sshuttle
diff --git a/‎.vscode/settings.json
Lines changed: 4 additions & 0 deletions b/‎.vscode/settings.json
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/client.rs
Lines changed: 68 additions & 23 deletions b/‎src/client.rs
Lines changed: 68 additions & 23 deletions
diff --git a/‎src/firewall.rs
Lines changed: 7 additions & 3 deletions b/‎src/firewall.rs
Lines changed: 7 additions & 3 deletions
diff --git a/‎src/firewall/nat.rs
Lines changed: 40 additions & 15 deletions b/‎src/firewall/nat.rs
Lines changed: 40 additions & 15 deletions
@@ -10,9 +10,13 @@
         "getaddrinfo",
         "getsockopt",
         "INET",
+        "IPPROTO",
+        "IPPROTO_IP",
+        "libc",
         "lport",
         "noncommercially",
         "PREROUTING",
+        "RECVORIGDSTADDR",
         "reprs",
         "rustfmt",
         "setsocketopt",
 
@@ -1,10 +1,13 @@
-use std::net::IpAddr;
+use std::io::IoSliceMut;
+use std::net::{IpAddr, UdpSocket};
+use std::os::unix::prelude::AsRawFd;
 use std::sync::Arc;
 use std::time::Duration;
 use std::{error::Error, fmt::Display, net::SocketAddr};
 
 use fast_socks5::client::Socks5Stream;
 
+use nix::sys::socket::{recvmsg, MsgFlags, RecvMsg};
 use tokio::io::copy_bidirectional;
 use tokio::net::{TcpListener, TcpStream};
 use tokio::select;
@@ -17,14 +20,14 @@ use crate::command::CommandError;
 use crate::firewall::{
     Firewall, FirewallConfig, FirewallError, FirewallListenerConfig, FirewallSubnetConfig,
 };
-use crate::network::Subnets;
+use crate::network::{ListenerAddr, Subnets};
 use crate::options::FirewallType;
 
 pub struct Config {
     pub includes: Subnets,
     pub excludes: Subnets,
     pub remote: Option<String>,
-    pub listen: Vec<SocketAddr>,
+    pub listen: Vec<ListenerAddr>,
     pub socks_addr: SocketAddr,
     pub firewall: FirewallType,
 }
@@ -225,13 +228,13 @@ fn get_firewall_config(config: &Config) -> FirewallConfig {
         .map(|addr| match addr.ip() {
             IpAddr::V4(_) => FirewallListenerConfig::Ipv4(FirewallSubnetConfig {
                 enable: true,
-                port: addr.port(),
+                listener: addr.clone(),
                 includes: config.includes.ipv4(),
                 excludes: config.excludes.ipv4(),
             }),
             IpAddr::V6(_) => FirewallListenerConfig::Ipv6(FirewallSubnetConfig {
                 enable: true,
-                port: addr.port(),
+                listener: addr.clone(),
                 includes: config.includes.ipv6(),
                 excludes: config.excludes.ipv6(),
             }),
@@ -307,32 +310,74 @@ async fn run_client(
     let listen = config.listen.clone();
 
     let firewall: Arc<dyn Firewall + Send + Sync> = Arc::from(firewall);
-    for addr in listen {
-        let firewall = Arc::clone(&firewall);
-        let listener = TcpListener::bind(addr).await?;
-        firewall.setup_tcp_listener(&listener)?;
-
-        let _handle = tokio::spawn(async move {
-            firewall.setup_tcp_listener(&listener).unwrap();
-
-            loop {
-                let firewall = Arc::clone(&firewall);
-                let (socket, _) = listener.accept().await.unwrap();
-                tokio::spawn(async move {
-                    handle_tcp_client(socket, addr, socks_addr, firewall).await;
-                });
-            }
-        });
+    for l_addr in listen {
+        println!("----> {}", l_addr);
+        match l_addr.protocol {
+            crate::network::Protocol::Tcp => listen_tcp(&firewall, l_addr, socks_addr).await?,
+            crate::network::Protocol::Udp => listen_udp(&firewall, l_addr, socks_addr).await?,
+        }
     }
 
     loop {
         sleep(Duration::from_secs(60)).await;
     }
 }
 
+async fn listen_tcp(
+    firewall: &Arc<dyn Firewall + Send + Sync>,
+    l_addr: ListenerAddr,
+    socks_addr: SocketAddr,
+) -> Result<(), ClientError> {
+    let firewall = Arc::clone(firewall);
+    let listener = TcpListener::bind(l_addr.addr).await?;
+    firewall.setup_tcp_listener(&listener)?;
+
+    let _handle = tokio::spawn(async move {
+        loop {
+            let firewall = Arc::clone(&firewall);
+            let (socket, _) = listener.accept().await.unwrap();
+            let l_addr = l_addr.clone();
+            tokio::spawn(async move {
+                handle_tcp_client(socket, &l_addr, socks_addr, firewall).await;
+            });
+        }
+    });
+    Ok(())
+}
+
+async fn listen_udp(
+    firewall: &Arc<dyn Firewall + Send + Sync>,
+    l_addr: ListenerAddr,
+    _socks_addr: SocketAddr,
+) -> Result<(), ClientError> {
+    let firewall = Arc::clone(firewall);
+    tokio::task::spawn_blocking(move || {
+        // let firewall = Arc::clone(firewall);
+        let local = UdpSocket::bind(l_addr.addr)?;
+        local.set_nonblocking(false)?;
+        firewall.setup_udp_socket(&local)?;
+        std::thread::spawn(move || loop {
+            let mut buf = vec![0u8; 1024];
+            let ioslice = IoSliceMut::new(&mut buf);
+            let mut cmsg_buffer = vec![0u8; 24];
+            println!("{l_addr} UDP waiting");
+            let cmsg: RecvMsg<nix::sys::socket::SockAddr> = recvmsg(
+                local.as_raw_fd(),
+                &mut [ioslice],
+                Some(&mut cmsg_buffer),
+                MsgFlags::empty(),
+            )
+            .unwrap();
+            println!("{l_addr} UDP {cmsg:?}");
+        });
+        Ok(())
+    })
+    .await?
+}
+
 async fn handle_tcp_client(
     socket: TcpStream,
-    addr: SocketAddr,
+    l_addr: &ListenerAddr,
     socks_addr: SocketAddr,
     firewall: Arc<dyn Firewall + Send + Sync>,
 ) {
@@ -341,7 +386,7 @@ async fn handle_tcp_client(
     log::debug!("new connection from: {}", local_addr);
 
     let remote_addr = firewall.get_dst_addr(&local).unwrap();
-    log::info!("{addr} got connection from {local_addr} to {remote_addr}");
+    log::info!("{l_addr} got connection from {local_addr} to {remote_addr}");
 
     let (addr_str, port) = {
         let addr = remote_addr.ip().to_string();
 
@@ -1,7 +1,7 @@
 use std::{
     error::Error,
     fmt::Display,
-    net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
+    net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr, UdpSocket},
     os::unix::prelude::AsRawFd,
 };
 
@@ -16,8 +16,8 @@ use tokio::net::{TcpListener, TcpStream};
 
 use crate::{
     commands::Commands,
-    network::SubnetsV4,
     network::{Family, SubnetsFamily, SubnetsV6},
+    network::{ListenerAddr, SubnetsV4},
 };
 
 pub mod nat;
@@ -81,6 +81,10 @@ pub trait Firewall {
         Ok(())
     }
 
+    fn setup_udp_socket(&self, _l: &UdpSocket) -> Result<(), FirewallError> {
+        Ok(())
+    }
+
     fn get_dst_addr(&self, s: &TcpStream) -> Result<SocketAddr, FirewallError> {
         get_dst_addr_sockopt(s)
     }
@@ -91,7 +95,7 @@ pub trait Firewall {
 
 pub struct FirewallSubnetConfig<T: SubnetsFamily> {
     pub enable: bool,
-    pub port: u16,
+    pub listener: ListenerAddr,
     pub includes: T,
     pub excludes: T,
 }
 
@@ -1,4 +1,5 @@
 use crate::network::Ports;
+use crate::network::Protocol;
 use crate::network::SubnetFamily;
 use crate::network::SubnetsFamily;
 
@@ -18,7 +19,13 @@ impl NatFirewall {
         fconfig: &FirewallSubnetConfig<T>,
         commands: &mut Commands,
     ) -> Result<(), FirewallError> {
-        let port = fconfig.port.to_string();
+        if !matches!(fconfig.listener.protocol, Protocol::Tcp) {
+            return Err(FirewallError {
+                message: "Only TCP is supported for NAT".to_string(),
+            });
+        }
+
+        let port = fconfig.listener.port().to_string();
         let chain = format!("sshuttle-{}", port);
         let family = fconfig.family();
 
