Remove ttl hack & require -r option.

Previously, it was possible to run sshuttle locally without using ssh
and connecting to a remote server. In this configuration, traffic was
redirected to the sshuttle server running on the localhost. However,
the firewall needed to distinguish between traffic leaving the
sshuttle server and traffic that originated from the machine that
still needed to be routed through the sshuttle server. The TTL of the
packets leaving the sshuttle server were manipulated to indicate to
the firewall what should happen. The TTL was adjusted for all packets
leaving the sshuttle server (even if it wasn't necessary because the
server and client were running on different machines).

Changing the TTL caused trouble and some machines, and
the --ttl option was added as a workaround to change how the TTL was
set for traffic leaving sshuttle. All of this added complexity to the
code for a feature (running the server on localhost) that is likely
only used for testing and rarely used by others.

This commit updates the associated documentation, but doesn't fully
fix the ipfw method since I am unable to test that.

This change will also make sshuttle fail to work if -r is used to
specify a localhost. Pull request sshuttle#610 partially addresses that issue.

For example, see: sshuttle#240, sshuttle#490, sshuttle#660, sshuttle#606.

Author: skuhl

docs/manpage.rst

@@ -4,7 +4,7 @@ sshuttle
 
 Synopsis
 --------
-**sshuttle** [*options*] [**-r** *[username@]sshserver[:port]*] \<*subnets* ...\>
+**sshuttle** [*options*] **-r** *[username@]sshserver[:port]* \<*subnets* ...\>
 
 
 Description
@@ -441,9 +441,7 @@ Example configuration file::
 Discussion
 ----------
 When it starts, :program:`sshuttle` creates an ssh session to the
-server specified by the ``-r`` option.  If ``-r`` is omitted,
-it will start both its client and server locally, which is
-sometimes useful for testing.
+server specified by the ``-r`` option.
 
 After connecting to the remote server, :program:`sshuttle` uploads its
 (python) source code to the remote end and executes it

docs/requirements.rst

@@ -20,7 +20,7 @@ Supports:
 
 Requires:
 
-* iptables DNAT, REDIRECT, and ttl modules. ip6tables for IPv6.
+* iptables DNAT and REDIRECT modules. ip6tables for IPv6.
 
