Update changelog for 0.78.3

Get version for sphinx from sshuttle.version
Fix error in requirements.rst
2025-07-04 16:50:34 +02:00 · 2017-07-09 09:12:04 +10:00 · 2017-07-09 09:08:48 +10:00 · 2017-07-09 09:08:48 +10:00 · 2017-07-09 09:08:48 +10:00 · 2017-07-09 09:08:48 +10:00
98 changed files with 6873 additions and 6491 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,15 @@
 /sshuttle/version.py
 /tmp/
 /.cache/
 /.eggs/
 /.tox/
 /build/
 /dist/
 /sshuttle.egg-info/
 /docs/_build/
 *.pyc
 *~
 *.8
 /.do_built
 /.do_built.dir
 /.redo
--- a/.travis.yml
+++ b/.travis.yml
@ -0,0 +1,13 @@
 language: python
 python:
 - 2.6
 - 2.7
 - 3.4
 - 3.5
 - pypy
 install:
    - travis_retry pip install -q pytest mock
 script:
  - PYTHONPATH=. py.test
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -0,0 +1,119 @@
 ==========
 Change log
 ==========
 All notable changes to this project will be documented in this file. The format
 is based on `Keep a Changelog`_ and this project
 adheres to `Semantic Versioning`_.
 .. _`Keep a Changelog`: http://keepachangelog.com/
 .. _`Semantic Versioning`: http://semver.org/
 0.78.3 - 2017-07-09
 -------------------
 The "I should have done a git pull" first release.
 Fixed
 ~~~~~
 * Order first by port range and only then by swidth
 0.78.2 - 2017-07-09
 -------------------
 Added
 ~~~~~
 * Adds support for tunneling specific port ranges (#144).
 * Add support for iproute2.
 * Allow remote hosts with colons in the username.
 * Re-introduce ipfw support for sshuttle on FreeBSD with support for --DNS option as well.
 * Add support for PfSense.
 * Tests and documentation for systemd integration.
 * Allow subnets to be given only by file (-s).
 Fixed
 ~~~~~
 * Work around non tabular headers in BSD netstat.
 * Fix UDP and DNS support on Python 2.7 with tproxy method.
 * Fixed tests after adding support for iproute2.
 * Small refactoring of netstat/iproute parsing.
 * Set started_by_sshuttle False after disabling pf.
 * Fix punctuation and explain Type=notify.
 * Move pytest-runner to tests_require.
 * Fix warning: closed channel got=STOP_SENDING.
 * Support sdnotify for better systemd integration.
 * Fix #117 to allow for no subnets via file (-s).
 * Fix argument splitting for multi-word arguments.
 * requirements.rst: Fix mistakes.
 * Fix typo, space not required here.
 * Update installation instructions.
 * Support using run from different directory.
 * Ensure we update sshuttle/version.py in run.
 * Don't print python version in run.
 * Add CWD to PYTHONPATH in run.
 0.78.1 - 2016-08-06
 -------------------
 * Fix readthedocs versioning.
 * Don't crash on ENETUNREACH.
 * Various bug fixes.
 * Improvements to BSD and OSX support.
 0.78.0 - 2016-04-08
 -------------------
 * Don't force IPv6 if IPv6 nameservers supplied. Fixes #74.
 * Call /bin/sh as users shell may not be POSIX compliant. Fixes #77.
 * Use argparse for command line processing. Fixes #75.
 * Remove useless --server option.
 * Support multiple -s (subnet) options. Fixes #86.
 * Make server parts work with old versions of Python. Fixes #81.
 0.77.2 - 2016-03-07
 -------------------
 * Accidentally switched LGPL2 license with GPL2 license in 0.77.1 - now fixed.
 0.77.1 - 2016-03-07
 -------------------
 * Use semantic versioning. http://semver.org/
 * Update GPL 2 license text.
 * New release to fix PyPI.
 0.77 - 2016-03-03
 -----------------
 * Various bug fixes.
 * Fix Documentation.
 * Add fix for MacOS X issue.
 * Add support for OpenBSD.
 0.76 - 2016-01-17
 -----------------
 * Add option to disable IPv6 support.
 * Update documentation.
 * Move documentation, including man page, to Sphinx.
 * Use setuptools-scm for automatic versioning.
 0.75 - 2016-01-12
 -----------------
 * Revert change that broke sshuttle entry point.
 0.74 - 2016-01-10
 -----------------
 * Add CHANGES.rst file.
 * Numerous bug fixes.
 * Python 3.5 fixes.
 * PF fixes, especially for BSD.
--- a/20
+++ b/20
@ -1,15 +1,15 @@
-		  GNU LIBRARY GENERAL PUBLIC LICENSE
+                  GNU LIBRARY GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
+                       Version 2, June 1991
 Copyright (C) 1991 Free Software Foundation, Inc.
-                    675 Mass Ave, Cambridge, MA 02139, USA
+ 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
 [This is the first released version of the library GPL.  It is
 numbered 2 because it goes with version 2 of the ordinary GPL.]
-			    Preamble
+                            Preamble
  The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@ -99,7 +99,7 @@ works together with the library.
  Note that it is possible for a library to be covered by the ordinary
 General Public License rather than by this special one.
-		  GNU LIBRARY GENERAL PUBLIC LICENSE
+                  GNU LIBRARY GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  0. This License Agreement applies to any software library which
@ -411,7 +411,7 @@ decision will be guided by the two goals of preserving the free status
 of all derivatives of our free software and of promoting the sharing
 and reuse of software generally.
-			    NO WARRANTY
+                            NO WARRANTY
  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
 WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
@ -434,9 +434,9 @@ FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
 SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.
-		     END OF TERMS AND CONDITIONS
+                     END OF TERMS AND CONDITIONS
-     Appendix: How to Apply These Terms to Your New Libraries
+           How to Apply These Terms to Your New Libraries
  If you develop a new library, and you want it to be of the greatest
 possible use to the public, we recommend making it free software that
@ -463,8 +463,8 @@ convey the exclusion of warranty; and each file should have at least the
    Library General Public License for more details.
    You should have received a copy of the GNU Library General Public
-    License along with this library; if not, write to the Free
+    License along with this library; if not, write to the Free Software
-    Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 Also add information on how to contact you by electronic and paper mail.
--- a/MANIFEST.in
+++ b/MANIFEST.in
@ -0,0 +1,14 @@
 include *.txt
 include *.rst
 include *.py
 include MANIFEST.in
 include LICENSE
 include run
 include tox.ini
 exclude sshuttle/version.py
 recursive-include docs *.bat
 recursive-include docs *.py
 recursive-include docs *.rst
 recursive-include docs Makefile
 recursive-include sshuttle *.py
 recursive-exclude docs/_build *
--- a/19
+++ b/19
@ -1,19 +0,0 @@
 PANDOC:=$(shell \
 	if pandoc </dev/null 2>/dev/null; then \
 		echo pandoc; \
 	else \
 		echo "Warning: pandoc not installed; can't generate manpages." >&2; \
 		echo '@echo Skipping: pandoc'; \
 	fi)
 default: all
 all: sshuttle.8
 sshuttle.8: sshuttle.md
 %.8: %.md
 	$(PANDOC) -s -r markdown -w man -o $@ $<
 clean:
 	rm -f *~ */*~ .*~ */.*~ *.8 *.tmp */*.tmp *.pyc */*.pyc
--- a/README.md
+++ b/README.md
@ -1,166 +0,0 @@
 sshuttle: where transparent proxy meets VPN meets ssh
 =====================================================
 As far as I know, sshuttle is the only program that solves the following
 common case:
 - Your client machine (or router) is Linux, FreeBSD, or MacOS.
 - You have access to a remote network via ssh.
 - You don't necessarily have admin access on the remote network.
 - The remote network has no VPN, or only stupid/complex VPN
    protocols (IPsec, PPTP, etc). Or maybe you <i>are</i> the
    admin and you just got frustrated with the awful state of
    VPN tools.
 - You don't want to create an ssh port forward for every
    single host/port on the remote network.
 - You hate openssh's port forwarding because it's randomly
    slow and/or stupid.
 - You can't use openssh's PermitTunnel feature because
    it's disabled by default on openssh servers; plus it does
    TCP-over-TCP, which has terrible performance (see below).
 Prerequisites
 -------------
 - sudo, su, or logged in as root on your client machine.
   (The server doesn't need admin access.)
 - If you use Linux on your client machine:
   iptables installed on the client, including at
   least the iptables DNAT, REDIRECT, and ttl modules. 
   These are installed by default on most Linux distributions. 
   (The server doesn't need iptables and doesn't need to be
   Linux.)
 - If you use MacOS or BSD on your client machine:
   Your kernel needs to be compiled with IPFIREWALL_FORWARD
   (MacOS has this by default) and you need to have ipfw
   available. (The server doesn't need to be MacOS or BSD.)
 This is how you use it:
 -----------------------
 - <tt>git clone git://github.com/apenwarr/sshuttle</tt>
    on your client machine. You'll need root or sudo
    access, and python needs to be installed.
 - <tt>./sshuttle -r username@sshserver 0.0.0.0/0 -vv</tt>
 (You may be prompted for one or more passwords; first, the
 local password to become root using either sudo or su, and
 then the remote ssh password.  Or you might have sudo and ssh set
 up to not require passwords, in which case you won't be
 prompted at all.)
 That's it!  Now your local machine can access the remote network as if you
 were right there.  And if your "client" machine is a router, everyone on
 your local network can make connections to your remote network.
 You don't need to install sshuttle on the remote server;
 the remote server just needs to have python available. 
 sshuttle will automatically upload and run its source code
 to the remote python interpreter.
 This creates a transparent proxy server on your local machine for all IP
 addresses that match 0.0.0.0/0.  (You can use more specific IP addresses if
 you want; use any number of IP addresses or subnets to change which
 addresses get proxied.  Using 0.0.0.0/0 proxies <i>everything</i>, which is
 interesting if you don't trust the people on your local network.)
 Any TCP session you initiate to one of the proxied IP addresses will be
 captured by sshuttle and sent over an ssh session to the remote copy of
 sshuttle, which will then regenerate the connection on that end, and funnel
 the data back and forth through ssh.
 Fun, right?  A poor man's instant VPN, and you don't even have to have
 admin access on the server.
 Theory of Operation
 -------------------
 sshuttle is not exactly a VPN, and not exactly port forwarding.  It's kind
 of both, and kind of neither.
 It's like a VPN, since it can forward every port on an entire network, not
 just ports you specify.  Conveniently, it lets you use the "real" IP
 addresses of each host rather than faking port numbers on localhost.
 On the other hand, the way it *works* is more like ssh port forwarding than
 a VPN.  Normally, a VPN forwards your data one packet at a time, and
 doesn't care about individual connections; ie. it's "stateless" with respect
 to the traffic.  sshuttle is the opposite of stateless; it tracks every
 single connection.
 You could compare sshuttle to something like the old <a
 href="http://en.wikipedia.org/wiki/Slirp">Slirp</a> program, which was a
 userspace TCP/IP implementation that did something similar.  But it
 operated on a packet-by-packet basis on the client side, reassembling the
 packets on the server side.  That worked okay back in the "real live serial
 port" days, because serial ports had predictable latency and buffering.
 But you can't safely just forward TCP packets over a TCP session (like ssh),
 because TCP's performance depends fundamentally on packet loss; it
 <i>must</i> experience packet loss in order to know when to slow down!  At
 the same time, the outer TCP session (ssh, in this case) is a reliable
 transport, which means that what you forward through the tunnel <i>never</i>
 experiences packet loss.  The ssh session itself experiences packet loss, of
 course, but TCP fixes it up and ssh (and thus you) never know the
 difference.  But neither does your inner TCP session, and extremely screwy
 performance ensues.
 sshuttle assembles the TCP stream locally, multiplexes it statefully over
 an ssh session, and disassembles it back into packets at the other end.  So
 it never ends up doing TCP-over-TCP.  It's just data-over-TCP, which is
 safe.
 Useless Trivia
 --------------
 Back in 1998 (12 years ago!  Yikes!), I released the first version of <a
 href="http://alumnit.ca/wiki/?TunnelVisionReadMe">Tunnel Vision</a>, a
 semi-intelligent VPN client for Linux.  Unfortunately, I made two big mistakes: 
 I implemented the key exchange myself (oops), and I ended up doing
 TCP-over-TCP (double oops).  The resulting program worked okay - and people
 used it for years - but the performance was always a bit funny.  And nobody
 ever found any security flaws in my key exchange, either, but that doesn't
 mean anything. :)
 The same year, dcoombs and I also released Fast Forward, a proxy server
 supporting transparent proxying.  Among other things, we used it for
 automatically splitting traffic across more than one Internet connection (a
 tool we called "Double Vision").
 I was still in university at the time.  A couple years after that, one of my
 professors was working with some graduate students on the technology that
 would eventually become <a href="http://www.slipstream.com/">Slipstream
 Internet Acceleration</a>.  He asked me to do a contract for him to build an
 initial prototype of a transparent proxy server for mobile networks.  The
 idea was similar to sshuttle: if you reassemble and then disassemble the TCP
 packets, you can reduce latency and improve performance vs.  just forwarding
 the packets over a plain VPN or mobile network.  (It's unlikely that any of
 my code has persisted in the Slipstream product today, but the concept is
 still pretty cool.  I'm still horrified that people use plain TCP on
 complex mobile networks with crazily variable latency, for which it was
 never really intended.)
 That project I did for Slipstream was what first gave me the idea to merge
 the concepts of Fast Forward, Double Vision, and Tunnel Vision into a single
 program that was the best of all worlds.  And here we are, at last, 10 years
 later.  You're welcome.
 --
 Avery Pennarun <apenwarr@gmail.com>
 Mailing list:
   Subscribe by sending a message to <sshuttle+subscribe@googlegroups.com>
   List archives are at: http://groups.google.com/group/sshuttle
--- a/README.rst
+++ b/README.rst
@ -0,0 +1,66 @@
 sshuttle: where transparent proxy meets VPN meets ssh
 =====================================================
 As far as I know, sshuttle is the only program that solves the following
 common case:
 - Your client machine (or router) is Linux, FreeBSD, or MacOS.
 - You have access to a remote network via ssh.
 - You don't necessarily have admin access on the remote network.
 - The remote network has no VPN, or only stupid/complex VPN
  protocols (IPsec, PPTP, etc). Or maybe you *are* the
  admin and you just got frustrated with the awful state of
  VPN tools.
 - You don't want to create an ssh port forward for every
  single host/port on the remote network.
 - You hate openssh's port forwarding because it's randomly
  slow and/or stupid.
 - You can't use openssh's PermitTunnel feature because
  it's disabled by default on openssh servers; plus it does
  TCP-over-TCP, which has terrible performance (see below).
 Obtaining sshuttle
 ------------------
 - Debian stretch or later::
      apt-get install sshuttle
 - From PyPI::
      sudo pip install sshuttle
 - Clone::
      git clone https://github.com/sshuttle/sshuttle.git
      sudo ./setup.py install
 It is also possible to install into a virtualenv as a non-root user.
 - From PyPI::
      virtualenv -p python3 /tmp/sshuttle
      . /tmp/sshuttle/bin/activate
      pip install sshuttle
 - Clone::
      virtualenv -p python3 /tmp/sshuttle
      . /tmp/sshuttle/bin/activate
      git clone https://github.com/sshuttle/sshuttle.git
      ./setup.py install
 Documentation
 -------------
 The documentation for the stable version is available at:
 http://sshuttle.readthedocs.org/
 The documentation for the latest development version is available at:
 http://sshuttle.readthedocs.org/en/latest/
--- a/assembler.py
+++ b/assembler.py
@ -1,26 +0,0 @@
 import sys, zlib
 z = zlib.decompressobj()
 mainmod = sys.modules[__name__]
 while 1:
    name = sys.stdin.readline().strip()
    if name:
        nbytes = int(sys.stdin.readline())
        if verbosity >= 2:
            sys.stderr.write('server: assembling %r (%d bytes)\n'
                             % (name, nbytes))
        content = z.decompress(sys.stdin.read(nbytes))
        exec compile(content, name, "exec")
        # FIXME: this crushes everything into a single module namespace,
        # then makes each of the module names point at this one. Gross.
        assert(name.endswith('.py'))
        modname = name[:-3]
        mainmod.__dict__[modname] = mainmod
    else:
        break
 verbose = verbosity
 sys.stderr.flush()
 sys.stdout.flush()
 main()
--- a/client.py
+++ b/client.py
@ -1,383 +0,0 @@
 import struct, socket, select, errno, re, signal, time
 import compat.ssubprocess as ssubprocess
 import helpers, ssnet, ssh, ssyslog
 from ssnet import SockWrapper, Handler, Proxy, Mux, MuxWrapper
 from helpers import *
 _extra_fd = os.open('/dev/null', os.O_RDONLY)
 def got_signal(signum, frame):
    log('exiting on signal %d\n' % signum)
    sys.exit(1)
 _pidname = None
 def check_daemon(pidfile):
    global _pidname
    _pidname = os.path.abspath(pidfile)
    try:
        oldpid = open(_pidname).read(1024)
    except IOError, e:
        if e.errno == errno.ENOENT:
            return  # no pidfile, ok
        else:
            raise Fatal("can't read %s: %s" % (_pidname, e))
    if not oldpid:
        os.unlink(_pidname)
        return  # invalid pidfile, ok
    oldpid = int(oldpid.strip() or 0)
    if oldpid <= 0:
        os.unlink(_pidname)
        return  # invalid pidfile, ok
    try:
        os.kill(oldpid, 0)
    except OSError, e:
        if e.errno == errno.ESRCH:
            os.unlink(_pidname)
            return  # outdated pidfile, ok
        elif e.errno == errno.EPERM:
            pass
        else:
            raise
    raise Fatal("%s: sshuttle is already running (pid=%d)"
                % (_pidname, oldpid))
 def daemonize():
    if os.fork():
        os._exit(0)
    os.setsid()
    if os.fork():
        os._exit(0)
    outfd = os.open(_pidname, os.O_WRONLY|os.O_CREAT|os.O_EXCL, 0666)
    try:
        os.write(outfd, '%d\n' % os.getpid())
    finally:
        os.close(outfd)
    os.chdir("/")
    # Normal exit when killed, or try/finally won't work and the pidfile won't
    # be deleted.
    signal.signal(signal.SIGTERM, got_signal)
    si = open('/dev/null', 'r+')
    os.dup2(si.fileno(), 0)
    os.dup2(si.fileno(), 1)
    si.close()
    ssyslog.stderr_to_syslog()
 def daemon_cleanup():
    try:
        os.unlink(_pidname)
    except OSError, e:
        if e.errno == errno.ENOENT:
            pass
        else:
            raise
 def original_dst(sock):
    try:
        SO_ORIGINAL_DST = 80
        SOCKADDR_MIN = 16
        sockaddr_in = sock.getsockopt(socket.SOL_IP,
                                      SO_ORIGINAL_DST, SOCKADDR_MIN)
        (proto, port, a,b,c,d) = struct.unpack('!HHBBBB', sockaddr_in[:8])
        assert(socket.htons(proto) == socket.AF_INET)
        ip = '%d.%d.%d.%d' % (a,b,c,d)
        return (ip,port)
    except socket.error, e:
        if e.args[0] == errno.ENOPROTOOPT:
            return sock.getsockname()
        raise
 class FirewallClient:
    def __init__(self, port, subnets_include, subnets_exclude, dnsport):
        self.port = port
        self.auto_nets = []
        self.subnets_include = subnets_include
        self.subnets_exclude = subnets_exclude
        self.dnsport = dnsport
        argvbase = ([sys.argv[0]] +
                    ['-v'] * (helpers.verbose or 0) +
                    ['--firewall', str(port), str(dnsport)])
        if ssyslog._p:
            argvbase += ['--syslog']
        argv_tries = [
            ['sudo', '-p', '[local sudo] Password: '] + argvbase,
            ['su', '-c', ' '.join(argvbase)],
            argvbase
        ]
        # we can't use stdin/stdout=subprocess.PIPE here, as we normally would,
        # because stupid Linux 'su' requires that stdin be attached to a tty.
        # Instead, attach a *bidirectional* socket to its stdout, and use
        # that for talking in both directions.
        (s1,s2) = socket.socketpair()
        def setup():
            # run in the child process
            s2.close()
        e = None
        if os.getuid() == 0:
            argv_tries = argv_tries[-1:]  # last entry only
        for argv in argv_tries:
            try:
                if argv[0] == 'su':
                    sys.stderr.write('[local su] ')
                self.p = ssubprocess.Popen(argv, stdout=s1, preexec_fn=setup)
                e = None
                break
            except OSError, e:
                pass
        self.argv = argv
        s1.close()
        self.pfile = s2.makefile('wb+')
        if e:
            log('Spawning firewall manager: %r\n' % self.argv)
            raise Fatal(e)
        line = self.pfile.readline()
        self.check()
        if line != 'READY\n':
            raise Fatal('%r expected READY, got %r' % (self.argv, line))
    def check(self):
        rv = self.p.poll()
        if rv:
            raise Fatal('%r returned %d' % (self.argv, rv))
    def start(self):
        self.pfile.write('ROUTES\n')
        for (ip,width) in self.subnets_include+self.auto_nets:
            self.pfile.write('%d,0,%s\n' % (width, ip))
        for (ip,width) in self.subnets_exclude:
            self.pfile.write('%d,1,%s\n' % (width, ip))
        self.pfile.write('GO\n')
        self.pfile.flush()
        line = self.pfile.readline()
        self.check()
        if line != 'STARTED\n':
            raise Fatal('%r expected STARTED, got %r' % (self.argv, line))
    def sethostip(self, hostname, ip):
        assert(not re.search(r'[^-\w]', hostname))
        assert(not re.search(r'[^0-9.]', ip))
        self.pfile.write('HOST %s,%s\n' % (hostname, ip))
        self.pfile.flush()
    def done(self):
        self.pfile.close()
        rv = self.p.wait()
        if rv:
            raise Fatal('cleanup: %r returned %d' % (self.argv, rv))
 def _main(listener, fw, ssh_cmd, remotename, python, latency_control,
          dnslistener, seed_hosts, auto_nets,
          syslog, daemon):
    handlers = []
    if helpers.verbose >= 1:
        helpers.logprefix = 'c : '
    else:
        helpers.logprefix = 'client: '
    debug1('connecting to server...\n')
    try:
        (serverproc, serversock) = ssh.connect(ssh_cmd, remotename, python,
                        stderr=ssyslog._p and ssyslog._p.stdin,
                        options=dict(latency_control=latency_control))
    except socket.error, e:
        if e.args[0] == errno.EPIPE:
            raise Fatal("failed to establish ssh session (1)")
        else:
            raise
    mux = Mux(serversock, serversock)
    handlers.append(mux)
    expected = 'SSHUTTLE0001'
    try:
        initstring = serversock.recv(len(expected))
    except socket.error, e:
        if e.args[0] == errno.ECONNRESET:
            raise Fatal("failed to establish ssh session (2)")
        else:
            raise
    rv = serverproc.poll()
    if rv:
        raise Fatal('server died with error code %d' % rv)
    if initstring != expected:
        raise Fatal('expected server init string %r; got %r'
                        % (expected, initstring))
    debug1('connected.\n')
    print 'Connected.'
