authorScott Kuhl <kuhl@mtu.edu>2021-05-30 21:09:32 -0400
committerScott Kuhl <kuhl@mtu.edu>2021-05-30 21:09:32 -0400
commit3f201095eabc34879ccc66cad47da73ccec3ce39 (patch)
tree53ebfe172e47844ab52af368ce1188daeeb6110b /sshuttle/methods
parentc026a92cad92dea30fe1bbc4802e41a1fc0499ff (diff)
parent58c264ff1c28ca2f780c86ba79ba58cd21050617 (diff)
Merge branch 'master' into nat-ipv6
Diffstat (limited to 'sshuttle/methods')
-rw-r--r--sshuttle/methods/__init__.py2
-rw-r--r--sshuttle/methods/ipfw.py2
-rw-r--r--sshuttle/methods/nat.py2
-rw-r--r--sshuttle/methods/nft.py2
-rw-r--r--sshuttle/methods/pf.py2
-rw-r--r--sshuttle/methods/tproxy.py22
6 files changed, 11 insertions, 21 deletions
diff --git a/sshuttle/methods/__init__.py b/sshuttle/methods/__init__.py
index 1882c3a..0e4c49d 100644
--- a/sshuttle/methods/__init__.py
+++ b/sshuttle/methods/__init__.py
@@ -91,7 +91,7 @@ class BaseMethod(object):
(key, self.name))
def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
- user):
+ user, ttl, tmark):
raise NotImplementedError()
def restore_firewall(self, port, family, udp, user):
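Review bot: The abstract `setup_firewall` signature gains `ttl` and `tmark` but nothing on the base method states what either value is or what form `tmark` must take, even though the tproxy implementation in this same commit passes it verbatim as the `--tproxy-mark` argument. The ipfw, nat, nft and pf overrides in this diff accept the new parameters with no visible use of them, so a reader of the base class has no way to tell which backends honour them. I would add a docstring to the base method naming each parameter and, for `tmark`, stating the accepted format (a firewall mark value as iptables expects it, optionally with a `/mask`) and that only mark-based backends use it; the body of `BaseMethod` continues outside this hunk.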
diff --git a/sshuttle/methods/ipfw.py b/sshuttle/methods/ipfw.py
index f93bdf4..bda8968 100644
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@@ -189,7 +189,7 @@ class Method(BaseMethod):
# udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)
def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
- user, ttl):
+ user, ttl, tmark):
# IPv6 not supported
if family not in [socket.AF_INET]:
raise Exception(
diff --git a/sshuttle/methods/nat.py b/sshuttle/methods/nat.py
index baa9998..a7a661c 100644
--- a/sshuttle/methods/nat.py
+++ b/sshuttle/methods/nat.py
@@ -13,7 +13,7 @@ class Method(BaseMethod):
# recently-started one will win (because we use "-I OUTPUT 1" instead of
# "-A OUTPUT").
def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
- user, ttl):
+ user, ttl, tmark):
if family != socket.AF_INET and family != socket.AF_INET6:
raise Exception(
'Address family "%s" unsupported by nat method_name'
diff --git a/sshuttle/methods/nft.py b/sshuttle/methods/nft.py
index 775fa51..8f54c86 100644
--- a/sshuttle/methods/nft.py
+++ b/sshuttle/methods/nft.py
@@ -13,7 +13,7 @@ class Method(BaseMethod):
# recently-started one will win (because we use "-I OUTPUT 1" instead of
# "-A OUTPUT").
def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
- user, ttl):
+ user, ttl, tmark):
if udp:
raise Exception("UDP not supported by nft")
diff --git a/sshuttle/methods/pf.py b/sshuttle/methods/pf.py
index 1bc67e7..be46be7 100644
--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@@ -444,7 +444,7 @@ class Method(BaseMethod):
return sock.getsockname()
def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
- user, ttl):
+ user, ttl, tmark):
if family not in [socket.AF_INET, socket.AF_INET6]:
raise Exception(
'Address family "%s" unsupported by pf method_name'
diff --git a/sshuttle/methods/tproxy.py b/sshuttle/methods/tproxy.py
index c1cccd5..eb337fe 100644
--- a/sshuttle/methods/tproxy.py
+++ b/sshuttle/methods/tproxy.py
@@ -151,17 +151,7 @@ class Method(BaseMethod):
udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVORIGDSTADDR, 1)
def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
- user, ttl):
- if self.firewall is None:
- tmark = '1'
- else:
- tmark = self.firewall.tmark
-
- self.setup_firewall_tproxy(port, dnsport, nslist, family, subnets, udp,
- user, tmark)
-
- def setup_firewall_tproxy(self, port, dnsport, nslist, family, subnets,
- udp, user, tmark):
+ user, ttl, tmark):
if family not in [socket.AF_INET, socket.AF_INET6]:
raise Exception(
'Address family "%s" unsupported by tproxy method'
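Review bot: With the `self.firewall is None` fallback to `'1'` removed, `tmark` is now used unchecked further down in this method as an `_ipt` argument, so a caller that passes `None` or an empty string fails late inside the iptables invocation rather than at the method boundary; whether every caller now always supplies it is not visible in this hunk. A guard next to the existing address-family check would make the contract explicit: `if not tmark:` / `    raise Exception('tproxy method requires a firewall mark (tmark)')`. Since the value appears to originate outside this module, restricting it to the characters iptables accepts for a mark (hex or decimal digits and an optional `/mask`) at the same point would also turn a malformed value into a clear error instead of an opaque iptables failure. `setup_firewall`'s body continues outside the hunk.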
@@ -192,8 +182,8 @@ class Method(BaseMethod):
_ipt('-F', divert_chain)
_ipt('-N', tproxy_chain)
_ipt('-F', tproxy_chain)
- _ipt('-I', 'OUTPUT', tmark, '-j', mark_chain)
- _ipt('-I', 'PREROUTING', tmark, '-j', tproxy_chain)
+ _ipt('-I', 'OUTPUT', '1', '-j', mark_chain)
+ _ipt('-I', 'PREROUTING', '1', '-j', tproxy_chain)
# Don't have packets sent to any of our local IP addresses go
# through the tproxy or mark chains.
@@ -224,7 +214,7 @@ class Method(BaseMethod):
'--dest', '%s/32' % ip,
'-m', 'udp', '-p', 'udp', '--dport', '53')
_ipt('-A', tproxy_chain, '-j', 'TPROXY',
- '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
+ '--tproxy-mark', tmark,
'--dest', '%s/32' % ip,
'-m', 'udp', '-p', 'udp', '--dport', '53',
'--on-port', str(dnsport))
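Review bot: The replaced `'0x'+tmark+'/0x'+tmark` always produced an explicit value/mask pair, whereas the new `'--tproxy-mark', tmark` hands the caller's string to iptables unchanged, so when `tmark` carries no `/mask` iptables applies its default full mask; the `MARK --set-mark` rules in the mark chain and the policy-routing `fwmark` rule that must match these TPROXY rules are outside this hunk, and if they still use the old `0x…/0x…` form or a different mask the marked packets would not reach the local listener. The same change is made in the two following hunks (`@@ -249,7 +239,7` and `@@ -273,7 +263,7`), so whatever format is settled on should be applied at all three sites and documented where `tmark` is defined. A one-line comment at the first TPROXY rule, `# tmark must use the same value/mask as the MARK and 'ip rule fwmark' entries`, would record the coupling for the next maintainer.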
@@ -249,7 +239,7 @@ class Method(BaseMethod):
'-m', 'tcp',
*tcp_ports)
_ipt('-A', tproxy_chain, '-j', 'TPROXY',
- '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
+ '--tproxy-mark', tmark,
'--dest', '%s/%s' % (snet, swidth),
'-m', 'tcp',
*(tcp_ports + ('--on-port', str(port))))
@@ -273,7 +263,7 @@ class Method(BaseMethod):
'-m', 'udp',
*udp_ports)
_ipt('-A', tproxy_chain, '-j', 'TPROXY',
- '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
+ '--tproxy-mark', tmark,
'--dest', '%s/%s' % (snet, swidth),
'-m', 'udp',
*(udp_ports + ('--on-port', str(port))))