Skip to content

When subnets and excludes are specified with hostnames, use all IPs.#541

Merged
brianmay merged 6 commits intosshuttle:masterfrom
skuhl:use-all-ips
Oct 19, 2020
Merged

When subnets and excludes are specified with hostnames, use all IPs.#541
brianmay merged 6 commits intosshuttle:masterfrom
skuhl:use-all-ips

Conversation

@skuhl
Copy link
Contributor

@skuhl skuhl commented Oct 16, 2020

The list of subnets to route over VPN and the list of subnets to
exclude are parsed in option.py parse_subnetport(). Hostnames or IP
addresses are supported. If a hostname was provided, only the first IP
address was considered. This could result in some traffic not
traversing the VPN that the user might expect should traverse it from
the arguments passed to sshuttle.

This patch makes the function handle all of the IPs if a hostname is
provided. If a user provides a hostname with a CIDR mask, problems can
occur and we warn the user about the issue.

If the user includes a hostname with both an IPv4 and an IPv6 address,
and the underlying method doesn't support IPv6, then this patch will
cause sshuttle to fail. I plan to provide a future patch where failure
won't occur if the only place IPv6 addresses appear is in the exclude
list. In that case it should be safe to ignore the IPv6 address.

This patch also changes parse_ipport() which is used by the --to-ns
option. If the user provides a hostname here, we just use the first IP
from the hostname and warn the user that only one is being used.

@skuhl
When subnets and excludes are specified with hostnames, use all IPs.
036c49e 
The list of subnets to route over VPN and the list of subnets to
exclude are parsed in option.py parse_subnetport(). Hostnames or IP
addresses are supported. If a hostname was provided, only the first IP
address was considered. This could result in some traffic not
traversing the VPN that the user might expect should traverse it from
the arguments passed to sshuttle.

This patch makes the function handle all of the IPs if a hostname is
provided. If a user provides a hostname with a CIDR mask, problems can
occur and we warn the user about the issue.

If the user includes a hostname with both an IPv4 and an IPv6 address,
and the underlying method doesn't support IPv6, then this patch will
cause sshuttle to fail. I plan to provide a future patch where failure
won't occur if the only place IPv6 addresses appear is in the exclude
list. In that case it should be safe to ignore the IPv6 address.

This patch also changes parse_ipport() which is used by the --to-ns
option. If the user provides a hostname here, we just use the first IP
from the hostname and warn the user that only one is being used.
@skuhl skuhl mentioned this pull request Oct 17, 2020
Open
skuhl added 5 commits October 17, 2020 14:43
@skuhl
fix flake8 issues, clarify comment
64d5c77
@skuhl
Make tests for parse_subnetport() expect lists & update expected erro…
cb53d8a 
…r messages in tests
@skuhl
fix flake8 issues in updated tests
cfe14f2
@skuhl
Remove localhost test since it can resolve to either IPv4, IPv6, or b…
c2b1046 
…oth in any particular order
@skuhl
Update/document client's handling of IPv4 and IPv6.
b7a29ac 
Additional comments, checks, warning messages, and diagnostic
information is printed out when the client starts.

We assume IPv4 is always present and enabled. We assume IPv6 is not
supported when it is disabled at the command line or when it is not
supported by the firewall method. Warn if IPv6 is disabled but the
user specified IPv6 subnets, IPv6 DNS servers, or IPv6 excludes that
are effectively ignored.

Instead of indicating which features are on/off, we also indicate if
features are available in the verbose output.

We also more clearly print the subnets that we forward, excludes, and
any redirected DNS servers to the terminal output.

These changes should help handling bug reports and make it clearer to
users what is happening. It should also make it more graceful when a
user specifies a subnet/exclude with hostname that resolves to both
IPv4 and IPv6 (but IPv6 is disabled in sshuttle).
@skuhl
Copy link
Contributor Author

skuhl commented Oct 19, 2020

I think I'm done with this. The last commit makes more changes than what is strictly necessary to support what the original comment says. Initially, I wanted to have some sane behavior when an IPv4+IPv6 hostname is used as a part of a subnet to include or exclude (but IPv6 might not be enabled). However, once I started making changes, I ended up making some other related changes to the code.

I think the changes, particularly the ones in the last commit, could use some testing. Suggestions and feedback are welcome.

brianmay
brianmay approved these changes Oct 19, 2020
View reviewed changes
Copy link
Member

@brianmay brianmay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me. Will merge if you agree it is ready.

@skuhl
Copy link
Contributor Author

skuhl commented Oct 19, 2020

Merge it! I think it is completed and I hope it doesn't break things for anybody. I need this fix in to propose my forthcoming fix for #191 to auto-exclude the ssh host. I believe I found/implemented an appropriate workaround to the problem you mentioned in #191 (comment) . Stay tuned for another pull request.

@brianmay brianmay merged commit c3016f2 into sshuttle:master Oct 19, 2020
@skuhl skuhl deleted the use-all-ips branch October 20, 2020 17:59
@skuhl skuhl mentioned this pull request Oct 25, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brianmay brianmay brianmay approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@skuhl @brianmay