    sys.stdout.flush()
    if daemon:
        daemonize()
        log('daemonizing (%s).\n' % _pidname)
    elif syslog:
        debug1('switching to syslog.\n')
        ssyslog.stderr_to_syslog()
    def onroutes(routestr):
        if auto_nets:
            for line in routestr.strip().split('\n'):
                (ip,width) = line.split(',', 1)
                fw.auto_nets.append((ip,int(width)))
        # we definitely want to do this *after* starting ssh, or we might end
        # up intercepting the ssh connection!
        #
        # Moreover, now that we have the --auto-nets option, we have to wait
        # for the server to send us that message anyway.  Even if we haven't
        # set --auto-nets, we might as well wait for the message first, then
        # ignore its contents.
        mux.got_routes = None
        fw.start()
    mux.got_routes = onroutes
    def onhostlist(hostlist):
        debug2('got host list: %r\n' % hostlist)
        for line in hostlist.strip().split():
            if line:
                name,ip = line.split(',', 1)
                fw.sethostip(name, ip)
    mux.got_host_list = onhostlist
    def onaccept():
        global _extra_fd
        try:
            sock,srcip = listener.accept()
        except socket.error, e:
            if e.args[0] in [errno.EMFILE, errno.ENFILE]:
                debug1('Rejected incoming connection: too many open files!\n')
                # free up an fd so we can eat the connection
                os.close(_extra_fd)
                try:
                    sock,srcip = listener.accept()
                    sock.close()
                finally:
                    _extra_fd = os.open('/dev/null', os.O_RDONLY)
                return
            else:
                raise
        dstip = original_dst(sock)
        debug1('Accept: %s:%r -> %s:%r.\n' % (srcip[0],srcip[1],
                                              dstip[0],dstip[1]))
        if dstip[1] == listener.getsockname()[1] and islocal(dstip[0]):
            debug1("-- ignored: that's my address!\n")
            sock.close()
            return
        chan = mux.next_channel()
        mux.send(chan, ssnet.CMD_CONNECT, '%s,%s' % dstip)
        outwrap = MuxWrapper(mux, chan)
        handlers.append(Proxy(SockWrapper(sock, sock), outwrap))
    handlers.append(Handler([listener], onaccept))
    dnsreqs = {}
    def dns_done(chan, data):
        peer,timeout = dnsreqs.get(chan) or (None,None)
        debug3('dns_done: channel=%r peer=%r\n' % (chan, peer))
        if peer:
            del dnsreqs[chan]
            debug3('doing sendto %r\n' % (peer,))
            dnslistener.sendto(data, peer)
    def ondns():
        pkt,peer = dnslistener.recvfrom(4096)
        now = time.time()
        if pkt:
            debug1('DNS request from %r: %d bytes\n' % (peer, len(pkt)))
            chan = mux.next_channel()
            dnsreqs[chan] = peer,now+30
            mux.send(chan, ssnet.CMD_DNS_REQ, pkt)
            mux.channels[chan] = lambda cmd,data: dns_done(chan,data)
        for chan,(peer,timeout) in dnsreqs.items():
            if timeout < now:
                del dnsreqs[chan]
        debug3('Remaining DNS requests: %d\n' % len(dnsreqs))
    if dnslistener:
        handlers.append(Handler([dnslistener], ondns))
    if seed_hosts != None:
        debug1('seed_hosts: %r\n' % seed_hosts)
        mux.send(0, ssnet.CMD_HOST_REQ, '\n'.join(seed_hosts))
    while 1:
        rv = serverproc.poll()
        if rv:
            raise Fatal('server died with error code %d' % rv)
        ssnet.runonce(handlers, mux)
        if latency_control:
            mux.check_fullness()
        mux.callback()
 def main(listenip, ssh_cmd, remotename, python, latency_control, dns,
         seed_hosts, auto_nets,
         subnets_include, subnets_exclude, syslog, daemon, pidfile):
    if syslog:
        ssyslog.start_syslog()
    if daemon:
        try:
            check_daemon(pidfile)
        except Fatal, e:
            log("%s\n" % e)
            return 5
    debug1('Starting sshuttle proxy.\n')
    if listenip[1]:
        ports = [listenip[1]]
    else:
        ports = xrange(12300,9000,-1)
    last_e = None
    bound = False
    debug2('Binding:')
    for port in ports:
        debug2(' %d' % port)
        listener = socket.socket()
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        dnslistener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        dnslistener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            listener.bind((listenip[0], port))
            dnslistener.bind((listenip[0], port))
            bound = True
            break
        except socket.error, e:
            last_e = e
    debug2('\n')
    if not bound:
        assert(last_e)
        raise last_e
    listener.listen(10)
    listenip = listener.getsockname()
    debug1('Listening on %r.\n' % (listenip,))
    if dns:
        dnsip = dnslistener.getsockname()
        debug1('DNS listening on %r.\n' % (dnsip,))
        dnsport = dnsip[1]
    else:
        dnsport = 0
        dnslistener = None
    fw = FirewallClient(listenip[1], subnets_include, subnets_exclude, dnsport)
    try:
        return _main(listener, fw, ssh_cmd, remotename,
                     python, latency_control, dnslistener,
                     seed_hosts, auto_nets, syslog, daemon)
    finally:
        try:
            if daemon:
                # it's not our child anymore; can't waitpid
                fw.p.returncode = 0
            fw.done()
        finally:
            if daemon:
                daemon_cleanup()
--- a/compat/init.py
+++ b/compat/init.py
--- a/compat/ssubprocess.py
+++ b/compat/ssubprocess.py
--- a/conftest.py
+++ b/conftest.py
@ -0,0 +1,10 @@
 import sys
 if sys.version_info >= (3, 0):
    good_python = sys.version_info >= (3, 5)
 else:
    good_python = sys.version_info >= (2, 7)
 collect_ignore = []
 if not good_python:
    collect_ignore.append("sshuttle/tests/client")
--- a/docs/Makefile
+++ b/docs/Makefile
@ -0,0 +1,177 @@
 # Makefile for Sphinx documentation
 #
 # You can set these variables from the command line.
 SPHINXOPTS    =
 SPHINXBUILD   = sphinx-build
 PAPER         =
 BUILDDIR      = _build
 # User-friendly check for sphinx-build
 ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
 $(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
 endif
 # Internal variables.
 PAPEROPT_a4     = -D latex_paper_size=a4
 PAPEROPT_letter = -D latex_paper_size=letter
 ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
 # the i18n builder cannot share the environment and doctrees with the others
 I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
 .PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext
 help:
 	@echo "Please use \`make <target>' where <target> is one of"
 	@echo "  html       to make standalone HTML files"
 	@echo "  dirhtml    to make HTML files named index.html in directories"
 	@echo "  singlehtml to make a single large HTML file"
 	@echo "  pickle     to make pickle files"
 	@echo "  json       to make JSON files"
 	@echo "  htmlhelp   to make HTML files and a HTML help project"
 	@echo "  qthelp     to make HTML files and a qthelp project"
 	@echo "  devhelp    to make HTML files and a Devhelp project"
 	@echo "  epub       to make an epub"
 	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
 	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"
 	@echo "  latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
 	@echo "  text       to make text files"
 	@echo "  man        to make manual pages"
 	@echo "  texinfo    to make Texinfo files"
 	@echo "  info       to make Texinfo files and run them through makeinfo"
 	@echo "  gettext    to make PO message catalogs"
 	@echo "  changes    to make an overview of all changed/added/deprecated items"
 	@echo "  xml        to make Docutils-native XML files"
 	@echo "  pseudoxml  to make pseudoxml-XML files for display purposes"
 	@echo "  linkcheck  to check all external links for integrity"
 	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"
 clean:
 	rm -rf $(BUILDDIR)/*
 html:
 	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
 	@echo
 	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
 dirhtml:
 	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
 	@echo
 	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
 singlehtml:
 	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
 	@echo
 	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
 pickle:
 	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
 	@echo
 	@echo "Build finished; now you can process the pickle files."
 json:
 	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
 	@echo
 	@echo "Build finished; now you can process the JSON files."
 htmlhelp:
 	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
 	@echo
 	@echo "Build finished; now you can run HTML Help Workshop with the" \
 	      ".hhp project file in $(BUILDDIR)/htmlhelp."
 qthelp:
 	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
 	@echo
 	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
 	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
 	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/sshuttle.qhcp"
 	@echo "To view the help file:"
 	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/sshuttle.qhc"
 devhelp:
 	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
 	@echo
 	@echo "Build finished."
 	@echo "To view the help file:"
 	@echo "# mkdir -p $$HOME/.local/share/devhelp/sshuttle"
 	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/sshuttle"
 	@echo "# devhelp"
 epub:
 	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
 	@echo
 	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
 latex:
 	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
 	@echo
 	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
 	@echo "Run \`make' in that directory to run these through (pdf)latex" \
 	      "(use \`make latexpdf' here to do that automatically)."
 latexpdf:
 	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
 	@echo "Running LaTeX files through pdflatex..."
 	$(MAKE) -C $(BUILDDIR)/latex all-pdf
 	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
 latexpdfja:
 	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
 	@echo "Running LaTeX files through platex and dvipdfmx..."
 	$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
 	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
 text:
 	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
 	@echo
 	@echo "Build finished. The text files are in $(BUILDDIR)/text."
 man:
 	$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
 	@echo
 	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
 texinfo:
 	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
 	@echo
 	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
 	@echo "Run \`make' in that directory to run these through makeinfo" \
 	      "(use \`make info' here to do that automatically)."
 info:
 	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
 	@echo "Running Texinfo files through makeinfo..."
 	make -C $(BUILDDIR)/texinfo info
 	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
 gettext:
 	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
 	@echo
 	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
 changes:
 	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
 	@echo
 	@echo "The overview file is in $(BUILDDIR)/changes."
 linkcheck:
 	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
 	@echo
 	@echo "Link check complete; look for any errors in the above output " \
 	      "or in $(BUILDDIR)/linkcheck/output.txt."
 doctest:
 	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
 	@echo "Testing of doctests in the sources finished, look at the " \
 	      "results in $(BUILDDIR)/doctest/output.txt."
 xml:
 	$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
 	@echo
 	@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
 pseudoxml:
 	$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
 	@echo
 	@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
--- a/docs/changes.rst
+++ b/docs/changes.rst
@ -0,0 +1 @@
 .. include:: ../CHANGES.rst
--- a/docs/conf.py
+++ b/docs/conf.py
@ -0,0 +1,261 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 #
 # sshuttle documentation build configuration file, created by
 # sphinx-quickstart on Sun Jan 17 12:13:47 2016.
 #
 # This file is execfile()d with the current directory set to its
 # containing dir.
 #
 # Note that not all possible configuration values are present in this
 # autogenerated file.
 #
 # All configuration values have a default; values that are commented out
 # serve to show the default.
 import sys
 import os
 sys.path.insert(0, os.path.abspath('..'))
 import sshuttle.version  # NOQA
 # If extensions (or modules to document with autodoc) are in another directory,
 # add these directories to sys.path here. If the directory is relative to the
 # documentation root, use os.path.abspath to make it absolute, like shown here.
 # sys.path.insert(0, os.path.abspath('.'))
 # -- General configuration ------------------------------------------------
 # If your documentation needs a minimal Sphinx version, state it here.
 # needs_sphinx = '1.0'
 # Add any Sphinx extension module names here, as strings. They can be
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
    'sphinx.ext.todo',
 ]
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
 # The suffix of source filenames.
 source_suffix = '.rst'
 # The encoding of source files.
 # source_encoding = 'utf-8-sig'
 # The master toctree document.
 master_doc = 'index'
 # General information about the project.
 project = 'sshuttle'
 copyright = '2016, Brian May'
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
 # built documents.
 #
 # The full version, including alpha/beta/rc tags.
 release = sshuttle.version.version
 # The short X.Y version.
 version = '.'.join(release.split('.')[:2])
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
 # language = None
 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:
 # today = ''
 # Else, today_fmt is used as the format for a strftime call.
 # today_fmt = '%B %d, %Y'
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
 exclude_patterns = ['_build']
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
 # default_role = None
 # If true, '()' will be appended to :func: etc. cross-reference text.
 # add_function_parentheses = True
 # If true, the current module name will be prepended to all description
 # unit titles (such as .. function::).
 # add_module_names = True
 # If true, sectionauthor and moduleauthor directives will be shown in the
 # output. They are ignored by default.
 # show_authors = False
 # The name of the Pygments (syntax highlighting) style to use.
 pygments_style = 'sphinx'
 # A list of ignored prefixes for module index sorting.
 # modindex_common_prefix = []
 # If true, keep warnings as "system message" paragraphs in the built documents.
 # keep_warnings = False
 # -- Options for HTML output ----------------------------------------------
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 html_theme = 'default'
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
 # html_theme_options = {}
 # Add any paths that contain custom themes here, relative to this directory.
 # html_theme_path = []
 # The name for this set of Sphinx documents.  If None, it defaults to
 # "<project> v<release> documentation".
 # html_title = None
 # A shorter title for the navigation bar.  Default is the same as html_title.
 # html_short_title = None
 # The name of an image file (relative to this directory) to place at the top
 # of the sidebar.
 # html_logo = None
 # The name of an image file (within the static path) to use as favicon of the
 # docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
 # pixels large.
 # html_favicon = None
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
 html_static_path = ['_static']
 # Add any extra paths that contain custom files (such as robots.txt or
 # .htaccess) here, relative to this directory. These files are copied
 # directly to the root of the documentation.
 # html_extra_path = []
 # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
 # using the given strftime format.
 # html_last_updated_fmt = '%b %d, %Y'
 # If true, SmartyPants will be used to convert quotes and dashes to
 # typographically correct entities.
 # html_use_smartypants = True
 # Custom sidebar templates, maps document names to template names.
 # html_sidebars = {}
 # Additional templates that should be rendered to pages, maps page names to
 # template names.
 # html_additional_pages = {}
 # If false, no module index is generated.
 # html_domain_indices = True
 # If false, no index is generated.
 # html_use_index = True
 # If true, the index is split into individual pages for each letter.
 # html_split_index = False
 # If true, links to the reST sources are added to the pages.
 # html_show_sourcelink = True
 # If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
 # html_show_sphinx = True
 # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
 # html_show_copyright = True
 # If true, an OpenSearch description file will be output, and all pages will
 # contain a <link> tag referring to it.  The value of this option must be the
 # base URL from which the finished HTML is served.
 # html_use_opensearch = ''
 # This is the file name suffix for HTML files (e.g. ".xhtml").
 # html_file_suffix = None
 # Output file base name for HTML help builder.
 htmlhelp_basename = 'sshuttledoc'
 # -- Options for LaTeX output ---------------------------------------------
 latex_elements = {
    # The paper size ('letterpaper' or 'a4paper').
    # 'papersize': 'letterpaper',
    # The font size ('10pt', '11pt' or '12pt').
    # 'pointsize': '10pt',
    # Additional stuff for the LaTeX preamble.
    # 'preamble': '',
 }
 # Grouping the document tree into LaTeX files. List of tuples
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
    ('index', 'sshuttle.tex', 'sshuttle documentation', 'Brian May', 'manual'),
 ]
 # The name of an image file (relative to this directory) to place at the top of
 # the title page.
 # latex_logo = None
 # For "manual" documents, if this is true, then toplevel headings are parts,
 # not chapters.
 # latex_use_parts = False
 # If true, show page references after internal links.
 # latex_show_pagerefs = False
 # If true, show URL addresses after external links.
 # latex_show_urls = False
 # Documents to append as an appendix to all manuals.
 # latex_appendices = []
 # If false, no module index is generated.
 # latex_domain_indices = True
 # -- Options for manual page output ---------------------------------------
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
    ('manpage', 'sshuttle', 'sshuttle documentation', ['Brian May'], 1)
 ]
 # If true, show URL addresses after external links.
 # man_show_urls = False
 # -- Options for Texinfo output -------------------------------------------
 # Grouping the document tree into Texinfo files. List of tuples
 # (source start file, target name, title, author,
 #  dir menu entry, description, category)
 texinfo_documents = [
    ('index', 'sshuttle', 'sshuttle documentation',
     'Brian May', 'sshuttle', 'A transparent proxy-based VPN using ssh',
     'Miscellaneous'),
 ]
 # Documents to append as an appendix to all manuals.
 # texinfo_appendices = []
 # If false, no module index is generated.
 # texinfo_domain_indices = True
 # How to display URL addresses: 'footnote', 'no', or 'inline'.
 # texinfo_show_urls = 'footnote'
 # If true, do not generate a @detailmenu in the "Top" node's menu.
 # texinfo_no_detailmenu = False
--- a/docs/how-it-works.rst
+++ b/docs/how-it-works.rst
@ -0,0 +1,37 @@
 How it works
 ============
 sshuttle is not exactly a VPN, and not exactly port forwarding.  It's kind
 of both, and kind of neither.
 It's like a VPN, since it can forward every port on an entire network, not
 just ports you specify.  Conveniently, it lets you use the "real" IP
 addresses of each host rather than faking port numbers on localhost.
 On the other hand, the way it *works* is more like ssh port forwarding than
 a VPN.  Normally, a VPN forwards your data one packet at a time, and
 doesn't care about individual connections; ie. it's "stateless" with respect
 to the traffic.  sshuttle is the opposite of stateless; it tracks every
 single connection.
 You could compare sshuttle to something like the old `Slirp
 <http://en.wikipedia.org/wiki/Slirp>`_ program, which was a userspace TCP/IP
 implementation that did something similar.  But it operated on a
 packet-by-packet basis on the client side, reassembling the packets on the
 server side.  That worked okay back in the "real live serial port" days,
 because serial ports had predictable latency and buffering.
 But you can't safely just forward TCP packets over a TCP session (like ssh),
 because TCP's performance depends fundamentally on packet loss; it
 *must* experience packet loss in order to know when to slow down!  At
 the same time, the outer TCP session (ssh, in this case) is a reliable
 transport, which means that what you forward through the tunnel *never*
 experiences packet loss.  The ssh session itself experiences packet loss, of
 course, but TCP fixes it up and ssh (and thus you) never know the
 difference.  But neither does your inner TCP session, and extremely screwy
 performance ensues.
 sshuttle assembles the TCP stream locally, multiplexes it statefully over
 an ssh session, and disassembles it back into packets at the other end.  So
 it never ends up doing TCP-over-TCP.  It's just data-over-TCP, which is
 safe.
--- a/docs/index.rst
+++ b/docs/index.rst
@ -0,0 +1,29 @@
 sshuttle: where transparent proxy meets VPN meets ssh
 =====================================================
 :Date: |today|
 :Version: |version|
 Contents:
 .. toctree::
   :maxdepth: 2
   overview
   requirements
   installation
   usage
   platform
   Man Page <manpage>
   how-it-works
   support
   trivia
   changes
 Indices and tables
 ==================
 * :ref:`genindex`
 * :ref:`search`
--- a/docs/installation.rst
+++ b/docs/installation.rst
@ -0,0 +1,11 @@
 Installation
 ============
 - From PyPI::
      pip install sshuttle
 - Clone::
      git clone https://github.com/sshuttle/sshuttle.git
      ./setup.py install
--- a/docs/make.bat
+++ b/docs/make.bat
@ -0,0 +1,242 @@
@ECHO OFF
 REM Command file for Sphinx documentation
 if "%SPHINXBUILD%" == "" (
 	set SPHINXBUILD=sphinx-build
 )
 set BUILDDIR=_build
 set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% .
 set I18NSPHINXOPTS=%SPHINXOPTS% .
 if NOT "%PAPER%" == "" (
 	set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS%
 	set I18NSPHINXOPTS=-D latex_paper_size=%PAPER% %I18NSPHINXOPTS%
 )
 if "%1" == "" goto help
 if "%1" == "help" (
 	:help
 	echo.Please use `make ^<target^>` where ^<target^> is one of
 	echo.  html       to make standalone HTML files
 	echo.  dirhtml    to make HTML files named index.html in directories
 	echo.  singlehtml to make a single large HTML file
 	echo.  pickle     to make pickle files
 	echo.  json       to make JSON files
 	echo.  htmlhelp   to make HTML files and a HTML help project
 	echo.  qthelp     to make HTML files and a qthelp project
 	echo.  devhelp    to make HTML files and a Devhelp project
 	echo.  epub       to make an epub
 	echo.  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter
 	echo.  text       to make text files
 	echo.  man        to make manual pages
 	echo.  texinfo    to make Texinfo files
 	echo.  gettext    to make PO message catalogs
 	echo.  changes    to make an overview over all changed/added/deprecated items
 	echo.  xml        to make Docutils-native XML files
 	echo.  pseudoxml  to make pseudoxml-XML files for display purposes
 	echo.  linkcheck  to check all external links for integrity
 	echo.  doctest    to run all doctests embedded in the documentation if enabled
 	goto end
 )
 if "%1" == "clean" (
 	for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i
 	del /q /s %BUILDDIR%\*
 	goto end
 )
 %SPHINXBUILD% 2> nul
 if errorlevel 9009 (
 	echo.
 	echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
 	echo.installed, then set the SPHINXBUILD environment variable to point
 	echo.to the full path of the 'sphinx-build' executable. Alternatively you
 	echo.may add the Sphinx directory to PATH.
 	echo.
 	echo.If you don't have Sphinx installed, grab it from
 	echo.http://sphinx-doc.org/
 	exit /b 1
 )
 if "%1" == "html" (
 	%SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The HTML pages are in %BUILDDIR%/html.
 	goto end
 )
 if "%1" == "dirhtml" (
 	%SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml.
 	goto end
 )
 if "%1" == "singlehtml" (
 	%SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml.
 	goto end
 )
 if "%1" == "pickle" (
 	%SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished; now you can process the pickle files.
 	goto end
 )
 if "%1" == "json" (
 	%SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished; now you can process the JSON files.
 	goto end
 )
 if "%1" == "htmlhelp" (
 	%SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished; now you can run HTML Help Workshop with the ^
 .hhp project file in %BUILDDIR%/htmlhelp.
 	goto end
 )
 if "%1" == "qthelp" (
 	%SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished; now you can run "qcollectiongenerator" with the ^
 .qhcp project file in %BUILDDIR%/qthelp, like this:
 	echo.^> qcollectiongenerator %BUILDDIR%\qthelp\sshuttle.qhcp
 	echo.To view the help file:
 	echo.^> assistant -collectionFile %BUILDDIR%\qthelp\sshuttle.ghc
 	goto end
 )
 if "%1" == "devhelp" (
 	%SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished.
 	goto end
 )
 if "%1" == "epub" (
 	%SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The epub file is in %BUILDDIR%/epub.
 	goto end
 )
 if "%1" == "latex" (
 	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished; the LaTeX files are in %BUILDDIR%/latex.
 	goto end
 )
 if "%1" == "latexpdf" (
 	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
 	cd %BUILDDIR%/latex
 	make all-pdf
 	cd %BUILDDIR%/..
 	echo.
 	echo.Build finished; the PDF files are in %BUILDDIR%/latex.
 	goto end
 )
 if "%1" == "latexpdfja" (
 	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
 	cd %BUILDDIR%/latex
 	make all-pdf-ja
 	cd %BUILDDIR%/..
 	echo.
 	echo.Build finished; the PDF files are in %BUILDDIR%/latex.
 	goto end
 )
 if "%1" == "text" (
 	%SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The text files are in %BUILDDIR%/text.
 	goto end
 )
 if "%1" == "man" (
 	%SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The manual pages are in %BUILDDIR%/man.
 	goto end
 )
 if "%1" == "texinfo" (
 	%SPHINXBUILD% -b texinfo %ALLSPHINXOPTS% %BUILDDIR%/texinfo
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The Texinfo files are in %BUILDDIR%/texinfo.
 	goto end
 )
 if "%1" == "gettext" (
 	%SPHINXBUILD% -b gettext %I18NSPHINXOPTS% %BUILDDIR%/locale
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The message catalogs are in %BUILDDIR%/locale.
 	goto end
 )
 if "%1" == "changes" (
 	%SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.The overview file is in %BUILDDIR%/changes.
 	goto end
 )
 if "%1" == "linkcheck" (
 	%SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Link check complete; look for any errors in the above output ^
 or in %BUILDDIR%/linkcheck/output.txt.
 	goto end
 )
 if "%1" == "doctest" (
 	%SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Testing of doctests in the sources finished, look at the ^
 results in %BUILDDIR%/doctest/output.txt.
 	goto end
 )
 if "%1" == "xml" (
 	%SPHINXBUILD% -b xml %ALLSPHINXOPTS% %BUILDDIR%/xml
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The XML files are in %BUILDDIR%/xml.
 	goto end
 )
 if "%1" == "pseudoxml" (
 	%SPHINXBUILD% -b pseudoxml %ALLSPHINXOPTS% %BUILDDIR%/pseudoxml
 	if errorlevel 1 exit /b 1
 	echo.
 	echo.Build finished. The pseudo-XML files are in %BUILDDIR%/pseudoxml.
 	goto end
 )
 :end
--- a/docs/manpage.rst
+++ b/docs/manpage.rst
@ -0,0 +1,302 @@
 sshuttle
 ========
 Synopsis
 --------
 **sshuttle** [*options*] [**-r** *[username@]sshserver[:port]*] \<*subnets* ...\>
 Description
 -----------
 :program:`sshuttle` allows you to create a VPN connection from your
 machine to any remote server that you can connect to via
 ssh, as long as that server has python 2.3 or higher.
