
||||||
def restore_firewall(self, port, family, udp, user):
|
def restore_firewall(self, port, family, udp, user):
|
||||||
if family not in [socket.AF_INET]:
|
if family not in [socket.AF_INET]:
|
||||||
raise Exception(
|
raise Exception(
|
||||||
'Address family "%s" unsupported by tproxy method'
|
'Address family "%s" unsupported by ipfw method'
|
||||||
% family_to_string(family))
|
% family_to_string(family))
|
||||||
|
|
||||||
ipfw_noexit('delete', '1')
|
ipfw_noexit('delete', '1')
|
||||||
|