Move nested functions to top level.

Send DNS request back on same sock we received it on.
Pass socket through to handlers. Required for IPv6 support.
2025-07-04 08:40:30 +02:00 · 2011-05-31 00:42:48 -04:00 · 2011-05-31 00:39:17 -04:00 · 2011-05-31 00:39:17 -04:00 · 2011-05-29 22:42:16 -04:00 · 2011-05-15 17:35:53 -04:00
10 changed files with 200 additions and 115 deletions
--- a/README.md
+++ b/README.md
@ -63,7 +63,19 @@ This is how you use it:
    on your client machine. You'll need root or sudo
    access, and python needs to be installed.
- - <tt>./sshuttle -r username@sshserver 0.0.0.0/0 -vv</tt>
+ - The most basic use of sshuttle looks like:
  <tt>./sshuttle -r username@sshserver 0.0.0.0/0 -vv</tt>
 - There is a shortcut for 0.0.0.0/0 for those that value
   their wrists
   <tt>./sshuttle -r username@sshserver 0/0 -vv</tt>
 - If you would also like your DNS queries to be proxied
   through the DNS server of the server you are connect to:
   <tt>./sshuttle --dns -vvr username@sshserver 0/0</tt>
   The above is probably what you want to use to prevent
   local network attacks such as Firesheep and friends.
 (You may be prompted for one or more passwords; first, the
 local password to become root using either sudo or su, and
--- a/client.py
+++ b/client.py
@ -175,6 +175,65 @@ class FirewallClient:
            raise Fatal('cleanup: %r returned %d' % (self.argv, rv))
 def onaccept(listener, mux, handlers):
    global _extra_fd
    try:
        sock,srcip = listener.accept()
    except socket.error, e:
        if e.args[0] in [errno.EMFILE, errno.ENFILE]:
            debug1('Rejected incoming connection: too many open files!\n')
            # free up an fd so we can eat the connection
            os.close(_extra_fd)
            try:
                sock,srcip = listener.accept()
                sock.close()
            finally:
                _extra_fd = os.open('/dev/null', os.O_RDONLY)
            return
        else:
            raise
    dstip = original_dst(sock)
    debug1('Accept: %s:%r -> %s:%r.\n' % (srcip[0],srcip[1],
                                          dstip[0],dstip[1]))
    if dstip[1] == listener.getsockname()[1] and islocal(dstip[0]):
        debug1("-- ignored: that's my address!\n")
        sock.close()
        return
    chan = mux.next_channel()
    if not chan:
        log('warning: too many open channels.  Discarded connection.\n')
        sock.close()
        return
    mux.send(chan, ssnet.CMD_CONNECT, '%s,%s' % dstip)
    outwrap = MuxWrapper(mux, chan)
    handlers.append(Proxy(SockWrapper(sock, sock), outwrap))
 dnsreqs = {}
 def dns_done(chan, data):
    peer,sock,timeout = dnsreqs.get(chan) or (None,None,None)
    debug3('dns_done: channel=%r peer=%r\n' % (chan, peer))
    if peer:
        del dnsreqs[chan]
        debug3('doing sendto %r\n' % (peer,))
        sock.sendto(data, peer)
 def ondns(listener, mux, handlers):
    pkt,peer = listener.recvfrom(4096)
    now = time.time()
    if pkt:
        debug1('DNS request from %r: %d bytes\n' % (peer, len(pkt)))
        chan = mux.next_channel()
        dnsreqs[chan] = peer,listener,now+30
        mux.send(chan, ssnet.CMD_DNS_REQ, pkt)
        mux.channels[chan] = lambda cmd,data: dns_done(chan,data)
    for chan,(peer,sock,timeout) in dnsreqs.items():
        if timeout < now:
            del dnsreqs[chan]
