Merge pull request #19 from naclander/patch-1

Remove no-latency-control assertion

README.md

@@ -13,10 +13,16 @@ Required Software
 
  - You need PyXAPI, available here:
    http://www.pps.univ-paris-diderot.fr/~ylg/PyXAPI/
- - You also need autossh, available in various package management systems
  - Python 2.x, both locally and the remote system
 
 
+Additional Suggested Software
+-----------------------------
+
+ - You may want to need autossh, available in various package management
+   systems
+
+
 sshuttle: where transparent proxy meets VPN meets ssh
 =====================================================
 
@@ -69,7 +75,7 @@ Obtaining sshuttle
 
  - First, go get PyXAPI from the link above
 
- - Clone github.com/jwyllie83/sshuttle/tree/local
+ - Clone: `git clone https://github.com/sshuttle/sshuttle.git`
 
 
 Usage on (Ubuntu) Linux
@@ -87,15 +93,15 @@ Usage on (Ubuntu) Linux
 Usage on other Linuxes and OSes
 -------------------------------
 
-  <tt>./sshuttle -r username@sshserver 0.0.0.0/0 -vv</tt>
+  <tt>src/sshuttle -r username@sshserver 0.0.0.0/0 -vv</tt>
 
  - There is a shortcut for 0.0.0.0/0 for those that value
    their wrists
-   <tt>./sshuttle -r username@sshserver 0/0 -vv</tt>
+   <tt>src/sshuttle -r username@sshserver 0/0 -vv</tt>
 
  - If you would also like your DNS queries to be proxied
    through the DNS server of the server you are connect to:
-   <tt>./sshuttle --dns -vvr username@sshserver 0/0</tt>
+   <tt>src/sshuttle --dns -vvr username@sshserver 0/0</tt>
 
    The above is probably what you want to use to prevent
    local network attacks such as Firesheep and friends.

packaging/control

@@ -1,14 +1,16 @@
 Package: sshuttle
-Version: 0.2
+Version: 0+git
-Architecture: i386
+Architecture: all
 Maintainer: Jim Wyllie <jwyllie83@gmail.com>
-Depends: autossh, upstart, python (>=2.6)
+Depends: iptables, python (>= 2.6)
-Section: utils
+Suggests: autossh
+Section: net
 Priority: optional
-Homepage: http://github.com/jwyllie83/sshuttle.udp
+Homepage: http://github.com/sshuttle/sshuttle
-Description: "Full-featured" VPN over an SSH tunnel, allowing full remote
+Description: "Full-featured" VPN over an SSH tunnel
- access somewhere where all you have is an SSH connection.  It works well if
+ It allows full remote access somewhere where all you have is an SSH
- you generally find yourself in the following situation:
+ connection.  It works well if you generally find yourself in the
+ following situation:
  .
  - Your client machine (or router) is Linux, FreeBSD, or MacOS.
  - You have access to a remote network via ssh.
@@ -22,5 +24,5 @@ Description: "Full-featured" VPN over an SSH tunnel, allowing full remote
     it's disabled by default on openssh servers; plus it does
     TCP-over-TCP, which has suboptimal performance
  .
- It also has hooks for more complicated setups (VPN-in-a-SSH-VPN, etc) to allow
+ It also has hooks for more complicated setups (VPN-in-a-SSH-VPN, etc.) to allow
  you to set it up as you like.

packaging/make_deb

@@ -24,6 +24,11 @@ cp ../src/sshuttle ${B}/usr/bin
 cp -r sshuttle.conf ${B}/etc/init
 cp prefixes.conf ${B}/etc/sshuttle
 cp tunnel.conf ${B}/etc/sshuttle
+# Remove MacOS X stuff from .deb
+rm -r ${B}/usr/share/sshuttle/ui-macos
+
+# Fix path to main.py
+sed -e 's:^DIR=.*$:DIR=/usr/share/sshuttle/:' -i ${B}/usr/bin/sshuttle
 