 To work, you must have root access on the local machine,
 but you can have a normal account on the server.
 It's valid to run :program:`sshuttle` more than once simultaneously on
 a single client machine, connecting to a different server
 every time, so you can be on more than one VPN at once.
 If run on a router, :program:`sshuttle` can forward traffic for your
 entire subnet to the VPN.
 Options
 -------
 .. program:: sshuttle
 .. option:: subnets
    A list of subnets to route over the VPN, in the form
    ``a.b.c.d[/width][port[-port]]``.  Valid examples are 1.2.3.4 (a
    single IP address), 1.2.3.4/32 (equivalent to 1.2.3.4),
    1.2.3.0/24 (a 24-bit subnet, ie. with a 255.255.255.0
    netmask), and 0/0 ('just route everything through the
    VPN'). Any of the previous examples are also valid if you append
    a port or a port range, so 1.2.3.4:8000 will only tunnel traffic
    that has as the destination port 8000 of 1.2.3.4 and 
    1.2.3.0/24:8000-9000 will tunnel traffic going to any port between
    8000 and 9000 (inclusive) for all IPs in the 1.2.3.0/24 subnet.
    It is also possible to use a name in which case the first IP it resolves
    to during startup will be routed over the VPN. Valid examples are
    example.com, example.com:8000 and example.com:8000-9000.
 .. option:: --method [auto|nat|tproxy|pf]
   Which firewall method should sshuttle use? For auto, sshuttle attempts to
   guess the appropriate method depending on what it can find in PATH. The
   default value is auto.
 .. option:: -l, --listen=[ip:]port
    Use this ip address and port number as the transparent
    proxy port.  By default :program:`sshuttle` finds an available
    port automatically and listens on IP 127.0.0.1
    (localhost), so you don't need to override it, and
    connections are only proxied from the local machine,
    not from outside machines.  If you want to accept
    connections from other machines on your network (ie. to
    run :program:`sshuttle` on a router) try enabling IP Forwarding in
    your kernel, then using ``--listen 0.0.0.0:0``.
    You can use any name resolving to an IP address of the machine running
    :program:`sshuttle`, e.g. ``--listen localhost``.
    For the tproxy and pf methods this can be an IPv6 address. Use this option 
    twice if required, to provide both IPv4 and IPv6 addresses.
 .. option:: -H, --auto-hosts
    Scan for remote hostnames and update the local /etc/hosts
    file with matching entries for as long as the VPN is
    open.  This is nicer than changing your system's DNS
    (/etc/resolv.conf) settings, for several reasons.  First,
    hostnames are added without domain names attached, so
    you can ``ssh thatserver`` without worrying if your local
    domain matches the remote one.  Second, if you :program:`sshuttle`
    into more than one VPN at a time, it's impossible to
    use more than one DNS server at once anyway, but
    :program:`sshuttle` correctly merges /etc/hosts entries between
    all running copies.  Third, if you're only routing a
    few subnets over the VPN, you probably would prefer to
    keep using your local DNS server for everything else.
 .. option:: -N, --auto-nets
    In addition to the subnets provided on the command
    line, ask the server which subnets it thinks we should
    route, and route those automatically.  The suggestions
    are taken automatically from the server's routing
    table.
 .. option:: --dns
    Capture local DNS requests and forward to the remote DNS
    server.
 .. option:: --python
    Specify the name/path of the remote python interpreter.
    The default is just ``python``, which means to use the
    default python interpreter on the remote system's PATH.
 .. option:: -r, --remote=[username@]sshserver[:port]
    The remote hostname and optional username and ssh
    port number to use for connecting to the remote server.
    For example, example.com, testuser@example.com,
    testuser@example.com:2222, or example.com:2244.
 .. option:: -x, --exclude=subnet
    Explicitly exclude this subnet from forwarding.  The
    format of this option is the same as the ``<subnets>``
    option.  To exclude more than one subnet, specify the
    ``-x`` option more than once.  You can say something like
    ``0/0 -x 1.2.3.0/24`` to forward everything except the
    local subnet over the VPN, for example.
 .. option:: -X, --exclude-from=file
    Exclude the subnets specified in a file, one subnet per
    line. Useful when you have lots of subnets to exclude.
 .. option:: -v, --verbose
    Print more information about the session.  This option
    can be used more than once for increased verbosity.  By
    default, :program:`sshuttle` prints only error messages.
 .. option:: -e, --ssh-cmd
    The command to use to connect to the remote server. The
    default is just ``ssh``.  Use this if your ssh client is
    in a non-standard location or you want to provide extra
    options to the ssh command, for example, ``-e 'ssh -v'``.
 .. option:: --seed-hosts
    A comma-separated list of hostnames to use to
    initialize the :option:`--auto-hosts` scan algorithm.
    :option:`--auto-hosts` does things like poll local SMB servers
    for lists of local hostnames, but can speed things up
    if you use this option to give it a few names to start
    from.
    If this option is used *without* :option:`--auto-hosts`,
    then the listed hostnames will be scanned and added, but
    no further hostnames will be added.
 .. option:: --no-latency-control
    Sacrifice latency to improve bandwidth benchmarks. ssh
    uses really big socket buffers, which can overload the
    connection if you start doing large file transfers,
    thus making all your other sessions inside the same
    tunnel go slowly. Normally, :program:`sshuttle` tries to avoid
    this problem using a "fullness check" that allows only
    a certain amount of outstanding data to be buffered at
    a time.  But on high-bandwidth links, this can leave a
    lot of your bandwidth underutilized.  It also makes
    :program:`sshuttle` seem slow in bandwidth benchmarks (benchmarks
    rarely test ping latency, which is what :program:`sshuttle` is
    trying to control).  This option disables the latency
    control feature, maximizing bandwidth usage.  Use at
    your own risk.
 .. option:: -D, --daemon
    Automatically fork into the background after connecting
    to the remote server.  Implies :option:`--syslog`.
 .. option:: --syslog
    after connecting, send all log messages to the
    :manpage:`syslog(3)` service instead of stderr.  This is
    implicit if you use :option:`--daemon`.
 .. option:: --pidfile=pidfilename
    when using :option:`--daemon`, save :program:`sshuttle`'s pid to
    *pidfilename*.  The default is ``sshuttle.pid`` in the
    current directory.
 .. option:: --disable-ipv6
    If using tproxy or pf methods, this will disable IPv6 support.
 .. option:: --firewall
    (internal use only) run the firewall manager.  This is
    the only part of :program:`sshuttle` that must run as root.  If
    you start :program:`sshuttle` as a non-root user, it will
    automatically run ``sudo`` or ``su`` to start the firewall
    manager, but the core of :program:`sshuttle` still runs as a
    normal user.
 .. option:: --hostwatch
    (internal use only) run the hostwatch daemon.  This
    process runs on the server side and collects hostnames for
    the :option:`--auto-hosts` option.  Using this option by itself
    makes it a lot easier to debug and test the :option:`--auto-hosts`
    feature.
 Examples
 --------
 Test locally by proxying all local connections, without using ssh::
    $ sshuttle -v 0/0
    Starting sshuttle proxy.
    Listening on ('0.0.0.0', 12300).
    [local sudo] Password:
    firewall manager ready.
    c : connecting to server...
     s: available routes:
     s:   192.168.42.0/24
    c : connected.
    firewall manager: starting transproxy.
    c : Accept: 192.168.42.106:50035 -> 192.168.42.121:139.
    c : Accept: 192.168.42.121:47523 -> 77.141.99.22:443.
        ...etc...
    ^C
    firewall manager: undoing changes.
    KeyboardInterrupt
    c : Keyboard interrupt: exiting.
    c : SW#8:192.168.42.121:47523: deleting
    c : SW#6:192.168.42.106:50035: deleting
 Test connection to a remote server, with automatic hostname
 and subnet guessing::
    $ sshuttle -vNHr example.org
    Starting sshuttle proxy.
    Listening on ('0.0.0.0', 12300).
    firewall manager ready.
    c : connecting to server...
     s: available routes:
     s:   77.141.99.0/24
    c : connected.
    c : seed_hosts: []
    firewall manager: starting transproxy.
    hostwatch: Found: testbox1: 1.2.3.4
    hostwatch: Found: mytest2: 5.6.7.8
    hostwatch: Found: domaincontroller: 99.1.2.3
    c : Accept: 192.168.42.121:60554 -> 77.141.99.22:22.
    ^C
    firewall manager: undoing changes.
    c : Keyboard interrupt: exiting.
    c : SW#6:192.168.42.121:60554: deleting
 Discussion
 ----------
 When it starts, :program:`sshuttle` creates an ssh session to the
 server specified by the ``-r`` option.  If ``-r`` is omitted,
 it will start both its client and server locally, which is
 sometimes useful for testing.
 After connecting to the remote server, :program:`sshuttle` uploads its
 (python) source code to the remote end and executes it
 there.  Thus, you don't need to install :program:`sshuttle` on the
 remote server, and there are never :program:`sshuttle` version
 conflicts between client and server.
 Unlike most VPNs, :program:`sshuttle` forwards sessions, not packets.
 That is, it uses kernel transparent proxying (`iptables
 REDIRECT` rules on Linux) to
 capture outgoing TCP sessions, then creates entirely
 separate TCP sessions out to the original destination at
 the other end of the tunnel.
 Packet-level forwarding (eg. using the tun/tap devices on
 Linux) seems elegant at first, but it results in
 several problems, notably the 'tcp over tcp' problem.  The
 tcp protocol depends fundamentally on packets being dropped
 in order to implement its congestion control agorithm; if
 you pass tcp packets through a tcp-based tunnel (such as
 ssh), the inner tcp packets will never be dropped, and so
 the inner tcp stream's congestion control will be
 completely broken, and performance will be terrible.  Thus,
 packet-based VPNs (such as IPsec and openvpn) cannot use
 tcp-based encrypted streams like ssh or ssl, and have to
 implement their own encryption from scratch, which is very
 complex and error prone.
 :program:`sshuttle`'s simplicity comes from the fact that it can
 safely use the existing ssh encrypted tunnel without
 incurring a performance penalty.  It does this by letting
 the client-side kernel manage the incoming tcp stream, and
 the server-side kernel manage the outgoing tcp stream;
 there is no need for congestion control to be shared
 between the two separate streams, so a tcp-based tunnel is
 fine.
 .. seealso::
   :manpage:`ssh(1)`, :manpage:`python(1)`
--- a/docs/overview.rst
+++ b/docs/overview.rst
@ -0,0 +1,26 @@
 Overview
 ========
 As far as I know, sshuttle is the only program that solves the following
 common case:
 - Your client machine (or router) is Linux, MacOS, FreeBSD, OpenBSD or pfSense.
 - You have access to a remote network via ssh.
 - You don't necessarily have admin access on the remote network.
 - The remote network has no VPN, or only stupid/complex VPN
  protocols (IPsec, PPTP, etc). Or maybe you *are* the
  admin and you just got frustrated with the awful state of
  VPN tools.
 - You don't want to create an ssh port forward for every
  single host/port on the remote network.
 - You hate openssh's port forwarding because it's randomly
  slow and/or stupid.
 - You can't use openssh's PermitTunnel feature because
  it's disabled by default on openssh servers; plus it does
  TCP-over-TCP, which has terrible performance (see below).
--- a/docs/platform.rst
+++ b/docs/platform.rst
@ -0,0 +1,10 @@
 Platform Specific Notes
 =======================
 Contents:
 .. toctree::
   :maxdepth: 2
   tproxy
   windows
--- a/docs/requirements.rst
+++ b/docs/requirements.rst
@ -0,0 +1,95 @@
 Requirements
 ============
 Client side Requirements
 ------------------------
 - sudo, or root access on your client machine.
  (The server doesn't need admin access.)
 - Python 2.7 or Python 3.5.
 Linux with NAT method
 ~~~~~~~~~~~~~~~~~~~~~
 Supports:
 * IPv4 TCP
 * IPv4 DNS
 Requires:
 * iptables DNAT, REDIRECT, and ttl modules.
 Linux with TPROXY method
 ~~~~~~~~~~~~~~~~~~~~~~~~
 Supports:
 * IPv4 TCP
 * IPv4 UDP (requires ``recvmsg`` - see below)
 * IPv6 DNS (requires ``recvmsg`` - see below)
 * IPv6 TCP
 * IPv6 UDP (requires ``recvmsg`` - see below)
 * IPv6 DNS (requires ``recvmsg`` - see below)
 .. _PyXAPI: http://www.pps.univ-paris-diderot.fr/~ylg/PyXAPI/
 Full UDP or DNS support with the TPROXY method requires the ``recvmsg()``
 syscall. This is not available in Python 2, however it is in Python 3.5 and
 later. Under Python 2 you might find it sufficient to install PyXAPI_ in
 order to get the ``recvmsg()`` function. See :doc:`tproxy` for more
 information.
 MacOS / FreeBSD / OpenBSD / pfSense
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Method: pf
 Supports:
 * IPv4 TCP
 * IPv4 DNS
 * IPv6 TCP
 * IPv6 DNS
 Requires:
 * You need to have the pfctl command.
 Windows
 ~~~~~~~
 Not officially supported, however can be made to work with Vagrant. Requires
 cmd.exe with Administrator access. See :doc:`windows` for more information.
 Server side Requirements
 ------------------------
 The server can run in any version of Python between 2.4 and 3.6.
 However it is recommended that you use Python 2.7, Python 3.5 or later whenever
 possible as support for older versions might be dropped in the future.
 Additional Suggested Software
 -----------------------------
 - You may want to use autossh, available in various package management
  systems.
 - If you are using systemd, sshuttle can notify it when the connection to
  the remote end is established and the firewall rules are installed. For
  this feature to work you must configure the process start-up type for the
  sshuttle service unit to notify, as shown in the example below. 
 .. code-block:: ini
   :emphasize-lines: 6
   [Unit]
   Description=sshuttle
   After=network.target
   [Service]
   Type=notify
   ExecStart=/usr/bin/sshuttle --dns --remote <user>@<server> <subnets...>
   [Install]
   WantedBy=multi-user.target
--- a/docs/support.rst
+++ b/docs/support.rst
@ -0,0 +1,11 @@
 Support
 =======
 Mailing list:
 * Subscribe by sending a message to <sshuttle+subscribe@googlegroups.com>
 * List archives are at: http://groups.google.com/group/sshuttle
 Issue tracker and pull requests at github:
 * https://github.com/sshuttle/sshuttle
--- a/docs/tproxy.rst
+++ b/docs/tproxy.rst
@ -0,0 +1,42 @@
 TPROXY
 ======
 TPROXY is the only method that has full support of IPv6 and UDP.
 There are some things you need to consider for TPROXY to work:
 - The following commands need to be run first as root. This only needs to be
  done once after booting up::
      ip route add local default dev lo table 100
      ip rule add fwmark 1 lookup 100
      ip -6 route add local default dev lo table 100
      ip -6 rule add fwmark 1 lookup 100
 - The ``--auto-nets`` feature does not detect IPv6 routes automatically. Add IPv6
  routes manually. e.g. by adding ``'::/0'`` to the end of the command line.
 - The client needs to be run as root. e.g.::
      sudo SSH_AUTH_SOCK="$SSH_AUTH_SOCK" $HOME/tree/sshuttle.tproxy/sshuttle  --method=tproxy ...
 - You may need to exclude the IP address of the server you are connecting to.
  Otherwise sshuttle may attempt to intercept the ssh packets, which will not
  work. Use the ``--exclude`` parameter for this.
 - Similarly, UDP return packets (including DNS) could get intercepted and
  bounced back. This is the case if you have a broad subnet such as
  ``0.0.0.0/0`` or ``::/0`` that includes the IP address of the client. Use the
  ``--exclude`` parameter for this.
 - You need the ``--method=tproxy`` parameter, as above.
 - The routes for the outgoing packets must already exist. For example, if your
  connection does not have IPv6 support, no IPv6 routes will exist, IPv6
  packets will not be generated and sshuttle cannot intercept them::
      telnet -6 www.google.com 80
      Trying 2404:6800:4001:805::1010...
      telnet: Unable to connect to remote host: Network is unreachable
  Add some dummy routes to external interfaces. Make sure they get removed
  however after sshuttle exits.
--- a/docs/trivia.rst
+++ b/docs/trivia.rst
@ -0,0 +1,36 @@
 Useless Trivia
 ==============
 This section written by the original author, Avery Pennarun
 <apenwarr@gmail.com>.
 Back in 1998, I released the first version of `Tunnel
 Vision <http://alumnit.ca/wiki/?TunnelVisionReadMe>`_, a semi-intelligent VPN
 client for Linux.  Unfortunately, I made two big mistakes: I implemented the
 key exchange myself (oops), and I ended up doing TCP-over-TCP (double oops).
 The resulting program worked okay - and people used it for years - but the
 performance was always a bit funny.  And nobody ever found any security flaws
 in my key exchange, either, but that doesn't mean anything. :)
 The same year, dcoombs and I also released Fast Forward, a proxy server
 supporting transparent proxying.  Among other things, we used it for
 automatically splitting traffic across more than one Internet connection (a
 tool we called "Double Vision").
 I was still in university at the time.  A couple years after that, one of my
 professors was working with some graduate students on the technology that would
 eventually become `Slipstream Internet Acceleration
 <http://www.slipstream.com/>`_.  He asked me to do a contract for him to build
 an initial prototype of a transparent proxy server for mobile networks.  The
 idea was similar to sshuttle: if you reassemble and then disassemble the TCP
 packets, you can reduce latency and improve performance vs.  just forwarding
 the packets over a plain VPN or mobile network.  (It's unlikely that any of my
 code has persisted in the Slipstream product today, but the concept is still
 pretty cool.  I'm still horrified that people use plain TCP on complex mobile
 networks with crazily variable latency, for which it was never really
 intended.)
 That project I did for Slipstream was what first gave me the idea to merge
 the concepts of Fast Forward, Double Vision, and Tunnel Vision into a single
 program that was the best of all worlds.  And here we are, at last.
 You're welcome.
--- a/docs/usage.rst
+++ b/docs/usage.rst
@ -0,0 +1,62 @@
 Usage
 =====
 .. note::
    For information on usage with Windows, see the :doc:`windows` section.
    For information on using the TProxy method, see the :doc:`tproxy` section.
 Forward all traffic::
    sshuttle -r username@sshserver 0.0.0.0/0
 - Use the :option:`sshuttle -r` parameter to specify a remote server.
 - By default sshuttle will automatically choose a method to use. Override with
  the :option:`sshuttle --method` parameter.
 - There is a shortcut for 0.0.0.0/0 for those that value
  their wrists::
      sshuttle -r username@sshserver 0/0
 If you would also like your DNS queries to be proxied
 through the DNS server of the server you are connect to::
  sshuttle --dns -r username@sshserver 0/0
 The above is probably what you want to use to prevent
 local network attacks such as Firesheep and friends.
 See the documentation for the :option:`sshuttle --dns` parameter.
 (You may be prompted for one or more passwords; first, the local password to
 become root using sudo, and then the remote ssh password.  Or you might have
 sudo and ssh set up to not require passwords, in which case you won't be
 prompted at all.)
 Usage Notes
 -----------
 That's it!  Now your local machine can access the remote network as if you
 were right there.  And if your "client" machine is a router, everyone on
 your local network can make connections to your remote network.
 You don't need to install sshuttle on the remote server;
 the remote server just needs to have python available. 
 sshuttle will automatically upload and run its source code
 to the remote python interpreter.
 This creates a transparent proxy server on your local machine for all IP
 addresses that match 0.0.0.0/0.  (You can use more specific IP addresses if
 you want; use any number of IP addresses or subnets to change which
 addresses get proxied.  Using 0.0.0.0/0 proxies *everything*, which is
 interesting if you don't trust the people on your local network.)
 Any TCP session you initiate to one of the proxied IP addresses will be
 captured by sshuttle and sent over an ssh session to the remote copy of
 sshuttle, which will then regenerate the connection on that end, and funnel
 the data back and forth through ssh.
 Fun, right?  A poor man's instant VPN, and you don't even have to have
 admin access on the server.
--- a/docs/windows.rst
+++ b/docs/windows.rst
@ -0,0 +1,19 @@
 Microsoft Windows
 =================
 Currently there is no built in support for running sshuttle directly on
 Microsoft Windows.
 What we can really do is to create a Linux VM with Vagrant (or simply
 Virtualbox if you like). In the Vagrant settings, remember to turn on bridged
 NIC. Then, run sshuttle inside the VM like below::
    sshuttle -l 0.0.0.0 -x 10.0.0.0/8 -x 192.168.0.0/16 0/0
 10.0.0.0/8 excludes NAT traffic of Vagrant and 192.168.0.0/16 excludes
 traffic to local area network (assuming that we're using 192.168.0.0 subnet).
