New release

Add changes for next release
Merge pull request #108 from vieira/pf-ipv6
2025-07-04 00:30:35 +02:00 · 2016-08-06 18:58:00 +10:00 · 2016-08-06 18:52:26 +10:00 · 2016-07-29 07:57:35 +10:00 · 2016-07-27 23:18:25 +00:00 · 2016-07-27 23:06:36 +00:00
21 changed files with 312 additions and 144 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,13 @@
-sshuttle/version.py
+/sshuttle/version.py
+/docs/conf.py
+/tmp/
+/.cache/
+/.eggs/
+/.tox/
+/build/
+/dist/
+/sshuttle.egg-info/
+/docs/_build/
 *.pyc
 *~
 *.8
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -1,3 +1,11 @@
+Release 0.78.1 (6th August, 2016)
+=================================
+* Fix readthedocs versioning.
+* Don't crash on ENETUNREACH.
+* Various bug fixes.
+* Improvements to BSD and OSX support.
+
+
 Release 0.78.0 (Apr 8, 2016)
 ============================

--- a/MANIFEST.in
+++ b/MANIFEST.in
@ -6,8 +6,10 @@ include LICENSE
 include run
 include tox.ini
 exclude sshuttle/version.py
+exclude docs/conf.py
 recursive-include docs *.bat
 recursive-include docs *.py
 recursive-include docs *.rst
 recursive-include docs Makefile
 recursive-include sshuttle *.py
+recursive-exclude docs/_build *
--- a/docs/conf.orig.py
+++ b/docs/conf.orig.py
@ -15,6 +15,7 @@

 # import sys
 # import os
+from setuptools_scm import get_version

 # If extensions (or modules to document with autodoc) are in another directory,
 # add these directories to sys.path here. If the directory is relative to the
@ -54,7 +55,6 @@ copyright = '2016, Brian May'
 # built documents.
 #
 # The short X.Y version.
-from setuptools_scm import get_version
 version = get_version(root="..")
 # The full version, including alpha/beta/rc tags.
 release = version
--- a/docs/manpage.rst
+++ b/docs/manpage.rst
@ -136,6 +136,10 @@ Options
    if you use this option to give it a few names to start
    from.

+    If this option is used *without* :option:`--auto-hosts`,
+    then the listed hostnames will be scanned and added, but
+    no further hostnames will be added.
+
 .. option:: --no-latency-control

    Sacrifice latency to improve bandwidth benchmarks. ssh
--- a/2
+++ b/2
@ -2,7 +2,7 @@
 if python3.5 -V 2>/dev/null; then
 	exec python3.5 -m "sshuttle" "$@"
 elif python2.7 -V 2>/dev/null; then
-    exec python2.7 -m "sshuttle" "$@"
+	exec python2.7 -m "sshuttle" "$@"
 else
 	exec python -m "sshuttle" "$@"
 fi
--- a/setup.cfg
+++ b/setup.cfg
@ -0,0 +1,2 @@
+[aliases]
+test=pytest
--- a/setup.py
+++ b/setup.py
@ -18,7 +18,12 @@
 # along with python-tldap  If not, see <http://www.gnu.org/licenses/>.

 from setuptools import setup, find_packages
+import shutil

+with open("./docs/conf.orig.py", "r") as src:
+    with open("./docs/conf.py", "w") as dst:
+        dst.write("# FILE COPIED FROM conf.orig.py; DO NOT CHANGE\n")
+        shutil.copyfileobj(src, dst)

 def version_scheme(version):
    from setuptools_scm.version import guess_next_dev_version
@ -31,7 +36,7 @@ setup(
        'write_to': "sshuttle/version.py",
        'version_scheme': version_scheme,
    },
-    setup_requires=['setuptools_scm'],
+    setup_requires=['setuptools_scm', 'pytest-runner'],
    # version=version,
    url='https://github.com/sshuttle/sshuttle',
    author='Brian May',
--- a/sshuttle/assembler.py
+++ b/sshuttle/assembler.py
@ -34,4 +34,4 @@ sshuttle.helpers.verbose = verbosity

 import sshuttle.cmdline_options as options
 from sshuttle.server import main
-main(options.latency_control)
+main(options.latency_control, options.auto_hosts)
--- a/sshuttle/client.py
+++ b/sshuttle/client.py
@ -400,7 +400,7 @@ def ondns(listener, method, mux, handlers):

 def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
          python, latency_control,
-          dns_listener, seed_hosts, auto_nets, daemon):
+          dns_listener, seed_hosts, auto_hosts, auto_nets, daemon):

    debug1('Starting client with Python version %s\n'
           % platform.python_version())
@ -418,7 +418,8 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
        (serverproc, serversock) = ssh.connect(
            ssh_cmd, remotename, python,
            stderr=ssyslog._p and ssyslog._p.stdin,
-            options=dict(latency_control=latency_control))
+            options=dict(latency_control=latency_control,
+                auto_hosts=auto_hosts))
    except socket.error as e:
        if e.args[0] == errno.EPIPE:
            raise Fatal("failed to establish ssh session (1)")
@ -514,7 +515,7 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,

 def main(listenip_v6, listenip_v4,
         ssh_cmd, remotename, python, latency_control, dns, nslist,
-         method_name, seed_hosts, auto_nets,
+         method_name, seed_hosts, auto_hosts, auto_nets,
         subnets_include, subnets_exclude, daemon, pidfile):

    if daemon:
@ -548,6 +549,7 @@ def main(listenip_v6, listenip_v4,
            listenip_v6 = None

    required.ipv6 = len(subnets_v6) > 0 or listenip_v6 is not None
+    required.ipv4 = len(subnets_v4) > 0 or listenip_v4 is not None
    required.udp = avail.udp
    required.dns = len(nslist) > 0