 # Copy the control file over, as well
 cp control ${B}/DEBIAN

src/client.py

@@ -184,6 +184,22 @@ def daemon_cleanup():
         else:
             raise
 
+pf_command_file = None
+
+def pf_dst(sock):
+    peer = sock.getpeername()
+    proxy = sock.getsockname()
+
+    argv = (sock.family, socket.IPPROTO_TCP, peer[0], peer[1], proxy[0], proxy[1])
+    pf_command_file.write("QUERY_PF_NAT %r,%r,%s,%r,%s,%r\n" % argv)
+    pf_command_file.flush()
+    line = pf_command_file.readline()
+    debug2("QUERY_PF_NAT %r,%r,%s,%r,%s,%r" % argv + ' > ' + line)
+    if line.startswith('QUERY_PF_NAT_SUCCESS '):
+        (ip, port) = line[21:].split(',')
+        return (ip, int(port))
+
+    return sock.getsockname()
 
 def original_dst(sock):
     try:
@@ -381,6 +397,8 @@ def onaccept_tcp(listener, method, mux, handlers):
             raise
     if method == "tproxy":
         dstip = sock.getsockname()
+    elif method == "pf":
+        dstip = pf_dst(sock)
     else:
         dstip = original_dst(sock)
     debug1('Accept TCP: %s:%r -> %s:%r.\n' % (srcip[0], srcip[1],
@@ -536,7 +554,7 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
         if auto_nets:
             for line in routestr.strip().split('\n'):
                 (family, ip, width) = line.split(',', 2)
-                fw.auto_nets.append((family, ip, int(width)))
+                fw.auto_nets.append((int(family), ip, int(width)))
 
         # we definitely want to do this *after* starting ssh, or we might end
         # up intercepting the ssh connection!
@@ -738,6 +756,10 @@ def main(listenip_v6, listenip_v4,
             if dns_listener.v6 is not None:
                 dns_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVORIGDSTADDR, 1)
 
+    if fw.method == "pf":
+        global pf_command_file
+        pf_command_file = fw.pfile
+
     try:
         return _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                      python, latency_control, dns_listener,

src/firewall.py

@@ -7,8 +7,13 @@ import compat.ssubprocess as ssubprocess
 import ssyslog
 import sys
 import os
+import re
 from helpers import log, debug1, debug3, islocal, Fatal, family_to_string, \
     resolvconf_nameservers
+from fcntl import ioctl
+from ctypes import c_char, c_uint8, c_uint16, c_uint32, Union, Structure, \
+	sizeof, addressof, memmove
+
 
 # python doesn't have a definition for this
 IPPROTO_DIVERT = 254
@@ -332,7 +337,7 @@ def _handle_diversion(divertsock, dnsport):
         _real_dns_server[0] = dst
         dst = ('127.0.0.1', dnsport)
     elif src[1] == dnsport:
-        if islocal(src[0]):
+        if islocal(src[0], divertsock.family):
             debug3('...packet is a DNS response.\n')
             src = _real_dns_server[0]
     else:
@@ -463,6 +468,68 @@ def do_ipfw(port, dnsport, family, subnets, udp):
     return do_wait
 
 
