| 13 | # recently-started one will win (because we use "-I OUTPUT 1" instead of |
| 14 | # "-A OUTPUT"). |
| 15 | def setup_firewall(self, port, dnsport, nslist, family, subnets, udp, |
| 16 | user, group, tmark): |
| 17 | if family != socket.AF_INET and family != socket.AF_INET6: |
| 18 | raise Exception( |
| 19 | 'Address family "%s" unsupported by nat method_name' |
| 20 | % family_to_string(family)) |
| 21 | if udp: |
| 22 | raise Exception("UDP not supported by nat method_name") |
| 23 | table = "nat" |
| 24 | |
| 25 | def _ipt(*args): |
| 26 | return ipt(family, table, *args) |
| 27 | |
| 28 | def _ipm(*args): |
| 29 | return ipt(family, "mangle", *args) |
| 30 | |
| 31 | chain = 'sshuttle-%s' % port |
| 32 | |
| 33 | # basic cleanup/setup of chains |
| 34 | self.restore_firewall(port, family, udp, user, group) |
| 35 | |
| 36 | _ipt('-N', chain) |
| 37 | _ipt('-F', chain) |
| 38 | if user is not None or group is not None: |
| 39 | margs = ['-I', 'OUTPUT', '1', '-m', 'owner'] |
| 40 | if user is not None: |
| 41 | margs += ['--uid-owner', str(user)] |
| 42 | if group is not None: |
| 43 | margs += ['--gid-owner', str(group)] |
| 44 | margs += ['-j', 'MARK', '--set-mark', str(port)] |
| 45 | nonfatal(_ipm, *margs) |
| 46 | args = '-m', 'mark', '--mark', str(port), '-j', chain |
| 47 | else: |
| 48 | args = '-j', chain |
| 49 | |
| 50 | _ipt('-I', 'OUTPUT', '1', *args) |
| 51 | _ipt('-I', 'PREROUTING', '1', *args) |
| 52 | |
| 53 | # Redirect DNS traffic as requested. This includes routing traffic |
| 54 | # to localhost DNS servers through sshuttle. |
| 55 | for _, ip in [i for i in nslist if i[0] == family]: |
| 56 | _ipt('-A', chain, '-j', 'REDIRECT', |
| 57 | '--dest', '%s' % ip, |
| 58 | '-p', 'udp', |
| 59 | '--dport', '53', |
| 60 | '--to-ports', str(dnsport)) |
| 61 | |
| 62 | # create new subnet entries. |
| 63 | for _, swidth, sexclude, snet, fport, lport \ |
| 64 | in sorted(subnets, key=subnet_weight, reverse=True): |
| 65 | tcp_ports = ('-p', 'tcp') |
| 66 | if fport: |
| 67 | tcp_ports = tcp_ports + ('--dport', '%d:%d' % (fport, lport)) |
| 68 | |
| 69 | if sexclude: |
| 70 | _ipt('-A', chain, '-j', 'RETURN', |
| 71 | '--dest', '%s/%s' % (snet, swidth), |
| 72 | *tcp_ports) |