@ -570,6 +572,14 @@ def main(listenip_v6, listenip_v4,
    if listenip_v4 == "auto":
        listenip_v4 = ('127.0.0.1', 0)

+    if required.ipv4 and \
+            not any(listenip_v4[0] == sex[1] for sex in subnets_v4):
+        subnets_exclude.append((socket.AF_INET, listenip_v4[0], 32))
+
+    if required.ipv6 and \
+            not any(listenip_v6[0] == sex[1] for sex in subnets_v6):
+        subnets_exclude.append((socket.AF_INET6, listenip_v6[0], 128))
+
    if listenip_v6 and listenip_v6[1] and listenip_v4 and listenip_v4[1]:
        # if both ports given, no need to search for a spare port
        ports = [0, ]
@ -713,7 +723,7 @@ def main(listenip_v6, listenip_v4,
    try:
        return _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                     python, latency_control, dns_listener,
-                     seed_hosts, auto_nets, daemon)
+                     seed_hosts, auto_hosts, auto_nets, daemon)
    finally:
        try:
            if daemon:
--- a/sshuttle/cmdline.py
+++ b/sshuttle/cmdline.py
@ -29,13 +29,12 @@ def main():
            includes = opt.subnets
            excludes = opt.exclude
            if not includes and not opt.auto_nets:
-                parser.error('at least one subnet, subnet file, or -N expected')
+                parser.error('at least one subnet, subnet file, '
+                             'or -N expected')
            remotename = opt.remote
            if remotename == '' or remotename == '-':
                remotename = None
            nslist = [family_ip_tuple(ns) for ns in opt.ns_hosts]
-            if opt.seed_hosts and not opt.auto_hosts:
-                parser.error('--seed-hosts only works if you also use -H')
            if opt.seed_hosts:
                sh = re.split(r'[\s,]+', (opt.seed_hosts or "").strip())
            elif opt.auto_hosts:
@ -68,6 +67,7 @@ def main():
                                      nslist,
                                      opt.method,
                                      sh,
+                                      opt.auto_hosts,
                                      opt.auto_nets,
                                      includes,
                                      excludes,
--- a/sshuttle/helpers.py
+++ b/sshuttle/helpers.py
@ -16,6 +16,7 @@ else:
    def b(s):
        return s

+
 def log(s):
    global logprefix
    try:
--- a/sshuttle/hostwatch.py
+++ b/sshuttle/hostwatch.py
@ -39,7 +39,7 @@ def write_host_cache():
        for name, ip in sorted(hostnames.items()):
            f.write(('%s,%s\n' % (name, ip)).encode("ASCII"))
        f.close()
-        os.chmod(tmpname, 384) # 600 in octal, 'rw-------'
+        os.chmod(tmpname, 384)  # 600 in octal, 'rw-------'
        os.rename(tmpname, CACHEFILE)
    finally:
        try:
@ -70,8 +70,8 @@ def read_host_cache():
 def found_host(hostname, ip):
    hostname = re.sub(r'\..*', '', hostname)
    hostname = re.sub(r'[^-\w]', '_', hostname)
-    if (ip.startswith('127.') or ip.startswith('255.')
-            or hostname == 'localhost'):
+    if (ip.startswith('127.') or ip.startswith('255.') or
+            hostname == 'localhost'):
        return
    oldip = hostnames.get(hostname)
    if oldip != ip:
@ -255,7 +255,7 @@ def _stdin_still_ok(timeout):
    return True


-def hw_main(seed_hosts):
+def hw_main(seed_hosts, auto_hosts):
    if helpers.verbose >= 2:
        helpers.logprefix = 'HH: '
    else:
@ -264,17 +264,18 @@ def hw_main(seed_hosts):
    debug1('Starting hostwatch with Python version %s\n'
           % platform.python_version())

-    read_host_cache()
-
-    _enqueue(_check_etc_hosts)
-    _enqueue(_check_netstat)
-    check_host('localhost')
-    check_host(socket.gethostname())
-    check_workgroup('workgroup')
-    check_workgroup('-')
    for h in seed_hosts:
        check_host(h)

+    if auto_hosts:
+        read_host_cache()
+        _enqueue(_check_etc_hosts)
+        _enqueue(_check_netstat)
+        check_host('localhost')
+        check_host(socket.gethostname())
+        check_workgroup('workgroup')
+        check_workgroup('-')
+
    while 1:
        now = time.time()
        for t, last_polled in list(queue.items()):
--- a/sshuttle/linux.py
+++ b/sshuttle/linux.py
@ -1,3 +1,4 @@
+import os
 import socket
 import subprocess as ssubprocess
 from sshuttle.helpers import log, debug1, Fatal, family_to_string
@ -18,7 +19,11 @@ def ipt_chain_exists(family, table, name):
    else:
        raise Exception('Unsupported family "%s"' % family_to_string(family))
    argv = [cmd, '-t', table, '-nL']
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE)
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
+    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
    for line in p.stdout:
        if line.startswith(b'Chain %s ' % name.encode("ASCII")):
            return True
@ -35,7 +40,11 @@ def ipt(family, table, *args):
    else:
        raise Exception('Unsupported family "%s"' % family_to_string(family))
    debug1('>> %s\n' % ' '.join(argv))
-    rv = ssubprocess.call(argv)
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
+    rv = ssubprocess.call(argv, env=env)
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))

--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@ -11,7 +11,7 @@ from sshuttle.helpers import debug1, debug2, debug3, Fatal, family_to_string
 from sshuttle.methods import BaseMethod


-_pf_context = {'started_by_sshuttle': False, 'Xtoken': None}
+_pf_context = {'started_by_sshuttle': False, 'Xtoken': []}
 _pf_fd = None


