First, check if TTL indicates we should ignore packet (instead of
checking in multiple rules later). Also, nft method didn't do this at
all. Now, nft matches the behavior of nat.
Second, forward DNS traffic (we may need to intercept traffic to
localhost if a DNS server is running on localhost).
Third, ignore any local traffic packets. (Previously, we ignored local
traffic except DNS and then had the DNS rules). The nft method didn't
do this previously at all. It now matches the behavior of nat.
Lastly, list the subnets to redirect and/or exclude. This step is left
unchanged. Excluding the local port that we are listening on is
redundant with the third step, but should cause no harm.
In summary, this ordering simplifies the rules in nat and eliminates
differences that previously existed between nat and nft.
Use 'c' prefix for client, 's' prefix for server, and 'fw' prefix for
firewall messages. The 'c' and 's' prefixes were used sometimes but
not consistently. The firewall printed messages prefixed with
"firewall manager:" or "firewall:" or ">>" previously.
This patch also fixes a couple of print() calls that should have been
debug1()---a bug introduced in a recent commit.
Without this patch, sshuttle 'restores' /etc/hosts even if it didn't
make any modifications to it. This can be confirmed by running without
--auto-hosts and confirming that the modification time of /etc/hosts
is unchanged while sshuttle is running, but is updated when sshuttle
exits (and a debug2() message is printed indicating the file is
written).
I'm not aware of the previous behavior causing problems. However,
writing an important file unnecessarily as root should be avoided.
Pull request #502 made -r/--remote required. However, the
documentation still indicates that using no remote is a valid way to
test sshuttle (see Examples section of man page). I think this mode
might be useful for testing performance local without ssh, local with
ssh, and remote with ssh.
This patch adds a warning when -r/--remote is missing but restores the
previous behavior.
Additional comments, checks, warning messages, and diagnostic
information is printed out when the client starts.
We assume IPv4 is always present and enabled. We assume IPv6 is not
supported when it is disabled at the command line or when it is not
supported by the firewall method. Warn if IPv6 is disabled but the
user specified IPv6 subnets, IPv6 DNS servers, or IPv6 excludes that
are effectively ignored.
Instead of indicating which features are on/off, we also indicate if
features are available in the verbose output.
We also more clearly print the subnets that we forward, excludes, and
any redirected DNS servers to the terminal output.
These changes should help handling bug reports and make it clearer to
users what is happening. It should also make it more graceful when a
user specifies a subnet/exclude with hostname that resolves to both
IPv4 and IPv6 (but IPv6 is disabled in sshuttle).
The list of subnets to route over VPN and the list of subnets to
exclude are parsed in option.py parse_subnetport(). Hostnames or IP
addresses are supported. If a hostname was provided, only the first IP
address was considered. This could result in some traffic not
traversing the VPN that the user might expect should traverse it from
the arguments passed to sshuttle.
This patch makes the function handle all of the IPs if a hostname is
provided. If a user provides a hostname with a CIDR mask, problems can
occur and we warn the user about the issue.
If the user includes a hostname with both an IPv4 and an IPv6 address,
and the underlying method doesn't support IPv6, then this patch will
cause sshuttle to fail. I plan to provide a future patch where failure
won't occur if the only place IPv6 addresses appear is in the exclude
list. In that case it should be safe to ignore the IPv6 address.
This patch also changes parse_ipport() which is used by the --to-ns
option. If the user provides a hostname here, we just use the first IP
from the hostname and warn the user that only one is being used.
Some bug reports include verbose sshuttle output but lack the version
that is being used. Including the sshuttle version in the output may
make it easier to handle future bug reports.
Improve detection of when the ssh process exits in both daemon and
foreground modes. Previously, sshuttle could infinite loop with 100%
cpu usage if the ssh process died. On machines that use suspend, the
ssh connection might not resume after wakeup. Now, this situation is
detected and sshuttle exits. The fix involves changing the return
value we check for when we call poll() and using a psutil function to
detect when the process exits if we are running sshuttle as a daemon.
Python2 ignores the byte string qualification (b’foo’) but falls over for the combination rb for this regexp. Switching the qualification to br appears to fix this and works in both python2 and python3.
Fixes #469. We replace python3 exclusive code with a check for python3 and a compatibility fix. Note that the switch from os.set_nonblocking to fcntl.fcntl in 98d052d (fixing #503) also fixes python2 compatibility.
* Use types instead of imp.new_module.
I can follow up with https://docs.python.org/3/library/importlib.html#importlib.util.module_from_spec if need be.
* use source loader from importlib
* Revert "use source loader from importlib"
This reverts commit 1f255704f7.
* use inspect.getsource, but alas
* placate linter
* use find_spec to resolve a module spec to a file path
* better function naming
* remove outdated comment
* Fix parsing of hostnames to allow ssh aliases defined in ssh configs)
* nicer formatting, pep8 applied
* Properly parse IPv6 addresses with port specification
* Now also handles hostnames with port specified and IPv6 addresses without port properly
* Updated parameter description for the remotehost specification
* Make the urlparse import backwards compatible to python2
Co-authored-by: Tobi <tobi-git@grimm.gr>
* Add auto password prompt
Add auto password with sshpass
use user:password@host or user:password:port@host
* Update ssh.py
* Fix for IPv4 only
* Delete print sorry bad commit
* ipv4 fix
* Fix IPv4 args
* Fix for ipv6
* Fix ipv6 no password
* Add function parse_hostport
* Fix minor bug detect port
* Fix minor bug password detect
* Clear Code
* bad write "=" replace with "=="
* Rewrite code for more understand logical and fix minor bug
* add default define port
* delete old variable unused
* replace "==" per "is" try fix code reviews
* reback
* try define password with len
* Fix consistence variable password PR
* simplify function split ipv4 or ipv6
* clear code
