tproxy: Skip firewall chains if packets have local destination. (#578)

If you use the tproxy method with a large subnet (such as 0/0), then
(1) you may not receive UDP packets that sshuttle/tproxy can handle
and (2) you are unable to connect to your machine using an IP that
your computer recognizes as its own.

To resolve those issues, any traffic to an IP that the host knows is
local, does not go through the sshuttle chains.

tests/client/test_methods_tproxy.py

@@ -133,6 +133,10 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
         call(AF_INET6, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
         call(AF_INET6, 'mangle', '-I', 'PREROUTING', '1', '-j',
              'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
         call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
              '--set-mark', '1'),
         call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
@@ -233,6 +237,10 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
         call(AF_INET, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
         call(AF_INET, 'mangle', '-I', 'PREROUTING', '1', '-j',
              'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
         call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025',
              '-j', 'MARK', '--set-mark', '1'),
         call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),