Commit Graph

514 Commits

Author SHA1 Message Date
vieira
6a488b3db9 Initial configuration for Bandit and Prospector
With this configuration it should be feasible to achieve a perfect score
without contortion.

Rules skiped for Bandit:
B101: assert_used
B104: hardcoded_bind_all_interfaces
B404: import_subprocess
B603: subprocess_without_shell_equals_true
B606: start_process_with_no_shell
B607: start_process_with_partial_path

Rules skiped for pylint:
- too-many-statements
- too-many-locals
- too-many-function-args
- too-many-arguments
- too-many-branches
- bare-except
- protected-access
- no-else-return
2017-11-09 12:02:31 +11:00
vieira
112931dd2c Changes methods that do not reference the instance to static methods 2017-11-08 16:17:06 +11:00
vieira
ad676029c7 Fix no value passed for argument auto_hosts in hw_main call 2017-11-08 16:17:06 +11:00
vieira
47030e846b Remove trailing whitespaces 2017-11-08 16:17:06 +11:00
vieira
416636fa9b Mock socket bind to avoid depending on local IPs being available in test box 2017-11-07 10:08:16 +11:00
vieira
4300a02343 Remove unused variable 'timeout' 2017-11-07 10:08:16 +11:00
vieira
4e8c5411b5 Also register por for dns proxy and for pairs in use by other procs 2017-11-07 10:08:16 +11:00
vieira
6cdc4da1e4 Fixes UDP and DNS proxies binding to the same socket address
As suggested by @colinmkeith the UDP and DNS proxies should listen on different
ports otherwise the DNS proxy can get traffic intended to the UDP proxy (or
vice-versa) and handle it incorrectly as reported in #178.

At first sight it seems that we had the code in place to try another port if
the one we are binding is already bound, however, with UDP and REUSEADDR the
OS will not refuse to bind two sockets to the same socket address, so both
the UDP proxy and DNS proxy were being bound to the same pair.
2017-11-07 10:08:16 +11:00
vieira
8add00866c turn off debugging 2017-10-23 06:58:21 +11:00
vieira
94ea0a3bed nested if should be and 2017-10-23 06:58:21 +11:00
vieira
9b7ce2811e Use versions of python3 greater than 3.5 when available (e.g. 3.6)
Some Linux distros, like Alpine, Arch, etc and some BSDs, like FreeBSD, are
now shipping with python3.6 as the default python3. Both the client and the
server are failing to run in this distros, because we are specifically looking
for python3.5.

These changes make the run shell script use python3 if the version is greater
than 3.5, otherwise falling back as usual.

On the server any version of python3 will do, use it before falling back to
python, as the server code can run with any version of python3.
2017-10-23 06:58:21 +11:00
vieira
7726dea27c Test double restore (ipv4, ipv6) disables only once; test kldload 2017-10-21 12:10:31 +11:00
vieira
3635cc17ad Load pf kernel module when enabling pf
When the pf module is not loaded our calls to pfctl will fail with
unhelpful messages.
This change spares the user the pain of decrypting those messages and manually
enabling pf. It also keeps track if pf was loaded by sshuttle and unloads on
exit if that was the case.

Also fixed the case where both ipv4 and ipv6 anchors were added by sshuttle
but the first call of disable would disable pf before the second call had the
chance of cleaning it's anchor.
2017-10-21 12:10:31 +11:00
vieira
ae13316e83 Just skip empty lines of routes data instead of stopping processing 2017-10-19 13:45:34 +11:00
vieira
e173eb6016 Skip empty lines on incoming routes data
If we receive no routes from server or if, for some reason, we receive
some empty lines, we should skip them instead of crashing.

Fixes on of the problems in #147.
2017-10-19 13:45:34 +11:00
vieira
29cd75b6f7 Make hostwatch find both fqdn and hostname
Currently hostwatch only adds hostnames even when FQDNs are available.
This commit changes found_host so that when the name is a FQDN, both the FQDN
and an hostname are added, e.g., given api.foo.com both api and api.foo.com
will be added.

Fixes #151 if merged.