 Assuming the VM has the IP 192.168.1.200 obtained on the bridge NIC (we can
 configure that in Vagrant), we can then ask Windows to route all its traffic
 via the VM by running the following in cmd.exe with admin right::
     route add 0.0.0.0 mask 0.0.0.0 192.168.1.200
--- a/firewall.py
+++ b/firewall.py
@ -1,433 +0,0 @@
 import re, errno, socket, select, struct
 import compat.ssubprocess as ssubprocess
 import helpers, ssyslog
 from helpers import *
 # python doesn't have a definition for this
 IPPROTO_DIVERT = 254
 def ipt_chain_exists(name):
    argv = ['iptables', '-t', 'nat', '-nL']
    p = ssubprocess.Popen(argv, stdout = ssubprocess.PIPE)
    for line in p.stdout:
        if line.startswith('Chain %s ' % name):
            return True
    rv = p.wait()
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
 def ipt(*args):
    argv = ['iptables', '-t', 'nat'] + list(args)
    debug1('>> %s\n' % ' '.join(argv))
    rv = ssubprocess.call(argv)
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
 _no_ttl_module = False
 def ipt_ttl(*args):
    global _no_ttl_module
    if not _no_ttl_module:
        # we avoid infinite loops by generating server-side connections
        # with ttl 42.  This makes the client side not recapture those
        # connections, in case client == server.
        try:
            argsplus = list(args) + ['-m', 'ttl', '!', '--ttl', '42']
            ipt(*argsplus)
        except Fatal:
            ipt(*args)
            # we only get here if the non-ttl attempt succeeds
            log('sshuttle: warning: your iptables is missing '
                'the ttl module.\n')
            _no_ttl_module = True
    else:
        ipt(*args)
 # We name the chain based on the transproxy port number so that it's possible
 # to run multiple copies of sshuttle at the same time.  Of course, the
 # multiple copies shouldn't have overlapping subnets, or only the most-
 # recently-started one will win (because we use "-I OUTPUT 1" instead of
 # "-A OUTPUT").
 def do_iptables(port, dnsport, subnets):
    chain = 'sshuttle-%s' % port
    # basic cleanup/setup of chains
    if ipt_chain_exists(chain):
        ipt('-D', 'OUTPUT', '-j', chain)
        ipt('-D', 'PREROUTING', '-j', chain)
        ipt('-F', chain)
        ipt('-X', chain)
    if subnets or dnsport:
        ipt('-N', chain)
        ipt('-F', chain)
        ipt('-I', 'OUTPUT', '1', '-j', chain)
        ipt('-I', 'PREROUTING', '1', '-j', chain)
    if subnets:
        # create new subnet entries.  Note that we're sorting in a very
        # particular order: we need to go from most-specific (largest swidth)
        # to least-specific, and at any given level of specificity, we want
        # excludes to come first.  That's why the columns are in such a non-
        # intuitive order.
        for swidth,sexclude,snet in sorted(subnets, reverse=True):
            if sexclude:
                ipt('-A', chain, '-j', 'RETURN',
                    '--dest', '%s/%s' % (snet,swidth),
                    '-p', 'tcp')
            else:
                ipt_ttl('-A', chain, '-j', 'REDIRECT',
                        '--dest', '%s/%s' % (snet,swidth),
                        '-p', 'tcp',
                        '--to-ports', str(port))
    if dnsport:
        nslist = resolvconf_nameservers()
        for ip in nslist:
            ipt_ttl('-A', chain, '-j', 'REDIRECT',
                    '--dest', '%s/32' % ip,
                    '-p', 'udp',
                    '--dport', '53',
                    '--to-ports', str(dnsport))
 def ipfw_rule_exists(n):
    argv = ['ipfw', 'list']
    p = ssubprocess.Popen(argv, stdout = ssubprocess.PIPE)
    found = False
    for line in p.stdout:
        if line.startswith('%05d ' % n):
            if not ('ipttl 42' in line
                    or ('skipto %d' % (n+1)) in line
                    or 'check-state' in line):
                log('non-sshuttle ipfw rule: %r\n' % line.strip())
                raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
            found = True
    rv = p.wait()
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
    return found
 _oldctls = {}
 def _fill_oldctls(prefix):
    argv = ['sysctl', prefix]
    p = ssubprocess.Popen(argv, stdout = ssubprocess.PIPE)
    for line in p.stdout:
        assert(line[-1] == '\n')
        (k,v) = line[:-1].split(': ', 1)
        _oldctls[k] = v
    rv = p.wait()
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
    if not line:
        raise Fatal('%r returned no data' % (argv,))
 def _sysctl_set(name, val):
    argv = ['sysctl', '-w', '%s=%s' % (name, val)]
    debug1('>> %s\n' % ' '.join(argv))
    rv = ssubprocess.call(argv, stdout = open('/dev/null', 'w'))
 _changedctls = []
 def sysctl_set(name, val):
    PREFIX = 'net.inet.ip'
    assert(name.startswith(PREFIX + '.'))
    val = str(val)
    if not _oldctls:
        _fill_oldctls(PREFIX)
    if not (name in _oldctls):
        debug1('>> No such sysctl: %r\n' % name)
        return
    oldval = _oldctls[name]
    if val != oldval:
        _changedctls.append(name)
        return _sysctl_set(name, val)
 def _udp_unpack(p):
    src = (socket.inet_ntoa(p[12:16]), struct.unpack('!H', p[20:22])[0])
    dst = (socket.inet_ntoa(p[16:20]), struct.unpack('!H', p[22:24])[0])
    return src, dst
 def _udp_repack(p, src, dst):
    addrs = socket.inet_aton(src[0]) + socket.inet_aton(dst[0])
    ports = struct.pack('!HH', src[1], dst[1])
    return p[:12] + addrs + ports + p[24:]
 _real_dns_server = [None]
 def _handle_diversion(divertsock, dnsport):
    p,tag = divertsock.recvfrom(4096)
    src,dst = _udp_unpack(p)
    debug3('got diverted packet from %r to %r\n' % (src, dst))
    if dst[1] == 53:
        # outgoing DNS
        debug3('...packet is a DNS request.\n')
        _real_dns_server[0] = dst
        dst = ('127.0.0.1', dnsport)
    elif src[1] == dnsport:
        if islocal(src[0]):
            debug3('...packet is a DNS response.\n')
            src = _real_dns_server[0]
    else:
        log('weird?! unexpected divert from %r to %r\n' % (src, dst))
        assert(0)
    newp = _udp_repack(p, src, dst)
    divertsock.sendto(newp, tag)
 def ipfw(*args):
    argv = ['ipfw', '-q'] + list(args)
    debug1('>> %s\n' % ' '.join(argv))
    rv = ssubprocess.call(argv)
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
 def do_ipfw(port, dnsport, subnets):
    sport = str(port)
    xsport = str(port+1)
    # cleanup any existing rules
    if ipfw_rule_exists(port):
        ipfw('delete', sport)
    while _changedctls:
        name = _changedctls.pop()
        oldval = _oldctls[name]
        _sysctl_set(name, oldval)
    if subnets or dnsport:
        sysctl_set('net.inet.ip.fw.enable', 1)
        sysctl_set('net.inet.ip.scopedroute', 0)
        ipfw('add', sport, 'check-state', 'ip',
             'from', 'any', 'to', 'any')
    if subnets:
        # create new subnet entries
        for swidth,sexclude,snet in sorted(subnets, reverse=True):
            if sexclude:
                ipfw('add', sport, 'skipto', xsport,
                     'log', 'tcp',
                     'from', 'any', 'to', '%s/%s' % (snet,swidth))
            else:
                ipfw('add', sport, 'fwd', '127.0.0.1,%d' % port,
                     'log', 'tcp',
                     'from', 'any', 'to', '%s/%s' % (snet,swidth),
                     'not', 'ipttl', '42', 'keep-state', 'setup')
    # This part is much crazier than it is on Linux, because MacOS (at least
    # 10.6, and probably other versions, and maybe FreeBSD too) doesn't
    # correctly fixup the dstip/dstport for UDP packets when it puts them
    # through a 'fwd' rule.  It also doesn't fixup the srcip/srcport in the
    # response packet.  In Linux iptables, all that happens magically for us,
    # so we just redirect the packets and relax.
    #
    # On MacOS, we have to fix the ports ourselves.  For that, we use a
    # 'divert' socket, which receives raw packets and lets us mangle them.
    #
    # Here's how it works.  Let's say the local DNS server is 1.1.1.1:53,
    # and the remote DNS server is 2.2.2.2:53, and the local transproxy port
    # is 10.0.0.1:12300, and a client machine is making a request from
    # 10.0.0.5:9999. We see a packet like this:
    #    10.0.0.5:9999 -> 1.1.1.1:53
    # Since the destip:port matches one of our local nameservers, it will
    # match a 'fwd' rule, thus grabbing it on the local machine.  However,
    # the local kernel will then see a packet addressed to *:53 and
    # not know what to do with it; there's nobody listening on port 53.  Thus,
    # we divert it, rewriting it into this:
    #    10.0.0.5:9999 -> 10.0.0.1:12300
    # This gets proxied out to the server, which sends it to 2.2.2.2:53,
    # and the answer comes back, and the proxy sends it back out like this:
    #    10.0.0.1:12300 -> 10.0.0.5:9999
    # But that's wrong!  The original machine expected an answer from
    # 1.1.1.1:53, so we have to divert the *answer* and rewrite it:
    #    1.1.1.1:53 -> 10.0.0.5:9999
    #
    # See?  Easy stuff.
    if dnsport:
        divertsock = socket.socket(socket.AF_INET, socket.SOCK_RAW,
                                   IPPROTO_DIVERT)
        divertsock.bind(('0.0.0.0', port)) # IP field is ignored
        nslist = resolvconf_nameservers()
        for ip in nslist:
            # relabel and then catch outgoing DNS requests
            ipfw('add', sport, 'divert', sport,
                 'log', 'udp',
                 'from', 'any', 'to', '%s/32' % ip, '53',
                 'not', 'ipttl', '42')
        # relabel DNS responses
        ipfw('add', sport, 'divert', sport,
             'log', 'udp',
             'from', 'any', str(dnsport), 'to', 'any',
             'not', 'ipttl', '42')
        def do_wait():
            while 1:
                r,w,x = select.select([sys.stdin, divertsock], [], [])
                if divertsock in r:
                    _handle_diversion(divertsock, dnsport)
                if sys.stdin in r:
                    return
    else:
        do_wait = None
    return do_wait
 def program_exists(name):
    paths = (os.getenv('PATH') or os.defpath).split(os.pathsep)
    for p in paths:
        fn = '%s/%s' % (p, name)
        if os.path.exists(fn):
            return not os.path.isdir(fn) and os.access(fn, os.X_OK)
 hostmap = {}
 def rewrite_etc_hosts(port):
    HOSTSFILE='/etc/hosts'
    BAKFILE='%s.sbak' % HOSTSFILE
    APPEND='# sshuttle-firewall-%d AUTOCREATED' % port
    old_content = ''
    st = None
    try:
        old_content = open(HOSTSFILE).read()
        st = os.stat(HOSTSFILE)
    except IOError, e:
        if e.errno == errno.ENOENT:
            pass
        else:
            raise
    if old_content.strip() and not os.path.exists(BAKFILE):
        os.link(HOSTSFILE, BAKFILE)
    tmpname = "%s.%d.tmp" % (HOSTSFILE, port)
    f = open(tmpname, 'w')
    for line in old_content.rstrip().split('\n'):
        if line.find(APPEND) >= 0:
            continue
        f.write('%s\n' % line)
    for (name,ip) in sorted(hostmap.items()):
        f.write('%-30s %s\n' % ('%s %s' % (ip,name), APPEND))
    f.close()
    if st:
        os.chown(tmpname, st.st_uid, st.st_gid)
        os.chmod(tmpname, st.st_mode)
    else:
        os.chown(tmpname, 0, 0)
        os.chmod(tmpname, 0644)
    os.rename(tmpname, HOSTSFILE)
 def restore_etc_hosts(port):
    global hostmap
    hostmap = {}
    rewrite_etc_hosts(port)
 # This is some voodoo for setting up the kernel's transparent
 # proxying stuff.  If subnets is empty, we just delete our sshuttle rules;
 # otherwise we delete it, then make them from scratch.
 #
 # This code is supposed to clean up after itself by deleting its rules on
 # exit.  In case that fails, it's not the end of the world; future runs will
 # supercede it in the transproxy list, at least, so the leftover rules
 # are hopefully harmless.
 def main(port, dnsport, syslog):
    assert(port > 0)
    assert(port <= 65535)
    assert(dnsport >= 0)
    assert(dnsport <= 65535)
    if os.getuid() != 0:
        raise Fatal('you must be root (or enable su/sudo) to set the firewall')
    if program_exists('ipfw'):
        do_it = do_ipfw
    elif program_exists('iptables'):
        do_it = do_iptables
    else:
        raise Fatal("can't find either ipfw or iptables; check your PATH")
    # because of limitations of the 'su' command, the *real* stdin/stdout
    # are both attached to stdout initially.  Clone stdout into stdin so we
    # can read from it.
    os.dup2(1, 0)
    if syslog:
        ssyslog.start_syslog()
        ssyslog.stderr_to_syslog()
    debug1('firewall manager ready.\n')
    sys.stdout.write('READY\n')
    sys.stdout.flush()
    # ctrl-c shouldn't be passed along to me.  When the main sshuttle dies,
    # I'll die automatically.
    os.setsid()
    # we wait until we get some input before creating the rules.  That way,
    # sshuttle can launch us as early as possible (and get sudo password
    # authentication as early in the startup process as possible).
    line = sys.stdin.readline(128)
    if not line:
        return  # parent died; nothing to do
    subnets = []
    if line != 'ROUTES\n':
        raise Fatal('firewall: expected ROUTES but got %r' % line)
    while 1:
        line = sys.stdin.readline(128)
        if not line:
            raise Fatal('firewall: expected route but got %r' % line)
        elif line == 'GO\n':
            break
        try:
            (width,exclude,ip) = line.strip().split(',', 2)
        except:
            raise Fatal('firewall: expected route or GO but got %r' % line)
        subnets.append((int(width), bool(int(exclude)), ip))
    try:
        if line:
            debug1('firewall manager: starting transproxy.\n')
            do_wait = do_it(port, dnsport, subnets)
            sys.stdout.write('STARTED\n')
        try:
            sys.stdout.flush()
        except IOError:
            # the parent process died for some reason; he's surely been loud
            # enough, so no reason to report another error
            return
        # Now we wait until EOF or any other kind of exception.  We need
        # to stay running so that we don't need a *second* password
        # authentication at shutdown time - that cleanup is important!
        while 1:
            if do_wait: do_wait()
            line = sys.stdin.readline(128)
            if line.startswith('HOST '):
                (name,ip) = line[5:].strip().split(',', 1)
                hostmap[name] = ip
                rewrite_etc_hosts(port)
            elif line:
                raise Fatal('expected EOF, got %r' % line)
            else:
                break
    finally:
        try:
            debug1('firewall manager: undoing changes.\n')
        except:
            pass
        do_it(port, 0, [])
        restore_etc_hosts(port)
--- a/main.py
+++ b/main.py
@ -1,127 +0,0 @@
 #!/usr/bin/env python
 import sys, os, re
 import helpers, options, client, server, firewall, hostwatch
 import compat.ssubprocess as ssubprocess
 from helpers import *
 # list of:
 # 1.2.3.4/5 or just 1.2.3.4
 def parse_subnets(subnets_str):
    subnets = []
    for s in subnets_str:
        m = re.match(r'(\d+)(?:\.(\d+)\.(\d+)\.(\d+))?(?:/(\d+))?$', s)
        if not m:
            raise Fatal('%r is not a valid IP subnet format' % s)
        (a,b,c,d,width) = m.groups()
        (a,b,c,d) = (int(a or 0), int(b or 0), int(c or 0), int(d or 0))
        if width == None:
            width = 32
        else:
            width = int(width)
        if a > 255 or b > 255 or c > 255 or d > 255:
            raise Fatal('%d.%d.%d.%d has numbers > 255' % (a,b,c,d))
        if width > 32:
            raise Fatal('*/%d is greater than the maximum of 32' % width)
        subnets.append(('%d.%d.%d.%d' % (a,b,c,d), width))
    return subnets
 # 1.2.3.4:567 or just 1.2.3.4 or just 567
 def parse_ipport(s):
    s = str(s)
    m = re.match(r'(?:(\d+)\.(\d+)\.(\d+)\.(\d+))?(?::)?(?:(\d+))?$', s)
    if not m:
        raise Fatal('%r is not a valid IP:port format' % s)
    (a,b,c,d,port) = m.groups()
    (a,b,c,d,port) = (int(a or 0), int(b or 0), int(c or 0), int(d or 0),
                      int(port or 0))
    if a > 255 or b > 255 or c > 255 or d > 255:
        raise Fatal('%d.%d.%d.%d has numbers > 255' % (a,b,c,d))
    if port > 65535:
        raise Fatal('*:%d is greater than the maximum of 65535' % port)
    if a == None:
        a = b = c = d = 0
    return ('%d.%d.%d.%d' % (a,b,c,d), port)
 optspec = """
 sshuttle [-l [ip:]port] [-r [username@]sshserver[:port]] <subnets...>
 sshuttle --server
 sshuttle --firewall <port> <subnets...>
 sshuttle --hostwatch
 --
 l,listen=  transproxy to this ip address and port number [127.0.0.1:0]
 H,auto-hosts scan for remote hostnames and update local /etc/hosts
 N,auto-nets  automatically determine subnets to route
 dns        capture local DNS requests and forward to the remote DNS server
 python=    path to python interpreter on the remote server [python]
 r,remote=  ssh hostname (and optional username) of remote sshuttle server
 x,exclude= exclude this subnet (can be used more than once)
 v,verbose  increase debug message verbosity
 e,ssh-cmd= the command to use to connect to the remote [ssh]
 seed-hosts= with -H, use these hostnames for initial scan (comma-separated)
 no-latency-control  sacrifice latency to improve bandwidth benchmarks
 D,daemon   run in the background as a daemon
 syslog     send log messages to syslog (default if you use --daemon)
 pidfile=   pidfile name (only if using --daemon) [./sshuttle.pid]
 server     (internal use only)
 firewall   (internal use only)
 hostwatch  (internal use only)
 """
 o = options.Options(optspec)
 (opt, flags, extra) = o.parse(sys.argv[1:])
 if opt.daemon:
    opt.syslog = 1
 helpers.verbose = opt.verbose
 try:
    if opt.server:
        if len(extra) != 0:
            o.fatal('no arguments expected')
        server.latency_control = opt.latency_control
        sys.exit(server.main())
    elif opt.firewall:
        if len(extra) != 2:
            o.fatal('exactly two arguments expected')
        sys.exit(firewall.main(int(extra[0]), int(extra[1]), opt.syslog))
    elif opt.hostwatch:
        sys.exit(hostwatch.hw_main(extra))
    else:
        if len(extra) < 1 and not opt.auto_nets:
            o.fatal('at least one subnet (or -N) expected')
        includes = extra
        excludes = ['127.0.0.0/8']
        for k,v in flags:
            if k in ('-x','--exclude'):
                excludes.append(v)
        remotename = opt.remote
        if remotename == '' or remotename == '-':
            remotename = None
        if opt.seed_hosts and not opt.auto_hosts:
            o.fatal('--seed-hosts only works if you also use -H')
        if opt.seed_hosts:
            sh = re.split(r'[\s,]+', (opt.seed_hosts or "").strip())
        elif opt.auto_hosts:
            sh = []
        else:
            sh = None
        sys.exit(client.main(parse_ipport(opt.listen or '0.0.0.0:0'),
                             opt.ssh_cmd,
                             remotename,
                             opt.python,
                             opt.latency_control,
                             opt.dns,
                             sh,
                             opt.auto_nets,
                             parse_subnets(includes),
                             parse_subnets(excludes),
                             opt.syslog, opt.daemon, opt.pidfile))
 except Fatal, e:
    log('fatal: %s\n' % e)
    sys.exit(99)
 except KeyboardInterrupt:
    log('\n')
    log('Keyboard interrupt: exiting.\n')
    sys.exit(1)
--- a/options.py
+++ b/options.py
@ -1,200 +0,0 @@
 """Command-line options parser.
 With the help of an options spec string, easily parse command-line options.
 """
 import sys, os, textwrap, getopt, re, struct
 class OptDict:
    def __init__(self):
        self._opts = {}
    def __setitem__(self, k, v):
        if k.startswith('no-') or k.startswith('no_'):
            k = k[3:]
            v = not v
        self._opts[k] = v
    def __getitem__(self, k):
        if k.startswith('no-') or k.startswith('no_'):
            return not self._opts[k[3:]]
        return self._opts[k]
    def __getattr__(self, k):
        return self[k]
 def _default_onabort(msg):
    sys.exit(97)
 def _intify(v):
    try:
        vv = int(v or '')
        if str(vv) == v:
            return vv
    except ValueError:
        pass
    return v
 def _atoi(v):
    try:
        return int(v or 0)
    except ValueError:
        return 0
 def _remove_negative_kv(k, v):
    if k.startswith('no-') or k.startswith('no_'):
        return k[3:], not v
    return k,v
 def _remove_negative_k(k):
    return _remove_negative_kv(k, None)[0]
 def _tty_width():
    s = struct.pack("HHHH", 0, 0, 0, 0)
    try:
        import fcntl, termios
        s = fcntl.ioctl(sys.stderr.fileno(), termios.TIOCGWINSZ, s)
    except (IOError, ImportError):
        return _atoi(os.environ.get('WIDTH')) or 70
    (ysize,xsize,ypix,xpix) = struct.unpack('HHHH', s)
    return xsize or 70
 class Options:
    """Option parser.
    When constructed, two strings are mandatory. The first one is the command
    name showed before error messages. The second one is a string called an
    optspec that specifies the synopsis and option flags and their description.
    For more information about optspecs, consult the bup-options(1) man page.
    Two optional arguments specify an alternative parsing function and an
    alternative behaviour on abort (after having output the usage string).
    By default, the parser function is getopt.gnu_getopt, and the abort
    behaviour is to exit the program.