    debug3('Remaining DNS requests: %d\n' % len(dnsreqs))
 def _main(listener, fw, ssh_cmd, remotename, python, latency_control,
          dnslistener, seed_hosts, auto_nets,
          syslog, daemon):
@ -198,7 +257,14 @@ def _main(listener, fw, ssh_cmd, remotename, python, latency_control,
    handlers.append(mux)
    expected = 'SSHUTTLE0001'
    try:
        v = 'x'
        while v and v != '\0':
            v = serversock.recv(1)
        v = 'x'
        while v and v != '\0':
            v = serversock.recv(1)
        initstring = serversock.recv(len(expected))
    except socket.error, e:
        if e.args[0] == errno.ECONNRESET:
@ -248,63 +314,10 @@ def _main(listener, fw, ssh_cmd, remotename, python, latency_control,
                fw.sethostip(name, ip)
    mux.got_host_list = onhostlist
-    def onaccept():
+    handlers.append(Handler([listener], lambda: onaccept(listener, mux, handlers)))
        global _extra_fd
        try:
            sock,srcip = listener.accept()
        except socket.error, e:
            if e.args[0] in [errno.EMFILE, errno.ENFILE]:
                debug1('Rejected incoming connection: too many open files!\n')
                # free up an fd so we can eat the connection
                os.close(_extra_fd)
                try:
                    sock,srcip = listener.accept()
                    sock.close()
                finally:
                    _extra_fd = os.open('/dev/null', os.O_RDONLY)
                return
            else:
                raise
        dstip = original_dst(sock)
        debug1('Accept: %s:%r -> %s:%r.\n' % (srcip[0],srcip[1],
                                              dstip[0],dstip[1]))
        if dstip[1] == listener.getsockname()[1] and islocal(dstip[0]):
            debug1("-- ignored: that's my address!\n")
            sock.close()
            return
        chan = mux.next_channel()
        if not chan:
            log('warning: too many open channels.  Discarded connection.\n')
            sock.close()
            return
        mux.send(chan, ssnet.CMD_CONNECT, '%s,%s' % dstip)
        outwrap = MuxWrapper(mux, chan)
        handlers.append(Proxy(SockWrapper(sock, sock), outwrap))
    handlers.append(Handler([listener], onaccept))
    dnsreqs = {}
    def dns_done(chan, data):
        peer,timeout = dnsreqs.get(chan) or (None,None)
        debug3('dns_done: channel=%r peer=%r\n' % (chan, peer))
        if peer:
            del dnsreqs[chan]
            debug3('doing sendto %r\n' % (peer,))
            dnslistener.sendto(data, peer)
    def ondns():
        pkt,peer = dnslistener.recvfrom(4096)
        now = time.time()
        if pkt:
            debug1('DNS request from %r: %d bytes\n' % (peer, len(pkt)))
            chan = mux.next_channel()
            dnsreqs[chan] = peer,now+30
            mux.send(chan, ssnet.CMD_DNS_REQ, pkt)
            mux.channels[chan] = lambda cmd,data: dns_done(chan,data)
        for chan,(peer,timeout) in dnsreqs.items():
            if timeout < now:
                del dnsreqs[chan]
        debug3('Remaining DNS requests: %d\n' % len(dnsreqs))
    if dnslistener:
-        handlers.append(Handler([dnslistener], ondns))
+        handlers.append(Handler([dnslistener], lambda: ondns(dnslistener, mux, handlers)))
    if seed_hosts != None:
        debug1('seed_hosts: %r\n' % seed_hosts)
