diff options
| author | João Vieira <vieira@yubo.be> | 2018-10-28 19:56:12 +0000 |
|---|---|---|
| committer | Brian May <brian@linuxpenguins.xyz> | 2018-11-03 12:24:32 +1100 |
| commit | ca41026c892c51326009a357b5b333c4cabcbeae (patch) | |
| tree | 64781b382dc0bc2e0c04a09e79d28d7dbc5bf207 /sshuttle/methods | |
| parent | b473b916337a0a95a177e24703ee6ba584d9ae3b (diff) | |
Changes pf exclusion rules precedence
Before this change, in pf, exclusions used a pass out quick which gave
them higher precedence than any other rule independent of subnet width.
As reported in #265 this causes exclusion from one instance of sshuttle
to also take effect on other instances because quick aborts the
evaluation of rules across all anchors.
This commit changes the precedence of rules so quick can now be
dropped. The new order is defined by the following rule, from
subnet_weight:
"We need to go from smaller, more specific, port ranges, to larger,
less-specific, port ranges. At each level, we order by subnet
width, from most-specific subnets (largest swidth) to
least-specific. On ties, excludes come first."
Diffstat (limited to 'sshuttle/methods')
| -rw-r--r-- | sshuttle/methods/pf.py | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sshuttle/methods/pf.py b/sshuttle/methods/pf.py index d80678f..a8c0d17 100644 --- a/sshuttle/methods/pf.py +++ b/sshuttle/methods/pf.py @@ -217,7 +217,7 @@ class FreeBsd(Generic): b'pass out route-to lo0 %s proto tcp ' b'to %s keep state' % (inet_version, subnet) if not exclude else - b'pass out quick %s proto tcp to %s' % (inet_version, subnet) + b'pass out %s proto tcp to %s' % (inet_version, subnet) for exclude, subnet in includes ] @@ -287,7 +287,7 @@ class OpenBsd(Generic): b'pass out %s proto tcp to %s ' b'route-to lo0 keep state' % (inet_version, subnet) if not exclude else - b'pass out quick %s proto tcp to %s' % (inet_version, subnet) + b'pass out %s proto tcp to %s' % (inet_version, subnet) for exclude, subnet in includes ] @@ -452,7 +452,7 @@ class Method(BaseMethod): # exclusion first; the table will ignore the second, opposite # definition for _, swidth, sexclude, snet, fport, lport \ - in sorted(subnets, key=subnet_weight, reverse=True): + in sorted(subnets, key=subnet_weight): includes.append((sexclude, b"%s/%d%s" % ( snet.encode("ASCII"), swidth, |