author | Victor Kareh <vkareh@redhat.com> | 2021-01-18 15:28:52 -0500 |
---|---|---|
committer | Brian May <brian@linuxpenguins.xyz> | 2021-03-05 08:53:53 +1100 |
commit | 167a57e739bf62b83dcfb46e7d01a581981ef431 (patch) | |
tree | 9cb75c1c02ac0df67297b408cc4eda2ec130a08b /sshuttle/methods/ipfw.py | |
parent | 0e51da519fe5e277fd77ac7860a4f39b5f7e5e78 (diff) |
firewall: Allow overriding the TTL
In instances where a cluster pod in a local VM needs to access a server
that is sshuttle'd from the host, since the packets arriving at the host
already made a hop, their TTL is 63 and so get ignored by sshuttle.
Allowing an override of the firewall TTL rule allows the packets to go
through.
Diffstat (limited to 'sshuttle/methods/ipfw.py')
-rw-r--r-- | sshuttle/methods/ipfw.py | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sshuttle/methods/ipfw.py b/sshuttle/methods/ipfw.py
index 34f71a2..f93bdf4 100644
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@@ -189,7 +189,7 @@ class Method(BaseMethod):
 # udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)
 
 def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
- user):
+ user, ttl):
 # IPv6 not supported
 if family not in [socket.AF_INET]:
 raise Exception(
@@ -216,7 +216,7 @@ class Method(BaseMethod):
 ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
 'tcp',
 'from', 'any', 'to', 'table(126)',
- 'not', 'ipttl', '63', 'keep-state', 'setup')
+ 'not', 'ipttl', ttl, 'keep-state', 'setup')
 
 ipfw_noexit('table', '124', 'flush')
 dnscount = 0
@@ -227,11 +227,11 @@ class Method(BaseMethod):
 ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
 'udp',
 'from', 'any', 'to', 'table(124)',
- 'not', 'ipttl', '63')
+ 'not', 'ipttl', ttl)
 ipfw('add', '1', 'allow',
 'udp',
 'from', 'any', 'to', 'any',
- 'ipttl', '63')
+ 'ipttl', ttl)
 
 if subnets:
 # create new subnet entries
 |
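Review bot: The new `ttl` parameter is spliced into the ipfw argument list of all three rules (the TCP `fwd`, the DNS `fwd` and the UDP `allow`) without being normalized or range-checked, so a value that is not a plain decimal string changes the rule instead of failing: ipfw's `ipttl` accepts lists and ranges, so something like `1-63` would silently widen the set of packets exempted from redirection. A short guard at the top of setup_firewall, before the `family` check, pins it down: `ttl = str(int(ttl))` followed by `if not 0 < int(ttl) < 256: raise Exception('invalid TTL %r' % ttl)`. Converting to `str` also preserves the contract of the old `'63'` literal in case the caller hands over an int (how ipfw() builds its argv is not visible from these hunks). Since the value now drives the loop-prevention exemption, the `not ipttl` lines deserve a why-comment such as `# packets already carrying this TTL are treated as sshuttle's own traffic and are not redirected`, because choosing a TTL that ordinary local traffic uses would exempt that traffic from sshuttle entirely. setup_firewall's body continues past the end of each of these hunks.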