author | Scott Kuhl <kuhl@mtu.edu> | 2021-05-30 21:09:32 -0400 |
---|---|---|
committer | Scott Kuhl <kuhl@mtu.edu> | 2021-05-30 21:09:32 -0400 |
commit | 3f201095eabc34879ccc66cad47da73ccec3ce39 (patch) | |
tree | 53ebfe172e47844ab52af368ce1188daeeb6110b /sshuttle/methods | |
parent | c026a92cad92dea30fe1bbc4802e41a1fc0499ff (diff) | |
parent | 58c264ff1c28ca2f780c86ba79ba58cd21050617 (diff) |
Merge branch 'master' into nat-ipv6
Diffstat (limited to 'sshuttle/methods')
-rw-r--r-- | sshuttle/methods/__init__.py | 2 | ||||
-rw-r--r-- | sshuttle/methods/ipfw.py | 2 | ||||
-rw-r--r-- | sshuttle/methods/nat.py | 2 | ||||
-rw-r--r-- | sshuttle/methods/nft.py | 2 | ||||
-rw-r--r-- | sshuttle/methods/pf.py | 2 | ||||
-rw-r--r-- | sshuttle/methods/tproxy.py | 22 |
6 files changed, 11 insertions, 21 deletions
diff --git a/sshuttle/methods/__init__.py b/sshuttle/methods/__init__.py
index 1882c3a..0e4c49d 100644
--- a/sshuttle/methods/__init__.py
+++ b/sshuttle/methods/__init__.py
@@ -91,7 +91,7 @@ class BaseMethod(object):
                     (key, self.name))
 
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
+                       user, ttl, tmark):
         raise NotImplementedError()
 
     def restore_firewall(self, port, family, udp, user):
diff --git a/sshuttle/methods/ipfw.py b/sshuttle/methods/ipfw.py
index f93bdf4..bda8968 100644
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@@ -189,7 +189,7 @@ class Method(BaseMethod):
         # udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)
 
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl):
+                       user, ttl, tmark):
         # IPv6 not supported
         if family not in [socket.AF_INET]:
             raise Exception(
diff --git a/sshuttle/methods/nat.py b/sshuttle/methods/nat.py
index baa9998..a7a661c 100644
--- a/sshuttle/methods/nat.py
+++ b/sshuttle/methods/nat.py
@@ -13,7 +13,7 @@ class Method(BaseMethod):
     # recently-started one will win (because we use "-I OUTPUT 1" instead of
     # "-A OUTPUT").
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl):
+                       user, ttl, tmark):
         if family != socket.AF_INET and family != socket.AF_INET6:
             raise Exception(
                 'Address family "%s" unsupported by nat method_name'
diff --git a/sshuttle/methods/nft.py b/sshuttle/methods/nft.py
index 775fa51..8f54c86 100644
--- a/sshuttle/methods/nft.py
+++ b/sshuttle/methods/nft.py
@@ -13,7 +13,7 @@ class Method(BaseMethod):
     # recently-started one will win (because we use "-I OUTPUT 1" instead of
     # "-A OUTPUT").
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl):
+                       user, ttl, tmark):
         if udp:
             raise Exception("UDP not supported by nft")
 
diff --git a/sshuttle/methods/pf.py b/sshuttle/methods/pf.py
index 1bc67e7..be46be7 100644
--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@@ -444,7 +444,7 @@ class Method(BaseMethod):
         return sock.getsockname()
 
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl):
+                       user, ttl, tmark):
         if family not in [socket.AF_INET, socket.AF_INET6]:
             raise Exception(
                 'Address family "%s" unsupported by pf method_name'
diff --git a/sshuttle/methods/tproxy.py b/sshuttle/methods/tproxy.py
index c1cccd5..eb337fe 100644
--- a/sshuttle/methods/tproxy.py
+++ b/sshuttle/methods/tproxy.py
@@ -151,17 +151,7 @@ class Method(BaseMethod):
         udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVORIGDSTADDR, 1)
 
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl):
-        if self.firewall is None:
-            tmark = '1'
-        else:
-            tmark = self.firewall.tmark
-
-        self.setup_firewall_tproxy(port, dnsport, nslist, family, subnets, udp,
-                                   user, tmark)
-
-    def setup_firewall_tproxy(self, port, dnsport, nslist, family, subnets,
-                              udp, user, tmark):
+                       user, ttl, tmark):
         if family not in [socket.AF_INET, socket.AF_INET6]:
             raise Exception(
                 'Address family "%s" unsupported by tproxy method'
@@ -192,8 +182,8 @@ class Method(BaseMethod):
         _ipt('-F', divert_chain)
         _ipt('-N', tproxy_chain)
         _ipt('-F', tproxy_chain)
-        _ipt('-I', 'OUTPUT', tmark, '-j', mark_chain)
-        _ipt('-I', 'PREROUTING', tmark, '-j', tproxy_chain)
+        _ipt('-I', 'OUTPUT', '1', '-j', mark_chain)
+        _ipt('-I', 'PREROUTING', '1', '-j', tproxy_chain)
 
         # Don't have packets sent to any of our local IP addresses go
         # through the tproxy or mark chains.
@@ -224,7 +214,7 @@ class Method(BaseMethod):
                      '--dest', '%s/32' % ip,
                      '-m', 'udp', '-p', 'udp', '--dport', '53')
                 _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                     '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
+                     '--tproxy-mark', tmark,
                      '--dest', '%s/32' % ip,
                      '-m', 'udp', '-p', 'udp', '--dport', '53',
                      '--on-port', str(dnsport))
@@ -249,7 +239,7 @@ class Method(BaseMethod):
                      '-m', 'tcp', *tcp_ports)
 
                 _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                     '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
+                     '--tproxy-mark', tmark,
                      '--dest', '%s/%s' % (snet, swidth),
                      '-m', 'tcp', *(tcp_ports + ('--on-port', str(port))))
 
@@ -273,7 +263,7 @@ class Method(BaseMethod):
                      '-m', 'udp', *udp_ports)
 
                 _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                     '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
+                     '--tproxy-mark', tmark,
                      '--dest', '%s/%s' % (snet, swidth),
                      '-m', 'udp', *(udp_ports + ('--on-port', str(port))))
 
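Review bot: BaseMethod.setup_firewall in the `__init__.py` hunk gains `ttl` and `tmark` without a docstring, and because tproxy.py in this same commit now hands `tmark` verbatim to iptables `--tproxy-mark`, the value's format (bare mark versus `mark/mask`) has become part of the contract every backend must agree on. Suggest a docstring on the base method stating that `tmark` is the firewall-mark string passed unchanged to the backend's mark-setting and mark-matching rules, so any mark/mask formatting is the caller's responsibility, and that `ttl` is the TTL applied to packets the method emits (the latter is inferred from the name only, so confirm before writing it). The ipfw, nat, nft and pf hunks on this line only widen the signature; where a backend does not consume `tmark`, a one-line `# tmark is unused by this method` at the top of its body would keep the unused parameter from reading as an oversight. Each of those method bodies continues outside its hunk.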
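Review bot: `'--tproxy-mark', tmark` in the DNS TPROXY rule of the `@@ -224,7 +214,7 @@` hunk (and identically in the `@@ -249` and `@@ -273` hunks that follow) now emits whatever string the caller supplies where the old code built `'0x'+tmark+'/0x'+tmark`, so the mark and the mask are no longer guaranteed to be derived from the same value. For the redirect to work the TPROXY mark must agree with the mark the `-j MARK --set-mark` rules and the fwmark policy route use; those lines are outside these hunks, so presumably they were switched to the same `tmark` string in the merge, which is worth confirming and worth recording at the first use with `# tmark is passed through verbatim; the caller supplies any mark/mask formatting`. The `@@ -151,17 +151,7 @@` hunk also drops the fallback that defaulted tmark to '1', so if any caller can still pass None the failure will surface only inside `_ipt` or at iptables; a guard such as `if tmark is None: raise Exception('tproxy method requires a firewall mark (tmark)')` at the top of setup_firewall would fail early with a clear message. setup_firewall's body continues outside these hunks.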