Commit Graph

52 Commits

Author SHA1 Message Date
nom3ad
6b8e402367 make sure that existing python2 compatibility is not broken by this feature 2024-08-06 08:38:24 +10:00
nom3ad
7a92183f59 windows: better connection tracker 2024-08-06 08:38:24 +10:00
nom3ad
d4d0fa945d fix: bad file descriptor error in windows, fix pytest errors 2024-08-06 08:38:24 +10:00
nom3ad
4a84ad3be6 fix windows CRLF issue on stdin/stdout 2024-08-06 08:38:24 +10:00
nom3ad
0c4c061123 fix failing tests 2024-08-06 08:38:24 +10:00
Antoine Jacoutot
fd63611b5a Fix pf_rule size in OpenBSD. 2024-07-12 09:52:57 +10:00
Scott Kuhl
a604d107ef Keep terminal in a sane state when sudo use_pty is used.
This fixes #909 and is an alternative to the #922 pull request. When
sudo's use_pty is used with sshuttle, it causes issues with the
terminal. Pull request #712 contains some fixes for this problem.
However, when sshuttle is run with the --daemon option, it left the
user's terminal in a non-sane state. The problem appears to be related
to a socketpair that the firewall uses for communication. By setting
it up slightly differently (see changes to client.py and firewall.py),
the terminal state is no longer disrupted. This commit also changes
line endings of the printed messages from \r\n to \n. This undoes a
change introduced by pull request #712 and is no longer needed.
2024-01-05 19:08:34 +11:00
Jose M Perez
794b14eaac tproxy: Apply DNS rules first
Having --dst-type LOCAL rules before DNS ones forces the usage of a
dnsmasq-like program to retrigger DNS requests directed locally
because they are fast-tracked through the firewall and ignored by
sshuttle.

As dns options documentation state that they capture the requests no
matter the server, and other methods and older versions behave
consistently, change the iptables rules to apply DNS ones first.
2023-10-04 08:11:52 +11:00
Fata Nugraha
5b9f438d42 Fix tests 2023-08-07 20:00:32 +10:00
Fata Nugraha
998e5c5849 Fix tests 2023-08-07 20:00:32 +10:00
Bastian Venthur
a6efc6b653 This test broke in Python3.11
Fixed the test and only check for instance: str for families that are
not explicitly covered in `family_to_str`

closes: #784
2022-08-29 19:52:10 +10:00
Bastian Venthur
a33a4829e2 fixed some spelling mistakes 2022-06-15 07:43:25 +10:00
Nikos Atlas
1def53e085 fallback to file editing in case file is locked 2022-06-03 07:48:44 +10:00
mangano-ito
48ab82b81e test a wildcarded host acceptable 2022-02-10 23:32:43 +09:00
mangano-ito
1d4c059f44 format styles: E251 unexpected spaces around keyword / parameter equals (flake8) 2022-02-10 08:41:22 +09:00
mangano-ito
b9b89c3f55 add another example for host resolution tests 2022-02-09 21:29:24 +09:00
mangano-ito
e5eb5afef0 use mocked getaddrinfo to make host name resolution stable 2022-02-09 21:29:24 +09:00
mangano-ito
19e2a1810d add getaddrinfo mock for test-cases with hosts 2022-02-09 21:29:24 +09:00
mangano-ito
2f026c84af test hosts with port specified 2022-02-09 21:29:24 +09:00
mangano-ito
04214eaf89 test hosts with no port specified 2022-02-09 21:29:24 +09:00
Scott Kuhl
80a822e079 Fix flake8 and unit test errors introduced by use_pty fixes. 2022-01-07 13:21:16 -05:00
Brian May
b896a4b7f3 Remove references to legacy PyXAPI socket_ext for recvmsg
socket.recvmsg has been in Python since version 3.3 and we don't
support anything older then 3.6 the server side.
2021-11-11 08:01:15 +11:00
Scott Kuhl
bc065e368d Remove ttl hack & require -r option.
Previously, it was possible to run sshuttle locally without using ssh
and connecting to a remote server. In this configuration, traffic was
redirected to the sshuttle server running on the localhost. However,
the firewall needed to distinguish between traffic leaving the
sshuttle server and traffic that originated from the machine that
still needed to be routed through the sshuttle server. The TTL of the
packets leaving the sshuttle server were manipulated to indicate to
the firewall what should happen. The TTL was adjusted for all packets
leaving the sshuttle server (even if it wasn't necessary because the
server and client were running on different machines).

Changing the TTL caused trouble and some machines, and
the --ttl option was added as a workaround to change how the TTL was
set for traffic leaving sshuttle. All of this added complexity to the
code for a feature (running the server on localhost) that is likely
only used for testing and rarely used by others.

This commit updates the associated documentation, but doesn't fully
fix the ipfw method since I am unable to test that.

This change will also make sshuttle fail to work if -r is used to
specify a localhost. Pull request #610 partially addresses that issue.

