author | Haw Loeung <haw.loeung@canonical.com> | 2020-01-31 11:18:00 +1100 |
---|---|---|
committer | Brian May <brian@linuxpenguins.xyz> | 2020-02-04 07:41:29 +1100 |
commit | 84076f29fac33d06aaa4298a0ffb7b5468a995a4 (patch) | |
tree | cb7e8918647ecaf1361430d490fc5b073af132cd | |
parent | ad31ac4e18f124172beda3e69cd2e57a20ffe594 (diff) |
Handle when default chains already exists (#392)
-rw-r--r-- | sshuttle/methods/nft.py | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/sshuttle/methods/nft.py b/sshuttle/methods/nft.py index 7b14f76..59266af 100644 --- a/sshuttle/methods/nft.py +++ b/sshuttle/methods/nft.py @@ -1,5 +1,6 @@ import socket from sshuttle.firewall import subnet_weight +from sshuttle.helpers import Fatal, log from sshuttle.linux import nft, nft_get_handle, nonfatal from sshuttle.methods import BaseMethod @@ -21,16 +22,19 @@ class Method(BaseMethod): def _nft(action, *args): return nft(family, table, action, *args) - chain = 'sshuttle-%s' % port - # basic cleanup/setup of chains _nft('add table', '') - _nft('add chain', 'prerouting', - '{ type nat hook prerouting priority -100; policy accept; }') - _nft('add chain', 'postrouting', - '{ type nat hook postrouting priority 100; policy accept; }') - _nft('add chain', 'output', - '{ type nat hook output priority -100; policy accept; }') + # prerouting, postrouting, and output chains may already exist + for chain in ['prerouting', 'postrouting', 'output']: + rules = '{{ type nat hook {} priority -100; policy accept; }}' \ + .format(chain) + try: + _nft('add chain', chain, rules) + except Fatal: + log('Chain {} already exists, ignoring\n'.format(chain)) + + chain = 'sshuttle-%s' % port + _nft('add chain', chain) _nft('flush chain', chain) _nft('add rule', 'output jump %s' % chain) |
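Review bot: The new loop hard-codes `priority -100` for every hook, so the postrouting chain that the removed lines created with `{ type nat hook postrouting priority 100; policy accept; }` is now created with -100; the commit message only speaks of tolerating existing chains, so this looks like an unintended behaviour change and the priority should stay per chain. The `except Fatal:` is also wider than the comment above it suggests: presumably any failing nft invocation for these three chains raises Fatal, yet the log line unconditionally reports "already exists", so a genuine failure is misreported and setup carries on without the hook chain until a later `add rule` trips over it. Keeping a small per-chain priority table and logging the exception text preserves the "already exists" tolerance without hiding other failures; the rewritten lines are below. The enclosing method continues outside the hunk (the last context line counted by `@@ -21,16 +22,19 @@` is not shown on this page).
```python
        # prerouting, postrouting, and output chains may already exist;
        # postrouting keeps the positive (srcnat) priority it always had
        priorities = {'prerouting': -100, 'postrouting': 100, 'output': -100}
        for chain, priority in priorities.items():
            rules = '{{ type nat hook {} priority {}; policy accept; }}' \
                .format(chain, priority)
            try:
                _nft('add chain', chain, rules)
            except Fatal as e:
                # every nft failure lands here, not only "chain exists":
                # keep nft's own message so a real error is not misread
                log('Chain {} not added ({}), assuming it already exists\n'
                    .format(chain, e))
        # … unchanged: sshuttle-<port> chain creation, flush and jump rules …
```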