@ -59,7 +59,8 @@ class Generic(object):
            pfctl('-e')
            _pf_context['started_by_sshuttle'] = True

-    def disable(self):
+    def disable(self, anchor):
+        pfctl('-a %s -F all' % anchor)
        if _pf_context['started_by_sshuttle']:
            pfctl('-d')

@ -96,12 +97,12 @@ class Generic(object):
    def _get_natlook_port(self, xport):
        return xport

-    def add_anchors(self, status=None):
+    def add_anchors(self, anchor, status=None):
        if status is None:
            status = pfctl('-s all')[0]
        self.status = status
-        if b'\nanchor "sshuttle"' not in status:
-            self._add_anchor_rule(self.PF_PASS, b"sshuttle")
+        if ('\nanchor "%s"' % anchor).encode('ASCII') not in status:
+            self._add_anchor_rule(self.PF_PASS, anchor.encode('ASCII'))

    def _add_anchor_rule(self, type, name, pr=None):
        if pr is None:
@ -120,10 +121,20 @@ class Generic(object):
            'I', self.PF_CHANGE_ADD_TAIL), 4)  # action = PF_CHANGE_ADD_TAIL
        ioctl(pf_get_dev(), pf.DIOCCHANGERULE, pr)

-    def add_rules(self, rules):
+    def _inet_version(self, family):
+        return b'inet' if family == socket.AF_INET else b'inet6'
+
+    def _lo_addr(self, family):
+        return b'127.0.0.1' if family == socket.AF_INET else b'::1'
+
+    def add_rules(self, anchor, rules):
        assert isinstance(rules, bytes)
        debug3("rules:\n" + rules.decode("ASCII"))
-        pfctl('-a sshuttle -f /dev/stdin', rules)
+        pfctl('-a %s -f /dev/stdin' % anchor, rules)
+
+    def has_skip_loopback(self):
+        return b'skip' in pfctl('-s Interfaces -i lo -v')[0]
+


 class FreeBsd(Generic):
@ -153,11 +164,11 @@ class FreeBsd(Generic):
    def __init__(self):
        super(FreeBsd, self).__init__()

-    def add_anchors(self):
+    def add_anchors(self, anchor):
        status = pfctl('-s all')[0]
-        if b'\nrdr-anchor "sshuttle"' not in status:
-            self._add_anchor_rule(self.PF_RDR, b'sshuttle')
-        super(FreeBsd, self).add_anchors(status=status)
+        if ('\nrdr-anchor "%s"' % anchor).encode('ASCII') not in status:
+            self._add_anchor_rule(self.PF_RDR, anchor.encode('ASCII'))
+        super(FreeBsd, self).add_anchors(anchor, status=status)

    def _add_anchor_rule(self, type, name):
        pr = self.pfioc_rule()
@ -168,17 +179,20 @@ class FreeBsd(Generic):
        memmove(addressof(pr) + self.POOL_TICKET_OFFSET, ppa[4:8], 4)
        super(FreeBsd, self)._add_anchor_rule(type, name, pr=pr)

-    def add_rules(self, includes, port, dnsport, nslist):
+    def add_rules(self, anchor, includes, port, dnsport, nslist, family):
+        inet_version = self._inet_version(family)
+        lo_addr = self._lo_addr(family)
+
        tables = [
            b'table <forward_subnets> {%s}' % b','.join(includes)
        ]
        translating_rules = [
-            b'rdr pass on lo0 proto tcp '
-            b'to <forward_subnets> -> 127.0.0.1 port %r' % port
+            b'rdr pass on lo0 %s proto tcp to <forward_subnets> '
+            b'-> %s port %r' % (inet_version, lo_addr, port)
        ]
        filtering_rules = [
-            b'pass out route-to lo0 inet proto tcp '
-            b'to <forward_subnets> keep state'
+            b'pass out route-to lo0 %s proto tcp '
+            b'to <forward_subnets> keep state' % inet_version
        ]

        if len(nslist) > 0:
@ -186,16 +200,16 @@ class FreeBsd(Generic):
                b'table <dns_servers> {%s}' %
                b','.join([ns[1].encode("ASCII") for ns in nslist]))
            translating_rules.append(
-                b'rdr pass on lo0 proto udp to '
-                b'<dns_servers> port 53 -> 127.0.0.1 port %r' % dnsport)
+                b'rdr pass on lo0 %s proto udp to <dns_servers> '
+                b'port 53 -> %s port %r' % (inet_version, lo_addr, dnsport))
            filtering_rules.append(
-                b'pass out route-to lo0 inet proto udp to '
-                b'<dns_servers> port 53 keep state')
+                b'pass out route-to lo0 %s proto udp to '
+                b'<dns_servers> port 53 keep state' % inet_version)

        rules = b'\n'.join(tables + translating_rules + filtering_rules) \
                + b'\n'

-        super(FreeBsd, self).add_rules(rules)
+        super(FreeBsd, self).add_rules(anchor, rules)


 class OpenBsd(Generic):
@ -225,24 +239,28 @@ class OpenBsd(Generic):
        self.pfioc_natlook = pfioc_natlook
        super(OpenBsd, self).__init__()

-    def add_anchors(self):
+    def add_anchors(self, anchor):
        # before adding anchors and rules we must override the skip lo
        # that comes by default in openbsd pf.conf so the rules we will add,
        # which rely on translating/filtering  packets on lo, can work
-        pfctl('-f /dev/stdin', b'match on lo\n')
-        super(OpenBsd, self).add_anchors()
+        if self.has_skip_loopback():
+            pfctl('-f /dev/stdin', b'match on lo\n')
+        super(OpenBsd, self).add_anchors(anchor)
+
+    def add_rules(self, anchor, includes, port, dnsport, nslist, family):
+        inet_version = self._inet_version(family)
+        lo_addr = self._lo_addr(family)

-    def add_rules(self, includes, port, dnsport, nslist):
        tables = [
            b'table <forward_subnets> {%s}' % b','.join(includes)
        ]
        translating_rules = [
-            b'pass in on lo0 inet proto tcp '
-            b'divert-to 127.0.0.1 port %r' % port
+            b'pass in on lo0 %s proto tcp to <forward_subnets> '
+            b'divert-to %s port %r' % (inet_version, lo_addr, port)
        ]
        filtering_rules = [
-            b'pass out inet proto tcp '
-            b'to <forward_subnets> route-to lo0 keep state'
+            b'pass out %s proto tcp to <forward_subnets> '
+            b'route-to lo0 keep state' % inet_version
        ]

        if len(nslist) > 0:
@ -250,16 +268,16 @@ class OpenBsd(Generic):
                b'table <dns_servers> {%s}' %
                b','.join([ns[1].encode("ASCII") for ns in nslist]))
            translating_rules.append(
-                b'pass in on lo0 inet proto udp to <dns_servers>'
-                b'port 53 rdr-to 127.0.0.1 port %r' % dnsport)
+                b'pass in on lo0 %s proto udp to <dns_servers> port 53 '
+                b'rdr-to %s port %r' % (inet_version, lo_addr, dnsport))
            filtering_rules.append(
-                b'pass out inet proto udp to '
-                b'<dns_servers> port 53 route-to lo0 keep state')
+                b'pass out %s proto udp to <dns_servers> port 53 '
+                b'route-to lo0 keep state' % inet_version)

        rules = b'\n'.join(tables + translating_rules + filtering_rules) \
                + b'\n'

-        super(OpenBsd, self).add_rules(rules)
+        super(OpenBsd, self).add_rules(anchor, rules)


 class Darwin(FreeBsd):
@ -292,19 +310,20 @@ class Darwin(FreeBsd):

    def enable(self):
        o = pfctl('-E')
-        _pf_context['Xtoken'] = \
-            re.search(b'Token : (.+)', o[1]).group(1)
+        _pf_context['Xtoken'].append(re.search(b'Token : (.+)', o[1]).group(1))

-    def disable(self):
-        if _pf_context['Xtoken'] is not None:
-            pfctl('-X %s' % _pf_context['Xtoken'].decode("ASCII"))
+    def disable(self, anchor):
+        pfctl('-a %s -F all' % anchor)
+        if _pf_context['Xtoken']:
+            pfctl('-X %s' % _pf_context['Xtoken'].pop().decode("ASCII"))

-    def add_anchors(self):
+    def add_anchors(self, anchor):
        # before adding anchors and rules we must override the skip lo
        # that in some cases ends up in the chain so the rules we will add,
        # which rely on translating/filtering  packets on lo, can work
-        pfctl('-f /dev/stdin', b'pass on lo\n')
-        super(Darwin, self).add_anchors()
+        if self.has_skip_loopback():
+            pfctl('-f /dev/stdin', b'pass on lo\n')
+        super(Darwin, self).add_anchors(anchor)

    def _add_natlook_ports(self, pnl, src_port, dst_port):
        pnl.sxport.port = socket.htons(src_port)
@ -326,9 +345,14 @@ def pfctl(args, stdin=None):
    argv = ['pfctl'] + list(args.split(" "))
    debug1('>> %s\n' % ' '.join(argv))

+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
    p = ssubprocess.Popen(argv, stdin=ssubprocess.PIPE,
                          stdout=ssubprocess.PIPE,
-                          stderr=ssubprocess.PIPE)
+                          stderr=ssubprocess.PIPE,
+                          env=env)
    o = p.communicate(stdin)
    if p.returncode:
        raise Fatal('%r returned %d' % (argv, p.returncode))
@ -344,9 +368,17 @@ def pf_get_dev():
    return _pf_fd


+def pf_get_anchor(family, port):
+    return 'sshuttle%s-%d' % ('' if family == socket.AF_INET else '6', port)
+

 class Method(BaseMethod):

+    def get_supported_features(self):
+        result = super(Method, self).get_supported_features()
+        result.ipv6 = True
+        return result
+
    def get_tcp_dstip(self, sock):
        pfile = self.firewall.pfile

@ -372,7 +404,7 @@ class Method(BaseMethod):
        translating_rules = []
        filtering_rules = []

-        if family != socket.AF_INET:
+        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by pf method_name'
                % family_to_string(family))
@ -391,20 +423,20 @@ class Method(BaseMethod):
                                    snet.encode("ASCII"),
                                    swidth))

-        pf.add_anchors()
-        pf.add_rules(includes, port, dnsport, nslist)
+        anchor = pf_get_anchor(family, port)
+        pf.add_anchors(anchor)
+        pf.add_rules(anchor, includes, port, dnsport, nslist, family)
        pf.enable()

    def restore_firewall(self, port, family, udp):
-        if family != socket.AF_INET:
+        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by pf method_name'
                % family_to_string(family))
        if udp:
            raise Exception("UDP not supported by pf method_name")

