Added user info

Author: liorm

client.py

@@ -96,15 +96,15 @@ def original_dst(sock):
 
 
 class FirewallClient:
-    def __init__(self, port, subnets_include, subnets_exclude, dnsport):
+    def __init__(self, port, subnets_include, subnets_exclude, dnsport, route_username):
         self.port = port
         self.auto_nets = []
         self.subnets_include = subnets_include
         self.subnets_exclude = subnets_exclude
         self.dnsport = dnsport
         argvbase = ([sys.argv[1], sys.argv[0], sys.argv[1]] +
                     ['-v'] * (helpers.verbose or 0) +
-                    ['--firewall', str(port), str(dnsport)])
+                    ['--firewall', str(port), str(dnsport), '--username', route_username])
         if ssyslog._p:
             argvbase += ['--syslog']
         argv_tries = [
@@ -338,7 +338,7 @@ def onhostlist(hostlist):
 
 def main(listenip, ssh_cmd, remotename, python, latency_control, dns,
          seed_hosts, auto_nets,
-         subnets_include, subnets_exclude, syslog, daemon, pidfile):
+         subnets_include, subnets_exclude, syslog, daemon, pidfile, route_username):
     if syslog:
         ssyslog.start_syslog()
     if daemon:
@@ -385,7 +385,7 @@ def main(listenip, ssh_cmd, remotename, python, latency_control, dns,
         dnsport = 0
         dnslistener = None
 
-    fw = FirewallClient(listenip[1], subnets_include, subnets_exclude, dnsport)
+    fw = FirewallClient(listenip[1], subnets_include, subnets_exclude, dnsport, route_username)
 
     try:
         return _main(listener, fw, ssh_cmd, remotename,

firewall.py

@@ -70,20 +70,26 @@ def ipt_ttl(*args):
 # multiple copies shouldn't have overlapping subnets, or only the most-
 # recently-started one will win (because we use "-I OUTPUT 1" instead of
 # "-A OUTPUT").
-def do_iptables(port, dnsport, subnets):
+def do_iptables(port, dnsport, route_username, subnets):
     chain = 'sshuttle-%s' % port
 
     # basic cleanup/setup of chains
     if ipt_chain_exists(chain):
-        nonfatal(ipt, '-D', 'OUTPUT', '-j', chain)
+        if not route_username:
+            nonfatal(ipt, '-D', 'OUTPUT', '-j', chain)
+        else:
+            nonfatal(ipt, '-m', 'owner', '--uid-owner', route_username, '-D', 'OUTPUT', '-j', chain)
         nonfatal(ipt, '-D', 'PREROUTING', '-j', chain)
         nonfatal(ipt, '-F', chain)
         ipt('-X', chain)
 
     if subnets or dnsport:
         ipt('-N', chain)
         ipt('-F', chain)
-        ipt('-I', 'OUTPUT', '1', '-j', chain)
+        if not route_username:
+            ipt('-I', 'OUTPUT', '1', '-j', chain)
+        else:
+            ipt('-m', 'owner', '--uid-owner', route_username, '-I', 'OUTPUT', '1', '-j', chain)
         ipt('-I', 'PREROUTING', '1', '-j', chain)
 
     if subnets:
@@ -255,7 +261,7 @@ def ipfw(*args):
     _call(argv)
 
 
-def do_ipfw(port, dnsport, subnets):
+def do_ipfw(port, dnsport, route_username, subnets):
     sport = str(port)
     xsport = str(port+1)
 
@@ -451,7 +457,7 @@ def ip_in_subnets(ip, subnets):
 # exit.  In case that fails, it's not the end of the world; future runs will
 # supercede it in the transproxy list, at least, so the leftover rules
 # are hopefully harmless.
-def main(port, dnsport, syslog):
+def main(port, dnsport, syslog, route_username):
     assert(port > 0)
     assert(port <= 65535)
     assert(dnsport >= 0)
@@ -516,7 +522,7 @@ def main(port, dnsport, syslog):
     try:
         if line:
             debug1('firewall manager: starting transproxy.\n')
-            do_wait = do_it(port, dnsport, subnets)
+            do_wait = do_it(port, dnsport, route_username, subnets)
             sys.stdout.write('STARTED\n')
 
         try:
@@ -546,5 +552,5 @@ def main(port, dnsport, syslog):
             debug1('firewall manager: undoing changes.\n')
         except:
             pass
-        do_it(port, 0, [])
+        do_it(port, 0, route_username, [])
         restore_etc_hosts(port)

main.py

@@ -67,6 +67,7 @@ def parse_ipport(s):
 V,version  print sshuttle's version number
 syslog     send log messages to syslog (default if you use --daemon)
 pidfile=   pidfile name (only if using --daemon) [./sshuttle.pid]
+u,username= route packets only from the specified username (required iptables with -m owner support)
 server     (internal use only)
 firewall   (internal use only)
 hostwatch  (internal use only)
@@ -94,7 +95,7 @@ def parse_ipport(s):
     elif opt.firewall:
         if len(extra) != 2:
             o.fatal('exactly two arguments expected')
-        sys.exit(firewall.main(int(extra[0]), int(extra[1]), opt.syslog))
+        sys.exit(firewall.main(int(extra[0]), int(extra[1]), opt.syslog, opt.username))
     elif opt.hostwatch:
         sys.exit(hostwatch.hw_main(extra))
     else:
@@ -128,7 +129,7 @@ def parse_ipport(s):
                              opt.auto_nets,
                              parse_subnets(includes),
                              parse_subnets(excludes),
-                             opt.syslog, opt.daemon, opt.pidfile))
+                             opt.syslog, opt.daemon, opt.pidfile, opt.username))
 except FatalNeedsReboot, e:
     log('You must reboot before using sshuttle.\n')
     sys.exit(EXITCODE_NEEDS_REBOOT)