 Linux with nft method
 ~~~~~~~~~~~~~~~~~~~~~

sshuttle/assembler.py

@@ -42,4 +42,4 @@
 from sshuttle.server import main  # noqa: E402
 main(options.latency_control, options.latency_buffer_size,
      options.auto_hosts, options.to_nameserver,
-     options.auto_nets, options.ttl)
+     options.auto_nets)

sshuttle/client.py

@@ -44,6 +44,7 @@ def got_signal(signum, frame):
     sys.exit(1)
 
 
+# Filename of the pidfile created by the sshuttle client.
 _pidname = None
 
 
@@ -198,7 +199,7 @@ def print_listening(self, what):
 
 class FirewallClient:
 
-    def __init__(self, method_name, sudo_pythonpath, ttl):
+    def __init__(self, method_name, sudo_pythonpath):
         self.auto_nets = []
 
         argvbase = ([sys.executable, sys.argv[0]] +
@@ -260,7 +261,7 @@ def setup():
 
     def setup(self, subnets_include, subnets_exclude, nslist,
               redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4, udp,
-              user, ttl, tmark):
+              user, tmark):
         self.subnets_include = subnets_include
         self.subnets_exclude = subnets_exclude
         self.nslist = nslist
@@ -271,7 +272,6 @@ def setup(self, subnets_include, subnets_exclude, nslist,
         self.udp = udp
         self.user = user
         self.tmark = tmark
-        self.ttl = ttl
 
     def check(self):
         rv = self.p.poll()
@@ -310,9 +310,8 @@ def start(self):
         else:
             user = b'%d' % self.user
 
-        self.pfile.write(b'GO %d %s %d %s\n' %
-                         (udp, user, self.ttl,
-                          bytes(self.tmark, 'ascii')))
+        self.pfile.write(b'GO %d %s %s\n' %
+                         (udp, user, bytes(self.tmark, 'ascii')))
         self.pfile.flush()
 
         line = self.pfile.readline()
@@ -457,7 +456,7 @@ def ondns(listener, method, mux, handlers):
 def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
           python, latency_control, latency_buffer_size,
           dns_listener, seed_hosts, auto_hosts, auto_nets, daemon,
-          to_nameserver, ttl):
+          to_nameserver):
 
     helpers.logprefix = 'c : '
     debug1('Starting client with Python version %s'
@@ -476,8 +475,7 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                          latency_buffer_size=latency_buffer_size,
                          auto_hosts=auto_hosts,
                          to_nameserver=to_nameserver,
-                         auto_nets=auto_nets,
-                         ttl=ttl))
+                         auto_nets=auto_nets))
     except socket.error as e:
         if e.args[0] == errno.EPIPE:
             raise Fatal("failed to establish ssh session (1)")
@@ -587,6 +585,7 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                     % (expected, initstring))
     log('Connected to server.')
     sys.stdout.flush()
+
     if daemon:
         daemonize()
         log('daemonizing (%s).' % _pidname)
@@ -673,12 +672,11 @@ def main(listenip_v6, listenip_v4,
          latency_buffer_size, dns, nslist,
          method_name, seed_hosts, auto_hosts, auto_nets,
          subnets_include, subnets_exclude, daemon, to_nameserver, pidfile,
-         user, sudo_pythonpath, tmark, ttl):
+         user, sudo_pythonpath, tmark):
 
     if not remotename:
-        print("WARNING: You must specify -r/--remote to securely route "
-              "traffic to a remote machine. Running without -r/--remote "
-              "is only recommended for testing.")
+        raise Fatal("You must use -r/--remote to specify a remote "
+                    "host to route traffic through.")
 
     if daemon:
         try:
@@ -689,7 +687,7 @@ def main(listenip_v6, listenip_v4,
     debug1('Starting sshuttle proxy (version %s).' % __version__)
     helpers.logprefix = 'c : '
 
-    fw = FirewallClient(method_name, sudo_pythonpath, ttl)
+    fw = FirewallClient(method_name, sudo_pythonpath)
 
     # nslist is the list of name severs to intercept. If --dns is
     # used, we add all DNS servers in resolv.conf. Otherwise, the list
@@ -1006,14 +1004,14 @@ def feature_status(label, enabled, available):
     # start the firewall
     fw.setup(subnets_include, subnets_exclude, nslist,
              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4,
-             required.udp, user, ttl, tmark)
+             required.udp, user, tmark)
 
     # start the client process
     try:
         return _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                      python, latency_control, latency_buffer_size,
                      dns_listener, seed_hosts, auto_hosts, auto_nets,
-                     daemon, to_nameserver, ttl)
+                     daemon, to_nameserver)
     finally:
         try:
             if daemon:

sshuttle/cmdline.py

@@ -43,7 +43,7 @@ def main():
         if opt.firewall:
             if opt.subnets or opt.subnets_file:
                 parser.error('exactly zero arguments expected')
-            return firewall.main(opt.method, opt.syslog, opt.ttl)
+            return firewall.main(opt.method, opt.syslog)
         elif opt.hostwatch:
             return hostwatch.hw_main(opt.subnets, opt.auto_hosts)
         else:
@@ -116,8 +116,7 @@ def main():
                                       opt.pidfile,
                                       opt.user,
                                       opt.sudo_pythonpath,
-                                      opt.tmark,
-                                      opt.ttl)
+                                      opt.tmark)
 
             if return_code == 0:
                 log('Normal exit code, exiting...')

sshuttle/firewall.py

@@ -121,7 +121,7 @@ def flush_systemd_dns_cache():
 # exit.  In case that fails, it's not the end of the world; future runs will
 # supercede it in the transproxy list, at least, so the leftover rules
 # are hopefully harmless.
-def main(method_name, syslog, ttl):
