Override the skip on lo that ends up in the chain

In some cases (see #43) it seems that some network configurations may end up setting a skip on lo. As sshuttle adds rules that rely on filtering/translating packets on lo, this causes problem. This fix overrides the skip and makes the rules be applied again. Should fix at least some of the problems reported on #43.
2025-01-11 16:38:15 +01:00 · 2016-03-02 00:06:31 +00:00 · 2016-03-02 00:06:31 +00:00 · fae4cb1dbf
commit fae4cb1dbf
parent 7d8309ef05
2 changed files with 8 additions and 0 deletions
--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@ -235,6 +235,13 @@ class Darwin(FreeBsd):
        if _pf_context['Xtoken'] is not None:
            pfctl('-X %s' % _pf_context['Xtoken'].decode("ASCII"))

+    def add_anchors(self):
+        # before adding anchors and rules we must override the skip lo
+        # that in some cases ends up in the chain so the rules we will add,
+        # which rely on translating/filtering  packets on lo, can work
+        pfctl('-f /dev/stdin', b'pass on lo\n')
+        super(Darwin, self).add_anchors()
+
    def _add_natlook_ports(self, pnl, src_port, dst_port):
        pnl.sxport.port = socket.htons(src_port)
        pnl.dxport.port = socket.htons(dst_port)
--- a/sshuttle/tests/test_methods_pf.py
+++ b/sshuttle/tests/test_methods_pf.py
@ -192,6 +192,7 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
    ]
    assert mock_pfctl.mock_calls == [
+        call('-f /dev/stdin', 'pass on lo\n'),
        call('-s all'),
        call('-a sshuttle -f /dev/stdin',
             b'table <forward_subnets> {!1.2.3.66/32,1.2.3.0/24}\n'