extern/sshuttle
1
1
Fork 0
mirror of https://github.com/sshuttle/sshuttle.git synced 2024-11-22 16:03:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #490 from erikselin/42-is-not-the-answer

Browse Source 
Douglas Adams and Deep Thought was wrong, 42 is not the answer
This commit is contained in:
Brian May 2020-07-17 11:09:04 +10:00 committed by GitHub
commit f353701f24
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sshuttle/linux.py
View File

@ -71,10 +71,10 @@ def ipt_ttl(family, *args):
global _no_ttl_module global _no_ttl_module
if not _no_ttl_module: if not _no_ttl_module:
# we avoid infinite loops by generating server-side connections # we avoid infinite loops by generating server-side connections
# with ttl 42. This makes the client side not recapture those # with ttl 63. This makes the client side not recapture those
# connections, in case client == server. # connections, in case client == server.
try: try:
argsplus = list(args) + ['-m', 'ttl', '!', '--ttl', '42'] argsplus = list(args) + ['-m', 'ttl', '!', '--ttl', '63']
ipt(family, *argsplus) ipt(family, *argsplus)
except Fatal: except Fatal:
ipt(family, *args) ipt(family, *args)

10
sshuttle/methods/ipfw.py
View File

@ -70,7 +70,7 @@ def ipfw_rule_exists(n):
found = False found = False
for line in p.stdout: for line in p.stdout:
if line.startswith(b'%05d ' % n): if line.startswith(b'%05d ' % n):
if not ('ipttl 42' in line or 'check-state' in line): if not ('ipttl 63' in line or 'check-state' in line):
log('non-sshuttle ipfw rule: %r\n' % line.strip()) log('non-sshuttle ipfw rule: %r\n' % line.strip())
raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n) raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
found = True found = True
@ -185,7 +185,7 @@ class Method(BaseMethod):
sender.setsockopt(socket.SOL_IP, IP_BINDANY, 1) sender.setsockopt(socket.SOL_IP, IP_BINDANY, 1)
sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
sender.setsockopt(socket.SOL_IP, socket.IP_TTL, 42) sender.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
sender.bind(srcip) sender.bind(srcip)
sender.sendto(data, dstip) sender.sendto(data, dstip)
sender.close() sender.close()
@ -224,7 +224,7 @@ class Method(BaseMethod):
ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port, ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
'tcp', 'tcp',
'from', 'any', 'to', 'table(126)', 'from', 'any', 'to', 'table(126)',
'not', 'ipttl', '42', 'keep-state', 'setup') 'not', 'ipttl', '63', 'keep-state', 'setup')
ipfw_noexit('table', '124', 'flush') ipfw_noexit('table', '124', 'flush')
dnscount = 0 dnscount = 0
@ -235,11 +235,11 @@ class Method(BaseMethod):
ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport, ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
'udp', 'udp',
'from', 'any', 'to', 'table(124)', 'from', 'any', 'to', 'table(124)',
'not', 'ipttl', '42') 'not', 'ipttl', '63')
ipfw('add', '1', 'allow', ipfw('add', '1', 'allow',
'udp', 'udp',
'from', 'any', 'to', 'any', 'from', 'any', 'to', 'any',
'ipttl', '42') 'ipttl', '63')
if subnets: if subnets:
# create new subnet entries # create new subnet entries

6
sshuttle/methods/nft.py
View File

@ -50,17 +50,17 @@ class Method(BaseMethod):
'ip daddr %s/%s' % (snet, swidth), 'return'))) 'ip daddr %s/%s' % (snet, swidth), 'return')))
else: else:
_nft('add rule', chain, *(tcp_ports + ( _nft('add rule', chain, *(tcp_ports + (
'ip daddr %s/%s' % (snet, swidth), 'ip ttl != 42', 'ip daddr %s/%s' % (snet, swidth), 'ip ttl != 63',
('redirect to :' + str(port))))) ('redirect to :' + str(port)))))
for _, ip in [i for i in nslist if i[0] == family]: for _, ip in [i for i in nslist if i[0] == family]:
if family == socket.AF_INET: if family == socket.AF_INET:
_nft('add rule', chain, 'ip protocol udp ip daddr %s' % ip, _nft('add rule', chain, 'ip protocol udp ip daddr %s' % ip,
'udp dport { 53 }', 'ip ttl != 42', 'udp dport { 53 }', 'ip ttl != 63',
('redirect to :' + str(dnsport))) ('redirect to :' + str(dnsport)))
elif family == socket.AF_INET6: elif family == socket.AF_INET6:
_nft('add rule', chain, 'ip6 protocol udp ip6 daddr %s' % ip, _nft('add rule', chain, 'ip6 protocol udp ip6 daddr %s' % ip,
'udp dport { 53 }', 'ip ttl != 42', 'udp dport { 53 }', 'ip ttl != 63',
('redirect to :' + str(dnsport))) ('redirect to :' + str(dnsport)))
def restore_firewall(self, port, family, udp, user): def restore_firewall(self, port, family, udp, user):

4
sshuttle/server.py
View File

@ -195,7 +195,7 @@ class DnsProxy(Handler):
family, sockaddr = self._addrinfo(peer, port) family, sockaddr = self._addrinfo(peer, port)
sock = socket.socket(family, socket.SOCK_DGRAM) sock = socket.socket(family, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42) sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
sock.connect(sockaddr) sock.connect(sockaddr)
self.peers[sock] = peer self.peers[sock] = peer
@ -252,7 +252,7 @@ class UdpProxy(Handler):
self.chan = chan self.chan = chan
self.sock = sock self.sock = sock
if family == socket.AF_INET: if family == socket.AF_INET:
self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42) self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
def send(self, dstip, data): def send(self, dstip, data):
debug2('UDP: sending to %r port %d\n' % dstip) debug2('UDP: sending to %r port %d\n' % dstip)

2
sshuttle/ssnet.py
View File

@ -570,7 +570,7 @@ class MuxWrapper(SockWrapper):
def connect_dst(family, ip, port): def connect_dst(family, ip, port):
debug2('Connecting to %s:%d\n' % (ip, port)) debug2('Connecting to %s:%d\n' % (ip, port))
outsock = socket.socket(family) outsock = socket.socket(family)
outsock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42) outsock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
return SockWrapper(outsock, outsock, return SockWrapper(outsock, outsock,
connect_to=(ip, port), connect_to=(ip, port),
peername='%s:%d' % (ip, port)) peername='%s:%d' % (ip, port))