author | vieira <vieira@yubo.be> | 2016-03-02 00:06:31 +0000 |
---|---|---|
committer | Brian May <brian@linuxpenguins.xyz> | 2016-03-02 18:36:14 +1100 |
commit | fae4cb1dbf012a71504a4f03ec566ac278b66906 (patch) | |
tree | a2f80163402d1610cf1603160c567f3f85c0be42 | |
parent | 7d8309ef05c15ebbe98cc484606979001f8c46f3 (diff) |
Override the skip on lo that ends up in the chain
In some cases (see #43) it seems that some network configurations may
end up setting a skip on lo. As sshuttle adds rules that rely on
filtering/translating packets on lo, this causes problems. This fix
overrides the skip and makes the rules be applied again.
Should fix at least some of the problems reported on #43.
-rw-r--r-- | sshuttle/methods/pf.py | 7 | ||||
-rw-r--r-- | sshuttle/tests/test_methods_pf.py | 1 |
2 files changed, 8 insertions, 0 deletions
diff --git a/sshuttle/methods/pf.py b/sshuttle/methods/pf.py
index eee36fe..e017c12 100644
--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@@ -235,6 +235,13 @@ class Darwin(FreeBsd):
 if _pf_context['Xtoken'] is not None:
 pfctl('-X %s' % _pf_context['Xtoken'].decode("ASCII"))
+ def add_anchors(self):
+ # before adding anchors and rules we must override the skip lo
+ # that in some cases ends up in the chain so the rules we will add,
+ # which rely on translating/filtering packets on lo, can work
+ pfctl('-f /dev/stdin', b'pass on lo\n')
+ super(Darwin, self).add_anchors()
+
 def _add_natlook_ports(self, pnl, src_port, dst_port):
 pnl.sxport.port = socket.htons(src_port)
 pnl.dxport.port = socket.htons(dst_port)
diff --git a/sshuttle/tests/test_methods_pf.py b/sshuttle/tests/test_methods_pf.py
index 3d87ae8..61d719e 100644
--- a/sshuttle/tests/test_methods_pf.py
+++ b/sshuttle/tests/test_methods_pf.py
@@ -192,6 +192,7 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 call(mock_pf_get_dev(), 0xCC20441A, ANY),
 ]
 assert mock_pfctl.mock_calls == [
+ call('-f /dev/stdin', 'pass on lo\n'),
 call('-s all'),
 call('-a sshuttle -f /dev/stdin',
 b'table <forward_subnets> {!1.2.3.66/32,1.2.3.0/24}\n' |
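Review bot: The `pfctl('-f /dev/stdin', b'pass on lo\n')` call in `add_anchors` is issued without `-a`, so unlike the `-a sshuttle -f /dev/stdin` load visible in the test expectations it targets the main ruleset rather than sshuttle's own anchor, and it runs on every Darwin start whether or not a `skip` on lo is actually set. Loading with `-f` replaces the rules of the ruleset it targets, so this can displace host firewall policy that was loaded there, and a bare `pass` on loopback is broader than what the comment says is needed. Consider issuing it only when pfctl reports the skip flag on lo, and extend the comment with something like `# NOTE: no -a here: this changes the main ruleset, not the sshuttle anchor; confirm teardown restores it`. Whether the existing teardown path undoes this change is not visible in the hunk.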
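Review bot: The new expectation `call('-f /dev/stdin', 'pass on lo\n')` passes a text string, while `add_anchors` in pf.py calls pfctl with `b'pass on lo\n'` and the neighbouring expectation already uses a bytes literal (`b'table <forward_subnets> ...'`). On Python 3 a str and a bytes object never compare equal, so this assertion would presumably fail there even though it passes on Python 2. Change the line to `call('-f /dev/stdin', b'pass on lo\n'),`. The test function starts before this hunk and continues past it.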