    """
    def __init__(self, optspec, optfunc=getopt.gnu_getopt,
                 onabort=_default_onabort):
        self.optspec = optspec
        self._onabort = onabort
        self.optfunc = optfunc
        self._aliases = {}
        self._shortopts = 'h?'
        self._longopts = ['help']
        self._hasparms = {}
        self._defaults = {}
        self._usagestr = self._gen_usage()
    def _gen_usage(self):
        out = []
        lines = self.optspec.strip().split('\n')
        lines.reverse()
        first_syn = True
        while lines:
            l = lines.pop()
            if l == '--': break
            out.append('%s: %s\n' % (first_syn and 'usage' or '   or', l))
            first_syn = False
        out.append('\n')
        last_was_option = False
        while lines:
            l = lines.pop()
            if l.startswith(' '):
                out.append('%s%s\n' % (last_was_option and '\n' or '',
                                       l.lstrip()))
                last_was_option = False
            elif l:
                (flags, extra) = l.split(' ', 1)
                extra = extra.strip()
                if flags.endswith('='):
                    flags = flags[:-1]
                    has_parm = 1
                else:
                    has_parm = 0
                g = re.search(r'\[([^\]]*)\]$', extra)
                if g:
                    defval = g.group(1)
                else:
                    defval = None
                flagl = flags.split(',')
                flagl_nice = []
                for _f in flagl:
                    f,dvi = _remove_negative_kv(_f, _intify(defval))
                    self._aliases[f] = _remove_negative_k(flagl[0])
                    self._hasparms[f] = has_parm
                    self._defaults[f] = dvi
                    if len(f) == 1:
                        self._shortopts += f + (has_parm and ':' or '')
                        flagl_nice.append('-' + f)
                    else:
                        f_nice = re.sub(r'\W', '_', f)
                        self._aliases[f_nice] = _remove_negative_k(flagl[0])
                        self._longopts.append(f + (has_parm and '=' or ''))
                        self._longopts.append('no-' + f)
                        flagl_nice.append('--' + _f)
                flags_nice = ', '.join(flagl_nice)
                if has_parm:
                    flags_nice += ' ...'
                prefix = '    %-20s  ' % flags_nice
                argtext = '\n'.join(textwrap.wrap(extra, width=_tty_width(),
                                                initial_indent=prefix,
                                                subsequent_indent=' '*28))
                out.append(argtext + '\n')
                last_was_option = True
            else:
                out.append('\n')
                last_was_option = False
        return ''.join(out).rstrip() + '\n'
    def usage(self, msg=""):
        """Print usage string to stderr and abort."""
        sys.stderr.write(self._usagestr)
        e = self._onabort and self._onabort(msg) or None
        if e:
            raise e
    def fatal(self, s):
        """Print an error message to stderr and abort with usage string."""
        msg = 'error: %s\n' % s
        sys.stderr.write(msg)
        return self.usage(msg)
    def parse(self, args):
        """Parse a list of arguments and return (options, flags, extra).
        In the returned tuple, "options" is an OptDict with known options,
        "flags" is a list of option flags that were used on the command-line,
        and "extra" is a list of positional arguments.
        """
        try:
            (flags,extra) = self.optfunc(args, self._shortopts, self._longopts)
        except getopt.GetoptError, e:
            self.fatal(e)
        opt = OptDict()
        for k,v in self._defaults.iteritems():
            k = self._aliases[k]
            opt[k] = v
        for (k,v) in flags:
            k = k.lstrip('-')
            if k in ('h', '?', 'help'):
                self.usage()
            if k.startswith('no-'):
                k = self._aliases[k[3:]]
                v = 0
            else:
                k = self._aliases[k]
                if not self._hasparms[k]:
                    assert(v == '')
                    v = (opt._opts.get(k) or 0) + 1
                else:
                    v = _intify(v)
            opt[k] = v
        for (f1,f2) in self._aliases.iteritems():
            opt[f1] = opt._opts.get(f2)
        return (opt,flags,extra)
--- a/requirements.txt
+++ b/requirements.txt
@ -0,0 +1 @@
 setuptools-scm==1.15.6
--- a/11
+++ b/11
@ -0,0 +1,11 @@
 #!/bin/sh
 source_dir="$(dirname $0)"
 (cd "$source_dir" && "$source_dir/setup.py" --version > /dev/null)
 export PYTHONPATH="$source_dir:$PYTHONPATH"
 if python3.5 -V >/dev/null 2>&1; then
 	exec python3.5 -m "sshuttle" "$@"
 elif python2.7 -V >/dev/null 2>&1; then
 	exec python2.7 -m "sshuttle" "$@"
 else
 	exec python -m "sshuttle" "$@"
 fi
--- a/server.py
+++ b/server.py
@ -1,212 +0,0 @@
 import re, struct, socket, select, traceback, time
 if not globals().get('skip_imports'):
    import ssnet, helpers, hostwatch
    import compat.ssubprocess as ssubprocess
    from ssnet import SockWrapper, Handler, Proxy, Mux, MuxWrapper
    from helpers import *
 def _ipmatch(ipstr):
    if ipstr == 'default':
        ipstr = '0.0.0.0/0'
    m = re.match(r'^(\d+(\.\d+(\.\d+(\.\d+)?)?)?)(?:/(\d+))?$', ipstr)
    if m:
        g = m.groups()
        ips = g[0]
        width = int(g[4] or 32)
        if g[1] == None:
            ips += '.0.0.0'
            width = min(width, 8)
        elif g[2] == None:
            ips += '.0.0'
            width = min(width, 16)
        elif g[3] == None:
            ips += '.0'
            width = min(width, 24)
        return (struct.unpack('!I', socket.inet_aton(ips))[0], width)
 def _ipstr(ip, width):
    if width >= 32:
        return ip
    else:
        return "%s/%d" % (ip, width)
 def _maskbits(netmask):
    if not netmask:
        return 32
    for i in range(32):
        if netmask[0] & _shl(1, i):
            return 32-i
    return 0
 def _shl(n, bits):
    return n * int(2**bits)
 def _list_routes():
    argv = ['netstat', '-rn']
    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE)
    routes = []
    for line in p.stdout:
        cols = re.split(r'\s+', line)
        ipw = _ipmatch(cols[0])
        if not ipw:
            continue  # some lines won't be parseable; never mind
        maskw = _ipmatch(cols[2])  # linux only
        mask = _maskbits(maskw)   # returns 32 if maskw is null
        width = min(ipw[1], mask)
        ip = ipw[0] & _shl(_shl(1, width) - 1, 32-width)
        routes.append((socket.inet_ntoa(struct.pack('!I', ip)), width))
    rv = p.wait()
    if rv != 0:
        log('WARNING: %r returned %d\n' % (argv, rv))
        log('WARNING: That prevents --auto-nets from working.\n')
    return routes
 def list_routes():
    for (ip,width) in _list_routes():
        if not ip.startswith('0.') and not ip.startswith('127.'):
            yield (ip,width)
 def _exc_dump():
    exc_info = sys.exc_info()
    return ''.join(traceback.format_exception(*exc_info))
 def start_hostwatch(seed_hosts):
    s1,s2 = socket.socketpair()
    pid = os.fork()
    if not pid:
        # child
        rv = 99
        try:
            try:
                s2.close()
                os.dup2(s1.fileno(), 1)
                os.dup2(s1.fileno(), 0)
                s1.close()
                rv = hostwatch.hw_main(seed_hosts) or 0
            except Exception, e:
                log('%s\n' % _exc_dump())
                rv = 98
        finally:
            os._exit(rv)
    s1.close()
    return pid,s2
 class Hostwatch:
    def __init__(self):
        self.pid = 0
        self.sock = None
 class DnsProxy(Handler):
    def __init__(self, mux, chan, request):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        Handler.__init__(self, [sock])
        self.sock = sock
        self.timeout = time.time()+30
        self.mux = mux
        self.chan = chan
        self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
        self.sock.connect((resolvconf_random_nameserver(), 53))
        self.sock.send(request)
    def callback(self):
        data = self.sock.recv(4096)
        debug2('DNS response: %d bytes\n' % len(data))
        self.mux.send(self.chan, ssnet.CMD_DNS_RESPONSE, data)
        self.ok = False
 def main():
    if helpers.verbose >= 1:
        helpers.logprefix = ' s: '
    else:
        helpers.logprefix = 'server: '
    debug1('latency control setting = %r\n' % latency_control)
    routes = list(list_routes())
    debug1('available routes:\n')
    for r in routes:
        debug1('  %s/%d\n' % r)
    # synchronization header
    sys.stdout.write('SSHUTTLE0001')
    sys.stdout.flush()
    handlers = []
    mux = Mux(socket.fromfd(sys.stdin.fileno(),
                            socket.AF_INET, socket.SOCK_STREAM),
              socket.fromfd(sys.stdout.fileno(),
                            socket.AF_INET, socket.SOCK_STREAM))
    handlers.append(mux)
    routepkt = ''
    for r in routes:
        routepkt += '%s,%d\n' % r
    mux.send(0, ssnet.CMD_ROUTES, routepkt)
    hw = Hostwatch()
    hw.leftover = ''
    def hostwatch_ready():
        assert(hw.pid)
        content = hw.sock.recv(4096)
        if content:
            lines = (hw.leftover + content).split('\n')
            if lines[-1]:
                # no terminating newline: entry isn't complete yet!
                hw.leftover = lines.pop()
                lines.append('')
            else:
                hw.leftover = ''
            mux.send(0, ssnet.CMD_HOST_LIST, '\n'.join(lines))
        else:
            raise Fatal('hostwatch process died')
    def got_host_req(data):
        if not hw.pid:
            (hw.pid,hw.sock) = start_hostwatch(data.strip().split())
            handlers.append(Handler(socks = [hw.sock],
                                    callback = hostwatch_ready))
    mux.got_host_req = got_host_req
    def new_channel(channel, data):
        (dstip,dstport) = data.split(',', 1)
        dstport = int(dstport)
        outwrap = ssnet.connect_dst(dstip,dstport)
        handlers.append(Proxy(MuxWrapper(mux, channel), outwrap))
    mux.new_channel = new_channel
    dnshandlers = {}
    def dns_req(channel, data):
        debug2('Incoming DNS request.\n')
        h = DnsProxy(mux, channel, data)
        handlers.append(h)
        dnshandlers[channel] = h
    mux.got_dns_req = dns_req
    while mux.ok:
        if hw.pid:
            assert(hw.pid > 0)
            (rpid, rv) = os.waitpid(hw.pid, os.WNOHANG)
            if rpid:
                raise Fatal('hostwatch exited unexpectedly: code 0x%04x\n' % rv)
        ssnet.runonce(handlers, mux)
        if latency_control:
            mux.check_fullness()
        mux.callback()
        if dnshandlers:
            now = time.time()
            for channel,h in dnshandlers.items():
                if h.timeout < now or not h.ok:
                    del dnshandlers[channel]
                    h.ok = False
--- a/setup.cfg
+++ b/setup.cfg
@ -0,0 +1,9 @@
 [aliases]
 test=pytest
 [bdist_wheel]
 universal = 1
 [upload]
 sign=true
 identity=0x1784577F811F6EAC
--- a/setup.py
+++ b/setup.py
@ -0,0 +1,62 @@
 #!/usr/bin/env python
 # Copyright 2012-2014 Brian May
 #
 # This file is part of python-tldap.
 #
 # python-tldap is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # python-tldap is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with python-tldap  If not, see <http://www.gnu.org/licenses/>.
 from setuptools import setup, find_packages
 def version_scheme(version):
    from setuptools_scm.version import guess_next_dev_version
    version = guess_next_dev_version(version)
    return version.lstrip("v")
 setup(
    name="sshuttle",
    use_scm_version={
        'write_to': "sshuttle/version.py",
        'version_scheme': version_scheme,
    },
    setup_requires=['setuptools_scm'],
    # version=version,
    url='https://github.com/sshuttle/sshuttle',
    author='Brian May',
    author_email='brian@linuxpenguins.xyz',
    description='Full-featured" VPN over an SSH tunnel',
    packages=find_packages(),
    license="GPL2+",
    long_description=open('README.rst').read(),
    classifiers=[
        "Development Status :: 5 - Production/Stable",
        "Intended Audience :: Developers",
        "Intended Audience :: End Users/Desktop",
        "License :: OSI Approved :: "
            "GNU General Public License v2 or later (GPLv2+)",
        "Operating System :: OS Independent",
        "Programming Language :: Python :: 2.7",
        "Programming Language :: Python :: 3.5",
        "Topic :: System :: Networking",
    ],
    entry_points={
        'console_scripts': [
            'sshuttle = sshuttle.cmdline:main',
        ],
    },
    tests_require=['pytest', 'pytest-runner', 'mock'],
    keywords="ssh vpn",
 )
--- a/ssh.py
+++ b/ssh.py
@ -1,99 +0,0 @@
 import sys, os, re, socket, zlib
 import compat.ssubprocess as ssubprocess
 import helpers
 from helpers import *
 def readfile(name):
    basedir = os.path.dirname(os.path.abspath(sys.argv[0]))
    path = [basedir] + sys.path
    for d in path:
        fullname = os.path.join(d, name)
        if os.path.exists(fullname):
            return open(fullname, 'rb').read()
    raise Exception("can't find file %r in any of %r" % (name, path))
 def empackage(z, filename, data=None):
    (path,basename) = os.path.split(filename)
    if not data:
        data = readfile(filename)
    content = z.compress(data)
    content += z.flush(zlib.Z_SYNC_FLUSH)
    return '%s\n%d\n%s' % (basename, len(content), content)
 def connect(ssh_cmd, rhostport, python, stderr, options):
    main_exe = sys.argv[0]
    portl = []
    rhostIsIPv6 = False
    if (rhostport or '').count(':') > 1:
        rhostIsIPv6 = True
        if rhostport.count(']') or rhostport.count('['):
            result = rhostport.split(']')
            rhost = result[0].strip('[')
            if len(result) > 1:
                result[1] = result[1].strip(':')
                if result[1] is not '':
                    portl = ['-p', str(int(result[1]))]
        else: # can't disambiguate IPv6 colons and a port number. pass the hostname through.
            rhost = rhostport
    else: # IPv4
        l = (rhostport or '').split(':', 1)
        rhost = l[0]
        if len(l) > 1:
            portl = ['-p', str(int(l[1]))]
    if rhost == '-':
        rhost = None
    ipv6flag = []
    if rhostIsIPv6:
        ipv6flag = ['-6']
    z = zlib.compressobj(1)
    content = readfile('assembler.py')
    optdata = ''.join("%s=%r\n" % (k,v) for (k,v) in options.items())
    content2 = (empackage(z, 'cmdline_options.py', optdata) +
                empackage(z, 'helpers.py') +
                empackage(z, 'compat/ssubprocess.py') +
                empackage(z, 'ssnet.py') +
                empackage(z, 'hostwatch.py') +
                empackage(z, 'server.py') +
                "\n")
    pyscript = r"""
                import sys;
                skip_imports=1;
                verbosity=%d;
                exec compile(sys.stdin.read(%d), "assembler.py", "exec")
                """ % (helpers.verbose or 0, len(content))
    pyscript = re.sub(r'\s+', ' ', pyscript.strip())
    if not rhost:
        argv = [python, '-c', pyscript]
    else:
        if ssh_cmd:
            sshl = ssh_cmd.split(' ')
        else:
            sshl = ['ssh']
        argv = (sshl + 
                portl + 
                ipv6flag + 
                [rhost, '--', "'%s' -c '%s'" % (python, pyscript)])
    (s1,s2) = socket.socketpair()
    def setup():
        # runs in the child process
        s2.close()
    s1a,s1b = os.dup(s1.fileno()), os.dup(s1.fileno())
    s1.close()
    debug2('executing: %r\n' % argv)
    p = ssubprocess.Popen(argv, stdin=s1a, stdout=s1b, preexec_fn=setup,
                          close_fds=True, stderr=stderr)
    os.close(s1a)
    os.close(s1b)
    s2.sendall(content)
    s2.sendall(content2)
    return p, s2
--- a/1
+++ b/1
@ -1 +0,0 @@
 main.py
--- a/sshuttle.md
+++ b/sshuttle.md
@ -1,259 +0,0 @@
 % sshuttle(8) Sshuttle 0.46
 % Avery Pennarun <apenwarr@gmail.com>
 % 2011-01-25
 # NAME
 sshuttle - a transparent proxy-based VPN using ssh
 # SYNOPSIS
 sshuttle [options...] [-r [username@]sshserver[:port]] \<subnets...\>
 # DESCRIPTION
 sshuttle allows you to create a VPN connection from your
 machine to any remote server that you can connect to via
 ssh, as long as that server has python 2.3 or higher.
 To work, you must have root access on the local machine,
 but you can have a normal account on the server.
 It's valid to run sshuttle more than once simultaneously on
 a single client machine, connecting to a different server
 every time, so you can be on more than one VPN at once.
 If run on a router, sshuttle can forward traffic for your
 entire subnet to the VPN.
 # OPTIONS
 \<subnets...\>
 :   a list of subnets to route over the VPN, in the form
    `a.b.c.d[/width]`.  Valid examples are 1.2.3.4 (a
    single IP address), 1.2.3.4/32 (equivalent to 1.2.3.4),
    1.2.3.0/24 (a 24-bit subnet, ie. with a 255.255.255.0
    netmask), and 0/0 ('just route everything through the
    VPN').
 -l, --listen=*[ip:]port*
 :   use this ip address and port number as the transparent
    proxy port.  By default sshuttle finds an available
    port automatically and listens on IP 127.0.0.1
    (localhost), so you don't need to override it, and
    connections are only proxied from the local machine,
    not from outside machines.  If you want to accept
    connections from other machines on your network (ie. to
    run sshuttle on a router) try enabling IP Forwarding in
    your kernel, then using `--listen 0.0.0.0:0`. 
 -H, --auto-hosts
 :   scan for remote hostnames and update the local /etc/hosts
    file with matching entries for as long as the VPN is
    open.  This is nicer than changing your system's DNS
    (/etc/resolv.conf) settings, for several reasons.  First,
    hostnames are added without domain names attached, so
    you can `ssh thatserver` without worrying if your local
    domain matches the remote one.  Second, if you sshuttle
    into more than one VPN at a time, it's impossible to
    use more than one DNS server at once anyway, but
    sshuttle correctly merges /etc/hosts entries between
    all running copies.  Third, if you're only routing a
    few subnets over the VPN, you probably would prefer to
    keep using your local DNS server for everything else.
 -N, --auto-nets
 :   in addition to the subnets provided on the command
    line, ask the server which subnets it thinks we should
    route, and route those automatically.  The suggestions
    are taken automatically from the server's routing
    table.
 --python
 :   specify the name/path of the remote python interpreter. 
    The default is just `python`, which means to use the
    default python interpreter on the remote system's PATH.
 -r, --remote=*[username@]sshserver[:port]*
 :   the remote hostname and optional username and ssh
    port number to use for connecting to the remote server. 
    For example, example.com, testuser@example.com,
    testuser@example.com:2222, or example.com:2244.
 -x, --exclude=*subnet*
 :   explicitly exclude this subnet from forwarding.  The
    format of this option is the same as the `<subnets>`
    option.  To exclude more than one subnet, specify the
    `-x` option more than once.  You can say something like
    `0/0 -x 1.2.3.0/24` to forward everything except the
    local subnet over the VPN, for example.
 -v, --verbose
 :   print more information about the session.  This option
    can be used more than once for increased verbosity.  By
    default, sshuttle prints only error messages.
 -e, --ssh-cmd
 :   the command to use to connect to the remote server. The
    default is just `ssh`.  Use this if your ssh client is
    in a non-standard location or you want to provide extra
    options to the ssh command, for example, `-e 'ssh -v'`.
 --seed-hosts
 :   a comma-separated list of hostnames to use to
    initialize the `--auto-hosts` scan algorithm. 
    `--auto-hosts` does things like poll local SMB servers
    for lists of local hostnames, but can speed things up
    if you use this option to give it a few names to start
    from.
 --no-latency-control
 :   sacrifice latency to improve bandwidth benchmarks. ssh
    uses really big socket buffers, which can overload the
    connection if you start doing large file transfers,
    thus making all your other sessions inside the same
    tunnel go slowly. Normally, sshuttle tries to avoid
    this problem using a "fullness check" that allows only
    a certain amount of outstanding data to be buffered at
    a time.  But on high-bandwidth links, this can leave a
    lot of your bandwidth underutilized.  It also makes
    sshuttle seem slow in bandwidth benchmarks (benchmarks
    rarely test ping latency, which is what sshuttle is
    trying to control).  This option disables the latency
    control feature, maximizing bandwidth usage.  Use at
    your own risk.
 -D, --daemon
 :   automatically fork into the background after connecting
    to the remote server.  Implies `--syslog`.
 --syslog
 :   after connecting, send all log messages to the
    `syslog`(3) service instead of stderr.  This is
    implicit if you use `--daemon`.
 --pidfile=*pidfilename*
 :   when using `--daemon`, save sshuttle's pid to
    *pidfilename*.  The default is `sshuttle.pid` in the
    current directory.
 --server
 :   (internal use only) run the sshuttle server on
    stdin/stdout.  This is what the client runs on
    the remote end.
 --firewall
 :   (internal use only) run the firewall manager.  This is
    the only part of sshuttle that must run as root.  If
    you start sshuttle as a non-root user, it will
    automatically run `sudo` or `su` to start the firewall
    manager, but the core of sshuttle still runs as a
    normal user.
 --hostwatch
 :   (internal use only) run the hostwatch daemon.  This
    process runs on the server side and collects hostnames for
    the `--auto-hosts` option.  Using this option by itself
    makes it a lot easier to debug and test the `--auto-hosts`
    feature.
 # EXAMPLES
 Test locally by proxying all local connections, without using ssh:
    $ sshuttle -v 0/0
    Starting sshuttle proxy.
    Listening on ('0.0.0.0', 12300).
    [local sudo] Password: 
    firewall manager ready.
    c : connecting to server...
     s: available routes:
     s:   192.168.42.0/24
    c : connected.
    firewall manager: starting transproxy.
    c : Accept: 192.168.42.106:50035 -> 192.168.42.121:139.
    c : Accept: 192.168.42.121:47523 -> 77.141.99.22:443.
        ...etc...
    ^C
    firewall manager: undoing changes.
    KeyboardInterrupt
    c : Keyboard interrupt: exiting.
    c : SW#8:192.168.42.121:47523: deleting
    c : SW#6:192.168.42.106:50035: deleting
 Test connection to a remote server, with automatic hostname
 and subnet guessing:
    $ sshuttle -vNHr example.org
    Starting sshuttle proxy.
    Listening on ('0.0.0.0', 12300).
    firewall manager ready.
    c : connecting to server...
     s: available routes:
     s:   77.141.99.0/24
    c : connected.
    c : seed_hosts: []
    firewall manager: starting transproxy.
    hostwatch: Found: testbox1: 1.2.3.4
    hostwatch: Found: mytest2: 5.6.7.8
    hostwatch: Found: domaincontroller: 99.1.2.3
    c : Accept: 192.168.42.121:60554 -> 77.141.99.22:22.
    ^C
    firewall manager: undoing changes.
    c : Keyboard interrupt: exiting.
    c : SW#6:192.168.42.121:60554: deleting
 # DISCUSSION
 When it starts, sshuttle creates an ssh session to the
 server specified by the `-r` option.  If `-r` is omitted,
 it will start both its client and server locally, which is
 sometimes useful for testing.
 After connecting to the remote server, sshuttle uploads its
 (python) source code to the remote end and executes it
 there.  Thus, you don't need to install sshuttle on the
 remote server, and there are never sshuttle version
 conflicts between client and server.
 Unlike most VPNs, sshuttle forwards sessions, not packets. 
