From 8b4466b802ff3fb19b80f5d594a188c4638b32d6 Mon Sep 17 00:00:00 2001
From: Avery Pennarun <apenwarr@gmail.com>
Date: Fri, 1 Oct 2010 00:00:45 -0700
Subject: [PATCH] BSD ipfw: switch from 'established' to
 'keep-state/check-state'.

It turns out 'established' doesn't work the way I expected it to from
iptables; it's not stateful.  It just checks the TCP flags to see if the
connection *thinks* it's already established, and follows the rule if so.
That caused the first packet of each new connection to set sent to our
transproxy, but not the subsequent ones, so weird stuff happened.

With this change, any (matching) connection created *after* starting sshuttle
will get forwarded, but pre-existing ones - most importantly, sshuttle's own
ssh connection - will not.

And with this (plus the previous commit), sshuttle works on MacOS, including
10.6!
---
 firewall.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/firewall.py b/firewall.py
index b7110e0..8f57504 100644
--- a/firewall.py
+++ b/firewall.py
@@ -65,14 +65,19 @@ def do_iptables(port, subnets):
 def ipfw_rule_exists(n):
     argv = ['ipfw', 'list']
     p = subprocess.Popen(argv, stdout = subprocess.PIPE)
+    found = False
     for line in p.stdout:
         if line.startswith('%05d ' % n):
-            if line.find('ipttl 42') < 0 and line.find('established') < 0:
+            if not ('ipttl 42 setup keep-state' in line
+                    or ('skipto %d' % (n+1)) in line
+                    or 'check-state' in line):
+                log('non-sshuttle ipfw rule: %r\n' % line.strip())
                 raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
-            return True
+            found = True
     rv = p.wait()
     if rv:
         raise Fatal('%r returned %d' % (argv, rv))
+    return found
 
 
 def sysctl_get(name):
@@ -127,8 +132,8 @@ def do_ipfw(port, subnets):
         sysctl_set('net.inet.ip.forwarding', 1)
         sysctl_set('net.inet.ip.scopedroute', 0)
 
-        ipfw('add', sport, 'accept', 'ip',
-             'from', 'any', 'to', 'any', 'established')
+        ipfw('add', sport, 'check-state', 'ip',
+             'from', 'any', 'to', 'any')
         
         # create new subnet entries
         for swidth,sexclude,snet in sorted(subnets, reverse=True):
@@ -140,7 +145,7 @@ def do_ipfw(port, subnets):
                 ipfw('add', sport, 'fwd', '127.0.0.1,%d' % port,
                      'log', 'tcp',
                      'from', 'any', 'to', '%s/%s' % (snet,swidth),
-                     'not', 'ipttl', '42')
+                     'not', 'ipttl', '42', 'keep-state', 'setup')
 
 
 def program_exists(name):