--- a/115
+++ b/115
@ -8,14 +8,14 @@
 #
 # By default, no output coloring.
-GREEN=""
+green=""
-BOLD=""
+bold=""
-PLAIN=""
+plain=""
 if [ -n "$TERM" -a "$TERM" != "dumb" ] && tty <&2 >/dev/null 2>&1; then
-	GREEN="$(printf '\033[32m')"
+	green="$(printf '\033[32m')"
-	BOLD="$(printf '\033[1m')"
+	bold="$(printf '\033[1m')"
-	PLAIN="$(printf '\033[m')"
+	plain="$(printf '\033[m')"
 fi
 _dirsplit()
@ -24,6 +24,13 @@ _dirsplit()
 	dir=${1%$base}
 }
 dirname()
 (
 	_dirsplit "$1"
 	dir=${dir%/}
 	echo "${dir:-.}"
 )
 _dirsplit "$0"
 export REDO=$(cd "${dir:-.}" && echo "$PWD/$base")
@ -54,87 +61,105 @@ fi
 _find_dofile_pwd()
 {
-	DOFILE=default.$1.do
+	dofile=default.$1.do
 	while :; do
-		DOFILE=default.${DOFILE#default.*.}
+		dofile=default.${dofile#default.*.}
-		[ -e "$DOFILE" -o "$DOFILE" = default.do ] && break
+		[ -e "$dofile" -o "$dofile" = default.do ] && break
 	done
-	EXT=${DOFILE#default}
+	ext=${dofile#default}
-	EXT=${EXT%.do}
+	ext=${ext%.do}
-	BASE=${1%$EXT}
+	base=${1%$ext}
 }
 _find_dofile()
 {
-	PREFIX=
+	local prefix=
 	while :; do
 		_find_dofile_pwd "$1"
-		[ -e "$DOFILE" ] && break
+		[ -e "$dofile" ] && break
 		[ "$PWD" = "/" ] && break
-		TARGET=${PWD##*/}/$TARGET
+		target=${PWD##*/}/$target
-		PREFIX=${PWD##*/}/$PREFIX
+		tmp=${PWD##*/}/$tmp
 		prefix=${PWD##*/}/$prefix
 		cd ..
 	done
-	BASE=$PREFIX$BASE
+	base=$prefix$base
 }
 _run_dofile()
 {
 	export DO_DEPTH="$DO_DEPTH  "
-	export REDO_TARGET=$PWD/$TARGET
+	export REDO_TARGET=$PWD/$target
 	local line1
 	set -e
-	read line1 <"$PWD/$DOFILE"
+	read line1 <"$PWD/$dofile"
 	cmd=${line1#"#!/"}
 	if [ "$cmd" != "$line1" ]; then
-		/$cmd "$PWD/$DOFILE" "$@" >"$TARGET.tmp2"
+		/$cmd "$PWD/$dofile" "$@" >"$tmp.tmp2"
 	else
-		. "$PWD/$DOFILE" >"$TARGET.tmp2"
+		:; . "$PWD/$dofile" >"$tmp.tmp2"
 	fi
 }
 _do()
 {
-	DIR=$1
+	local dir=$1 target=$2 tmp=$3
-	TARGET=$2
+	if [ ! -e "$target" ] || [ -d "$target" -a ! -e "$target.did" ]; then
 	if [ ! -e "$TARGET" ] || [ -e "$TARGET/." -a ! -e "$TARGET.did" ]; then
 		printf '%sdo  %s%s%s%s\n' \
-			"$GREEN" "$DO_DEPTH" "$BOLD" "$DIR$TARGET" "$PLAIN" >&2
+			"$green" "$DO_DEPTH" "$bold" "$dir$target" "$plain" >&2
-		echo "$PWD/$TARGET" >>"$DO_BUILT"
+		echo "$PWD/$target" >>"$DO_BUILT"
-		DOFILE=$TARGET.do
+		dofile=$target.do
-		BASE=$TARGET
+		base=$target
-		EXT=
+		ext=
-		[ -e "$TARGET.do" ] || _find_dofile "$TARGET"
+		[ -e "$target.do" ] || _find_dofile "$target"
-		if [ ! -e "$DOFILE" ]; then
+		if [ ! -e "$dofile" ]; then
-			echo "do: $TARGET: no .do file" >&2
+			echo "do: $target: no .do file" >&2
 			return 1
 		fi
-		[ ! -e "$DO_BUILD" ] || : >>"$TARGET.did"
+		[ ! -e "$DO_BUILT" ] || [ ! -d "$(dirname "$target")" ] ||
-		( _run_dofile "$BASE" "$EXT" "$TARGET.tmp" )
+		: >>"$target.did"
-		RV=$?