For example, see: #240, #490, #660, #606.
2021-07-12 11:24:29 -04:00
Scott Kuhl
3f201095ea Merge branch 'master' into nat-ipv6 2021-05-30 21:09:32 -04:00
Scott Kuhl
c026a92cad Add IPv6 support to nat (iptables) method.
Adding IPv6 support to the nat method is straightforward after the
previous work to add IPv6 support for nft.
2021-05-29 20:55:48 -04:00
Scott Kuhl
a7df12cd68 Fix --tmark option
Even when --tmark was used, the iptables code always used '1' for the
mark. This patch corrects the problem.

Previously, it wasn't clear if the tmark should be supplied in
hexadecimal or as an integer. This makes it use hexadecimal, checks
that the input is hexadecimal, and updates the associated
documentation.

This patch also makes --ttl information get passed to the firewall in
a way that matches how other information gets passed. The ttl and
tmark information are passed next to each other in many places and
this patch also makes the order consistent.
2021-05-27 21:48:43 -04:00
Victor Kareh
167a57e739 firewall: Allow overriding the TTL
In instances where a cluster pod in a local VM needs to access a server
that is sshuttle'd from the host, since the packets arriving at the host
already made a hop, their TTL is 63 and so get ignored by sshuttle.
Allowing an override of the firewall TTL rule allows the packets to go
through.
2021-03-05 08:53:53 +11:00
Kees Hink
0e51da519f Allow comments in configuration file 2021-02-16 07:51:32 +11:00
masahitojp
65d437a9f8 feat: remove mock from test dependencies.
Because mock can be replace by unittest.mock
2021-01-17 15:42:55 +11:00
Scott Kuhl
97c25e988e
tproxy: Skip firewall chains if packets have local destination. (#578)
If you use the tproxy method with a large subnet (such as 0/0), then
(1) you may not receive UDP packets that sshuttle/tproxy can handle
and (2) you are unable to connect to your machine using an IP that
your computer recognizes as its own.

To resolve those issues, any traffic to an IP that the host knows is
local, does not go through the sshuttle chains.
2021-01-04 09:05:32 +11:00
Scott Kuhl
7fc33c0020 Refactor debug, log and Fatal messages.
This commit rewrites the log() function so that it will append a
newline at the end of the message if none is present. It doesn't make
sense to print a log message without a newline since the next log
message (which will write a prefix) expects to be starting at the
beginning of a line.

Although it isn't strictly necessary, this commit also removes any
newlines at the ends of messages. If I missed any, including the
newline at the end of the message will continue to work as it did
before.

Previously, some calls were missing the newline at the end even though
including it was necessary for subsequent messages to appear
correctly.

This code also cleans up some redundant prefixes. The log() method
will prepend the prefix and the different processes should set their
prefix as soon as they start.

Multiline messages are still supported (although the prefix for the
additional lines was changed to match the length of the prefix used
for the first line).
2021-01-01 19:32:48 +11:00
Scott Kuhl
6d4261e3f9 Refactor automatic method selection.
Add an "is_supported()" function to the different methods so that each
method can include whatever logic they wish to indicate if they are
supported on a particular machine. Previously, methods/__init__.py
contained all of the logic for selecting individual methods. Now, it
iterates through a list of possible options and stops on the first
method that it finds that is_supported().

Currently, the decision is made based on the presence of programs in
the PATH. In the future, things such as the platform sshuttle is
running on could be considered.
2020-12-28 10:21:56 +11:00
Brian May
9b036fc689
Merge pull request #552 from skuhl/systemd-resolved
Intercept DNS requests sent by systemd-resolved.
2020-11-04 16:55:09 +11:00
Scott Kuhl
8461e08bc3 Make server and client handle resolv.conf differently.
The server should just read from resolv.conf to find DNS servers to
use. This restores this behavior after the previous commit changed it.

The client now reads both /etc/resolv.conf and
/run/systemd/resolve/resolv.conf. The latter is required to more
reliably intercept regular DNS requests that systemd-resolved makes.
2020-11-03 20:27:57 -05:00
Scott Kuhl
34f538ff98 Merge branch 'master' into which-fix to resolve merge conflict. 2020-10-26 17:24:32 -04:00
Scott Kuhl
68c9c9bbcd Improve consistency of PATH, environments, and which()
This patch attempts to fix (or aid in debugging) issue #350.

sshuttle didn't explicitly search /sbin and /usr/sbin and they may be
missing in the user's PATH. If PATH is missing, these folders wouldn't
be searched either. There was also a program_exists function which is
redundant to which(). This consolidates everything into the helpers.py
file.

This patch introduces get_path() to return PATH + some extra hardcoded
paths. A new get_env() function can be called to create a consistent
environment when calling external programs. The new which() wrapper
function also ensures we use the same set of paths.

If -vv is supplied, messages clearly indicate the programs we are
looking for, if they are found, and where we looked if we failed to
find them.