+def pfctl(args, stdin = None):
+    argv = ['pfctl'] + list(args.split(" "))
+    debug1('>> %s\n' % ' '.join(argv))
+
+    p = ssubprocess.Popen(argv, stdin = ssubprocess.PIPE, 
+                                stdout = ssubprocess.PIPE, 
+                                stderr = ssubprocess.PIPE)
+    o = p.communicate(stdin)
+    if p.returncode:
+        raise Fatal('%r returned %d' % (argv, p.returncode))
+
+    return o
+
+_pf_context = {'started_by_sshuttle': False, 'Xtoken':''}
+
+def do_pf(port, dnsport, family, subnets, udp):
+    global _pf_started_by_sshuttle
+    tables = []
+    translating_rules = []
+    filtering_rules = []
+
+    if subnets:
+        includes=[]
+        # If a given subnet is both included and excluded, list the exclusion
+        # first; the table will ignore the second, opposite definition
+        for f, swidth, sexclude, snet \
+                in sorted(subnets, key=lambda s: (s[1], s[2]), reverse=True):
+                    includes.append("%s%s/%s" % ("!" if sexclude else "", snet, swidth))
+
+        tables.append('table <forward_subnets> {%s}' % ','.join(includes))
+        translating_rules.append('rdr pass on lo0 proto tcp to <forward_subnets> -> 127.0.0.1 port %r' % port)
+        filtering_rules.append('pass out route-to lo0 inet proto tcp to <forward_subnets> keep state')
+
+        if dnsport:
+            nslist = resolvconf_nameservers()
+            tables.append('table <dns_servers> {%s}' % ','.join([ns[1] for ns in nslist]))
+            translating_rules.append('rdr pass on lo0 proto udp to <dns_servers> port 53 -> 127.0.0.1 port %r' % dnsport)
+            filtering_rules.append('pass out route-to lo0 inet proto udp to <dns_servers> port 53 keep state')
+
+        rules = '\n'.join(tables + translating_rules + filtering_rules) + '\n'
+
+        pf_status = pfctl('-s all')[0]
+        if not '\nrdr-anchor "sshuttle" all\n' in pf_status:
+            pf_add_anchor_rule(PF_RDR, "sshuttle")        
+        if not '\nanchor "sshuttle" all\n' in pf_status:
+            pf_add_anchor_rule(PF_PASS, "sshuttle")
+
+        pfctl('-a sshuttle -f /dev/stdin', rules)
+        if sys.platform == "darwin":
+            o = pfctl('-E')
+            _pf_context['Xtoken'] = re.search(r'Token : (.+)', o[1]).group(1)
+        elif 'INFO:\nStatus: Disabled' in pf_status: 
+            pfctl('-e')
+            _pf_context['started_by_sshuttle'] = True
+    else:
+        pfctl('-a sshuttle -F all')
+        if sys.platform == "darwin":
+            pfctl('-X %s' % _pf_context['Xtoken'])
+        elif _pf_context['started_by_sshuttle']:
+            pfctl('-d')
+
+
 def program_exists(name):
     paths = (os.getenv('PATH') or os.defpath).split(os.pathsep)
     for p in paths:
@@ -515,6 +582,106 @@ def restore_etc_hosts(port):
     rewrite_etc_hosts(port)
 
