Fix --tmark option

Even when --tmark was used, the iptables code always used '1' for the
mark. This patch corrects the problem.

Previously, it wasn't clear if the tmark should be supplied in
hexadecimal or as an integer. This makes it use hexadecimal, checks
that the input is hexadecimal, and updates the associated
documentation.

This patch also makes --ttl information get passed to the firewall in
a way that matches how other information gets passed. The ttl and
tmark information are passed next to each other in many places and
this patch also makes the order consistent.

Author: skuhl

docs/manpage.rst

@@ -274,9 +274,10 @@ Options
     Set the file name for the sudoers.d file to be added. Default is
     "sshuttle_auto". Only works with --sudoers.
 
-.. option:: -t, --tmark
+.. option:: -t <mark>, --tmark=<mark>
 
-    Transproxy optional traffic mark with provided MARK value.
+    An option used by the tproxy method: Use the specified traffic
+    mark. The mark must be a hexadecimal value. Defaults to 0x01.
 
 .. option:: --version
 

docs/tproxy.rst

@@ -12,7 +12,8 @@ There are some things you need to consider for TPROXY to work:
       ip -6 route add local default dev lo table 100
       ip -6 rule add fwmark {TMARK} lookup 100
   
-  where {TMARK} is the identifier mark passed with -t or --tmark flag (default value is 1).
+  where {TMARK} is the identifier mark passed with -t or --tmark flag
+  as a hexadecimal string (default value is '0x01').
 
 - The ``--auto-nets`` feature does not detect IPv6 routes automatically. Add IPv6
   routes manually. e.g. by adding ``'::/0'`` to the end of the command line.

sshuttle/client.py

@@ -205,8 +205,7 @@ def __init__(self, method_name, sudo_pythonpath, ttl):
         argvbase = ([sys.executable, sys.argv[0]] +
                     ['-v'] * (helpers.verbose or 0) +
                     ['--method', method_name] +
-                    ['--firewall'] +
-                    ['--ttl', str(ttl)])
+                    ['--firewall'])
         if ssyslog._p:
             argvbase += ['--syslog']
 
@@ -261,7 +260,7 @@ def setup():
 
     def setup(self, subnets_include, subnets_exclude, nslist,
               redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4, udp,
-              user, tmark, ttl):
+              user, ttl, tmark):
         self.subnets_include = subnets_include
         self.subnets_exclude = subnets_exclude
         self.nslist = nslist
@@ -311,7 +310,9 @@ def start(self):
         else:
             user = b'%d' % self.user
 
-        self.pfile.write(b'GO %d %s\n' % (udp, user))
+        self.pfile.write(b'GO %d %s %d %s\n' %
+                         (udp, user, self.ttl,
+                          bytes(self.tmark, 'ascii')))
         self.pfile.flush()
 
         line = self.pfile.readline()
@@ -1003,7 +1004,7 @@ def feature_status(label, enabled, available):
     # start the firewall
     fw.setup(subnets_include, subnets_exclude, nslist,
              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4,
-             required.udp, user, tmark, ttl)
+             required.udp, user, ttl, tmark)
 
     # start the client process
     try:

sshuttle/cmdline.py

@@ -85,6 +85,13 @@ def main():
                 ipport_v4 = "auto"
                 # parse_ipport6('[::1]:0')
                 ipport_v6 = "auto" if not opt.disable_ipv6 else None
+            try:
+                int(opt.tmark, 16)
+            except ValueError:
+                parser.error("--tmark must be a hexadecimal value")
+            opt.tmark = opt.tmark.lower()   # make 'x' in 0x lowercase
+            if not opt.tmark.startswith("0x"):  # accept without 0x prefix
+                opt.tmark = "0x%s" % opt.tmark
             if opt.syslog:
                 ssyslog.start_syslog()
                 ssyslog.close_stdin()

sshuttle/firewall.py

@@ -223,11 +223,13 @@ def main(method_name, syslog, ttl):
         raise Fatal('expected GO but got %r' % line)
 
     _, _, args = line.partition(" ")
-    udp, user = args.strip().split(" ", 1)
+    udp, user, ttl, tmark = args.strip().split(" ", 3)
     udp = bool(int(udp))
     if user == '-':
         user = None
-    debug2('Got udp: %r, user: %r' % (udp, user))
+    ttl = int(ttl)
+    debug2('Got udp: %r, user: %r, ttl: %s, tmark: %s' %
+           (udp, user, ttl, tmark))
 
     subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
     nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
@@ -242,14 +244,14 @@ def main(method_name, syslog, ttl):
             method.setup_firewall(
                 port_v6, dnsport_v6, nslist_v6,
                 socket.AF_INET6, subnets_v6, udp,
-                user, ttl)
+                user, ttl, tmark)
 
         if subnets_v4 or nslist_v4:
             debug2('setting up IPv4.')
             method.setup_firewall(
                 port_v4, dnsport_v4, nslist_v4,
                 socket.AF_INET, subnets_v4, udp,
-                user, ttl)
+                user, ttl, tmark)
 
         flush_systemd_dns_cache()
         stdout.write('STARTED\n')

sshuttle/methods/__init__.py

@@ -91,7 +91,7 @@ def assert_features(self, features):
                     (key, self.name))
 
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
+                       user, ttl, tmark):
         raise NotImplementedError()
 
     def restore_firewall(self, port, family, udp, user):

sshuttle/methods/ipfw.py

@@ -189,7 +189,7 @@ def setup_udp_listener(self, udp_listener):
         #     udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)
 
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl):
+                       user, ttl, tmark):
         # IPv6 not supported
         if family not in [socket.AF_INET]:
             raise Exception(

sshuttle/methods/nat.py

@@ -13,7 +13,7 @@ class Method(BaseMethod):
     # recently-started one will win (because we use "-I OUTPUT 1" instead of
     # "-A OUTPUT").
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl):
+                       user, ttl, tmark):
         # only ipv4 supported with NAT
         if family != socket.AF_INET:
             raise Exception(

sshuttle/methods/nft.py

@@ -13,7 +13,7 @@ class Method(BaseMethod):
     # recently-started one will win (because we use "-I OUTPUT 1" instead of
     # "-A OUTPUT").
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl):
+                       user, ttl, tmark):
         if udp:
             raise Exception("UDP not supported by nft")
 

sshuttle/methods/pf.py

@@ -444,7 +444,7 @@ def get_tcp_dstip(self, sock):
         return sock.getsockname()
 
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl):
+                       user, ttl, tmark):
         if family not in [socket.AF_INET, socket.AF_INET6]:
             raise Exception(
                 'Address family "%s" unsupported by pf method_name'