+		( _run_dofile "$base" "$ext" "$tmp.tmp" )
-		if [ $RV != 0 ]; then
+		rv=$?
 		if [ $rv != 0 ]; then
 			printf "do: %s%s\n" "$DO_DEPTH" \
-				"$DIR$TARGET: got exit code $RV" >&2
+				"$dir$target: got exit code $rv" >&2
-			rm -f "$TARGET.tmp" "$TARGET.tmp2"
+			rm -f "$tmp.tmp" "$tmp.tmp2"
-			return $RV
+			return $rv
 		fi
-		mv "$TARGET.tmp" "$TARGET" 2>/dev/null ||
+		mv "$tmp.tmp" "$target" 2>/dev/null ||
-		! test -s "$TARGET.tmp2" ||
+		! test -s "$tmp.tmp2" ||
-		mv "$TARGET.tmp2" "$TARGET" 2>/dev/null
+		mv "$tmp.tmp2" "$target" 2>/dev/null
-		rm -f "$TARGET.tmp2"
+		rm -f "$tmp.tmp2"
 	else
-		echo "do  $DO_DEPTH$TARGET exists." >&2
+		echo "do  $DO_DEPTH$target exists." >&2
 	fi
 }
 # Make corrections for directories that don't actually exist yet.
 _dir_shovel()
 {
 	local dir base
 	xdir=$1 xbase=$2 xbasetmp=$2
 	while [ ! -d "$xdir" -a -n "$xdir" ]; do
 		_dirsplit "${xdir%/}"
 		xbasetmp=${base}__$xbase
 		xdir=$dir xbase=$base/$xbase
 		echo "xbasetmp='$xbasetmp'" >&2
 	done
 }
 redo()
 {
 	for i in "$@"; do
 		_dirsplit "$i"
-		( cd "$dir" && _do "$dir" "$base" ) || return 1
+		_dir_shovel "$dir" "$base"
 		dir=$xdir base=$xbase basetmp=$xbasetmp
 		( cd "$dir" && _do "$dir" "$base" "$basetmp" ) || return 1
 	done
 }
--- a/helpers.py
+++ b/helpers.py
@ -1,4 +1,4 @@
-import sys, os, socket
+import sys, os, socket, errno
 logprefix = ''
 verbose = 0
--- a/server.py
+++ b/server.py
@ -130,7 +130,7 @@ class DnsProxy(Handler):
        try:
            self.sock.send(self.request)
        except socket.error, e:
-            if e.args[0] in [errno.ECONNREFUSED, errno.EHOSTUNREACH]:
+            if e.args[0] in ssnet.NET_ERRS:
                # might have been spurious; try again.
                # Note: these errors sometimes are reported by recv(),
                # and sometimes by send().  We have to catch both.
@ -145,7 +145,7 @@ class DnsProxy(Handler):
        try:
            data = self.sock.recv(4096)
        except socket.error, e:
-            if e.args[0] in [errno.ECONNREFUSED, errno.EHOSTUNREACH]:
+            if e.args[0] in ssnet.NET_ERRS:
                # might have been spurious; try again.
                # Note: these errors sometimes are reported by recv(),
                # and sometimes by send().  We have to catch both.
@ -173,7 +173,7 @@ def main():
        debug1('  %s/%d\n' % r)
    # synchronization header
-    sys.stdout.write('SSHUTTLE0001')
+    sys.stdout.write('\0\0SSHUTTLE0001')
    sys.stdout.flush()
    handlers = []
--- a/ssh.py
+++ b/ssh.py
@ -85,7 +85,7 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
            pycmd = "'%s' -c '%s'" % (python, pyscript)
        else:
            pycmd = ("P=python2; $P -V 2>/dev/null || P=python; "
-                     "\"$P\" -c '%s'") % pyscript
+                     "exec \"$P\" -c '%s'") % pyscript
        argv = (sshl + 
                portl + 
                ipv6flag + 
--- a/7
+++ b/7
@ -1,5 +1,10 @@
 #!/bin/sh
-DIR=$(dirname "$0")
+EXE=$0
 for i in 1 2 3 4 5 6 7 8 9 10; do
 	[ -L "$EXE" ] || break
 	EXE=$(readlink "$EXE")
 done
 DIR=$(dirname "$EXE")
 if python2 -V 2>/dev/null; then
 	exec python2 "$DIR/main.py" python2 "$@"
 else
--- a/ssnet.py
+++ b/ssnet.py
@ -42,6 +42,10 @@ cmd_to_name = {
 }
 NET_ERRS = [errno.ECONNREFUSED, errno.ETIMEDOUT,
            errno.EHOSTUNREACH, errno.ENETUNREACH,
            errno.EHOSTDOWN, errno.ENETDOWN]
 def _add(l, elem):
    if not elem in l:
@ -124,6 +128,12 @@ class SockWrapper:
            return  # already connected
        self.rsock.setblocking(False)
        debug3('%r: trying connect to %r\n' % (self, self.connect_to))
        if socket.inet_aton(self.connect_to[0])[0] == '\0':
            self.seterr(Exception("Can't connect to %r: "
                                  "IP address starts with zero\n"
                                  % (self.connect_to,)))
            self.connect_to = None
            return
        try:
            self.rsock.connect(self.connect_to)
            # connected successfully (Linux)
@ -142,12 +152,21 @@ class SockWrapper:
                debug3('%r: fixed connect result: %s\n' % (self, e))
            if e.args[0] in [errno.EINPROGRESS, errno.EALREADY]:
                pass  # not connected yet
            elif e.args[0] == 0:
                # connected successfully (weird Linux bug?)
                # Sometimes Linux seems to return EINVAL when it isn't
                # invalid.  This *may* be caused by a race condition
                # between connect() and getsockopt(SO_ERROR) (ie. it
                # finishes connecting in between the two, so there is no
                # longer an error).  However, I'm not sure of that.
                #
                # I did get at least one report that the problem went away
                # when we added this, however.
                self.connect_to = None
            elif e.args[0] == errno.EISCONN:
                # connected successfully (BSD)
                self.connect_to = None
-            elif e.args[0] in [errno.ECONNREFUSED, errno.ETIMEDOUT,
+            elif e.args[0] in NET_ERRS + [errno.EACCES, errno.EPERM]:
                               errno.EHOSTUNREACH, errno.ENETUNREACH,
                               errno.EACCES, errno.EPERM]:
                # a "normal" kind of error
                self.connect_to = None
                self.seterr(e)
--- a/ui-macos/bits/runpython.do
+++ b/ui-macos/bits/runpython.do
@ -1,5 +1,15 @@
 exec >&2
 redo-ifchange runpython.c
-gcc -Wall -o $3 runpython.c \
+ARCHES=""
 printf "Platforms: "
 for d in /usr/libexec/gcc/darwin/*; do
    PLAT=$(basename "$d")
    [ "$PLAT" != "ppc64" ] || continue  # fails for some reason on my Mac
    ARCHES="$ARCHES -arch $PLAT"
    printf "$PLAT "
 done
 printf "\n"
 gcc $ARCHES \
 	-Wall -o $3 runpython.c \
 	-I/usr/include/python2.5 \
 	-lpython2.5
--- a/ui-macos/models.py
+++ b/ui-macos/models.py
@ -3,6 +3,7 @@ import my
 configchange_callback = setconnect_callback = None
 objc_validator = objc.signature('@@:N^@o^@')
 def config_changed():
@ -39,7 +40,7 @@ class SshuttleNet(NSObject):
    def setSubnet_(self, v):
        self._k_subnet = v
        config_changed()
-    @objc.accessor
+    @objc_validator
    def validateSubnet_error_(self, value, error):
        #print 'validateSubnet!'
        return True, _validate_ip(value), error
@ -49,7 +50,7 @@ class SshuttleNet(NSObject):
    def setWidth_(self, v):
        self._k_width = v
        config_changed()
-    @objc.accessor
+    @objc_validator
    def validateWidth_error_(self, value, error):
        #print 'validateWidth!'