 That is, it uses kernel transparent proxying (`iptables
 REDIRECT` rules on Linux, or `ipfw fwd` rules on BSD) to
 capture outgoing TCP sessions, then creates entirely
 separate TCP sessions out to the original destination at
 the other end of the tunnel.
 Packet-level forwarding (eg. using the tun/tap devices on
 Linux) seems elegant at first, but it results in
 several problems, notably the 'tcp over tcp' problem.  The
 tcp protocol depends fundamentally on packets being dropped
 in order to implement its congestion control agorithm; if
 you pass tcp packets through a tcp-based tunnel (such as
 ssh), the inner tcp packets will never be dropped, and so
 the inner tcp stream's congestion control will be
 completely broken, and performance will be terrible.  Thus,
 packet-based VPNs (such as IPsec and openvpn) cannot use
 tcp-based encrypted streams like ssh or ssl, and have to
 implement their own encryption from scratch, which is very
 complex and error prone.
 sshuttle's simplicity comes from the fact that it can
 safely use the existing ssh encrypted tunnel without
 incurring a performance penalty.  It does this by letting
 the client-side kernel manage the incoming tcp stream, and
 the server-side kernel manage the outgoing tcp stream;
 there is no need for congestion control to be shared
 between the two separate streams, so a tcp-based tunnel is
 fine.
 # SEE ALSO
 `ssh`(1), `python`(1)
--- a/sshuttle/init.py
+++ b/sshuttle/init.py
@ -0,0 +1,4 @@
 try:
    from sshuttle.version import version as __version__
 except ImportError:
    __version__ = "unknown"
--- a/sshuttle/main.py
+++ b/sshuttle/main.py
@ -0,0 +1,4 @@
 """Coverage.py's main entry point."""
 import sys
 from sshuttle.cmdline import main
 sys.exit(main())
--- a/sshuttle/assembler.py
+++ b/sshuttle/assembler.py
@ -0,0 +1,37 @@
 import sys
 import zlib
 import imp
 z = zlib.decompressobj()
 while 1:
    name = sys.stdin.readline().strip()
    if name:
        name = name.decode("ASCII")
        nbytes = int(sys.stdin.readline())
        if verbosity >= 2:
            sys.stderr.write('server: assembling %r (%d bytes)\n'
                             % (name, nbytes))
        content = z.decompress(sys.stdin.read(nbytes))
        module = imp.new_module(name)
        parents = name.rsplit(".", 1)
        if len(parents) == 2:
            parent, parent_name = parents
            setattr(sys.modules[parent], parent_name, module)
        code = compile(content, name, "exec")
        exec(code, module.__dict__)
        sys.modules[name] = module
    else:
        break
 sys.stderr.flush()
 sys.stdout.flush()
 import sshuttle.helpers
 sshuttle.helpers.verbose = verbosity
 import sshuttle.cmdline_options as options
 from sshuttle.server import main
 main(options.latency_control, options.auto_hosts)
--- a/sshuttle/client.py
+++ b/sshuttle/client.py
@ -0,0 +1,753 @@
 import errno
 import re
 import signal
 import time
 import subprocess as ssubprocess
 import sshuttle.helpers as helpers
 import os
 import sshuttle.ssnet as ssnet
 import sshuttle.ssh as ssh
 import sshuttle.ssyslog as ssyslog
 import sshuttle.sdnotify as sdnotify
 import sys
 import platform
 from sshuttle.ssnet import SockWrapper, Handler, Proxy, Mux, MuxWrapper
 from sshuttle.helpers import log, debug1, debug2, debug3, Fatal, islocal, \
    resolvconf_nameservers
 from sshuttle.methods import get_method, Features
 try:
    # try getting recvmsg from python
    import socket as pythonsocket
    getattr(pythonsocket.socket, "recvmsg")
    socket = pythonsocket
 except AttributeError:
    # try getting recvmsg from socket_ext library
    try:
        import socket_ext
        getattr(socket_ext.socket, "recvmsg")
        socket = socket_ext
    except ImportError:
        import socket
 _extra_fd = os.open('/dev/null', os.O_RDONLY)
 def got_signal(signum, frame):
    log('exiting on signal %d\n' % signum)
    sys.exit(1)
 _pidname = None
 def check_daemon(pidfile):
    global _pidname
    _pidname = os.path.abspath(pidfile)
    try:
        oldpid = open(_pidname).read(1024)
    except IOError as e:
        if e.errno == errno.ENOENT:
            return  # no pidfile, ok
        else:
            raise Fatal("can't read %s: %s" % (_pidname, e))
    if not oldpid:
        os.unlink(_pidname)
        return  # invalid pidfile, ok
    oldpid = int(oldpid.strip() or 0)
    if oldpid <= 0:
        os.unlink(_pidname)
        return  # invalid pidfile, ok
    try:
        os.kill(oldpid, 0)
    except OSError as e:
        if e.errno == errno.ESRCH:
            os.unlink(_pidname)
            return  # outdated pidfile, ok
        elif e.errno == errno.EPERM:
            pass
        else:
            raise
    raise Fatal("%s: sshuttle is already running (pid=%d)"
                % (_pidname, oldpid))
 def daemonize():
    if os.fork():
        os._exit(0)
    os.setsid()
    if os.fork():
        os._exit(0)
    outfd = os.open(_pidname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    try:
        os.write(outfd, b'%d\n' % os.getpid())
    finally:
        os.close(outfd)
    os.chdir("/")
    # Normal exit when killed, or try/finally won't work and the pidfile won't
    # be deleted.
    signal.signal(signal.SIGTERM, got_signal)
    si = open('/dev/null', 'r+')
    os.dup2(si.fileno(), 0)
    os.dup2(si.fileno(), 1)
    si.close()
 def daemon_cleanup():
    try:
        os.unlink(_pidname)
    except OSError as e:
        if e.errno == errno.ENOENT:
            pass
        else:
            raise
 class MultiListener:
    def __init__(self, type=socket.SOCK_STREAM, proto=0):
        self.type = type
        self.proto = proto
        self.v6 = None
        self.v4 = None
        self.bind_called = False
    def setsockopt(self, level, optname, value):
        assert(self.bind_called)
        if self.v6:
            self.v6.setsockopt(level, optname, value)
        if self.v4:
            self.v4.setsockopt(level, optname, value)
    def add_handler(self, handlers, callback, method, mux):
        assert(self.bind_called)
        socks = []
        if self.v6:
            socks.append(self.v6)
        if self.v4:
            socks.append(self.v4)
        handlers.append(
            Handler(
                socks,
                lambda sock: callback(sock, method, mux, handlers)
            )
        )
    def listen(self, backlog):
        assert(self.bind_called)
        if self.v6:
            self.v6.listen(backlog)
        if self.v4:
            try:
                self.v4.listen(backlog)
            except socket.error as e:
                # on some systems v4 bind will fail if the v6 suceeded,
                # in this case the v6 socket will receive v4 too.
                if e.errno == errno.EADDRINUSE and self.v6:
                    self.v4 = None
                else:
                    raise e
    def bind(self, address_v6, address_v4):
        assert(not self.bind_called)
        self.bind_called = True
        if address_v6 is not None:
            self.v6 = socket.socket(socket.AF_INET6, self.type, self.proto)
            self.v6.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            self.v6.bind(address_v6)
        else:
            self.v6 = None
        if address_v4 is not None:
            self.v4 = socket.socket(socket.AF_INET, self.type, self.proto)
            self.v4.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            self.v4.bind(address_v4)
        else:
            self.v4 = None
    def print_listening(self, what):
        assert(self.bind_called)
        if self.v6:
            listenip = self.v6.getsockname()
            debug1('%s listening on %r.\n' % (what, listenip))
            debug2('%s listening with %r.\n' % (what, self.v6))
        if self.v4:
            listenip = self.v4.getsockname()
            debug1('%s listening on %r.\n' % (what, listenip))
            debug2('%s listening with %r.\n' % (what, self.v4))
 class FirewallClient:
    def __init__(self, method_name):
        self.auto_nets = []
        python_path = os.path.dirname(os.path.dirname(__file__))
        argvbase = ([sys.executable, sys.argv[0]] +
                    ['-v'] * (helpers.verbose or 0) +
                    ['--method', method_name] +
                    ['--firewall'])
        if ssyslog._p:
            argvbase += ['--syslog']
        argv_tries = [
            ['sudo', '-p', '[local sudo] Password: ',
                ('PYTHONPATH=%s' % python_path), '--'] + argvbase,
            argvbase
        ]
        # we can't use stdin/stdout=subprocess.PIPE here, as we normally would,
        # because stupid Linux 'su' requires that stdin be attached to a tty.
        # Instead, attach a *bidirectional* socket to its stdout, and use
        # that for talking in both directions.
        (s1, s2) = socket.socketpair()
        def setup():
            # run in the child process
            s2.close()
        e = None
        if os.getuid() == 0:
            argv_tries = argv_tries[-1:]  # last entry only
        for argv in argv_tries:
            try:
                if argv[0] == 'su':
                    sys.stderr.write('[local su] ')
                self.p = ssubprocess.Popen(argv, stdout=s1, preexec_fn=setup)
                e = None
                break
            except OSError as e:
                pass
        self.argv = argv
        s1.close()
        if sys.version_info < (3, 0):
            # python 2.7
            self.pfile = s2.makefile('wb+')
        else:
            # python 3.5
            self.pfile = s2.makefile('rwb')
        if e:
            log('Spawning firewall manager: %r\n' % self.argv)
            raise Fatal(e)
        line = self.pfile.readline()
        self.check()
        if line[0:5] != b'READY':
            raise Fatal('%r expected READY, got %r' % (self.argv, line))
        method_name = line[6:-1]
        self.method = get_method(method_name.decode("ASCII"))
        self.method.set_firewall(self)
    def setup(self, subnets_include, subnets_exclude, nslist,
              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4, udp):
        self.subnets_include = subnets_include
        self.subnets_exclude = subnets_exclude
        self.nslist = nslist
        self.redirectport_v6 = redirectport_v6
        self.redirectport_v4 = redirectport_v4
        self.dnsport_v6 = dnsport_v6
        self.dnsport_v4 = dnsport_v4
        self.udp = udp
    def check(self):
        rv = self.p.poll()
        if rv:
            raise Fatal('%r returned %d' % (self.argv, rv))
    def start(self):
        self.pfile.write(b'ROUTES\n')
        for (family, ip, width, fport, lport) \
                in self.subnets_include + self.auto_nets:
            self.pfile.write(b'%d,%d,0,%s,%d,%d\n'
                    % (family, width, ip.encode("ASCII"), fport, lport))
        for (family, ip, width, fport, lport) in self.subnets_exclude:
            self.pfile.write(b'%d,%d,1,%s,%d,%d\n'
                    % (family, width, ip.encode("ASCII"), fport, lport))
        self.pfile.write(b'NSLIST\n')
        for (family, ip) in self.nslist:
            self.pfile.write(b'%d,%s\n'
                             % (family, ip.encode("ASCII")))
        self.pfile.write(
            b'PORTS %d,%d,%d,%d\n'
            % (self.redirectport_v6, self.redirectport_v4,
               self.dnsport_v6, self.dnsport_v4))
        udp = 0
        if self.udp:
            udp = 1
        self.pfile.write(b'GO %d\n' % udp)
        self.pfile.flush()
        line = self.pfile.readline()
        self.check()
        if line != b'STARTED\n':
            raise Fatal('%r expected STARTED, got %r' % (self.argv, line))
    def sethostip(self, hostname, ip):
        assert(not re.search(b'[^-\w]', hostname))
        assert(not re.search(b'[^0-9.]', ip))
        self.pfile.write(b'HOST %s,%s\n' % (hostname, ip))
        self.pfile.flush()
    def done(self):
        self.pfile.close()
        rv = self.p.wait()
        if rv:
            raise Fatal('cleanup: %r returned %d' % (self.argv, rv))
 dnsreqs = {}
 udp_by_src = {}
 def expire_connections(now, mux):
    remove = []
    for chan, timeout in dnsreqs.items():
        if timeout < now:
            debug3('expiring dnsreqs channel=%d\n' % chan)
            remove.append(chan)
            del mux.channels[chan]
    for chan in remove:
        del dnsreqs[chan]
    debug3('Remaining DNS requests: %d\n' % len(dnsreqs))
    remove = []
    for peer, (chan, timeout) in udp_by_src.items():
        if timeout < now:
            debug3('expiring UDP channel channel=%d peer=%r\n' % (chan, peer))
            mux.send(chan, ssnet.CMD_UDP_CLOSE, b'')
            remove.append(peer)
            del mux.channels[chan]
    for peer in remove:
        del udp_by_src[peer]
    debug3('Remaining UDP channels: %d\n' % len(udp_by_src))
 def onaccept_tcp(listener, method, mux, handlers):
    global _extra_fd
    try:
        sock, srcip = listener.accept()
    except socket.error as e:
        if e.args[0] in [errno.EMFILE, errno.ENFILE]:
            debug1('Rejected incoming connection: too many open files!\n')
            # free up an fd so we can eat the connection
            os.close(_extra_fd)
            try:
                sock, srcip = listener.accept()
                sock.close()
            finally:
                _extra_fd = os.open('/dev/null', os.O_RDONLY)
            return
        else:
            raise
    dstip = method.get_tcp_dstip(sock)
    debug1('Accept TCP: %s:%r -> %s:%r.\n' % (srcip[0], srcip[1],
                                              dstip[0], dstip[1]))
    if dstip[1] == sock.getsockname()[1] and islocal(dstip[0], sock.family):
        debug1("-- ignored: that's my address!\n")
        sock.close()
        return
    chan = mux.next_channel()
    if not chan:
        log('warning: too many open channels.  Discarded connection.\n')
        sock.close()
        return
    mux.send(chan, ssnet.CMD_TCP_CONNECT, b'%d,%s,%d' %
             (sock.family, dstip[0].encode("ASCII"), dstip[1]))
    outwrap = MuxWrapper(mux, chan)
    handlers.append(Proxy(SockWrapper(sock, sock), outwrap))
    expire_connections(time.time(), mux)
 def udp_done(chan, data, method, sock, dstip):
    (src, srcport, data) = data.split(b",", 2)
    srcip = (src, int(srcport))
    debug3('doing send from %r to %r\n' % (srcip, dstip,))
    method.send_udp(sock, srcip, dstip, data)
 def onaccept_udp(listener, method, mux, handlers):
    now = time.time()
    t = method.recv_udp(listener, 4096)
    if t is None:
        return
    srcip, dstip, data = t
    debug1('Accept UDP: %r -> %r.\n' % (srcip, dstip,))
    if srcip in udp_by_src:
        chan, timeout = udp_by_src[srcip]
    else:
        chan = mux.next_channel()
        mux.channels[chan] = lambda cmd, data: udp_done(
            chan, data, method, listener, dstip=srcip)
        mux.send(chan, ssnet.CMD_UDP_OPEN, b"%d" % listener.family)
    udp_by_src[srcip] = chan, now + 30
    hdr = b"%s,%d," % (dstip[0].encode("ASCII"), dstip[1])
    mux.send(chan, ssnet.CMD_UDP_DATA, hdr + data)
    expire_connections(now, mux)
 def dns_done(chan, data, method, sock, srcip, dstip, mux):
    debug3('dns_done: channel=%d src=%r dst=%r\n' % (chan, srcip, dstip))
    del mux.channels[chan]
    del dnsreqs[chan]
    method.send_udp(sock, srcip, dstip, data)
 def ondns(listener, method, mux, handlers):
    now = time.time()
    t = method.recv_udp(listener, 4096)
    if t is None:
        return
    srcip, dstip, data = t
    debug1('DNS request from %r to %r: %d bytes\n' % (srcip, dstip, len(data)))
    chan = mux.next_channel()
    dnsreqs[chan] = now + 30
    mux.send(chan, ssnet.CMD_DNS_REQ, data)
    mux.channels[chan] = lambda cmd, data: dns_done(
        chan, data, method, listener, srcip=dstip, dstip=srcip, mux=mux)
    expire_connections(now, mux)
 def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
          python, latency_control,
          dns_listener, seed_hosts, auto_hosts, auto_nets, daemon):
    debug1('Starting client with Python version %s\n'
           % platform.python_version())
    method = fw.method
    handlers = []
    if helpers.verbose >= 1:
        helpers.logprefix = 'c : '
    else:
        helpers.logprefix = 'client: '
    debug1('connecting to server...\n')
    try:
        (serverproc, serversock) = ssh.connect(
            ssh_cmd, remotename, python,
            stderr=ssyslog._p and ssyslog._p.stdin,
            options=dict(latency_control=latency_control,
                auto_hosts=auto_hosts))
    except socket.error as e:
        if e.args[0] == errno.EPIPE:
            raise Fatal("failed to establish ssh session (1)")
        else:
            raise
    mux = Mux(serversock, serversock)
    handlers.append(mux)
    expected = b'SSHUTTLE0001'
    try:
        v = 'x'
        while v and v != b'\0':
            v = serversock.recv(1)
        v = 'x'
        while v and v != b'\0':
            v = serversock.recv(1)
        initstring = serversock.recv(len(expected))
    except socket.error as e:
        if e.args[0] == errno.ECONNRESET:
            raise Fatal("failed to establish ssh session (2)")
        else:
            raise
    rv = serverproc.poll()
    if rv:
        raise Fatal('server died with error code %d' % rv)
    if initstring != expected:
        raise Fatal('expected server init string %r; got %r'
                    % (expected, initstring))
    log('Connected.\n')
    sys.stdout.flush()
    if daemon:
        daemonize()
        log('daemonizing (%s).\n' % _pidname)
    def onroutes(routestr):
        if auto_nets:
            for line in routestr.strip().split(b'\n'):
                (family, ip, width) = line.split(b',', 2)
                family = int(family)
                width = int(width)
                ip = ip.decode("ASCII")
                if family == socket.AF_INET6 and tcp_listener.v6 is None:
                    debug2("Ignored auto net %d/%s/%d\n" % (family, ip, width))
                if family == socket.AF_INET and tcp_listener.v4 is None:
                    debug2("Ignored auto net %d/%s/%d\n" % (family, ip, width))
                else:
                    debug2("Adding auto net %d/%s/%d\n" % (family, ip, width))
                    fw.auto_nets.append((family, ip, width, 0, 0))
        # we definitely want to do this *after* starting ssh, or we might end
        # up intercepting the ssh connection!
        #
        # Moreover, now that we have the --auto-nets option, we have to wait
        # for the server to send us that message anyway.  Even if we haven't
        # set --auto-nets, we might as well wait for the message first, then
        # ignore its contents.
        mux.got_routes = None
        fw.start()
    mux.got_routes = onroutes
    def onhostlist(hostlist):
        debug2('got host list: %r\n' % hostlist)
        for line in hostlist.strip().split():
            if line:
                name, ip = line.split(b',', 1)
                fw.sethostip(name, ip)
    mux.got_host_list = onhostlist
    tcp_listener.add_handler(handlers, onaccept_tcp, method, mux)
    if udp_listener:
        udp_listener.add_handler(handlers, onaccept_udp, method, mux)
    if dns_listener:
        dns_listener.add_handler(handlers, ondns, method, mux)
    if seed_hosts is not None:
        debug1('seed_hosts: %r\n' % seed_hosts)
        mux.send(0, ssnet.CMD_HOST_REQ, str.encode('\n'.join(seed_hosts)))
    sdnotify.send(sdnotify.ready(),
                  sdnotify.status('Connected to %s.' % remotename))
    while 1:
        rv = serverproc.poll()
        if rv:
            raise Fatal('server died with error code %d' % rv)
        ssnet.runonce(handlers, mux)
        if latency_control:
            mux.check_fullness()
 def main(listenip_v6, listenip_v4,
         ssh_cmd, remotename, python, latency_control, dns, nslist,
         method_name, seed_hosts, auto_hosts, auto_nets,
         subnets_include, subnets_exclude, daemon, pidfile):
    if daemon:
        try:
            check_daemon(pidfile)
        except Fatal as e:
            log("%s\n" % e)
            return 5
    debug1('Starting sshuttle proxy.\n')
    fw = FirewallClient(method_name)
    # Get family specific subnet lists
    if dns:
        nslist += resolvconf_nameservers()
    subnets = subnets_include + subnets_exclude  # we don't care here
    subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
    nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
    subnets_v4 = [i for i in subnets if i[0] == socket.AF_INET]
    nslist_v4 = [i for i in nslist if i[0] == socket.AF_INET]
    # Check features available
    avail = fw.method.get_supported_features()
    required = Features()
    if listenip_v6 == "auto":
        if avail.ipv6:
            listenip_v6 = ('::1', 0)
        else:
            listenip_v6 = None
    required.ipv6 = len(subnets_v6) > 0 or listenip_v6 is not None
    required.ipv4 = len(subnets_v4) > 0 or listenip_v4 is not None
    required.udp = avail.udp
    required.dns = len(nslist) > 0
    # if IPv6 not supported, ignore IPv6 DNS servers
    if not required.ipv6:
        nslist_v6 = []
        nslist = nslist_v4
    fw.method.assert_features(required)
    if required.ipv6 and listenip_v6 is None:
        raise Fatal("IPv6 required but not listening.")