 
+# This are some classes and functions used to support pf in yosemite. 
+class pf_state_xport(Union):
+    _fields_ = [("port", c_uint16),
+                ("call_id", c_uint16),
+                ("spi", c_uint32)]
+
+class pf_addr(Structure):
+    class _pfa(Union):
+        _fields_ = [("v4",            c_uint32),      # struct in_addr
+                    ("v6",            c_uint32 * 4),  # struct in6_addr
+                    ("addr8",         c_uint8 * 16),
+                    ("addr16",        c_uint16 * 8),
+                    ("addr32",        c_uint32 * 4)]
+
+    _fields_ = [("pfa",               _pfa)]
+    _anonymous_ = ("pfa",)
+
+class pfioc_natlook(Structure):
+    _fields_ = [("saddr", pf_addr),
+                ("daddr", pf_addr),
+                ("rsaddr", pf_addr),
+                ("rdaddr", pf_addr),
+                ("sxport", pf_state_xport),
+                ("dxport", pf_state_xport),
+                ("rsxport", pf_state_xport),
+                ("rdxport", pf_state_xport),
+                ("af", c_uint8),                      # sa_family_t  
+                ("proto", c_uint8),
+                ("proto_variant", c_uint8),
+                ("direction", c_uint8)]
+
+pfioc_rule = c_char * 3104  # sizeof(struct pfioc_rule)
+
+pfioc_pooladdr = c_char * 1136 # sizeof(struct pfioc_pooladdr) 
+
+MAXPATHLEN = 1024
+
+DIOCNATLOOK = ((0x40000000L | 0x80000000L) | ((sizeof(pfioc_natlook) & 0x1fff) << 16) | ((ord('D')) << 8) | (23))
+DIOCCHANGERULE = ((0x40000000L | 0x80000000L) | ((sizeof(pfioc_rule) & 0x1fff) << 16) | ((ord('D')) << 8) | (26))
+DIOCBEGINADDRS = ((0x40000000L | 0x80000000L) | ((sizeof(pfioc_pooladdr) & 0x1fff) << 16) | ((ord('D')) << 8) | (51))
+
+PF_CHANGE_ADD_TAIL = 2
+PF_CHANGE_GET_TICKET = 6
+
+PF_PASS = 0
+PF_RDR = 8
+
+PF_OUT = 2
+
+_pf_fd = None
+
+def pf_get_dev():
+    global _pf_fd
+    if _pf_fd == None:
+        _pf_fd = os.open('/dev/pf', os.O_RDWR)
+
+    return _pf_fd
+
+def pf_query_nat(family, proto, src_ip, src_port, dst_ip, dst_port):
+    [proto, family, src_port, dst_port] = [int(v) for v in [proto, family, src_port, dst_port]]
+    
+    length = 4 if family == socket.AF_INET else 16
+
+    pnl = pfioc_natlook()
+    pnl.proto = proto
+    pnl.direction = PF_OUT
+    pnl.af = family
+    memmove(addressof(pnl.saddr), socket.inet_pton(pnl.af, src_ip), length)
+    pnl.sxport.port = socket.htons(src_port)
+    memmove(addressof(pnl.daddr), socket.inet_pton(pnl.af, dst_ip), length)
+    pnl.dxport.port = socket.htons(dst_port)
+
+    ioctl(pf_get_dev(), DIOCNATLOOK, (c_char * sizeof(pnl)).from_address(addressof(pnl)))
+
+    ip = socket.inet_ntop(pnl.af, (c_char * length).from_address(addressof(pnl.rdaddr)))
+    port = socket.ntohs(pnl.rdxport.port)
+    return (ip, port)
+
+def pf_add_anchor_rule(type, name):
+    ACTION_OFFSET = 0
+    POOL_TICKET_OFFSET = 8
+    ANCHOR_CALL_OFFSET = 1040
+    RULE_ACTION_OFFSET = 3068
+
+    pr = pfioc_rule()
+    ppa = pfioc_pooladdr()
+
+    ioctl(pf_get_dev(), DIOCBEGINADDRS, ppa)
+
+    memmove(addressof(pr) + POOL_TICKET_OFFSET, ppa[4:8], 4)  #pool_ticket
+    memmove(addressof(pr) + ANCHOR_CALL_OFFSET, name, min(MAXPATHLEN, len(name)))  #anchor_call = name
+    memmove(addressof(pr) + RULE_ACTION_OFFSET, struct.pack('I', type), 4)  #rule.action = type
+
+    memmove(addressof(pr) + ACTION_OFFSET, struct.pack('I', PF_CHANGE_GET_TICKET), 4) #action = PF_CHANGE_GET_TICKET
+    ioctl(pf_get_dev(), DIOCCHANGERULE, pr)
+
+    memmove(addressof(pr) + ACTION_OFFSET, struct.pack('I', PF_CHANGE_ADD_TAIL), 4) #action = PF_CHANGE_ADD_TAIL
+    ioctl(pf_get_dev(), DIOCCHANGERULE, pr)
+
+
 # This is some voodoo for setting up the kernel's transparent
 # proxying stuff.  If subnets is empty, we just delete our sshuttle rules;
 # otherwise we delete it, then make them from scratch.
@@ -541,8 +708,10 @@ def main(port_v6, port_v4, dnsport_v6, dnsport_v4, method, udp, syslog):
             method = "ipfw"
         elif program_exists('iptables'):
             method = "nat"
+        elif program_exists('pfctl'):
+            method = "pf"
         else:
-            raise Fatal("can't find either ipfw or iptables; check your PATH")
+            raise Fatal("can't find either ipfw, iptables or pfctl; check your PATH")
 
