(self, port, dnsport, nslist, family, subnets, udp,
user, group, tmark)
| 156 | # udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1) |
| 157 | |
def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
                   user, group, tmark):
    """Install the ipfw rules that redirect client traffic into sshuttle.

    Only IPv4 is handled: any other address family raises ``Exception``
    before anything on the host is modified.  Everything this method adds
    lives at ipfw rule number 1 and in lookup tables 124-126:

    * table 124 - nameserver addresses (UDP forwarded to ``dnsport``)
    * table 125 - excluded subnets (``skipto 2``, i.e. left untouched)
    * table 126 - forwarded subnets (TCP forwarded to ``port``)

    Args:
        port: local TCP port sshuttle listens on for redirected connections.
        dnsport: local UDP port sshuttle listens on for redirected DNS.
        nslist: ``(family, ip)`` pairs of nameservers to intercept; only
            entries whose family matches ``family`` are used.
        family: address family of the traffic; must be ``socket.AF_INET``.
        subnets: ``(family, width, exclude, net, fport, lport)`` tuples.
            ``fport``/``lport`` are accepted but not used here.
        udp, user, group, tmark: accepted for interface parity with the
            other firewall methods; not referenced by this method.

    Raises:
        Exception: if ``family`` is not ``socket.AF_INET``.
    """
    # IPv6 not supported
    if family != socket.AF_INET:
        raise Exception(
            'Address family "%s" unsupported by ipfw method_name'
            % family_to_string(family))

    # Removes *every* rule numbered 1 -- including any an administrator put
    # there that sshuttle never created; nothing checks what was present
    # beforehand.  The original author flagged this wipe as a possible risk.
    # ipfw_noexit (rather than ipfw) presumably tolerates "nothing to delete".
    ipfw_noexit('delete', '1')

    # Roll back sysctls recorded in the module-level bookkeeping.  The list
    # is drained (LIFO) so a later restore finds nothing left to undo.
    while _changedctls:
        ctl = _changedctls.pop()
        _sysctl_set(ctl, _oldctls[ctl])

    # Only switch the packet filter on when there is something to redirect.
    if subnets or dnsport:
        sysctl_set('net.inet.ip.fw.enable', 1)

    # Dynamic-rule lookup first, so established sshuttle flows keep matching.
    ipfw('add', '1', 'check-state', ':sshuttle')

    # Excluded destinations jump past our rules; TCP bound for a forwarded
    # subnet is handed to the local sshuttle listener.
    ipfw('add', '1', 'skipto', '2',
         'tcp',
         'from', 'any', 'to', 'table(125)')
    ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
         'tcp',
         'from', 'any', 'to', 'table(126)',
         'setup', 'keep-state', ':sshuttle')

    # Rebuild the nameserver table from scratch, for this family only.
    ipfw_noexit('table', '124', 'flush')
    resolvers = [entry for entry in nslist if entry[0] == family]
    for _, ip in resolvers:
        ipfw('table', '124', 'add', '%s' % ip)
    if resolvers:
        ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
             'udp',
             'from', 'any', 'to', 'table(124)',
             'keep-state', ':sshuttle')
    # Unconditional, and at rule 1: UDP not matched above is accepted here,
    # ahead of whatever higher-numbered rules the host already carries --
    # a broadening of policy worth knowing about when auditing the box.
    ipfw('add', '1', 'allow',
         'udp',
         'from', 'any', 'to', 'any')

    if subnets:
        # Entries are added by prefix width, descending (most specific
        # first); excluded prefixes go to table 125, forwarded ones to 126.
        by_width_desc = sorted(subnets, key=lambda s: s[1], reverse=True)
        for _, swidth, sexclude, snet, _fport, _lport in by_width_desc:
            table = '125' if sexclude else '126'
            ipfw('table', table, 'add', '{}/{}'.format(snet, swidth))
| 209 | |
| 210 | def restore_firewall(self, port, family, udp, user, group): |
| 211 | if family not in [socket.AF_INET]: |