@@ -95,8 +102,14 @@ impl NatFirewall {
         fconfig: &FirewallSubnetConfig<T>,
         commands: &mut Commands,
     ) -> Result<(), FirewallError> {
-        let port = fconfig.port.to_string();
-        let chain = format!("sshuttle-{}", fconfig.port);
+        if !matches!(fconfig.listener.protocol, Protocol::Tcp) {
+            return Err(FirewallError {
+                message: "Only TCP is supported for NAT".to_string(),
+            });
+        }
+
+        let port = fconfig.listener.port().to_string();
+        let chain = format!("sshuttle-{}", port);
         let family = fconfig.family();
 
         macro_rules! ipt {
@@ -167,7 +180,7 @@ impl Firewall for NatFirewall {
 mod tests {
     use crate::{
         command::CommandLine,
-        network::{SubnetsV4, SubnetsV6},
+        network::{ListenerAddr, SubnetsV4, SubnetsV6},
     };
 
     use super::*;
@@ -177,7 +190,10 @@ mod tests {
         let firewall = NatFirewall::new();
         let ipv4_family = FirewallSubnetConfig {
             enable: true,
-            port: 1025,
+            listener: ListenerAddr {
+                protocol: Protocol::Tcp,
+                addr: "127.0.0.1:1024".parse().unwrap(),
+            },
             includes: "1.2.3.0/24:8000-9000".parse::<SubnetsV4>().unwrap(),
             excludes: "1.2.3.66:8080".parse::<SubnetsV4>().unwrap(),
         };
@@ -187,13 +203,13 @@ mod tests {
         };
 
         let expected_ipv4: [&str; 7] = [
-            "iptables -w -t nat -N sshuttle-1025",
-            "iptables -w -t nat -F sshuttle-1025",
-            "iptables -w -t nat -I OUTPUT 1 -j sshuttle-1025",
-            "iptables -w -t nat -I PREROUTING 1 -j sshuttle-1025",
-            "iptables -w -t nat -A sshuttle-1025 -j RETURN -m addrtype --dst-type LOCAL",
-            "iptables -w -t nat -A sshuttle-1025 -j RETURN --dest 1.2.3.66/32 -p tcp --dport 8080",
-            "iptables -w -t nat -A sshuttle-1025 -j REDIRECT --dest 1.2.3.0/24 -p tcp --dport 8000:9000 --to-ports 1025",
+            "iptables -w -t nat -N sshuttle-1024",
+            "iptables -w -t nat -F sshuttle-1024",
+            "iptables -w -t nat -I OUTPUT 1 -j sshuttle-1024",
+            "iptables -w -t nat -I PREROUTING 1 -j sshuttle-1024",
+            "iptables -w -t nat -A sshuttle-1024 -j RETURN -m addrtype --dst-type LOCAL",
+            "iptables -w -t nat -A sshuttle-1024 -j RETURN --dest 1.2.3.66/32 -p tcp --dport 8080",
+            "iptables -w -t nat -A sshuttle-1024 -j REDIRECT --dest 1.2.3.0/24 -p tcp --dport 8000:9000 --to-ports 1024",
         ];
 
         let mut commands = Commands::default();
@@ -213,7 +229,10 @@ mod tests {
         let firewall = NatFirewall::new();
         let ipv6_family = FirewallSubnetConfig {
             enable: true,
-            port: 1024,
+            listener: ListenerAddr {
+                protocol: Protocol::Tcp,
+                addr: "127.0.0.1:1024".parse().unwrap(),
+            },
             includes: "2404:6800:4004:80c::/64".parse::<SubnetsV6>().unwrap(),
             excludes: "[2404:6800:4004:80c::101f]:80".parse().unwrap(),
         };
@@ -248,7 +267,10 @@ mod tests {
         let firewall = NatFirewall::new();
         let ipv4_family = FirewallSubnetConfig {
             enable: true,
-            port: 1024,
+            listener: ListenerAddr {
+                protocol: Protocol::Tcp,
+                addr: "127.0.0.1:1024".parse().unwrap(),
+            },
             includes: "1.2.3.0/32".parse::<SubnetsV4>().unwrap(),
             excludes: "1.2.3.66".parse::<SubnetsV4>().unwrap(),
         };
@@ -281,7 +303,10 @@ mod tests {
         let firewall = NatFirewall::new();
         let ipv6_family = FirewallSubnetConfig {
             enable: true,
-            port: 1024,
+            listener: ListenerAddr {
+                protocol: Protocol::Tcp,
+                addr: "127.0.0.1:1024".parse().unwrap(),
+            },
             includes: "2404:6800:4004:80c::/64".parse::<SubnetsV6>().unwrap(),
             excludes: "[2404:6800:4004:80c::101f]:80".parse().unwrap(),
         };