-        pfctl('-a sshuttle -F all')
-        pf.disable()
+        pf.disable(pf_get_anchor(family, port))

    def firewall_command(self, line):
        if line.startswith('QUERY_PF_NAT '):
--- a/sshuttle/options.py
+++ b/sshuttle/options.py
@ -134,7 +134,7 @@ parser.add_argument(
    "-H", "--auto-hosts",
    action="store_true",
    help="""
-    scan for remote hostnames and update local /etc/hosts
+    continuously scan for remote hostnames and update local /etc/hosts as they are found
    """
 )
 parser.add_argument(
@ -187,7 +187,7 @@ parser.add_argument(
    "-x", "--exclude",
    metavar="IP/MASK",
    action="append",
-    default=[parse_subnet('127.0.0.1/8')],
+    default=[],
    type=parse_subnet,
    help="""
    exclude this subnet (can be used more than once)
@ -232,7 +232,7 @@ parser.add_argument(
    metavar="HOSTNAME[,HOSTNAME]",
    default=[],
    help="""
-    with -H, use these hostnames for initial scan (comma-separated)
+    comma-separated list of hostnames for initial scan (may be used with or without --auto-hosts)
    """
 )
 parser.add_argument(
--- a/sshuttle/server.py
+++ b/sshuttle/server.py
@ -63,7 +63,11 @@ def _shl(n, bits):
 def _list_routes():
    # FIXME: IPv4 only
    argv = ['netstat', '-rn']
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE)
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
+    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
    routes = []
    for line in p.stdout:
        cols = re.split(r'\s+', line.decode("ASCII"))
@ -94,7 +98,7 @@ def _exc_dump():
    return ''.join(traceback.format_exception(*exc_info))


-def start_hostwatch(seed_hosts):
+def start_hostwatch(seed_hosts, auto_hosts):
    s1, s2 = socket.socketpair()
    pid = os.fork()
    if not pid:
@ -106,7 +110,7 @@ def start_hostwatch(seed_hosts):
                os.dup2(s1.fileno(), 1)
                os.dup2(s1.fileno(), 0)
                s1.close()
-                rv = hostwatch.hw_main(seed_hosts) or 0
+                rv = hostwatch.hw_main(seed_hosts, auto_hosts) or 0
            except Exception:
                log('%s\n' % _exc_dump())
                rv = 98
@ -219,11 +223,11 @@ class UdpProxy(Handler):
            log('UDP recv from %r port %d: %s\n' % (peer[0], peer[1], e))
            return
        debug2('UDP response: %d bytes\n' % len(data))
-        hdr = "%s,%r," % (peer[0], peer[1])
+        hdr = b("%s,%r," % (peer[0], peer[1]))
        self.mux.send(self.chan, ssnet.CMD_UDP_DATA, hdr + data)


-def main(latency_control):
+def main(latency_control, auto_hosts):
    debug1('Starting server with Python version %s\n'
           % platform.python_version())

@ -273,7 +277,8 @@ def main(latency_control):

    def got_host_req(data):
        if not hw.pid:
-            (hw.pid, hw.sock) = start_hostwatch(data.strip().split())
+            (hw.pid, hw.sock) = start_hostwatch(
+                    data.strip().split(), auto_hosts)
            handlers.append(Handler(socks=[hw.sock],
                                    callback=hostwatch_ready))
    mux.got_host_req = got_host_req
@ -281,6 +286,12 @@ def main(latency_control):
    def new_channel(channel, data):
        (family, dstip, dstport) = data.decode("ASCII").split(',', 2)
        family = int(family)
+        # AF_INET is the same constant on Linux and BSD but AF_INET6
+        # is different. As the client and server can be running on
+        # different platforms we can not just set the socket family
+        # to what comes in the wire.
+        if family != socket.AF_INET:
+            family = socket.AF_INET6
        dstport = int(dstport)
        outwrap = ssnet.connect_dst(family, dstip, dstport)
        handlers.append(Proxy(MuxWrapper(mux, channel), outwrap))
@ -300,7 +311,7 @@ def main(latency_control):
    def udp_req(channel, cmd, data):
        debug2('Incoming UDP request channel=%d, cmd=%d\n' % (channel, cmd))
        if cmd == ssnet.CMD_UDP_DATA:
-            (dstip, dstport, data) = data.split(",", 2)
+            (dstip, dstport, data) = data.split(b(','), 2)
            dstport = int(dstport)
            debug2('is incoming UDP data. %r %d.\n' % (dstip, dstport))
            h = udphandlers[channel]
--- a/sshuttle/ssh.py
+++ b/sshuttle/ssh.py
@ -15,6 +15,7 @@ except ImportError:
    # Python 2.x
    from pipes import quote

+
 def readfile(name):
    tokens = name.split(".")
    f = None
@ -105,7 +106,7 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
    if not rhost:
        # ignore the --python argument when running locally; we already know
        # which python version works.
-        argv = [sys.argv[1], '-c', pyscript]
+        argv = [sys.executable, '-c', pyscript]
    else:
        if ssh_cmd:
            sshl = ssh_cmd.split(' ')
--- a/sshuttle/ssnet.py
+++ b/sshuttle/ssnet.py
@ -54,7 +54,8 @@ cmd_to_name = {

 NET_ERRS = [errno.ECONNREFUSED, errno.ETIMEDOUT,
            errno.EHOSTUNREACH, errno.ENETUNREACH,
-            errno.EHOSTDOWN, errno.ENETDOWN]
+            errno.EHOSTDOWN, errno.ENETDOWN,
+            errno.ENETUNREACH]


 def _add(l, elem):
@ -357,8 +358,8 @@ class Mux(Handler):

    def amount_queued(self):
        total = 0
-        for b in self.outbuf:
-            total += len(b)
+        for byte in self.outbuf:
+            total += len(byte)
        return total

