Due to message from CI:
DEPRECATION: Python 3.5 reached the end of its life on September 13th,
2020. Please upgrade your Python as Python 3.5 is no longer maintained.
pip 21.0 will drop support for Python 3.5 in January 2021. pip 21.0 will
remove support for this functionality.
The server should just read from resolv.conf to find DNS servers to
use. This restores this behavior after the previous commit changed it.
The client now reads both /etc/resolv.conf and
/run/systemd/resolve/resolv.conf. The latter is required to more
reliably intercept regular DNS requests that systemd-resolved makes.
This commit makes two fixes:
1. If an IPv6 DNS server is used, an nft rule had "ip6 protocol" in it
which is invalid and caused sshuttle to exit.
2. I modified detection of udp vs tcp to follow the recommendation at
https://superuser.com/questions/1560376/match-ipv6-protocol-using-nftables
I also re-arranged the code slightly to reduce the number of
if-statements.
Some methods are unable to determine the destination address of DNS
packets that we capture. When this happens, change the message so it
just shows where the DNS requests are from.
Previously, we would find DNS servers we wish to intercept traffic on
by reading /etc/resolv.conf. On systems using systemd-resolved,
/etc/resolv.conf points to localhost and then systemd-resolved
actually uses the DNS servers listed in
/run/systemd/resolve/resolv.conf. Many programs will route the DNS
traffic through localhost as /etc/resolv.conf indicates and sshuttle
would capture it. However, systemd-resolved also provides other
interfaces for programs to resolve hostnames besides the localhost
server in /etc/resolv.conf.
This patch adds systemd-resolved's servers into the list of DNS
servers when --dns is used.
Note that sshuttle will continue to fail to intercept any traffic sent
to port 853 for DNS over TLS (which systemd-resolved also supports).
For more info, see:
sshuttle issue #535https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.htmlhttps://github.com/systemd/systemd/issues/6076
This patch attempts to fix (or aid in debugging) issue #350.
sshuttle didn't explicitly search /sbin and /usr/sbin and they may be
missing in the user's PATH. If PATH is missing, these folders wouldn't
be searched either. There was also a program_exists function which is
redundant to which(). This consolidates everything into the helpers.py
file.
This patch introduces get_path() to return PATH + some extra hardcoded
paths. A new get_env() function can be called to create a consistent
environment when calling external programs. The new which() wrapper
function also ensures we use the same set of paths.
If -vv is supplied, messages clearly indicate the programs we are
looking for, if they are found, and where we looked if we failed to
find them.
I haven't tested the changes to ipfw or pf.
Update docs to indicate that IPv6 is supported with the nft method.
- Adds nft into the requirements.rst file.
- Update description of what happens when a hostname is used in a
subnet.
- Add ipfw to list of methods.
- Indicate that --auto-nets does not work with IPv6. Previously this
was only mentioned in tproxy.rst
- Clarify that we try to use "python3" on the server before trying
"python".
This works for me but needs testing by others. Remember to specify a
::0/0 subnet or similar to route IPv6 through sshuttle.
I'm adding this to nft before nat since it is not sshuttle's default
method on Linux. Documentation updates may be required too.
This patch uses the ipaddress module, but that appears to be included
since Python 3.3.
First, check if TTL indicates we should ignore packet (instead of
checking in multiple rules later). Also, nft method didn't do this at
all. Now, nft matches the behavior of nat.
Second, forward DNS traffic (we may need to intercept traffic to
localhost if a DNS server is running on localhost).
Third, ignore any local traffic packets. (Previously, we ignored local
traffic except DNS and then had the DNS rules). The nft method didn't
do this previously at all. It now matches the behavior of nat.
Lastly, list the subnets to redirect and/or exclude. This step is left
unchanged. Excluding the local port that we are listening on is
redundant with the third step, but should cause no harm.
In summary, this ordering simplifies the rules in nat and eliminates
differences that previously existed between nat and nft.
Use 'c' prefix for client, 's' prefix for server, and 'fw' prefix for
firewall messages. The 'c' and 's' prefixes were used sometimes but
not consistently. The firewall printed messages prefixed with
"firewall manager:" or "firewall:" or ">>" previously.
This patch also fixes a couple of print() calls that should have been
debug1()---a bug introduced in a recent commit.
Without this patch, sshuttle 'restores' /etc/hosts even if it didn't
make any modifications to it. This can be confirmed by running without
--auto-hosts and confirming that the modification time of /etc/hosts
is unchanged while sshuttle is running, but is updated when sshuttle
exits (and a debug2() message is printed indicating the file is
written).
I'm not aware of the previous behavior causing problems. However,
writing an important file unnecessarily as root should be avoided.
Pull request #502 made -r/--remote required. However, the
documentation still indicates that using no remote is a valid way to
test sshuttle (see Examples section of man page). I think this mode
might be useful for testing performance local without ssh, local with
ssh, and remote with ssh.
This patch adds a warning when -r/--remote is missing but restores the
previous behavior.