N.B.: I rarely use hostwatch, it would probably be a good idea to get feedback
from people who actually use it before merging. Not too sure about this...
2017-10-17 07:12:06 +11:00
vieira
4c50be0bc7 Use getaddrinfo to obtain a correct sockaddr
While with AF_INET sockaddr is a 2-tuple composed by (address, port),
with AF_INET6 it is a 4-tuple with (address, port, flow info, scope id).

We were always passing a 2-tuple to socket.connect which would fail whenever
the address was, for instance, a link-local IPv6 address that needs a scope id.

With this change we now use getaddrinfo to correctly compute the full tuple.

Fixes #156.
2017-10-15 12:43:04 +11:00
max
2fa0cd06fb Route traffic by linux user 2017-09-17 15:33:34 +10:00
William Entriken
4d8b758d32 Add homebrew instructions
Per https://github.com/apenwarr/sshuttle/pull/45/files
2017-08-03 13:55:04 +10:00
vieira
4e8c2b9c68 Avoid port forwarding from loopback address
When doing port forwarding on lo0 avoid the special case where the
traffic on lo0 did not came from sshuttle pass out rule but from the lo0
address itself. Fixes #159.
2017-07-29 17:15:32 +10:00
Itamar Turner-Trauring
be559fc78b Fix case where there is no --dns. 2017-07-18 17:15:03 +10:00
Itamar Turner-Trauring
d2e97a60f7 Add new option for overriding destination DNS server. 2017-07-18 17:15:03 +10:00
Itamar Turner-Trauring
cdbb379910 Talk to custom DNS server on pod, instead of the ones in /etc/resolv.conf 2017-07-18 17:15:03 +10:00
Brian May
b65bb29023 Update changelog for 0.78.3 2017-07-09 09:12:04 +10:00
Brian May
c093b4bd96 Get version for sphinx from sshuttle.version 2017-07-09 09:08:48 +10:00
Brian May
e76d1e14bd Fix error in requirements.rst 2017-07-09 09:08:48 +10:00
Brian May
6c6a39fefa Pin version in requirements.txt 2017-07-09 09:08:48 +10:00
Brian May
714bd9f81b Update setup.cfg 2017-07-09 09:08:48 +10:00
Brian May
c746d6f7db Update and reformat changelog 2017-07-09 09:08:48 +10:00
vieira
f9361d7014 Order first by port range and only then by swidth
This change makes the subnets with the most specific port ranges come
before subnets with larger, least specific, port ranges. Before this
change subnets with smaller swidth would always come first and only for
subnets with the same width would the size of the port range be
considered.

Example:
188.0.0.0/8 -x 0.0.0.0/0:443
Before: 188.0.0.0/8 would come first meaning that all ports would be
routed through the VPN for the subnet 188.0.0.0/8
After: 0.0.0.0/0:443 comes first, meaning that port 443 will be
excluded for all subnets, including 188.0.0.0/8. All other ports of
188.0.0.0/8 will be routed.
2017-05-08 16:56:42 +10:00
João Vieira
c4a41ada09 Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges

This set of changes implements the ability of specifying a port or port
range for an IP or subnet to only tunnel those ports for that subnet.
Also supports excluding a port or port range for a given IP or subnet.

When, for a given subnet, there are intercepting ranges being added and
excluded, the most specific, i.e., smaller range, takes precedence. In
case of a tie the exclusion wins.

For different subnets, the most specific, i.e., largest swidth, takes
precedence independent of any eventual port ranges.

Examples:
Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.
```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```

Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.
```
sshuttle -r <server> 188.0.0.0/8:80
```

Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes
from 80 to 89.
```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```

* Allow subnets to be specified with domain names

Simplifies the implementation of address parsing by using
socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6
addresses. This was proposed and mostly implemented by @DavidBuchanan314
in #146.

Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>

* Also use getaddrinfo for parsing listen addr:port

* Fixes tests for tunneling a port range

* Updates documentation to include port/port range

Adds some examples with subnet:port and subnet:port-port.
Also clarifies the versions of Python supported on the server while
maintaining the recommendation for Python 2.7, 3.5 or later.
Mentions support for pfSense.

* In Py2 only named arguments may follow *expression

Fixes issue in Python 2.7 where *expression may only be followed by
named arguments.

