mirror of
https://github.com/sshuttle/sshuttle.git
synced 2025-01-22 05:49:09 +01:00
Don't redirect excluded subsets of included subnets
parent
e127aab776
commit
3a73520310
@ -490,16 +490,16 @@ def do_pf(port, dnsport, family, subnets, udp):
|
|||||||
filtering_rules = []
|
filtering_rules = []
|
||||||
|
|
||||||
if subnets:
|
if subnets:
|
||||||
include_subnets = filter(lambda s:not s[2], sorted(subnets, reverse=True))
|
includes=[]
|
||||||
if include_subnets:
|
# If a given subnet is both included and excluded, list the exclusion
|
||||||
tables.append('table <include_subnets> {%s}' % ','.join(["%s/%s" % (n[3], n[1]) for n in include_subnets]))
|
# first; the table will ignore the second, opposite definition
|
||||||
translating_rules.append('rdr pass on lo0 proto tcp to <include_subnets> -> 127.0.0.1 port %r' % port)
|
for f, swidth, sexclude, snet \
|
||||||
filtering_rules.append('pass out route-to lo0 inet proto tcp to <include_subnets> keep state')
|
in sorted(subnets, key=lambda s: (s[1], s[2]), reverse=True):
|
||||||
|
includes.append("%s%s/%s" % ("!" if sexclude else "", snet, swidth))
|
||||||
|
|
||||||
exclude_subnets = filter(lambda s:s[2], sorted(subnets, reverse=True))
|
tables.append('table <forward_subnets> {%s}' % ','.join(includes))
|
||||||
if exclude_subnets:
|
translating_rules.append('rdr pass on lo0 proto tcp to <forward_subnets> -> 127.0.0.1 port %r' % port)
|
||||||
tables.append('table <exclude_subnets> {%s}' % ','.join(["%s/%s" % (n[3], n[1]) for n in exclude_subnets]))
|
filtering_rules.append('pass out route-to lo0 inet proto tcp to <forward_subnets> keep state')
|
||||||
filtering_rules.append('pass out quick proto tcp from any to <exclude_subnets> keep state')
|
|
||||||
|
|
||||||
if dnsport:
|
if dnsport:
|
||||||
nslist = resolvconf_nameservers()
|
nslist = resolvconf_nameservers()
|
||||||
|
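Review bot: The tie-break in the `sorted(subnets, key=lambda s: (s[1], s[2]), reverse=True)` loop makes the exclusion win when the same network and width is listed as both included and excluded, and it relies on the table loader discarding the later, opposite entry, which nothing in this hunk verifies. The effect is that traffic to that network is no longer redirected to the proxy port, so I would not leave the outcome to how pf treats a conflicting definition. Track the `(snet, swidth)` pairs already emitted in a `seen` set, skip repeats with `if (snet, swidth) in seen: continue`, and log the dropped entry so the user can see which rule won. Separately, the unpacked `f` is never used and the filter rule is still hard-coded to `inet`, so it is worth confirming that only IPv4 entries reach `<forward_subnets>`. The body of do_pf starts and ends outside the hunk.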