    def check_fullness(self):
@ -375,7 +376,8 @@ class Mux(Handler):
    def send(self, channel, cmd, data):
        assert isinstance(data, binary_type)
        assert len(data) <= 65535
-        p = struct.pack('!ccHHH', b('S'), b('S'), channel, cmd, len(data)) + data
+        p = struct.pack('!ccHHH', b('S'), b('S'), channel, cmd, len(data)) \
+            + data
        self.outbuf.append(p)
        debug2(' > channel=%d cmd=%s len=%d (fullness=%d)\n'
               % (channel, cmd_to_name.get(cmd, hex(cmd)),
@ -556,7 +558,7 @@ def connect_dst(family, ip, port):
    outsock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
    return SockWrapper(outsock, outsock,
                       connect_to=(ip, port),
-                       peername = '%s:%d' % (ip, port))
+                       peername='%s:%d' % (ip, port))


 def runonce(handlers, mux):
--- a/sshuttle/tests/client/test_methods_pf.py
+++ b/sshuttle/tests/client/test_methods_pf.py
@ -10,7 +10,7 @@ from sshuttle.methods.pf import FreeBsd, Darwin, OpenBsd
 def test_get_supported_features():
    method = get_method('pf')
    features = method.get_supported_features()
-    assert not features.ipv6
+    assert features.ipv6
    assert not features.udp
    assert features.dns

@ -155,6 +155,8 @@ def test_firewall_command_openbsd(mock_pf_get_dev, mock_ioctl, mock_stdout):


 def pfctl(args, stdin=None):
+    if args == '-s Interfaces -i lo -v':
+        return (b'lo0 (skip)',)
    if args == '-s all':
        return (b'INFO:\nStatus: Disabled\nanother mary had a little lamb\n',
                b'little lamb\n')
@ -174,19 +176,45 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method = get_method('pf')
    assert method.name == 'pf'

-    with pytest.raises(Exception) as excinfo:
-        method.setup_firewall(
-            1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
-            10,
-            [(10, 64, False, u'2404:6800:4004:80c::'),
-                (10, 128, True, u'2404:6800:4004:80c::101f')],
-            True)
-    assert str(excinfo.value) \
-        == 'Address family "AF_INET6" unsupported by pf method_name'
-    assert mock_pf_get_dev.mock_calls == []
-    assert mock_ioctl.mock_calls == []
-    assert mock_pfctl.mock_calls == []
+    # IPV6
+
+    method.setup_firewall(
+        1024, 1026,
+        [(10, u'2404:6800:4004:80c::33')],
+        10,
+        [(10, 64, False, u'2404:6800:4004:80c::'),
+            (10, 128, True, u'2404:6800:4004:80c::101f')],
+        False)
+    assert mock_ioctl.mock_calls == [
+        call(mock_pf_get_dev(), 0xC4704433, ANY),
+        call(mock_pf_get_dev(), 0xCC20441A, ANY),
+        call(mock_pf_get_dev(), 0xCC20441A, ANY),
+        call(mock_pf_get_dev(), 0xC4704433, ANY),
+        call(mock_pf_get_dev(), 0xCC20441A, ANY),
+        call(mock_pf_get_dev(), 0xCC20441A, ANY),
+    ]
+    assert mock_pfctl.mock_calls == [
+        call('-s Interfaces -i lo -v'),
+        call('-f /dev/stdin', b'pass on lo\n'),
+        call('-s all'),
+        call('-a sshuttle6-1024 -f /dev/stdin',
+             b'table <forward_subnets> {'
+             b'!2404:6800:4004:80c::101f/128,2404:6800:4004:80c::/64'
+             b'}\n'
+             b'table <dns_servers> {2404:6800:4004:80c::33}\n'
+             b'rdr pass on lo0 inet6 proto tcp '
+             b'to <forward_subnets> -> ::1 port 1024\n'
+             b'rdr pass on lo0 inet6 proto udp '
+             b'to <dns_servers> port 53 -> ::1 port 1026\n'
+             b'pass out route-to lo0 inet6 proto tcp '
+             b'to <forward_subnets> keep state\n'
+             b'pass out route-to lo0 inet6 proto udp '
+             b'to <dns_servers> port 53 keep state\n'),
+        call('-E'),
+    ]
+    mock_pf_get_dev.reset_mock()
+    mock_ioctl.reset_mock()
+    mock_pfctl.reset_mock()

    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
@ -215,14 +243,15 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
    ]
    assert mock_pfctl.mock_calls == [
+        call('-s Interfaces -i lo -v'),
        call('-f /dev/stdin', b'pass on lo\n'),
        call('-s all'),
-        call('-a sshuttle -f /dev/stdin',
+        call('-a sshuttle-1025 -f /dev/stdin',
             b'table <forward_subnets> {!1.2.3.66/32,1.2.3.0/24}\n'
             b'table <dns_servers> {1.2.3.33}\n'
-             b'rdr pass on lo0 proto tcp '
+             b'rdr pass on lo0 inet proto tcp '
             b'to <forward_subnets> -> 127.0.0.1 port 1025\n'
-             b'rdr pass on lo0 proto udp '
+             b'rdr pass on lo0 inet proto udp '
             b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
             b'pass out route-to lo0 inet proto tcp '
             b'to <forward_subnets> keep state\n'
@ -237,7 +266,7 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method.restore_firewall(1025, 2, False)
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == [
-        call('-a sshuttle -F all'),
+        call('-a sshuttle-1025 -F all'),
        call("-X abcdefg"),
    ]
    mock_pf_get_dev.reset_mock()
@ -256,19 +285,34 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method = get_method('pf')
    assert method.name == 'pf'

