Override the skip on lo that ends up in the chain
In some cases (see apenwarr#43) it seems that some network configurations may
end up setting a skip on lo. As sshuttle adds rules that rely on
filtering/translating packets on lo, this causes problems. This fix
overrides the skip and makes the rules be applied again.
Should fix at least some of the problems reported on apenwarr#43.
vieira authored and brianmay committed Mar 2, 2016
1 parent 7d8309e commit fae4cb1
Showing 2 changed files with 8 additions and 0 deletions.
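--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@@ -235,6 +235,13 @@ def disable(self):
 if _pf_context['Xtoken'] is not None:
 pfctl('-X %s' % _pf_context['Xtoken'].decode("ASCII"))
 
+def add_anchors(self):
+# before adding anchors and rules we must override the skip lo
+# that in some cases ends up in the chain so the rules we will add,
+# which rely on translating/filtering packets on lo, can work
+pfctl('-f /dev/stdin', b'pass on lo\n')
+super(Darwin, self).add_anchors()
+
 def _add_natlook_ports(self, pnl, src_port, dst_port):
 pnl.sxport.port = socket.htons(src_port)
 pnl.dxport.port = socket.htons(dst_port)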
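Review bot: `pfctl('-f /dev/stdin', b'pass on lo\n')` in `add_anchors` loads into the main ruleset, not an anchor, and as far as I know `pfctl -f` without `-a` replaces the active main ruleset, so the host's existing filter policy would be dropped along with the `skip on lo` option. Nothing in this hunk saves the previous ruleset, and the visible tail of `disable()` (which starts outside the hunk) only releases the `-X` token, so the original policy appears not to be restored on exit unless that happens elsewhere. Consider applying the override only when the `pfctl('-s all')` output actually shows a skip on lo, and state the side effect in the comment, e.g. `# NOTE: this reloads the main pf ruleset; pre-existing rules are not preserved`.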
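--- a/sshuttle/tests/test_methods_pf.py
+++ b/sshuttle/tests/test_methods_pf.py
@@ -192,6 +192,7 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 call(mock_pf_get_dev(), 0xCC20441A, ANY),
 ]
 assert mock_pfctl.mock_calls == [
+call('-f /dev/stdin', 'pass on lo\n'),
 call('-s all'),
 call('-a sshuttle -f /dev/stdin',
 b'table <forward_subnets> {!1.2.3.66/32,1.2.3.0/24}\n'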
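Review bot: The new expectation `call('-f /dev/stdin', 'pass on lo\n')` uses a `str`, while `add_anchors` in sshuttle/methods/pf.py passes the bytes literal `b'pass on lo\n'`. On Python 3 the two compare unequal, so the `mock_pfctl.mock_calls` assertion would fail there; it only passes on Python 2, where both are the same type. The neighbouring expectation already uses bytes (`b'table <forward_subnets> ...'`), so the line should read `call('-f /dev/stdin', b'pass on lo\n'),`. The test function starts and ends outside the hunk.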
