
Method setup_firewall

sshuttle/methods/nat.py:15–81  ·  view source on GitHub ↗
(self, port, dnsport, nslist, family, subnets, udp,
                       user, group, tmark)


13 # recently-started one will win (because we use "-I OUTPUT 1" instead of
14 # "-A OUTPUT").
15 def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
16 user, group, tmark):
17 if family != socket.AF_INET and family != socket.AF_INET6:
18 raise Exception(
19 'Address family "%s" unsupported by nat method_name'
20 % family_to_string(family))
21 if udp:
22 raise Exception("UDP not supported by nat method_name")
23 table = "nat"
24
25 def _ipt(*args):
26 return ipt(family, table, *args)
27
28 def _ipm(*args):
29 return ipt(family, "mangle", *args)
30
31 chain = 'sshuttle-%s' % port
32
33 # basic cleanup/setup of chains
34 self.restore_firewall(port, family, udp, user, group)
35
36 _ipt('-N', chain)
37 _ipt('-F', chain)
38 if user is not None or group is not None:
39 margs = ['-I', 'OUTPUT', '1', '-m', 'owner']
40 if user is not None:
41 margs += ['--uid-owner', str(user)]
42 if group is not None:
43 margs += ['--gid-owner', str(group)]
44 margs += ['-j', 'MARK', '--set-mark', str(port)]
45 nonfatal(_ipm, *margs)
46 args = '-m', 'mark', '--mark', str(port), '-j', chain
47 else:
48 args = '-j', chain
49
50 _ipt('-I', 'OUTPUT', '1', *args)
51 _ipt('-I', 'PREROUTING', '1', *args)
52
53 # Redirect DNS traffic as requested. This includes routing traffic
54 # to localhost DNS servers through sshuttle.
55 for _, ip in [i for i in nslist if i[0] == family]:
56 _ipt('-A', chain, '-j', 'REDIRECT',
57 '--dest', '%s' % ip,
58 '-p', 'udp',
59 '--dport', '53',
60 '--to-ports', str(dnsport))
61
62 # create new subnet entries.
63 for _, swidth, sexclude, snet, fport, lport \
64 in sorted(subnets, key=subnet_weight, reverse=True):
65 tcp_ports = ('-p', 'tcp')
66 if fport:
67 tcp_ports = tcp_ports + ('--dport', '%d:%d' % (fport, lport))
68
69 if sexclude:
70 _ipt('-A', chain, '-j', 'RETURN',
71 '--dest', '%s/%s' % (snet, swidth),
72 *tcp_ports)
