Load pf kernel module when enabling pf

When the pf module is not loaded our calls to pfctl will fail with unhelpful messages. This change spares the user the pain of decrypting those messages and manually enabling pf. It also keeps track if pf was loaded by sshuttle and unloads on exit if that was the case. Also fixed the case where both ipv4 and ipv6 anchors were added by sshuttle but the first call of disable would disable pf before the second call had the chance of cleaning it's anchor.
2025-01-18 20:08:14 +01:00 · 2017-10-19 00:48:08 +00:00 · 2017-10-19 00:48:08 +00:00 · 3635cc17ad
commit 3635cc17ad
parent ae13316e83
1 changed files with 20 additions and 4 deletions
--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@ -14,7 +14,11 @@ from sshuttle.helpers import debug1, debug2, debug3, Fatal, family_to_string
 from sshuttle.methods import BaseMethod


-_pf_context = {'started_by_sshuttle': False, 'Xtoken': []}
+_pf_context = {
+    'started_by_sshuttle': 0,
+    'loaded_by_sshuttle': True,
+    'Xtoken': []
+}
 _pf_fd = None


@ -60,13 +64,13 @@ class Generic(object):
    def enable(self):
        if b'INFO:\nStatus: Disabled' in self.status:
            pfctl('-e')
-            _pf_context['started_by_sshuttle'] = True
+            _pf_context['started_by_sshuttle'] += 1

    def disable(self, anchor):
        pfctl('-a %s -F all' % anchor)
-        if _pf_context['started_by_sshuttle']:
+        if _pf_context['started_by_sshuttle'] == 1:
            pfctl('-d')
-            _pf_context['started_by_sshuttle'] = False
+        _pf_context['started_by_sshuttle'] -= 1

    def query_nat(self, family, proto, src_ip, src_port, dst_ip, dst_port):
        [proto, family, src_port, dst_port] = [
@ -168,6 +172,18 @@ class FreeBsd(Generic):
    def __init__(self):
        super(FreeBsd, self).__init__()

+    def enable(self):
+        returncode = ssubprocess.call(['kldload', 'pf'])
+        super(FreeBsd, self).enable()
+        if returncode == 0:
+            _pf_context['loaded_by_sshuttle'] = True
+
+    def disable(self, anchor):
+        super(FreeBsd, self).disable(anchor)
+        if _pf_context['loaded_by_sshuttle'] and \
+                _pf_context['started_by_sshuttle'] == 0:
+            ssubprocess.call(['kldunload', 'pf'])
+
    def add_anchors(self, anchor):
        status = pfctl('-s all')[0]
        if ('\nrdr-anchor "%s"' % anchor).encode('ASCII') not in status: