| 114 | udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVORIGDSTADDR, 1) |
| 115 | |
| 116 | def setup_firewall(self, port, dnsport, nslist, family, subnets, udp, |
| 117 | user, group, tmark): |
| 118 | if family not in [socket.AF_INET, socket.AF_INET6]: |
| 119 | raise Exception( |
| 120 | 'Address family "%s" unsupported by tproxy method' |
| 121 | % family_to_string(family)) |
| 122 | |
| 123 | table = "mangle" |
| 124 | |
| 125 | def _ipt(*args): |
| 126 | return ipt(family, table, *args) |
| 127 | |
| 128 | def _ipt_proto_ports(proto, fport, lport): |
| 129 | return proto + ('--dport', '%d:%d' % (fport, lport)) \ |
| 130 | if fport else proto |
| 131 | |
| 132 | mark_chain = 'sshuttle-m-%s' % port |
| 133 | tproxy_chain = 'sshuttle-t-%s' % port |
| 134 | divert_chain = 'sshuttle-d-%s' % port |
| 135 | |
| 136 | # basic cleanup/setup of chains |
| 137 | self.restore_firewall(port, family, udp, user, group) |
| 138 | |
| 139 | _ipt('-N', mark_chain) |
| 140 | _ipt('-F', mark_chain) |
| 141 | _ipt('-N', divert_chain) |
| 142 | _ipt('-F', divert_chain) |
| 143 | _ipt('-N', tproxy_chain) |
| 144 | _ipt('-F', tproxy_chain) |
| 145 | _ipt('-I', 'OUTPUT', '1', '-j', mark_chain) |
| 146 | _ipt('-I', 'PREROUTING', '1', '-j', tproxy_chain) |
| 147 | |
| 148 | for _, ip in [i for i in nslist if i[0] == family]: |
| 149 | _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', tmark, |
| 150 | '--dest', '%s/32' % ip, |
| 151 | '-m', 'udp', '-p', 'udp', '--dport', '53') |
| 152 | _ipt('-A', tproxy_chain, '-j', 'TPROXY', |
| 153 | '--tproxy-mark', tmark, |
| 154 | '--dest', '%s/32' % ip, |
| 155 | '-m', 'udp', '-p', 'udp', '--dport', '53', |
| 156 | '--on-port', str(dnsport)) |
| 157 | |
| 158 | # Don't have packets sent to any of our local IP addresses go |
| 159 | # through the tproxy or mark chains (except DNS ones). |
| 160 | # |
| 161 | # Without this fix, if a large subnet is redirected through |
| 162 | # sshuttle (i.e., 0/0), then the user may be unable to receive |
| 163 | # UDP responses or connect to their own machine using an IP |
| 164 | # besides (127.0.0.1). Prior to including these lines, the |
| 165 | # documentation reminded the user to use -x to exclude their |
| 166 | # own IP addresses to receive UDP responses if they are |
| 167 | # redirecting a large subnet through sshuttle (i.e., 0/0). |
| 168 | _ipt('-A', tproxy_chain, '-j', 'RETURN', '-m', 'addrtype', |
| 169 | '--dst-type', 'LOCAL') |
| 170 | _ipt('-A', mark_chain, '-j', 'RETURN', '-m', 'addrtype', |
| 171 | '--dst-type', 'LOCAL') |
| 172 | |
| 173 | _ipt('-A', divert_chain, '-j', 'MARK', '--set-mark', tmark) |