        return True, _validate_width(value), error
@ -118,7 +119,7 @@ class SshuttleServer(NSObject):
        self._k_host = v
        self.setTitle_(None)
        config_changed()
-    @objc.accessor
+    @objc_validator
    def validateHost_error_(self, value, error):
        #print 'validatehost! %r %r %r' % (self, value, error)
        while value.startswith('-'):
Author	SHA1	Message	Date
Brian May	a8b71f6387	Move nested functions to top level.	2011-05-31 00:42:48 -04:00
Brian May	4bfcd7091d	Send DNS request back on same sock we received it on.	2011-05-31 00:39:17 -04:00
Brian May	bd489b3319	Pass socket through to handlers. Required for IPv6 support.	2011-05-31 00:39:17 -04:00
Avery Pennarun	8ab5ef283d	ssnet.py: deal with a possible connect/getsockopt(SO_ERROR) race. Seems to affect Linux servers. Ed Maste says the patch fixes it for him.	2011-05-29 22:42:16 -04:00
Brian May	e67208a294	helpers.py: errno is used by this module, but not imported.	2011-05-15 17:35:53 -04:00
Avery Pennarun	7859be13c2	ui-macos/bits/runpython.do: skip ppc64 architecture. I don't have a Mac that can build it. Hopefully ppc will run fine on ppc64.	2011-05-07 23:19:52 -04:00
Avery Pennarun	f313d50690	ui-macos/bits/runpython.do: report which platforms we're compiling for. Just as a quick reminder, in case you're building a fat binary and you don't have all the architectures actually installed.	2011-05-07 23:16:42 -04:00
Grissiom	15e26d2e0e	README.md: fix little bug The ssh hostname should immediately follow the -r parameter.	2011-05-07 23:16:42 -04:00
Avery Pennarun	e2ec475de3	ui-macos/models.py: fix a compatibility problem on MacOS for PPC. @objc.accessor isn't the right thing to use for a Core Data Validation function. Yowee, PyObjc sure is non-obvious.	2011-05-07 23:16:42 -04:00
Avery Pennarun	57e744dadd	./do: use the latest minimal/do from the redo project.	2011-05-03 14:19:45 -07:00
Avery Pennarun	c13be0b817	ui-macos/bits/runpython.do: auto-determine arches to build for. Some people don't have all of them installed, so auto-detect them by looking at the available arches in /usr/libexec.	2011-05-03 14:18:37 -07:00
$Jonathan \"Duke\" Leto$ Jonathan \"Duke\" Leto	da2c6273f6	Add some friendly info to the README	2011-05-03 14:03:19 -07:00
Avery Pennarun	7712c60c36	Insert two binary NUL bytes (\0) before SSHUTTLE0001 sync string. ...and search for those null bytes before looking for the sync string. This helps when people have misconfigured .bashrc to print messages even in non-interactive mode. (On my Debian Lenny system, .bashrc doesn't seem to run when you do 'ssh localhost ls', but on MacOS servers, it does. Hmm...)	2011-05-03 13:59:25 -07:00
Avery Pennarun	65b0390fe9	ssh.py: use 'exec python -c' instead of just 'python -c'. This gets rid of an extra intermediate sh process on the server that we were keeping for no good reason, since it would exit as soon as python exited anyway.	2011-05-03 13:51:09 -07:00
Avery Pennarun	c5834a9773	Handle EHOSTDOWN, ENETDOWN. Someone on the mailing list reported getting these. Also centralize the list of these errors, so we don't have different parts of the code supporting a different subset of them. Now just use ssnet.NET_ERRS.	2011-05-03 13:32:25 -07:00
Avery Pennarun	e2474543fc	runpython.do: also compile for ppc architecture.	2011-04-24 22:51:27 -04:00
kaizoku	8636378870	Dereference symlink for sshuttle launch script (Modified slightly by apenwarr)	2011-04-24 22:42:50 -04:00
Avery Pennarun	f5eed4c809	Don't try to connect to remote IPs that start with zero. For some reason, on Linux servers this returns EINVAL. I don't like just treating EINVAL as non-fatal in general, so let's catch this specific case and ignore it. Reported by Reza Mohammadi on the mailing list. Interestingly, it's kind of hard to trigger this crash since the client would have to request the connection, and that connection shouldn't exist because the original client program would have already gotten EINVAL. But my MacOS machine can generate such a connection, so a MacOS->Linux sshuttle could trigger this.	2011-04-24 22:15:20 -04:00