+def main(method_name, syslog):
     helpers.logprefix = 'fw: '
     stdin, stdout = setup_daemon()
     hostmap = {}
@@ -223,13 +223,12 @@ def main(method_name, syslog, ttl):
         raise Fatal('expected GO but got %r' % line)
 
     _, _, args = line.partition(" ")
-    udp, user, ttl, tmark = args.strip().split(" ", 3)
+    udp, user, tmark = args.strip().split(" ", 2)
     udp = bool(int(udp))
     if user == '-':
         user = None
-    ttl = int(ttl)
-    debug2('Got udp: %r, user: %r, ttl: %s, tmark: %s' %
-           (udp, user, ttl, tmark))
+    debug2('Got udp: %r, user: %r, tmark: %s' %
+           (udp, user, tmark))
 
     subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
     nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
@@ -244,14 +243,14 @@ def main(method_name, syslog, ttl):
             method.setup_firewall(
                 port_v6, dnsport_v6, nslist_v6,
                 socket.AF_INET6, subnets_v6, udp,
-                user, ttl, tmark)
+                user, tmark)
 
         if subnets_v4 or nslist_v4:
             debug2('setting up IPv4.')
             method.setup_firewall(
                 port_v4, dnsport_v4, nslist_v4,
                 socket.AF_INET, subnets_v4, udp,
-                user, ttl, tmark)
+                user, tmark)
 
         flush_systemd_dns_cache()
         stdout.write('STARTED\n')

sshuttle/linux.py

@@ -49,25 +49,3 @@ def nft(family, table, action, *args):
     rv = ssubprocess.call(argv, env=get_env())
     if rv:
         raise Fatal('%r returned %d' % (argv, rv))
-
-
-_no_ttl_module = False
-
-
-def ipt_ttl(family, *args):
-    global _no_ttl_module
-    if not _no_ttl_module:
-        # we avoid infinite loops by generating server-side connections
-        # with ttl 63.  This makes the client side not recapture those
-        # connections, in case client == server.
-        try:
-            argsplus = list(args)
-            ipt(family, *argsplus)
-        except Fatal:
-            ipt(family, *args)
-            # we only get here if the non-ttl attempt succeeds
-            log('WARNING: your iptables is missing '
-                'the ttl module.')
-            _no_ttl_module = True
-    else:
-        ipt(family, *args)

sshuttle/methods/__init__.py

@@ -91,7 +91,7 @@ def assert_features(self, features):
                     (key, self.name))
 
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl, tmark):
+                       user, tmark):
         raise NotImplementedError()
 
     def restore_firewall(self, port, family, udp, user):

sshuttle/methods/ipfw.py

@@ -177,7 +177,6 @@ def send_udp(self, sock, srcip, dstip, data):
         sender.setsockopt(socket.SOL_IP, IP_BINDANY, 1)
         sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
         sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
-        sender.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
         sender.bind(srcip)
         sender.sendto(data, dstip)
         sender.close()
@@ -189,7 +188,12 @@ def setup_udp_listener(self, udp_listener):
         #     udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)
 
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl, tmark):
+                       user, tmark):
+        # TODO: The ttl hack to allow the host and server to run on
+        # the same machine has been removed but this method hasn't
+        # been updated yet.
+        ttl = 63
+
         # IPv6 not supported
         if family not in [socket.AF_INET]:
             raise Exception(

sshuttle/methods/nat.py

@@ -1,7 +1,7 @@
 import socket
 from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import family_to_string, which, debug2
-from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists, nonfatal
+from sshuttle.linux import ipt, ipt_chain_exists, nonfatal
 from sshuttle.methods import BaseMethod
 
 
@@ -13,7 +13,7 @@ class Method(BaseMethod):
     # recently-started one will win (because we use "-I OUTPUT 1" instead of
     # "-A OUTPUT").
     def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user, ttl, tmark):
+                       user, tmark):
         if family != socket.AF_INET and family != socket.AF_INET6:
             raise Exception(
                 'Address family "%s" unsupported by nat method_name'
@@ -25,9 +25,6 @@ def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
         def _ipt(*args):
             return ipt(family, table, *args)
 
-        def _ipt_ttl(*args):
-            return ipt_ttl(family, table, *args)
-
         def _ipm(*args):
             return ipt(family, "mangle", *args)
 
@@ -48,16 +45,6 @@ def _ipm(*args):
         _ipt('-I', 'OUTPUT', '1', *args)
         _ipt('-I', 'PREROUTING', '1', *args)
 
-        # This TTL hack allows the client and server to run on the
-        # same host. The connections the sshuttle server makes will
-        # have TTL set to 63.
-        if family == socket.AF_INET:
-            _ipt_ttl('-A', chain, '-j', 'RETURN', '-m', 'ttl', '--ttl',
-                     '%s' % ttl)
-        else:  # ipv6, ttl is renamed to 'hop limit'
-            _ipt_ttl('-A', chain, '-j', 'RETURN', '-m', 'hl', '--hl-eq',
-                     '%s' % ttl)
-
         # Redirect DNS traffic as requested. This includes routing traffic
         # to localhost DNS servers through sshuttle.
         for _, ip in [i for i in nslist if i[0] == family]:
@@ -102,9 +89,6 @@ def restore_firewall(self, port, family, udp, user):
         def _ipt(*args):
             return ipt(family, table, *args)
 
-        def _ipt_ttl(*args):
-            return ipt_ttl(family, table, *args)
-
         def _ipm(*args):
             return ipt(family, "mangle", *args)