author | vieira <vieira@yubo.be> | 2017-07-28 02:31:45 +0000 |
committer | Brian May <brian@linuxpenguins.xyz> | 2017-07-29 17:15:32 +1000 |
commit | 4e8c2b9c680518677b9ce49936ed3336b202ecf5 (patch) | |
tree | 13ffe96a4f33e29f4296f7dc74c1a7acd855182b | |
parent | be559fc78b881398fb4d0bd79a19d2eb255830a6 (diff) |
Avoid port forwarding from loopback address
When doing port forwarding on lo0 avoid the special case where the
traffic on lo0 did not come from the sshuttle pass out rule but from the lo0
address itself. Fixes #159.
-rw-r--r-- | sshuttle/methods/pf.py | 4 | ||||
-rw-r--r-- | sshuttle/tests/client/test_methods_pf.py | 12 |
2 files changed, 8 insertions, 8 deletions
diff --git a/sshuttle/methods/pf.py b/sshuttle/methods/pf.py
index 28d7ddd..498ba8c 100644
--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@@ -189,8 +189,8 @@ class FreeBsd(Generic):
 tables = []
 translating_rules = [
- b'rdr pass on lo0 %s proto tcp to %s '
- b'-> %s port %r' % (inet_version, subnet, lo_addr, port)
+ b'rdr pass on lo0 %s proto tcp from ! %s to %s '
+ b'-> %s port %r' % (inet_version, lo_addr, subnet, lo_addr, port)
 for exclude, subnet in includes if not exclude
 ]
 filtering_rules = [
diff --git a/sshuttle/tests/client/test_methods_pf.py b/sshuttle/tests/client/test_methods_pf.py
index 5df57af..36b64a9 100644
--- a/sshuttle/tests/client/test_methods_pf.py
+++ b/sshuttle/tests/client/test_methods_pf.py
@@ -199,7 +199,7 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 call('-s all'),
 call('-a sshuttle6-1024 -f /dev/stdin',
 b'table <dns_servers> {2404:6800:4004:80c::33}\n'
- b'rdr pass on lo0 inet6 proto tcp to '
+ b'rdr pass on lo0 inet6 proto tcp from ! ::1 to '
 b'2404:6800:4004:80c::/64 port 8000:9000 -> ::1 port 1024\n'
 b'rdr pass on lo0 inet6 proto udp '
 b'to <dns_servers> port 53 -> ::1 port 1026\n'
@@ -248,7 +248,7 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 call('-s all'),
 call('-a sshuttle-1025 -f /dev/stdin',
 b'table <dns_servers> {1.2.3.33}\n'
- b'rdr pass on lo0 inet proto tcp to 1.2.3.0/24 '
+ b'rdr pass on lo0 inet proto tcp from ! 127.0.0.1 to 1.2.3.0/24 '
 b'-> 127.0.0.1 port 1025\n'
 b'rdr pass on lo0 inet proto udp '
 b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
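Review bot: The new `from ! %s` guard on the TCP rdr rule in pf.py is undocumented, and as a bare pf negation it reads as an odd exclusion; a comment such as `# Skip connections that originate from lo_addr itself: only traffic diverted onto lo0 by the pass-out rule should be redirected (#159).` would preserve the reason. The UDP DNS rdr rule that the expected test output shows right after it (`rdr pass on lo0 ... proto udp to <dns_servers> port 53 -> ...`) keeps no such exclusion, so either the loopback-origin case cannot arise for DNS, which is worth stating in that comment, or it needs the same `from ! lo_addr` guard. Note also that only the single lo_addr is excluded; for inet, other 127/8 addresses present on lo0 would still match the rule, which may or may not matter for the case in #159. The enclosing method (inside class FreeBsd) starts and ends outside the hunk.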
@@ -296,8 +296,8 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 call('-s all'),
 call('-a sshuttle6-1024 -f /dev/stdin',
 b'table <dns_servers> {2404:6800:4004:80c::33}\n'
- b'rdr pass on lo0 inet6 proto tcp to 2404:6800:4004:80c::/64 '
- b'port 8000:9000 -> ::1 port 1024\n'
+ b'rdr pass on lo0 inet6 proto tcp from ! ::1 to '
+ b'2404:6800:4004:80c::/64 port 8000:9000 -> ::1 port 1024\n'
 b'rdr pass on lo0 inet6 proto udp '
 b'to <dns_servers> port 53 -> ::1 port 1026\n'
 b'pass out quick inet6 proto tcp to '
@@ -343,8 +343,8 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 call('-s all'),
 call('-a sshuttle-1025 -f /dev/stdin',
 b'table <dns_servers> {1.2.3.33}\n'
- b'rdr pass on lo0 inet proto tcp to 1.2.3.0/24 -> '
- b'127.0.0.1 port 1025\n'
+ b'rdr pass on lo0 inet proto tcp from ! 127.0.0.1 '
+ b'to 1.2.3.0/24 -> 127.0.0.1 port 1025\n'
 b'rdr pass on lo0 inet proto udp '
 b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
 b'pass out quick inet proto tcp to 1.2.3.66/32 port 80:80\n'