Not able to exclude localhost about sshuttle HOT 4 CLOSED

I'm seeing this as well under Mac OS X 10.10. You shouldn't even have to specify it explicitly, as main.py has excludes = ['127.0.0.0/8'].

To reproduce:

$ nc -l 7777
$ echo hello | nc -v localhost 7777 (in another terminal)

Expected behavior:
terminal1 prints "hello"

Observed behavior with sshuttle running (sshuttle -r remote-host 0/0)
terminal1: no output
terminal2: nc: connectx to localhost port 7777 (tcp) failed: Connection refused

However, if I run nc -l 7777 on remote-host, the connections goes through, so sshuttle is clearly forwarding localhost across the interface.

$ sudo pfctl -a sshuttle -t exclude_subnets -T show
127.0.0.0/8

So localhost is getting added to the pf exclude_subnets table.

$ sudo pfctl -a sshuttle -sn
rdr pass on lo0 inet proto tcp from any to <include_subnets> -> 127.0.0.1 port 12300

$ sudo pfctl -a sshuttle -sr
pass out route-to lo0 inet proto tcp from any to <include_subnets> flags S/SA keep state
pass out route-to lo0 inet proto tcp from any to <exclude_subnets> flags S/SA keep state

It looks like the include_subnets and exclude_subnets tables are being treated identically. I don't know whether it's intentional, but it looks odd.

edit: upon further thought, maybe that isn't so odd; only the firewall rules are identical, but the include_subnets are (apparently) selected for special treatment in the nat rules. The trouble is that if include_subnets has a subnet that includes an entry in exclude_subnets, it will "swallow" the latter.

from sshuttle.

It looks like the "pass out route-to" issue is a bug in the latest homebrew version, which has been fixed in sshuttle/sshuttle master.

$ sudo pfctl -a sshuttle -sn
rdr pass on lo0 inet proto tcp from any to <include_subnets> -> 127.0.0.1 port 12300

$ sudo pfctl -a sshuttle -sr
pass out route-to lo0 inet proto tcp from any to <include_subnets> flags S/SA keep state
pass out quick proto tcp from any to <exclude_subnets> flags S/SA keep state

Even in master, though, localhost isn't properly excluded because the rdr applies to all lo0 packets, not just ones rerouted there.

The solution is a no rdr on lo0 inet proto tcp from any to 127.0.0.0/8 rule. I have a pull request that fixes the issue by treating the rules the same way as other firewall backends do, sorting the rules by specificity and explicitly adding a 'no rdr' for excluded rules. As long as the pass rules are correct, only 127.0.0.0/8 actually needs the 'no rdr' rule, so someone may want to implement a fix differently.

from sshuttle.

The above pull request is an improvement over my first change, as it still takes advantage of table rules rather than resorting to a (potentially less efficient) list of individual rules.

from sshuttle.

Fixed by merging #16.

from sshuttle.