    # display features enabled
    debug1("IPv6 enabled: %r\n" % required.ipv6)
    debug1("UDP enabled: %r\n" % required.udp)
    debug1("DNS enabled: %r\n" % required.dns)
    # bind to required ports
    if listenip_v4 == "auto":
        listenip_v4 = ('127.0.0.1', 0)
    if required.ipv4 and \
            not any(listenip_v4[0] == sex[1] for sex in subnets_v4):
        subnets_exclude.append((socket.AF_INET, listenip_v4[0], 32, 0, 0))
    if required.ipv6 and \
            not any(listenip_v6[0] == sex[1] for sex in subnets_v6):
        subnets_exclude.append((socket.AF_INET6, listenip_v6[0], 128, 0, 0))
    if listenip_v6 and listenip_v6[1] and listenip_v4 and listenip_v4[1]:
        # if both ports given, no need to search for a spare port
        ports = [0, ]
    else:
        # if at least one port missing, we have to search
        ports = range(12300, 9000, -1)
    # search for free ports and try to bind
    last_e = None
    redirectport_v6 = 0
    redirectport_v4 = 0
    bound = False
    debug2('Binding redirector:')
    for port in ports:
        debug2(' %d' % port)
        tcp_listener = MultiListener()
        if required.udp:
            udp_listener = MultiListener(socket.SOCK_DGRAM)
        else:
            udp_listener = None
        if listenip_v6 and listenip_v6[1]:
            lv6 = listenip_v6
            redirectport_v6 = lv6[1]
        elif listenip_v6:
            lv6 = (listenip_v6[0], port)
            redirectport_v6 = port
        else:
            lv6 = None
            redirectport_v6 = 0
        if listenip_v4 and listenip_v4[1]:
            lv4 = listenip_v4
            redirectport_v4 = lv4[1]
        elif listenip_v4:
            lv4 = (listenip_v4[0], port)
            redirectport_v4 = port
        else:
            lv4 = None
            redirectport_v4 = 0
        try:
            tcp_listener.bind(lv6, lv4)
            if udp_listener:
                udp_listener.bind(lv6, lv4)
            bound = True
            break
        except socket.error as e:
            if e.errno == errno.EADDRINUSE:
                last_e = e
            else:
                raise e
    debug2('\n')
    if not bound:
        assert(last_e)
        raise last_e
    tcp_listener.listen(10)
    tcp_listener.print_listening("TCP redirector")
    if udp_listener:
        udp_listener.print_listening("UDP redirector")
    bound = False
    if required.dns:
        # search for spare port for DNS
        debug2('Binding DNS:')
        ports = range(12300, 9000, -1)
        for port in ports:
            debug2(' %d' % port)
            dns_listener = MultiListener(socket.SOCK_DGRAM)
            if listenip_v6:
                lv6 = (listenip_v6[0], port)
                dnsport_v6 = port
            else:
                lv6 = None
                dnsport_v6 = 0
            if listenip_v4:
                lv4 = (listenip_v4[0], port)
                dnsport_v4 = port
            else:
                lv4 = None
                dnsport_v4 = 0
            try:
                dns_listener.bind(lv6, lv4)
                bound = True
                break
            except socket.error as e:
                if e.errno == errno.EADDRINUSE:
                    last_e = e
                else:
                    raise e
        debug2('\n')
        dns_listener.print_listening("DNS")
        if not bound:
            assert(last_e)
            raise last_e
    else:
        dnsport_v6 = 0
        dnsport_v4 = 0
        dns_listener = None
    # Last minute sanity checks.
    # These should never fail.
    # If these do fail, something is broken above.
    if len(subnets_v6) > 0:
        assert required.ipv6
        if redirectport_v6 == 0:
            raise Fatal("IPv6 subnets defined but not listening")
    if len(nslist_v6) > 0:
        assert required.dns
        assert required.ipv6
        if dnsport_v6 == 0:
            raise Fatal("IPv6 ns servers defined but not listening")
    if len(subnets_v4) > 0:
        if redirectport_v4 == 0:
            raise Fatal("IPv4 subnets defined but not listening")
    if len(nslist_v4) > 0:
        if dnsport_v4 == 0:
            raise Fatal("IPv4 ns servers defined but not listening")
    # setup method specific stuff on listeners
    fw.method.setup_tcp_listener(tcp_listener)
    if udp_listener:
        fw.method.setup_udp_listener(udp_listener)
    if dns_listener:
        fw.method.setup_udp_listener(dns_listener)
    # start the firewall
    fw.setup(subnets_include, subnets_exclude, nslist,
             redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4,
             required.udp)
    # start the client process
    try:
        return _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                     python, latency_control, dns_listener,
                     seed_hosts, auto_hosts, auto_nets, daemon)
    finally:
        try:
            if daemon:
                # it's not our child anymore; can't waitpid
                fw.p.returncode = 0
            fw.done()
        finally:
            if daemon:
                daemon_cleanup()
--- a/sshuttle/cmdline.py
+++ b/sshuttle/cmdline.py
@ -0,0 +1,90 @@
 import re
 import socket
 import sshuttle.helpers as helpers
 import sshuttle.client as client
 import sshuttle.firewall as firewall
 import sshuttle.hostwatch as hostwatch
 import sshuttle.ssyslog as ssyslog
 from sshuttle.options import parser, parse_ipport
 from sshuttle.helpers import family_ip_tuple, log, Fatal
 def main():
    opt = parser.parse_args()
    if opt.daemon:
        opt.syslog = 1
    if opt.wrap:
        import sshuttle.ssnet as ssnet
        ssnet.MAX_CHANNEL = opt.wrap
    helpers.verbose = opt.verbose
    try:
        if opt.firewall:
            if opt.subnets or opt.subnets_file:
                parser.error('exactly zero arguments expected')
            return firewall.main(opt.method, opt.syslog)
        elif opt.hostwatch:
            return hostwatch.hw_main(opt.subnets)
        else:
            includes = opt.subnets + opt.subnets_file
            excludes = opt.exclude
            if not includes and not opt.auto_nets:
                parser.error('at least one subnet, subnet file, '
                             'or -N expected')
            remotename = opt.remote
            if remotename == '' or remotename == '-':
                remotename = None
            nslist = [family_ip_tuple(ns) for ns in opt.ns_hosts]
            if opt.seed_hosts:
                sh = re.split(r'[\s,]+', (opt.seed_hosts or "").strip())
            elif opt.auto_hosts:
                sh = []
            else:
                sh = None
            if opt.listen:
                ipport_v6 = None
                ipport_v4 = None
                list = opt.listen.split(",")
                for ip in list:
                    family, ip, port = parse_ipport(ip)
                    if family == socket.AF_INET6:
                        ipport_v6 = (ip, port)
                    else:
                        ipport_v4 = (ip, port)
            else:
                # parse_ipport4('127.0.0.1:0')
                ipport_v4 = "auto"
                # parse_ipport6('[::1]:0')
                ipport_v6 = "auto" if not opt.disable_ipv6 else None
            if opt.syslog:
                ssyslog.start_syslog()
                ssyslog.stderr_to_syslog()
            return_code = client.main(ipport_v6, ipport_v4,
                                      opt.ssh_cmd,
                                      remotename,
                                      opt.python,
                                      opt.latency_control,
                                      opt.dns,
                                      nslist,
                                      opt.method,
                                      sh,
                                      opt.auto_hosts,
                                      opt.auto_nets,
                                      includes,
                                      excludes,
                                      opt.daemon, opt.pidfile)
            if return_code == 0:
                log('Normal exit code, exiting...')
            else:
                log('Abnormal exit code detected, failing...' % return_code)
            return return_code
    except Fatal as e:
        log('fatal: %s\n' % e)
        return 99
    except KeyboardInterrupt:
        log('\n')
        log('Keyboard interrupt: exiting.\n')
        return 1
--- a/sshuttle/firewall.py
+++ b/sshuttle/firewall.py
@ -0,0 +1,282 @@
 import errno
 import socket
 import signal
 import sshuttle.ssyslog as ssyslog
 import sys
 import os
 import platform
 import traceback
 from sshuttle.helpers import debug1, debug2, Fatal
 from sshuttle.methods import get_auto_method, get_method
 HOSTSFILE = '/etc/hosts'
 def rewrite_etc_hosts(hostmap, port):
    BAKFILE = '%s.sbak' % HOSTSFILE
    APPEND = '# sshuttle-firewall-%d AUTOCREATED' % port
    old_content = ''
    st = None
    try:
        old_content = open(HOSTSFILE).read()
        st = os.stat(HOSTSFILE)
    except IOError as e:
        if e.errno == errno.ENOENT:
            pass
        else:
            raise
    if old_content.strip() and not os.path.exists(BAKFILE):
        os.link(HOSTSFILE, BAKFILE)
    tmpname = "%s.%d.tmp" % (HOSTSFILE, port)
    f = open(tmpname, 'w')
    for line in old_content.rstrip().split('\n'):
        if line.find(APPEND) >= 0:
            continue
        f.write('%s\n' % line)
    for (name, ip) in sorted(hostmap.items()):
        f.write('%-30s %s\n' % ('%s %s' % (ip, name), APPEND))
    f.close()
    if st is not None:
        os.chown(tmpname, st.st_uid, st.st_gid)
        os.chmod(tmpname, st.st_mode)
    else:
        os.chown(tmpname, 0, 0)
        os.chmod(tmpname, 0o600)
    os.rename(tmpname, HOSTSFILE)
 def restore_etc_hosts(port):
    rewrite_etc_hosts({}, port)
 # Isolate function that needs to be replaced for tests
 def setup_daemon():
    if os.getuid() != 0:
        raise Fatal('you must be root (or enable su/sudo) to set the firewall')
    # don't disappear if our controlling terminal or stdout/stderr
    # disappears; we still have to clean up.
    signal.signal(signal.SIGHUP, signal.SIG_IGN)
    signal.signal(signal.SIGPIPE, signal.SIG_IGN)
    signal.signal(signal.SIGTERM, signal.SIG_IGN)
    signal.signal(signal.SIGINT, signal.SIG_IGN)
    # ctrl-c shouldn't be passed along to me.  When the main sshuttle dies,
    # I'll die automatically.
    os.setsid()
    # because of limitations of the 'su' command, the *real* stdin/stdout
    # are both attached to stdout initially.  Clone stdout into stdin so we
    # can read from it.
    os.dup2(1, 0)
    return sys.stdin, sys.stdout
 # Note that we're sorting in a very particular order:
 # we need to go from smaller, more specific, port ranges, to larger,
 # less-specific, port ranges. At each level, we order by subnet
 # width, from most-specific subnets (largest swidth) to
 # least-specific. On ties, excludes come first.
 # s:(inet, subnet width, exclude flag, subnet, first port, last port)
 def subnet_weight(s):
    return (-s[-1] + (s[-2] or -65535), s[1], s[2])
 # This is some voodoo for setting up the kernel's transparent
 # proxying stuff.  If subnets is empty, we just delete our sshuttle rules;
 # otherwise we delete it, then make them from scratch.
 #
 # This code is supposed to clean up after itself by deleting its rules on
 # exit.  In case that fails, it's not the end of the world; future runs will
 # supercede it in the transproxy list, at least, so the leftover rules
 # are hopefully harmless.
 def main(method_name, syslog):
    stdin, stdout = setup_daemon()
    hostmap = {}
    debug1('firewall manager: Starting firewall with Python version %s\n'
           % platform.python_version())
    if method_name == "auto":
        method = get_auto_method()
    else:
        method = get_method(method_name)
    if syslog:
        ssyslog.start_syslog()
        ssyslog.stderr_to_syslog()
    debug1('firewall manager: ready method name %s.\n' % method.name)
    stdout.write('READY %s\n' % method.name)
    stdout.flush()
    # we wait until we get some input before creating the rules.  That way,
    # sshuttle can launch us as early as possible (and get sudo password
    # authentication as early in the startup process as possible).
    line = stdin.readline(128)
    if not line:
        return  # parent died; nothing to do
    subnets = []
    if line != 'ROUTES\n':
        raise Fatal('firewall: expected ROUTES but got %r' % line)
    while 1:
        line = stdin.readline(128)
        if not line:
            raise Fatal('firewall: expected route but got %r' % line)
        elif line.startswith("NSLIST\n"):
            break
        try:
            (family, width, exclude, ip, fport, lport) = \
                    line.strip().split(',', 5)
        except:
            raise Fatal('firewall: expected route or NSLIST but got %r' % line)
        subnets.append((
            int(family),
            int(width),
            bool(int(exclude)),
            ip,
            int(fport),
            int(lport)))
    debug2('firewall manager: Got subnets: %r\n' % subnets)
    nslist = []
    if line != 'NSLIST\n':
        raise Fatal('firewall: expected NSLIST but got %r' % line)
    while 1:
        line = stdin.readline(128)
        if not line:
            raise Fatal('firewall: expected nslist but got %r' % line)
        elif line.startswith("PORTS "):
            break
        try:
            (family, ip) = line.strip().split(',', 1)
        except:
            raise Fatal('firewall: expected nslist or PORTS but got %r' % line)
        nslist.append((int(family), ip))
        debug2('firewall manager: Got partial nslist: %r\n' % nslist)
    debug2('firewall manager: Got nslist: %r\n' % nslist)
    if not line.startswith('PORTS '):
        raise Fatal('firewall: expected PORTS but got %r' % line)
    _, _, ports = line.partition(" ")
    ports = ports.split(",")
    if len(ports) != 4:
        raise Fatal('firewall: expected 4 ports but got %n' % len(ports))
    port_v6 = int(ports[0])
    port_v4 = int(ports[1])
    dnsport_v6 = int(ports[2])
    dnsport_v4 = int(ports[3])
    assert(port_v6 >= 0)
    assert(port_v6 <= 65535)
    assert(port_v4 >= 0)
    assert(port_v4 <= 65535)
    assert(dnsport_v6 >= 0)
    assert(dnsport_v6 <= 65535)
    assert(dnsport_v4 >= 0)
    assert(dnsport_v4 <= 65535)
    debug2('firewall manager: Got ports: %d,%d,%d,%d\n'
           % (port_v6, port_v4, dnsport_v6, dnsport_v4))
    line = stdin.readline(128)
    if not line:
        raise Fatal('firewall: expected GO but got %r' % line)
    elif not line.startswith("GO "):
        raise Fatal('firewall: expected GO but got %r' % line)
    _, _, udp = line.partition(" ")
    udp = bool(int(udp))
    debug2('firewall manager: Got udp: %r\n' % udp)
    subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
    nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
    subnets_v4 = [i for i in subnets if i[0] == socket.AF_INET]
    nslist_v4 = [i for i in nslist if i[0] == socket.AF_INET]
    try:
        debug1('firewall manager: setting up.\n')
        if len(subnets_v6) > 0 or len(nslist_v6) > 0:
            debug2('firewall manager: setting up IPv6.\n')
            method.setup_firewall(
                port_v6, dnsport_v6, nslist_v6,
                socket.AF_INET6, subnets_v6, udp)
        if len(subnets_v4) > 0 or len(nslist_v4) > 0:
            debug2('firewall manager: setting up IPv4.\n')
            method.setup_firewall(
                port_v4, dnsport_v4, nslist_v4,
                socket.AF_INET, subnets_v4, udp)
        stdout.write('STARTED\n')
        try:
            stdout.flush()
        except IOError:
            # the parent process died for some reason; he's surely been loud
            # enough, so no reason to report another error
            return
        # Now we wait until EOF or any other kind of exception.  We need
        # to stay running so that we don't need a *second* password
        # authentication at shutdown time - that cleanup is important!
        while 1:
            line = stdin.readline(128)
            if line.startswith('HOST '):
                (name, ip) = line[5:].strip().split(',', 1)
                hostmap[name] = ip
                debug2('firewall manager: setting up /etc/hosts.\n')
                rewrite_etc_hosts(hostmap, port_v6 or port_v4)
            elif line:
                if not method.firewall_command(line):
                    raise Fatal('firewall: expected command, got %r' % line)
            else:
                break
    finally:
        try:
            sdnotify.send(sdnotify.stop())
            debug1('firewall manager: undoing changes.\n')
        except:
            pass
        try:
            if len(subnets_v6) > 0 or len(nslist_v6) > 0:
                debug2('firewall manager: undoing IPv6 changes.\n')
                method.restore_firewall(port_v6, socket.AF_INET6, udp)
        except:
            try:
                debug1("firewall manager: "
                       "Error trying to undo IPv6 firewall.\n")
                for line in traceback.format_exc().splitlines():
                    debug1("---> %s\n" % line)
            except:
                pass
        try:
            if len(subnets_v4) > 0 or len(nslist_v4) > 0:
                debug2('firewall manager: undoing IPv4 changes.\n')
                method.restore_firewall(port_v4, socket.AF_INET, udp)
        except:
            try:
                debug1("firewall manager: "
                       "Error trying to undo IPv4 firewall.\n")
                for line in traceback.format_exc().splitlines():
                    debug1("firewall manager: ---> %s\n" % line)
            except:
                pass
        try:
            debug2('firewall manager: undoing /etc/hosts changes.\n')
            restore_etc_hosts(port_v6 or port_v4)
        except:
            try:
                debug1("firewall manager: "
                       "Error trying to undo /etc/hosts changes.\n")
                for line in traceback.format_exc().splitlines():
                    debug1("firewall manager: ---> %s\n" % line)
            except:
                pass
--- a/sshuttle/helpers.py
+++ b/sshuttle/helpers.py
@ -1,26 +1,51 @@
-import sys, os, socket
+import sys
 import socket
 import errno
 logprefix = ''
 verbose = 0
 if sys.version_info[0] == 3:
    binary_type = bytes
    def b(s):
        return s.encode("ASCII")
 else:
    binary_type = str
    def b(s):
        return s
 def log(s):
    global logprefix
    try:
        sys.stdout.flush()
-        sys.stderr.write(logprefix + s)
+        if s.find("\n") != -1:
            prefix = logprefix
            s = s.rstrip("\n")
            for line in s.split("\n"):
                sys.stderr.write(prefix + line + "\n")
                prefix = "---> "
        else:
            sys.stderr.write(logprefix + s)
        sys.stderr.flush()
    except IOError:
        # this could happen if stderr gets forcibly disconnected, eg. because
        # our tty closes.  That sucks, but it's no reason to abort the program.
        pass
 def debug1(s):
    if verbose >= 1:
        log(s)
 def debug2(s):
    if verbose >= 2:
        log(s)
 def debug3(s):
    if verbose >= 3:
        log(s)
@ -30,19 +55,12 @@ class Fatal(Exception):
    pass
 def list_contains_any(l, sub):
    for i in sub:
        if i in l:
            return True
    return False
 def resolvconf_nameservers():
    l = []
    for line in open('/etc/resolv.conf'):
        words = line.lower().split()
        if len(words) >= 2 and words[0] == 'nameserver':
-            l.append(words[1])
+            l.append(family_ip_tuple(words[1]))
    return l
@ -55,15 +73,16 @@ def resolvconf_random_nameserver():
            random.shuffle(l)
        return l[0]
    else:
-        return '127.0.0.1'
+        return (socket.AF_INET, '127.0.0.1')
-def islocal(ip):
+def islocal(ip, family):
-    sock = socket.socket()
+    sock = socket.socket(family)
    try:
        try:
            sock.bind((ip, 0))
-        except socket.error, e:
+        except socket.error:
            _, e = sys.exc_info()[:2]
            if e.args[0] == errno.EADDRNOTAVAIL:
                return False  # not a local IP
            else:
@ -73,3 +92,17 @@ def islocal(ip):
    return True  # it's a local IP, or there would have been an error
 def family_ip_tuple(ip):
    if ':' in ip:
        return (socket.AF_INET6, ip)
    else:
        return (socket.AF_INET, ip)
 def family_to_string(family):
    if family == socket.AF_INET6:
        return "AF_INET6"
    elif family == socket.AF_INET:
        return "AF_INET"
    else:
        return str(family)
--- a/sshuttle/hostwatch.py
+++ b/sshuttle/hostwatch.py
@ -1,19 +1,31 @@
-import time, socket, re, select, errno
+import time
-if not globals().get('skip_imports'):
+import socket
-    import compat.ssubprocess as ssubprocess
+import re
-    import helpers
+import select
-    from helpers import *
+import errno
 import os
 import sys
 import platform
-POLL_TIME = 60*15
+import subprocess as ssubprocess
 import sshuttle.helpers as helpers
 from sshuttle.helpers import log, debug1, debug2, debug3
 POLL_TIME = 60 * 15
 NETSTAT_POLL_TIME = 30
-CACHEFILE=os.path.expanduser('~/.sshuttle.hosts')
+CACHEFILE = os.path.expanduser('~/.sshuttle.hosts')
 _nmb_ok = True
 _smb_ok = True
 hostnames = {}
 queue = {}
-null = open('/dev/null', 'rb+')
+try:
    null = open('/dev/null', 'wb')
 except IOError:
    _, e = sys.exc_info()[:2]
    log('warning: %s\n' % e)
    null = os.popen("sh -c 'while read x; do :; done'", 'wb', 4096)
 def _is_ip(s):
@ -24,9 +36,10 @@ def write_host_cache():
    tmpname = '%s.%d.tmp' % (CACHEFILE, os.getpid())
    try:
        f = open(tmpname, 'wb')
-        for name,ip in sorted(hostnames.items()):
+        for name, ip in sorted(hostnames.items()):
-            f.write('%s,%s\n' % (name, ip))
+            f.write(('%s,%s\n' % (name, ip)).encode("ASCII"))
        f.close()
        os.chmod(tmpname, 384)  # 600 in octal, 'rw-------'
        os.rename(tmpname, CACHEFILE)
    finally:
        try:
@ -38,7 +51,8 @@ def write_host_cache():
 def read_host_cache():
    try:
        f = open(CACHEFILE)
-    except IOError, e:
+    except IOError:
        _, e = sys.exc_info()[:2]
        if e.errno == errno.ENOENT:
            return
        else:
@ -46,7 +60,7 @@ def read_host_cache():
    for line in f:
        words = line.strip().split(',')
        if len(words) == 2:
-            (name,ip) = words
+            (name, ip) = words
            name = re.sub(r'[^-\w]', '-', name).strip()
            ip = re.sub(r'[^0-9.]', '', ip).strip()
            if name and ip:
@ -56,8 +70,8 @@ def read_host_cache():
 def found_host(hostname, ip):
    hostname = re.sub(r'\..*', '', hostname)
    hostname = re.sub(r'[^-\w]', '_', hostname)
-    if (ip.startswith('127.') or ip.startswith('255.') 