I haven't tested the changes to ipfw or pf.
2020-10-23 20:33:20 -04:00
Scott Kuhl
6d86e44fb4 IPv6 support in nft method.
This works for me but needs testing by others. Remember to specify a
::0/0 subnet or similar to route IPv6 through sshuttle.

I'm adding this to nft before nat since it is not sshuttle's default
method on Linux. Documentation updates may be required too.

This patch uses the ipaddress module, but that appears to be included
since Python 3.3.
2020-10-21 17:47:07 -04:00
Scott Kuhl
bc24ed359a Make nat and nft rules consistent; improve rule ordering.
First, check if TTL indicates we should ignore packet (instead of
checking in multiple rules later). Also, nft method didn't do this at
all. Now, nft matches the behavior of nat.

Second, forward DNS traffic (we may need to intercept traffic to
localhost if a DNS server is running on localhost).

Third, ignore any local traffic packets. (Previously, we ignored local
traffic except DNS and then had the DNS rules). The nft method didn't
do this previously at all. It now matches the behavior of nat.

Lastly, list the subnets to redirect and/or exclude. This step is left
unchanged. Excluding the local port that we are listening on is
redundant with the third step, but should cause no harm.

In summary, this ordering simplifies the rules in nat and eliminates
differences that previously existed between nat and nft.
2020-10-21 11:51:39 -04:00
Brian May
c3016f2d90
Merge pull request #541 from skuhl/use-all-ips
When subnets and excludes are specified with hostnames, use all IPs.
2020-10-20 07:56:50 +11:00
Scott Kuhl
e1106a33a9 Only write /etc/hosts when necessary.
Without this patch, sshuttle 'restores' /etc/hosts even if it didn't
make any modifications to it. This can be confirmed by running without
--auto-hosts and confirming that the modification time of /etc/hosts
is unchanged while sshuttle is running, but is updated when sshuttle
exits (and a debug2() message is printed indicating the file is
written).

I'm not aware of the previous behavior causing problems. However,
writing an important file unnecessarily as root should be avoided.
2020-10-19 00:17:37 -04:00
Scott Kuhl
c2b10465e7 Remove localhost test since it can resolve to either IPv4, IPv6, or both in any particular order 2020-10-17 15:56:23 -04:00
Scott Kuhl
cfe14f2498 fix flake8 issues in updated tests 2020-10-17 15:40:28 -04:00
Scott Kuhl
cb53d8a150 Make tests for parse_subnetport() expect lists & update expected error messages in tests 2020-10-17 15:36:16 -04:00
Joshua Li
d0f0aa9f17 remove version_info based branching 2020-06-03 14:30:37 +10:00
Norman Rasmussen
502b36e990 Add tproxy udp port mark filter that was missed in #144, fixes #367. 2019-10-13 11:45:04 +11:00
Nick Sokolov
a7193f508a Fix capturing of local DNS servers
Regression was introduced in #337 that is skipping all local traffic,
including DNS. This change makes UDP port 53 (DNS) LOCAL traffic to be
treated as special case.

Fixes #357
2019-09-22 10:37:49 +10:00
Anthony Cornehl
21ef365c59 The size of pf_rule grew in OpenBSD 6.4 2019-09-22 10:29:28 +10:00
Daniel Jeffery
3e2ad68796 Fix tests for existing PR-312 (#337)
* use addrtype match to return the LOCAL trafik

* Add assertion for the new LOCAL firewall rule added in PR 312.

* Fix linter complaints
2019-06-08 12:12:21 +10:00
Bastian Venthur
3bfb975ed9 Fix/pep8 (#277)
* re-organized imports according to pep8
* fixed all remaining pep8 issues
* moved common config into setup.cfg, additionally test `tests`
* removed --select=X -- the errors selected where by default not in
  flake8's --ignore list so effectively had no effect
* update .travis.yml to reflect changes in tox.ini
* make travis just use tox in order to avoid code duplaction
* replace py.test with pytest
* fixed .travis.yml
* try different pypy toxenv
* hopefully fixed testenv for pypy
* added pypy basepython, removed unused python2.6
* install dev package before testing (fixes missing coverage)
* fixed empty exception pass blocks with noqa
* Added dummy log message on empty try-except-pass blocks to make dodacy happy :(
* Replaced Exception with BaseException
2019-02-11 09:59:13 +11:00
João Vieira
ca41026c89 Changes pf exclusion rules precedence
Before this change, in pf, exclusions used a pass out quick which gave
them higher precedence than any other rule independent of subnet width.
As reported in #265 this causes exclusion from one instance of sshuttle
to also take effect on other instances because quick aborts the
evaluation of rules across all anchors.

This commit changes the precedence of rules so quick can now be
dropped. The new order is defined by the following rule, from
subnet_weight:

"We need to go from smaller, more specific, port ranges, to larger,
less-specific, port ranges. At each level, we order by subnet
width, from most-specific subnets (largest swidth) to
least-specific. On ties, excludes come first."
2018-11-03 12:24:32 +11:00