-    with pytest.raises(Exception) as excinfo:
-        method.setup_firewall(
-            1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
-            10,
-            [(10, 64, False, u'2404:6800:4004:80c::'),
-                (10, 128, True, u'2404:6800:4004:80c::101f')],
-            True)
-    assert str(excinfo.value) \
-        == 'Address family "AF_INET6" unsupported by pf method_name'
-    assert mock_pf_get_dev.mock_calls == []
-    assert mock_ioctl.mock_calls == []
-    assert mock_pfctl.mock_calls == []
+    method.setup_firewall(
+        1024, 1026,
+        [(10, u'2404:6800:4004:80c::33')],
+        10,
+        [(10, 64, False, u'2404:6800:4004:80c::'),
+            (10, 128, True, u'2404:6800:4004:80c::101f')],
+        False)
+
+    assert mock_pfctl.mock_calls == [
+        call('-s all'),
+        call('-a sshuttle6-1024 -f /dev/stdin',
+             b'table <forward_subnets> {'
+             b'!2404:6800:4004:80c::101f/128,2404:6800:4004:80c::/64'
+             b'}\n'
+             b'table <dns_servers> {2404:6800:4004:80c::33}\n'
+             b'rdr pass on lo0 inet6 proto tcp '
+             b'to <forward_subnets> -> ::1 port 1024\n'
+             b'rdr pass on lo0 inet6 proto udp '
+             b'to <dns_servers> port 53 -> ::1 port 1026\n'
+             b'pass out route-to lo0 inet6 proto tcp '
+             b'to <forward_subnets> keep state\n'
+             b'pass out route-to lo0 inet6 proto udp '
+             b'to <dns_servers> port 53 keep state\n'),
+        call('-e'),
+    ]
+    mock_pf_get_dev.reset_mock()
+    mock_ioctl.reset_mock()
+    mock_pfctl.reset_mock()

    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
@ -298,12 +342,12 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    ]
    assert mock_pfctl.mock_calls == [
        call('-s all'),
-        call('-a sshuttle -f /dev/stdin',
+        call('-a sshuttle-1025 -f /dev/stdin',
             b'table <forward_subnets> {!1.2.3.66/32,1.2.3.0/24}\n'
             b'table <dns_servers> {1.2.3.33}\n'
-             b'rdr pass on lo0 proto tcp '
+             b'rdr pass on lo0 inet proto tcp '
             b'to <forward_subnets> -> 127.0.0.1 port 1025\n'
-             b'rdr pass on lo0 proto udp '
+             b'rdr pass on lo0 inet proto udp '
             b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
             b'pass out route-to lo0 inet proto tcp '
             b'to <forward_subnets> keep state\n'
@ -318,7 +362,7 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method.restore_firewall(1025, 2, False)
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == [
-        call('-a sshuttle -F all'),
+        call('-a sshuttle-1025 -F all'),
        call("-d"),
    ]
    mock_pf_get_dev.reset_mock()
@ -337,19 +381,40 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method = get_method('pf')
    assert method.name == 'pf'

-    with pytest.raises(Exception) as excinfo:
-        method.setup_firewall(
-            1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
-            10,
-            [(10, 64, False, u'2404:6800:4004:80c::'),
-                (10, 128, True, u'2404:6800:4004:80c::101f')],
-            True)
-    assert str(excinfo.value) \
-        == 'Address family "AF_INET6" unsupported by pf method_name'
-    assert mock_pf_get_dev.mock_calls == []
-    assert mock_ioctl.mock_calls == []
-    assert mock_pfctl.mock_calls == []
+    method.setup_firewall(
+        1024, 1026,
+        [(10, u'2404:6800:4004:80c::33')],
+        10,
+        [(10, 64, False, u'2404:6800:4004:80c::'),
+            (10, 128, True, u'2404:6800:4004:80c::101f')],
+        False)
+
+    assert mock_ioctl.mock_calls == [
+        call(mock_pf_get_dev(), 0xcd48441a, ANY),
+        call(mock_pf_get_dev(), 0xcd48441a, ANY),
+    ]
+    assert mock_pfctl.mock_calls == [
+        call('-s Interfaces -i lo -v'),
+        call('-f /dev/stdin', b'match on lo\n'),
+        call('-s all'),
+        call('-a sshuttle6-1024 -f /dev/stdin',
+             b'table <forward_subnets> {'
+             b'!2404:6800:4004:80c::101f/128,2404:6800:4004:80c::/64'
+             b'}\n'
+             b'table <dns_servers> {2404:6800:4004:80c::33}\n'
+             b'pass in on lo0 inet6 proto tcp to '
+             b'<forward_subnets> divert-to ::1 port 1024\n'
+             b'pass in on lo0 inet6 proto udp '
+             b'to <dns_servers> port 53 rdr-to ::1 port 1026\n'
+             b'pass out inet6 proto tcp to '
+             b'<forward_subnets> route-to lo0 keep state\n'
+             b'pass out inet6 proto udp to '
+             b'<dns_servers> port 53 route-to lo0 keep state\n'),
+        call('-e'),
+    ]
+    mock_pf_get_dev.reset_mock()
+    mock_ioctl.reset_mock()
+    mock_pfctl.reset_mock()
    
    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
@ -374,14 +439,15 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        call(mock_pf_get_dev(), 0xcd48441a, ANY),
    ]
    assert mock_pfctl.mock_calls == [
+        call('-s Interfaces -i lo -v'),
        call('-f /dev/stdin', b'match on lo\n'),
        call('-s all'),
-        call('-a sshuttle -f /dev/stdin',
+        call('-a sshuttle-1025 -f /dev/stdin',
             b'table <forward_subnets> {!1.2.3.66/32,1.2.3.0/24}\n'
             b'table <dns_servers> {1.2.3.33}\n'
-             b'pass in on lo0 inet proto tcp divert-to 127.0.0.1 port 1025\n'
+             b'pass in on lo0 inet proto tcp to <forward_subnets> divert-to 127.0.0.1 port 1025\n'
             b'pass in on lo0 inet proto udp to '
-             b'<dns_servers>port 53 rdr-to 127.0.0.1 port 1027\n'
+             b'<dns_servers> port 53 rdr-to 127.0.0.1 port 1027\n'
             b'pass out inet proto tcp to '
             b'<forward_subnets> route-to lo0 keep state\n'
             b'pass out inet proto udp to '
@ -395,7 +461,7 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method.restore_firewall(1025, 2, False)
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == [
-        call('-a sshuttle -F all'),
+        call('-a sshuttle-1025 -F all'),
        call("-d"),
    ]
    mock_pf_get_dev.reset_mock()
--- a/sshuttle/tests/server/test_server.py
+++ b/sshuttle/tests/server/test_server.py
@ -1,3 +1,4 @@
+import os
 import io
 import socket
 import sshuttle.server
@ -34,8 +35,12 @@ Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface

    routes = sshuttle.server._list_routes()

