Merge branch 'pull/29'

* Merging pull request apenwarr#29.

Author: Hasimir

client.py

@@ -96,7 +96,11 @@ def original_dst(sock):
 
 
 class FirewallClient:
+<<<<<<< HEAD
     def __init__(self, port, subnets_include, subnets_exclude, dnsport, dns_hosts):
+=======
+    def __init__(self, port, subnets_include, subnets_exclude, dnsport, route_username, excludedports):
+>>>>>>> pull/29
         self.port = port
         self.auto_nets = []
         self.subnets_include = subnets_include
@@ -105,7 +109,9 @@ def __init__(self, port, subnets_include, subnets_exclude, dnsport, dns_hosts):
         self.dns_hosts = dns_hosts
         argvbase = ([sys.argv[1], sys.argv[0], sys.argv[1]] +
                     ['-v'] * (helpers.verbose or 0) +
-                    ['--firewall', str(port), str(dnsport)])
+                    ['--firewall', str(port), str(dnsport),
+                     '--username', route_username or '',
+                     '--eports', excludedports or ''])
         if ssyslog._p:
             argvbase += ['--syslog']
         if dnsport:
@@ -343,7 +349,7 @@ def onhostlist(hostlist):
 def main(listenip, ssh_cmd, remotename, python, latency_control,
          dns, dns_hosts,
          seed_hosts, auto_nets,
-         subnets_include, subnets_exclude, syslog, daemon, pidfile):
+         subnets_include, subnets_exclude, syslog, daemon, pidfile, route_username, excludedports):
     if syslog:
         ssyslog.start_syslog()
     if daemon:
@@ -393,7 +399,11 @@ def main(listenip, ssh_cmd, remotename, python, latency_control,
         dnslistener = None
         dns_hosts = []
 
+<<<<<<< HEAD
     fw = FirewallClient(listenip[1], subnets_include, subnets_exclude, dnsport, dns_hosts)
+=======
+    fw = FirewallClient(listenip[1], subnets_include, subnets_exclude, dnsport, route_username, excludedports)
+>>>>>>> pull/29
 
     try:
         return _main(listener, fw, ssh_cmd, remotename,

firewall.py

@@ -70,20 +70,34 @@ def ipt_ttl(*args):
 # multiple copies shouldn't have overlapping subnets, or only the most-
 # recently-started one will win (because we use "-I OUTPUT 1" instead of
 # "-A OUTPUT").
+<<<<<<< HEAD
 def do_iptables(port, dnsport, nslist, subnets):
+=======
+def do_iptables(port, dnsport, route_username, excludedports, subnets):
+>>>>>>> pull/29
     chain = 'sshuttle-%s' % port
 
+    eportsargv = []
+    if excludedports:
+        eportsargv += ['--match', 'multiport', '!', '--dport', excludedports]
+
     # basic cleanup/setup of chains
     if ipt_chain_exists(chain):
-        nonfatal(ipt, '-D', 'OUTPUT', '-j', chain)
+        if not route_username:
+            nonfatal(ipt, '-D', 'OUTPUT', '-j', chain)
+        else:
+            nonfatal(ipt, '-m', 'owner', '--uid-owner', route_username, '-D', 'OUTPUT', '-j', chain)
         nonfatal(ipt, '-D', 'PREROUTING', '-j', chain)
         nonfatal(ipt, '-F', chain)
         ipt('-X', chain)
 
     if subnets or dnsport:
         ipt('-N', chain)
         ipt('-F', chain)
-        ipt('-I', 'OUTPUT', '1', '-j', chain)
+        if not route_username:
+            ipt('-I', 'OUTPUT', '1', '-j', chain)
+        else:
+            ipt('-m', 'owner', '--uid-owner', route_username, '-I', 'OUTPUT', '1', '-j', chain)
         ipt('-I', 'PREROUTING', '1', '-j', chain)
 
     if subnets:
@@ -101,8 +115,9 @@ def do_iptables(port, dnsport, nslist, subnets):
                 ipt_ttl('-A', chain, '-j', 'REDIRECT',
                         '--dest', '%s/%s' % (snet,swidth),
                         '-p', 'tcp',
-                        '--to-ports', str(port))
-                
+                        '--to-ports', str(port),
+                         *eportsargv)
+
     if dnsport:
         for ip in nslist:
             ipt_ttl('-A', chain, '-j', 'REDIRECT',
@@ -254,7 +269,11 @@ def ipfw(*args):
     _call(argv)
 
