-
Notifications
You must be signed in to change notification settings - Fork 728
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refused connections incorrectly get accepted #899
Comments
disclaimer: I am going purely from memory here. I think because sshuttle is implemented at the application level, there is not much else it can do here. We can't initiate the outgoing connection until after we accept the incoming connection, and by this stage it is too late to properly reject the incoming connection if the outgoing connection fails. i.e. we don't get notified of the incoming connection unless we accept it also. |
I wonder if we could use NFQUEUE for this? |
https://github.com/oremanj/python-netfilterqueue Maybe using set mark to identify packets that need to be rejected by a later iptables rule, since it doesn't seem like nfqueue can reject directly, only drop. |
I just made a quick prototype to see if this worked outside of sshuttle: https://gist.github.com/edmcman/16a47334f569380d00fd6fd80b597e93
So it seems like it could work. |
I've been playing with this here. It's at the point where it configures some iptables chains and intercepts the packets using netfilterqueue. But, there's an architectural problem. SocksWrapper wants a socket, whereas netfilterqueue uses a callback function when a packet is queued. Maybe I could open a local socket and forward data from the netfilterqueue? But I don't see any easy way to send data in the reverse direction. Alternatively, I wonder if I could modify the TPROXY technique to use netfilterqueue only to reject invalid connections, and if the connection goes through, actually do the proxying with TPROXY. So it would look something like this:
|
I noticed the following unexpected behavior: when the TCP connection gets refused by the server, sshuttle doesn't refuse the connection but accepts it and returns an empty response instead.
This is not just an academic difference: when trying to reach an (allegedly misconfigured) server that advertizes both IPv4 and IPv6 addresses through A and AAAA DNS records respectively but refuses IPv6 connections, happy eyeballs will allow the IPv4 connexion to be established if the IPv6 one gets refused, but this fails with the current sshuttle behavior of accepting actually refused connexions.
Could this be fixed, or is it a shortcoming of the sshuttle approach?
Example:
Currently,
cds.cern.ch
has a CNAME DNS record pointing tocds-lb.cern.ch
with the following A & AAAA addresses:However, it refuses IPv6 HTTP connections.
curl
, but browsers behave similarly) falls back to using IPv4:The text was updated successfully, but these errors were encountered: