author | Scott Kuhl <kuhl@mtu.edu> | 2021-05-31 23:33:55 -0400 |
committer | Scott Kuhl <kuhl@mtu.edu> | 2021-07-12 11:24:29 -0400 |
commit | bc065e368d9888a2f5816e5a498dfe33cb5dca8a (patch) | |
tree | 283d1006e8bb52aeb3f2348a7ad7b0fb817400fd /sshuttle/methods/nat.py | |
parent | 6ae0b51c61b43d7ac76b59248da0d2c127308c71 (diff) |
Remove ttl hack & require -r option.
Previously, it was possible to run sshuttle locally without using ssh
and connecting to a remote server. In this configuration, traffic was
redirected to the sshuttle server running on the localhost. However,
the firewall needed to distinguish between traffic leaving the
sshuttle server and traffic that originated from the machine that
still needed to be routed through the sshuttle server. The TTL of the
packets leaving the sshuttle server were manipulated to indicate to
the firewall what should happen. The TTL was adjusted for all packets
leaving the sshuttle server (even if it wasn't necessary because the
server and client were running on different machines).
Changing the TTL caused trouble on some machines, and
the --ttl option was added as a workaround to change how the TTL was
set for traffic leaving sshuttle. All of this added complexity to the
code for a feature (running the server on localhost) that is likely
only used for testing and rarely used by others.
This commit updates the associated documentation, but doesn't fully
fix the ipfw method since I am unable to test that.
This change will also make sshuttle fail to work if -r is used to
specify a localhost. Pull request #610 partially addresses that issue.
For example, see: #240, #490, #660, #606.
Diffstat (limited to 'sshuttle/methods/nat.py')
-rw-r--r-- | sshuttle/methods/nat.py | 20 |
1 files changed, 2 insertions, 18 deletions
diff --git a/sshuttle/methods/nat.py b/sshuttle/methods/nat.py
index a7a661c..076d880 100644
--- a/sshuttle/methods/nat.py
+++ b/sshuttle/methods/nat.py
@@ -1,7 +1,7 @@
 import socket
 from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import family_to_string, which, debug2
-from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists, nonfatal
+from sshuttle.linux import ipt, ipt_chain_exists, nonfatal
 from sshuttle.methods import BaseMethod
@@ -13,7 +13,7 @@ class Method(BaseMethod):
 # recently-started one will win (because we use "-I OUTPUT 1" instead of
 # "-A OUTPUT").
 def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-user, ttl, tmark):
+user, tmark):
 if family != socket.AF_INET and family != socket.AF_INET6:
 raise Exception(
 'Address family "%s" unsupported by nat method_name'
@@ -25,9 +25,6 @@ class Method(BaseMethod):
 def _ipt(*args):
 return ipt(family, table, *args)
-def _ipt_ttl(*args):
-return ipt_ttl(family, table, *args)
-
 def _ipm(*args):
 return ipt(family, "mangle", *args)
@@ -48,16 +45,6 @@ class Method(BaseMethod):
 _ipt('-I', 'OUTPUT', '1', *args)
 _ipt('-I', 'PREROUTING', '1', *args)
-# This TTL hack allows the client and server to run on the
-# same host. The connections the sshuttle server makes will
-# have TTL set to 63.
-if family == socket.AF_INET:
-_ipt_ttl('-A', chain, '-j', 'RETURN', '-m', 'ttl', '--ttl',
-'%s' % ttl)
-else: # ipv6, ttl is renamed to 'hop limit'
-_ipt_ttl('-A', chain, '-j', 'RETURN', '-m', 'hl', '--hl-eq',
-'%s' % ttl)
-
 # Redirect DNS traffic as requested. This includes routing traffic
 # to localhost DNS servers through sshuttle.
 for _, ip in [i for i in nslist if i[0] == family]:
@@ -102,9 +89,6 @@ class Method(BaseMethod):
 def _ipt(*args):
 return ipt(family, table, *args)
-def _ipt_ttl(*args):
-return ipt_ttl(family, table, *args)
-
 def _ipm(*args):
 return ipt(family, "mangle", *args) |
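Review bot: Removing the `-m ttl`/`-m hl` RETURN rule in the third hunk leaves setup_firewall with no exemption for connections the sshuttle server itself opens on this host, and the only record of that new limitation is the commit message; a reader of nat.py will not learn why a localhost -r stops working. Where the removed block stood, before the DNS redirect comment, add `# No loopback exemption here: a sshuttle server on this host would have its own outbound connections redirected back into the chain (see #610).` The signature change in the second hunk drops a positional parameter between user and tmark, so any caller or sibling Method that still passes ttl would silently shift tmark into the wrong slot; the commit message says ipfw is not fully fixed, so that path presumably needs the same update. setup_firewall starts before and ends after these hunks, and the last hunk belongs to a separate method whose body is also cut at both edges.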