 
+<<<<<<< HEAD
 def do_ipfw(port, dnsport, nslist, subnets):
+=======
+def do_ipfw(port, dnsport, route_username, excludedports, subnets):
+>>>>>>> pull/29
     sport = str(port)
     xsport = str(port+1)
 
@@ -449,7 +468,11 @@ def ip_in_subnets(ip, subnets):
 # exit.  In case that fails, it's not the end of the world; future runs will
 # supercede it in the transproxy list, at least, so the leftover rules
 # are hopefully harmless.
+<<<<<<< HEAD
 def main(port, dnsport, nslist, syslog):
+=======
+def main(port, dnsport, syslog, route_username, excludedports):
+>>>>>>> pull/29
     assert(port > 0)
     assert(port <= 65535)
     assert(dnsport >= 0)
@@ -514,7 +537,11 @@ def main(port, dnsport, nslist, syslog):
     try:
         if line:
             debug1('firewall manager: starting transproxy.\n')
+<<<<<<< HEAD
             do_wait = do_it(port, dnsport, nslist, subnets)
+=======
+            do_wait = do_it(port, dnsport, route_username, excludedports, subnets)
+>>>>>>> pull/29
             sys.stdout.write('STARTED\n')
 
         try:
@@ -544,5 +571,9 @@ def main(port, dnsport, nslist, syslog):
             debug1('firewall manager: undoing changes.\n')
         except:
             pass
+<<<<<<< HEAD
         do_it(port, 0, [], [])
+=======
+        do_it(port, 0, route_username, excludedports, [])
+>>>>>>> pull/29
         restore_etc_hosts(port)

main.py

@@ -68,6 +68,8 @@ def parse_ipport(s):
 V,version  print sshuttle's version number
 syslog     send log messages to syslog (default if you use --daemon)
 pidfile=   pidfile name (only if using --daemon) [./sshuttle.pid]
+u,username= route packets only from the specified username (required iptables with -m owner support)
+eports=    Exclude this list of ports (separated by comma with no spaces)
 server     (internal use only)
 firewall   (internal use only)
 hostwatch  (internal use only)
@@ -95,9 +97,13 @@ def parse_ipport(s):
     elif opt.firewall:
         if len(extra) != 2:
             o.fatal('exactly two arguments expected')
+<<<<<<< HEAD
         port, dnsport = int(extra[0]), int(extra[1])
         nslist = re.split(r'[\s,]+', opt.dns_hosts.strip()) if dnsport else []
         sys.exit(firewall.main(port, dnsport, nslist, opt.syslog))
+=======
+        sys.exit(firewall.main(int(extra[0]), int(extra[1]), opt.syslog, opt.username, str(opt.eports)))
+>>>>>>> pull/29
     elif opt.hostwatch:
         sys.exit(hostwatch.hw_main(extra))
     else:
@@ -133,7 +139,7 @@ def parse_ipport(s):
                              opt.auto_nets,
                              parse_subnets(includes),
                              parse_subnets(excludes),
-                             opt.syslog, opt.daemon, opt.pidfile))
+                             opt.syslog, opt.daemon, opt.pidfile, opt.username, str(opt.eports)))
 except FatalNeedsReboot, e:
     log('You must reboot before using sshuttle.\n')
     sys.exit(EXITCODE_NEEDS_REBOOT)