* Use right regex to extract ip4/6, mask and ports

* Tests for parse_subnetport
2017-05-07 13:18:13 +10:00
vieira
ef83a5c573 Work around non tabular headers in BSD netstat
netstat outputs some headers in BSD (that the Linux version does not)
that are not tabular and were breaking our 'split line into columns
and get nth column' logic. We now skip such headers.

Should fix #141.
2017-04-05 13:11:08 +10:00
S-trace
af9ebd0f4b Fix UDP and DNS support on Python 2.7 with tproxy method
There was runtime failure on UDP or DNS processing, because "socket" was redefined to PyXAPI's socket_ext in tproxy.py, but still was plain Python's socket in client.py
Fixed https://github.com/sshuttle/sshuttle/issues/134 for me
2017-02-21 16:42:18 +11:00
vieira
9a9015a75e Fixed tests after adding support for iproute2 2017-02-11 09:07:50 +11:00
vieira
d7d24f956b Small refactoring of netstat/iproute parsing 2017-02-11 09:07:50 +11:00
vieira
809fad537f Add support for iproute2
`netstat` has been deprecated for some time and some distros might
start shipping without it in the near future. This commit adds support
for `ip route` and uses it when available.
2017-02-11 09:07:50 +11:00
Stephen Levine
abce18cfc2 Allow remote hosts with colons in the username 2017-02-11 09:02:28 +11:00
Ermal Luci
5e90491344 Re-introduce ipfw support for sshuttle on FreeBSD with support for --DNS option as well
Sponsored-by: rsync.net
2017-01-28 11:36:26 +11:00
vieira
e8ceccc3d5 Add support for PfSense
PfSense is based on FreeBSD and its pf is pretty close to the one
FreeBSD ships, however some structures have different fields and two
offsets had to be fixed.
2017-01-15 19:08:53 +11:00
vieira
e39c4afce0 Set started_by_sshuttle False after disabling pf
We set it to true when we enable pf, but do not set it back to False
after disabling. When using IPv4 and IPv6 we end up trying to disable
twice which procudes an error while undoing changes in FreeBSD 11.
2017-01-09 10:07:38 +11:00
vieira
0e52cce9d1 Fix punctuation and explain Type=notify
Added missing full stops and explain that Type=notify is needed in the
systemd service unit.
2016-10-30 10:58:03 +11:00
vieira
6d5d0d766f Tests and documentation for systemd integration
Some tests and documentation for the systemd notification feature.
Also fixes some corner case issues detected while writing the tests.
2016-10-30 10:58:03 +11:00
vieira
08fb3be7a0 Move pytest-runner to tests_require
As it is only required to run the tests move pytest-runner from
setup_requires to tests_require as suggested by @jonathanunderwood
on #115.
2016-10-29 12:04:22 +11:00
Jason Woods
fee5868196 Fix warning: closed channel got=STOP_SENDING 2016-10-28 08:25:21 +11:00
vieira
fbbcc05d58 Support sdnotify for better systemd integration
These changes introduce support for sdnotify allowing sshuttle to notify
systemd when it finishes connecting to the server and installing
firewall rules, and is ready to tunnel requests.
2016-10-24 17:54:33 +11:00
Joao Vieira
15b394da86 Fix #117 to allow for no subnets via file (-s)
This should fix an issue introduced in #117 where when no subnets are
given via file (-s file) the variable is None instead of an empty list
and the concatenation with the subnets given as positional parameters
fails.
2016-10-13 17:52:58 +11:00
Felix Dreissig
0ed5ef9a97 Fix argument splitting for multi-word arguments
By just splitting at spaces, multi-word arguments are torn apart even if
quoted. In case of custom ssh-cmd, this makes it practically impossible
to set certian options through `ssh -o`.
shlex splits arguments like a shell and e.g. respects quotes.
2016-10-04 18:19:59 +11:00
vieira
c0c3612e6d Allow subnets to be given only by file (-s)
This should fix #116. Handling this while still having the positional
arguments and -s both write to the same list turned out to be more
complicated than it's worth so each writes to their own variable and we
merge them at the end.
2016-09-27 08:12:39 +10:00
Brian May
0033efca11 Merge pull request #113 from RichiH/patch-1
requirements.rst: Fix mistakes
2016-09-05 07:32:38 +10:00
Richard Hartmann
ae6e25302f requirements.rst: Fix mistakes 2016-09-04 18:54:12 +02:00