     if method == "nat":
         do_it = do_iptables_nat
@@ -550,6 +719,8 @@ def main(port_v6, port_v4, dnsport_v6, dnsport_v4, method, udp, syslog):
         do_it = do_iptables_tproxy
     elif method == "ipfw":
         do_it = do_ipfw
+    elif method == "pf":
+        do_it = do_pf
     else:
         raise Exception('Unknown method "%s"' % method)
 
@@ -637,6 +808,14 @@ def main(port_v6, port_v4, dnsport_v6, dnsport_v4, method, udp, syslog):
                 (name, ip) = line[5:].strip().split(',', 1)
                 hostmap[name] = ip
                 rewrite_etc_hosts(port_v6 or port_v4)
+            elif line.startswith('QUERY_PF_NAT '):
+                try:
+                    dst = pf_query_nat(*(line[13:].split(',')))
+                    sys.stdout.write('QUERY_PF_NAT_SUCCESS %s,%r\n' % dst)
+                except IOError, e:
+                    sys.stdout.write('QUERY_PF_NAT_FAILURE %s\n' % e)
+
+                sys.stdout.flush()
             elif line:
                 raise Fatal('expected EOF, got %r' % line)
             else:

src/main.py

@@ -116,7 +116,7 @@ l,listen=  transproxy to this ip address and port number
 H,auto-hosts scan for remote hostnames and update local /etc/hosts
 N,auto-nets  automatically determine subnets to route
 dns        capture local DNS requests and forward to the remote DNS server
-method=    auto, nat, tproxy, or ipfw
+method=    auto, nat, tproxy, pf or ipfw
 python=    path to python interpreter on the remote server
 r,remote=  ssh hostname (and optional username) of remote sshuttle server
 x,exclude= exclude this subnet (can be used more than once)
@@ -183,7 +183,7 @@ try:
             includes = parse_subnet_file(opt.subnets)
         if not opt.method:
             method = "auto"
-        elif opt.method in ["auto", "nat", "tproxy", "ipfw"]:
+        elif opt.method in ["auto", "nat", "tproxy", "ipfw", "pf"]:
             method = opt.method
         else:
             o.fatal("method %s not supported" % opt.method)

src/options.py

@@ -61,6 +61,8 @@ def _remove_negative_k(k):
 
 
 def _tty_width():
+    if not hasattr(sys.stderr, "fileno"):
+        return _atoi(os.environ.get('WIDTH')) or 70
     s = struct.pack("HHHH", 0, 0, 0, 0)
     try:
         import fcntl

src/server.py

@@ -215,7 +215,6 @@ def main():
         helpers.logprefix = ' s: '
     else:
         helpers.logprefix = 'server: '
-    assert latency_control is not None
     debug1('latency control setting = %r\n' % latency_control)
 
     routes = list(list_routes())
@@ -328,6 +327,7 @@ def main():
                     debug3('expiring dnsreqs channel=%d\n' % channel)
                     del dnshandlers[channel]
                     h.ok = False
+        if udphandlers:
             for channel, h in udphandlers.items():
                 if not h.ok:
                     debug3('expiring UDP channel=%d\n' % channel)

src/ui-macos/main.py

@@ -1,7 +1,21 @@
 import sys
 import os
 import pty
-from AppKit import *
+from AppKit import (
+  objc,
+  NSApp,
+  NSApplicationMain,
+  NSAttributedString,
+  NSFileHandle,
+  NSFileHandleDataAvailableNotification,
+  NSImage,
+  NSMenu,
+  NSMenuItem,
+  NSNotificationCenter,
+  NSObject,
+  NSStatusBar,
+  NSVariableStatusItemLength,
+)
 import my
 import models
 import askpass
@@ -217,6 +231,7 @@ class SshuttleController(NSObject):
 
     @objc.IBAction
     def cmd_quit(self, sender):
+        NSStatusBar.systemStatusBar().removeStatusItem_(self.statusitem)
         NSApp.performSelector_withObject_afterDelay_(NSApp.terminate_,
                                                      None, 0.0)
 
@@ -365,11 +380,10 @@ class SshuttleController(NSObject):
         bar = NSStatusBar.systemStatusBar()
         statusitem = bar.statusItemWithLength_(NSVariableStatusItemLength)
         self.statusitem = statusitem
-        self.img_idle = my.Image('chicken-tiny-bw', 'png')
+        self.img_idle = NSImage.imageNamed_('ChickenIdleTemplate')
-        self.img_running = my.Image('chicken-tiny', 'png')
+        self.img_running = NSImage.imageNamed_('ChickenRunningTemplate')
-        self.img_err = my.Image('chicken-tiny-err', 'png')
+        self.img_err = NSImage.imageNamed_('ChickenErrorTemplate')
         statusitem.setImage_(self.img_idle)
-        statusitem.setHighlightMode_(True)
         statusitem.setMenu_(self.menu)
         self.fill_menu()
 

src/ui-macos/models.py

@@ -1,4 +1,4 @@
-from AppKit import *
+from AppKit import (objc, NSObject)
 import my
 
 

src/ui-macos/my.py

@@ -1,5 +1,11 @@
 import os
-from AppKit import *
+from AppKit import (
+  NSBundle,
+  NSData,
+  NSDictionary,
+  NSImage,
+  NSUserDefaults,
+)
 import PyObjCTools.AppHelper
 
 

src/ui-macos/sources.list.do

@@ -4,9 +4,9 @@ cat <<-EOF
 	app.icns
 	MainMenu.nib English.lproj/MainMenu.nib
 	UserDefaults.plist
-	chicken-tiny.png
+	ChickenIdleTemplate.pdf
-	chicken-tiny-bw.png
+	ChickenRunningTemplate.pdf
-	chicken-tiny-err.png
+	ChickenErrorTemplate.pdf
 EOF
 for d in *.py sshuttle/*.py sshuttle/sshuttle sshuttle/compat/*.py; do
 	echo $d