+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
    assert mock_popen.mock_calls == [
-        call(['netstat', '-rn'], stdout=-1),
+        call(['netstat', '-rn'], stdout=-1, env=env),
        call().wait()
    ]
    assert routes == [
Author	SHA1	Message	Date
Brian May	2c20a1fd5a	New release	2016-08-06 18:58:00 +10:00
Brian May	915f72de35	Add changes for next release	2016-08-06 18:52:26 +10:00
Brian May	1ffc3f52a1	Merge pull request #108 from vieira/pf-ipv6 IPv6 support for OSX and BSDs	2016-07-29 07:57:35 +10:00
vieira	8520ea2787	Use == instead of is to compare with AF_INET	2016-07-27 23:18:25 +00:00
vieira	6a394deaf2	Fixes missing comma from tuple in pf tests	2016-07-27 23:06:36 +00:00
vieira	83d5c59a57	Tests for IPv6 on pf	2016-07-27 22:17:02 +00:00
vieira	1cfd9eb9d7	Be more specific and consistent in some pf rules	2016-07-27 22:15:47 +00:00
vieira	f8d58fa4f0	IPv6 support for BSD and OSX Adds IPv6 support for OpenBSD and OSX.	2016-07-24 22:04:29 +00:00
vieira	d2d5a37541	AF_INET6 is different between BSDs and Linux AF_INET is the same constant on Linux and BSD but AF_INET6 is different. As the client and server can be running on different platforms we can not just set the socket family to what comes in the wire.	2016-07-24 22:02:17 +00:00
vieira	e9be2deea0	Exclude the IP where sshuttle is really listening We were always excluding 127.0.0.1/8 but sshuttle might be listening on other IP, e.g., ::1 for IPv6 or any other defined with -l	2016-07-24 21:58:20 +00:00
Brian May	22b1b54bfd	Add pytest-runner support	2016-07-10 11:26:32 +10:00
vieira	a43c668dde	Fixes type mismatch between str and bytes Should fix issue #104.	2016-07-09 22:49:12 +00:00
Huiqiang Liu	e0dfb95596	Fix OpenBSD pf test failure	2016-06-17 17:18:43 +08:00
Huiqiang Liu	5d28ce8272	Merge pull request #1 from vieira/patch-1 Add <forward_subnets> to divert rule in OpenBSD	2016-06-17 08:25:59 +08:00
João Vieira	f876c5db5e	Add <forward_subnets> to divert rule in OpenBSD Fixes bug where all traffic routed to loopback would end up being diverted to the same port.	2016-06-16 22:34:19 +01:00
Huiqiang Liu	2e1beefc9a	Hack pf to enable multiple instances in Mac OS X 10.10 and above	2016-06-16 12:31:02 +08:00
Dan Lenski	5a20783baa	tweak docs to match @vieira's changes	2016-05-02 21:40:53 -07:00
vieira	495b3c39ea	Seed hosts without auto hosts A possible implementation for the change requested in #94, so that seed hosts can be used without auto hosts. In this scenario only the specified hosts (or ips) will be looked up (or rev looked up).	2016-05-03 00:18:32 +00:00
Brian May	f3cbc5018a	Fix PEP8 issues	2016-04-30 18:08:46 +10:00
Brian May	e73e797f33	Update files list	2016-04-30 18:05:47 +10:00
Brian May	1d64879613	Fix tests	2016-04-23 13:19:06 +10:00
Brian May	8fad282bfd	Ensure locale is set to C for external commands Otherwise the output can vary and confuse our attempts to parse it. Fixes: 93	2016-04-23 12:53:45 +10:00
Brian May	1dda9dd621	Add ENETUNREACH to NET_ERRS We shouldn't come up with a fatal error because of a ENETUNREACH when trying to contact the DNS server. Although this error shouldn't happen either. Fixes #89.	2016-04-20 15:18:59 +10:00
vieira	74e308a29f	Don't mix tab and spaces in shell script Sometime ago I was in python mode and incorrectly indented a line of the shell script with spaces instead of tabs. Shame on me. This should bring things back to their natural order.	2016-04-20 15:17:07 +10:00
vieira	516ff7bc4a	Correctly obtains the python executable to use Previously the sshuttle shell script would pass the python to use as the first argument of the command. The new run script no longer does this. Instead we can obtain the python being used via sys.executable. Fixes #88.	2016-04-20 15:15:44 +10:00
Brian May	89c5b57019	Attempt readthedocs workaround readthedocs alters docs/conf.py which in turn means python_scm detects a version and incorrectly adjusts the version number. Here we try to work around this problem. We do this by renaming the docs/conf.py file and copying it back to docs/conf.py when setup.py is invoked. This way, hopefully, scm won't see the changes to docs/conf.py References: http://stackoverflow.com/questions/35811267/readthedocs-and-setuptools-scm-version-wrong/36386177 https://github.com/pypa/setuptools_scm/issues/84	2016-04-18 11:44:05 +10:00