+    if (ip.startswith('127.') or ip.startswith('255.') or
-        or hostname == 'localhost'):
+            hostname == 'localhost'):
        return
    oldip = hostnames.get(hostname)
    if oldip != ip:
@ -90,7 +104,7 @@ def _check_revdns(ip):
        debug3('<    %s\n' % r[0])
        check_host(r[0])
        found_host(r[0], ip)
-    except socket.herror, e:
+    except socket.herror:
        pass
@ -101,7 +115,7 @@ def _check_dns(hostname):
        debug3('<    %s\n' % ip)
        check_host(ip)
        found_host(hostname, ip)
-    except socket.gaierror, e:
+    except socket.gaierror:
        pass
@ -110,9 +124,10 @@ def _check_netstat():
    argv = ['netstat', '-n']
    try:
        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
-        content = p.stdout.read()
+        content = p.stdout.read().decode("ASCII")
        p.wait()
-    except OSError, e:
+    except OSError:
        _, e = sys.exc_info()[:2]
        log('%r failed: %r\n' % (argv, e))
        return
@ -132,7 +147,8 @@ def _check_smb(hostname):
        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
        lines = p.stdout.readlines()
        p.wait()
-    except OSError, e:
+    except OSError:
        _, e = sys.exc_info()[:2]
        log('%r failed: %r\n' % (argv, e))
        _smb_ok = False
        return
@ -183,13 +199,14 @@ def _check_nmb(hostname, is_workgroup, is_master):
    global _nmb_ok
    if not _nmb_ok:
        return
-    argv = ['nmblookup'] + ['-M']*is_master + ['--', hostname]
+    argv = ['nmblookup'] + ['-M'] * is_master + ['--', hostname]
    debug2(' > n%d%d: %s\n' % (is_workgroup, is_master, hostname))
    try:
        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
        lines = p.stdout.readlines()
        rv = p.wait()
-    except OSError, e:
+    except OSError:
        _, e = sys.exc_info()[:2]
        log('%r failed: %r\n' % (argv, e))
        _nmb_ok = False
        return
@ -224,13 +241,13 @@ def check_workgroup(hostname):
 def _enqueue(op, *args):
-    t = (op,args)
+    t = (op, args)
-    if queue.get(t) == None:
+    if queue.get(t) is None:
        queue[t] = 0
 def _stdin_still_ok(timeout):
-    r,w,x = select.select([sys.stdin.fileno()], [], [], timeout)
+    r, w, x = select.select([sys.stdin.fileno()], [], [], timeout)
    if r:
        b = os.read(sys.stdin.fileno(), 4096)
        if not b:
@ -238,27 +255,31 @@ def _stdin_still_ok(timeout):
    return True
-def hw_main(seed_hosts):
+def hw_main(seed_hosts, auto_hosts):
    if helpers.verbose >= 2:
        helpers.logprefix = 'HH: '
    else:
        helpers.logprefix = 'hostwatch: '
-    read_host_cache()
+    debug1('Starting hostwatch with Python version %s\n'
           % platform.python_version())
    _enqueue(_check_etc_hosts)
    _enqueue(_check_netstat)
    check_host('localhost')
    check_host(socket.gethostname())
    check_workgroup('workgroup')
    check_workgroup('-')
    for h in seed_hosts:
        check_host(h)
    if auto_hosts:
        read_host_cache()
        _enqueue(_check_etc_hosts)
        _enqueue(_check_netstat)
        check_host('localhost')
        check_host(socket.gethostname())
        check_workgroup('workgroup')
        check_workgroup('-')
    while 1:
        now = time.time()
-        for t,last_polled in queue.items():
+        for t, last_polled in list(queue.items()):
-            (op,args) = t
+            (op, args) = t
            if not _stdin_still_ok(0):
                break
            maxtime = POLL_TIME
--- a/sshuttle/linux.py
+++ b/sshuttle/linux.py
@ -0,0 +1,71 @@
 import os
 import socket
 import subprocess as ssubprocess
 from sshuttle.helpers import log, debug1, Fatal, family_to_string
 def nonfatal(func, *args):
    try:
        func(*args)
    except Fatal as e:
        log('error: %s\n' % e)
 def ipt_chain_exists(family, table, name):
    if family == socket.AF_INET6:
        cmd = 'ip6tables'
    elif family == socket.AF_INET:
        cmd = 'iptables'
    else:
        raise Exception('Unsupported family "%s"' % family_to_string(family))
    argv = [cmd, '-t', table, '-nL']
    env = {
        'PATH': os.environ['PATH'],
        'LC_ALL': "C",
    }
    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
    for line in p.stdout:
        if line.startswith(b'Chain %s ' % name.encode("ASCII")):
            return True
    rv = p.wait()
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
 def ipt(family, table, *args):
    if family == socket.AF_INET6:
        argv = ['ip6tables', '-t', table] + list(args)
    elif family == socket.AF_INET:
        argv = ['iptables', '-t', table] + list(args)
    else:
        raise Exception('Unsupported family "%s"' % family_to_string(family))
    debug1('>> %s\n' % ' '.join(argv))
    env = {
        'PATH': os.environ['PATH'],
        'LC_ALL': "C",
    }
    rv = ssubprocess.call(argv, env=env)
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
 _no_ttl_module = False
 def ipt_ttl(family, *args):
    global _no_ttl_module
    if not _no_ttl_module:
        # we avoid infinite loops by generating server-side connections
        # with ttl 42.  This makes the client side not recapture those
        # connections, in case client == server.
        try:
            argsplus = list(args) + ['-m', 'ttl', '!', '--ttl', '42']
            ipt(family, *argsplus)
        except Fatal:
            ipt(family, *args)
            # we only get here if the non-ttl attempt succeeds
            log('sshuttle: warning: your iptables is missing '
                'the ttl module.\n')
            _no_ttl_module = True
    else:
        ipt(family, *args)
--- a/sshuttle/methods/init.py
+++ b/sshuttle/methods/init.py
@ -0,0 +1,107 @@
 import os
 import importlib
 import socket
 import struct
 import errno
 from sshuttle.helpers import Fatal, debug3
 def original_dst(sock):
    try:
        SO_ORIGINAL_DST = 80
        SOCKADDR_MIN = 16
        sockaddr_in = sock.getsockopt(socket.SOL_IP,
                                      SO_ORIGINAL_DST, SOCKADDR_MIN)
        (proto, port, a, b, c, d) = struct.unpack('!HHBBBB', sockaddr_in[:8])
        # FIXME: decoding is IPv4 only.
        assert(socket.htons(proto) == socket.AF_INET)
        ip = '%d.%d.%d.%d' % (a, b, c, d)
        return (ip, port)
    except socket.error as e:
        if e.args[0] == errno.ENOPROTOOPT:
            return sock.getsockname()
        raise
 class Features(object):
    pass
 class BaseMethod(object):
    def __init__(self, name):
        self.firewall = None
        self.name = name
    def set_firewall(self, firewall):
        self.firewall = firewall
    def get_supported_features(self):
        result = Features()
        result.ipv6 = False
        result.udp = False
        result.dns = True
        return result
    def get_tcp_dstip(self, sock):
        return original_dst(sock)
    def recv_udp(self, udp_listener, bufsize):
        debug3('Accept UDP using recvfrom.\n')
        data, srcip = udp_listener.recvfrom(bufsize)
        return (srcip, None, data)
    def send_udp(self, sock, srcip, dstip, data):
        if srcip is not None:
            Fatal("Method %s send_udp does not support setting srcip to %r"
                  % (self.name, srcip))
        sock.sendto(data, dstip)
    def setup_tcp_listener(self, tcp_listener):
        pass
    def setup_udp_listener(self, udp_listener):
        pass
    def assert_features(self, features):
        avail = self.get_supported_features()
        for key in ["udp", "dns", "ipv6"]:
            if getattr(features, key) and not getattr(avail, key):
                raise Fatal(
                    "Feature %s not supported with method %s.\n" %
                    (key, self.name))
    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
        raise NotImplementedError()
    def restore_firewall(self, port, family, udp):
        raise NotImplementedError()
    def firewall_command(self, line):
        return False
 def _program_exists(name):
    paths = (os.getenv('PATH') or os.defpath).split(os.pathsep)
    for p in paths:
        fn = '%s/%s' % (p, name)
        if os.path.exists(fn):
            return not os.path.isdir(fn) and os.access(fn, os.X_OK)
 def get_method(method_name):
    module = importlib.import_module("sshuttle.methods.%s" % method_name)
    return module.Method(method_name)
 def get_auto_method():
    if _program_exists('iptables'):
        method_name = "nat"
    elif _program_exists('pfctl'):
        method_name = "pf"
    elif _program_exists('ipfw'):
        method_name = "ipfw"
    else:
        raise Fatal(
            "can't find either iptables or pfctl; check your PATH")
    return get_method(method_name)
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@ -0,0 +1,268 @@
 import os
 import sys
 import struct
 import subprocess as ssubprocess
 from sshuttle.methods import BaseMethod
 from sshuttle.helpers import log, debug1, debug3, \
    Fatal, family_to_string
 recvmsg = None
 try:
    # try getting recvmsg from python
    import socket as pythonsocket
    getattr(pythonsocket.socket, "recvmsg")
    socket = pythonsocket
    recvmsg = "python"
 except AttributeError:
    # try getting recvmsg from socket_ext library
    try:
        import socket_ext
        getattr(socket_ext.socket, "recvmsg")
        socket = socket_ext
        recvmsg = "socket_ext"
    except ImportError:
        import socket
 IP_BINDANY = 24
 IP_RECVDSTADDR = 7
 SOL_IPV6 = 41
 IPV6_RECVDSTADDR = 74
 if recvmsg == "python":
    def recv_udp(listener, bufsize):
        debug3('Accept UDP python using recvmsg.\n')
        data, ancdata, msg_flags, srcip = listener.recvmsg(4096, socket.CMSG_SPACE(4))
        dstip = None
        family = None
        for cmsg_level, cmsg_type, cmsg_data in ancdata:
            if cmsg_level == socket.SOL_IP and cmsg_type == IP_RECVDSTADDR:
                port = 53
                ip = socket.inet_ntop(socket.AF_INET, cmsg_data[0:4])
                dstip = (ip, port)
                break
        return (srcip, dstip, data)
 elif recvmsg == "socket_ext":
    def recv_udp(listener, bufsize):
        debug3('Accept UDP using socket_ext recvmsg.\n')
        srcip, data, adata, flags = listener.recvmsg((bufsize,), socket.CMSG_SPACE(4))
        dstip = None
        family = None
        for a in adata:
            if a.cmsg_level == socket.SOL_IP and a.cmsg_type == IP_RECVDSTADDR:
                port = 53
                ip = socket.inet_ntop(socket.AF_INET, cmsg_data[0:4])
                dstip = (ip, port)
                break
        return (srcip, dstip, data[0])
 else:
    def recv_udp(listener, bufsize):
        debug3('Accept UDP using recvfrom.\n')
        data, srcip = listener.recvfrom(bufsize)
        return (srcip, None, data)
 def ipfw_rule_exists(n):
    argv = ['ipfw', 'list']
    env = {
        'PATH': os.environ['PATH'],
        'LC_ALL': "C",
    }
    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
    found = False
    for line in p.stdout:
        if line.startswith(b'%05d ' % n):
            if not ('ipttl 42' in line or 'check-state' in line):
                log('non-sshuttle ipfw rule: %r\n' % line.strip())
                raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
                found = True
    rv = p.wait()
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
    return found
 _oldctls = {}
 def _fill_oldctls(prefix):
    argv = ['sysctl', prefix]
    env = {
        'PATH': os.environ['PATH'],
        'LC_ALL': "C",
    }
    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
    for line in p.stdout:
        line = line.decode()
        assert(line[-1] == '\n')
        (k, v) = line[:-1].split(': ', 1)
        _oldctls[k] = v.strip()
    rv = p.wait()
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
    if not line:
        raise Fatal('%r returned no data' % (argv,))
 def _sysctl_set(name, val):
    argv = ['sysctl', '-w', '%s=%s' % (name, val)]
    debug1('>> %s\n' % ' '.join(argv))
    return ssubprocess.call(argv, stdout=open('/dev/null', 'w'))
 _changedctls = []
 def sysctl_set(name, val, permanent=False):
    PREFIX = 'net.inet.ip'
    assert(name.startswith(PREFIX + '.'))
    val = str(val)
    if not _oldctls:
        _fill_oldctls(PREFIX)
    if not (name in _oldctls):
        debug1('>> No such sysctl: %r\n' % name)
        return False
    oldval = _oldctls[name]
    if val != oldval:
        rv = _sysctl_set(name, val)
        if rv == 0 and permanent:
            debug1('>>   ...saving permanently in /etc/sysctl.conf\n')
            f = open('/etc/sysctl.conf', 'a')
            f.write('\n'
                    '# Added by sshuttle\n'
                    '%s=%s\n' % (name, val))
            f.close()
        else:
            _changedctls.append(name)
        return True
 def ipfw(*args):
    argv = ['ipfw', '-q'] + list(args)
    debug1('>> %s\n' % ' '.join(argv))
    rv = ssubprocess.call(argv)
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
 def ipfw_noexit(*args):
    argv = ['ipfw', '-q'] + list(args)
    debug1('>> %s\n' % ' '.join(argv))
    ssubprocess.call(argv)
 class Method(BaseMethod):
    def get_supported_features(self):
        result = super(Method, self).get_supported_features()
        result.ipv6 = False
        result.udp = False #NOTE: Almost there, kernel patch needed
        result.dns = True
        return result
    def get_tcp_dstip(self, sock):
        return sock.getsockname()
    def recv_udp(self, udp_listener, bufsize):
        srcip, dstip, data = recv_udp(udp_listener, bufsize)
        if not dstip:
            debug1(
                   "-- ignored UDP from %r: "
                   "couldn't determine destination IP address\n" % (srcip,))
            return None
        return srcip, dstip, data
    def send_udp(self, sock, srcip, dstip, data):
        if not srcip:
            debug1(
               "-- ignored UDP to %r: "
               "couldn't determine source IP address\n" % (dstip,))
            return
        #debug3('Sending SRC: %r DST: %r\n' % (srcip, dstip))
        sender = socket.socket(sock.family, socket.SOCK_DGRAM)
        sender.setsockopt(socket.SOL_IP, IP_BINDANY, 1)
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
        sender.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
        sender.bind(srcip)
        sender.sendto(data,dstip)
        sender.close()
    def setup_udp_listener(self, udp_listener):
        if udp_listener.v4 is not None:
            udp_listener.v4.setsockopt(socket.SOL_IP, IP_RECVDSTADDR, 1)
        #if udp_listener.v6 is not None:
        #    udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)
    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
        # IPv6 not supported
        if family not in [socket.AF_INET ]:
            raise Exception(
                'Address family "%s" unsupported by ipfw method_name'
                % family_to_string(family))
        #XXX: Any risk from this?
        ipfw_noexit('delete', '1')
        while _changedctls:
            name = _changedctls.pop()
            oldval = _oldctls[name]
            _sysctl_set(name, oldval)
        if subnets or dnsport:
            sysctl_set('net.inet.ip.fw.enable', 1)
        ipfw('add', '1', 'check-state', 'ip',
             'from', 'any', 'to', 'any')
        ipfw('add', '1', 'skipto', '2',
             'tcp',
             'from', 'any', 'to', 'table(125)')
        ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
             'tcp',
             'from', 'any', 'to', 'table(126)',
             'not', 'ipttl', '42', 'keep-state', 'setup')
        ipfw_noexit('table', '124', 'flush')
        dnscount = 0
        for f, ip in [i for i in nslist if i[0] == family]:
            ipfw('table', '124', 'add', '%s' % (ip))
            dnscount += 1
        if dnscount > 0:
            ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
                 'udp',
                 'from', 'any', 'to', 'table(124)',
                 'not', 'ipttl', '42')
        """if udp:
            ipfw('add', '1', 'skipto', '2',
                 'udp',
                 'from', 'any', 'to', 'table(125)')
            ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
                 'udp',
                 'from', 'any', 'to', 'table(126)',
                 'not', 'ipttl', '42')
        """
        ipfw('add', '1', 'allow', 
             'udp',
             'from', 'any', 'to', 'any',
             'ipttl', '42')
        if subnets:
            # create new subnet entries
            for f, swidth, sexclude, snet \
                in sorted(subnets, key=lambda s: s[1], reverse=True):
                if sexclude:
                    ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
            else:
                ipfw('table', '126', 'add', '%s/%s' % (snet, swidth))
    def restore_firewall(self, port, family, udp):
        if family not in [socket.AF_INET]:
            raise Exception(
                'Address family "%s" unsupported by tproxy method'
                % family_to_string(family))
        ipfw_noexit('delete', '1')
        ipfw_noexit('table', '124', 'flush')
        ipfw_noexit('table', '125', 'flush')
        ipfw_noexit('table', '126', 'flush')
--- a/sshuttle/methods/nat.py
+++ b/sshuttle/methods/nat.py
@ -0,0 +1,89 @@
 import socket
 from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import family_to_string
 from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists, nonfatal
 from sshuttle.methods import BaseMethod
 class Method(BaseMethod):
    # We name the chain based on the transproxy port number so that it's
    # possible to run multiple copies of sshuttle at the same time.  Of course,
    # the multiple copies shouldn't have overlapping subnets, or only the most-
    # recently-started one will win (because we use "-I OUTPUT 1" instead of
    # "-A OUTPUT").
    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
        # only ipv4 supported with NAT
        if family != socket.AF_INET:
            raise Exception(
                'Address family "%s" unsupported by nat method_name'
                % family_to_string(family))
        if udp:
            raise Exception("UDP not supported by nat method_name")
        table = "nat"
        def _ipt(*args):
            return ipt(family, table, *args)
        def _ipt_ttl(*args):
            return ipt_ttl(family, table, *args)
        chain = 'sshuttle-%s' % port
        # basic cleanup/setup of chains
        self.restore_firewall(port, family, udp)
        _ipt('-N', chain)
        _ipt('-F', chain)
        _ipt('-I', 'OUTPUT', '1', '-j', chain)
        _ipt('-I', 'PREROUTING', '1', '-j', chain)
        # create new subnet entries.
        for f, swidth, sexclude, snet, fport, lport \
                in sorted(subnets, key=subnet_weight, reverse=True):
            tcp_ports = ('-p', 'tcp')
            if fport:
                tcp_ports = tcp_ports + ('--dport', '%d:%d' % (fport, lport))
            if sexclude:
                _ipt('-A', chain, '-j', 'RETURN',
                     '--dest', '%s/%s' % (snet, swidth),
                     *tcp_ports)
            else:
                _ipt_ttl('-A', chain, '-j', 'REDIRECT',
                         '--dest', '%s/%s' % (snet, swidth),
                         *(tcp_ports + ('--to-ports', str(port))))
        for f, ip in [i for i in nslist if i[0] == family]:
            _ipt_ttl('-A', chain, '-j', 'REDIRECT',
                     '--dest', '%s/32' % ip,
                     '-p', 'udp',
                     '--dport', '53',
                     '--to-ports', str(dnsport))
    def restore_firewall(self, port, family, udp):
        # only ipv4 supported with NAT
        if family != socket.AF_INET:
            raise Exception(
                'Address family "%s" unsupported by nat method_name'
                % family_to_string(family))
        if udp:
            raise Exception("UDP not supported by nat method_name")
        table = "nat"
        def _ipt(*args):
            return ipt(family, table, *args)
        def _ipt_ttl(*args):
            return ipt_ttl(family, table, *args)
        chain = 'sshuttle-%s' % port
        # basic cleanup/setup of chains
        if ipt_chain_exists(family, table, chain):
            nonfatal(_ipt, '-D', 'OUTPUT', '-j', chain)
            nonfatal(_ipt, '-D', 'PREROUTING', '-j', chain)
            nonfatal(_ipt, '-F', chain)
            _ipt('-X', chain)
--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@ -0,0 +1,470 @@
 import os
 import sys
 import platform
 import re
 import socket
 import struct
 import subprocess as ssubprocess
 import shlex
 from fcntl import ioctl
 from ctypes import c_char, c_uint8, c_uint16, c_uint32, Union, Structure, \
    sizeof, addressof, memmove
 from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import debug1, debug2, debug3, Fatal, family_to_string
 from sshuttle.methods import BaseMethod
 _pf_context = {'started_by_sshuttle': False, 'Xtoken': []}
 _pf_fd = None
 class Generic(object):
    MAXPATHLEN = 1024
    PF_CHANGE_ADD_TAIL = 2
    PF_CHANGE_GET_TICKET = 6
    PF_PASS = 0
    PF_RDR = 8
    PF_OUT = 2
    ACTION_OFFSET = 0
    POOL_TICKET_OFFSET = 8
    ANCHOR_CALL_OFFSET = 1040
    class pf_addr(Structure):
        class _pfa(Union):
             _fields_ = [("v4", c_uint32),     # struct in_addr
                        ("v6", c_uint32 * 4),  # struct in6_addr
                        ("addr8", c_uint8 * 16),
                        ("addr16", c_uint16 * 8),
                        ("addr32", c_uint32 * 4)]
        _fields_ = [("pfa", _pfa)]
        _anonymous_ = ("pfa",)
    def __init__(self):
        self.status = b''
        self.pfioc_pooladdr = c_char * 1136
        self.DIOCNATLOOK = (
            (0x40000000 | 0x80000000) |
            ((sizeof(self.pfioc_natlook) & 0x1fff) << 16) |
            ((ord('D')) << 8) | (23))
        self.DIOCCHANGERULE = (
            (0x40000000 | 0x80000000) |
            ((sizeof(self.pfioc_rule) & 0x1fff) << 16) |
            ((ord('D')) << 8) | (26))
        self.DIOCBEGINADDRS = (
            (0x40000000 | 0x80000000) |
            ((sizeof(self.pfioc_pooladdr) & 0x1fff) << 16) |
            ((ord('D')) << 8) | (51))
    def enable(self):
        if b'INFO:\nStatus: Disabled' in self.status:
            pfctl('-e')
            _pf_context['started_by_sshuttle'] = True
    def disable(self, anchor):
        pfctl('-a %s -F all' % anchor)
        if _pf_context['started_by_sshuttle']:
            pfctl('-d')
            _pf_context['started_by_sshuttle'] = False
    def query_nat(self, family, proto, src_ip, src_port, dst_ip, dst_port):
        [proto, family, src_port, dst_port] = [
            int(v) for v in [proto, family, src_port, dst_port]]
        packed_src_ip = socket.inet_pton(family, src_ip)
        packed_dst_ip = socket.inet_pton(family, dst_ip)
        assert len(packed_src_ip) == len(packed_dst_ip)
        length = len(packed_src_ip)
        pnl = self.pfioc_natlook()
        pnl.proto = proto
        pnl.direction = self.PF_OUT
        pnl.af = family
        memmove(addressof(pnl.saddr), packed_src_ip, length)
        memmove(addressof(pnl.daddr), packed_dst_ip, length)
        self._add_natlook_ports(pnl, src_port, dst_port)
        ioctl(pf_get_dev(), self.DIOCNATLOOK,
              (c_char * sizeof(pnl)).from_address(addressof(pnl)))
        ip = socket.inet_ntop(
            pnl.af, (c_char * length).from_address(addressof(pnl.rdaddr)).raw)
        port = socket.ntohs(self._get_natlook_port(pnl.rdxport))
        return (ip, port)
    def _add_natlook_ports(self, pnl, src_port, dst_port):
        pnl.sxport = socket.htons(src_port)
        pnl.dxport = socket.htons(dst_port)
    def _get_natlook_port(self, xport):
        return xport
    def add_anchors(self, anchor, status=None):
        if status is None:
            status = pfctl('-s all')[0]
        self.status = status
        if ('\nanchor "%s"' % anchor).encode('ASCII') not in status:
            self._add_anchor_rule(self.PF_PASS, anchor.encode('ASCII'))
    def _add_anchor_rule(self, type, name, pr=None):
        if pr is None:
            pr = self.pfioc_rule()
        memmove(addressof(pr) + self.ANCHOR_CALL_OFFSET, name,
                min(self.MAXPATHLEN, len(name)))  # anchor_call = name
        memmove(addressof(pr) + self.RULE_ACTION_OFFSET,
                struct.pack('I', type), 4)  # rule.action = type
        memmove(addressof(pr) + self.ACTION_OFFSET, struct.pack(
            'I', self.PF_CHANGE_GET_TICKET), 4)  # action = PF_CHANGE_GET_TICKET
        ioctl(pf_get_dev(), pf.DIOCCHANGERULE, pr)
        memmove(addressof(pr) + self.ACTION_OFFSET, struct.pack(
            'I', self.PF_CHANGE_ADD_TAIL), 4)  # action = PF_CHANGE_ADD_TAIL
        ioctl(pf_get_dev(), pf.DIOCCHANGERULE, pr)
    def _inet_version(self, family):
        return b'inet' if family == socket.AF_INET else b'inet6'
    def _lo_addr(self, family):
        return b'127.0.0.1' if family == socket.AF_INET else b'::1'
    def add_rules(self, anchor, rules):
        assert isinstance(rules, bytes)
        debug3("rules:\n" + rules.decode("ASCII"))
        pfctl('-a %s -f /dev/stdin' % anchor, rules)
    def has_skip_loopback(self):
        return b'skip' in pfctl('-s Interfaces -i lo -v')[0]
 class FreeBsd(Generic):
    RULE_ACTION_OFFSET = 2968
    def __new__(cls):
        class pfioc_natlook(Structure):
            pf_addr = Generic.pf_addr
            _fields_ = [("saddr", pf_addr),
                        ("daddr", pf_addr),
                        ("rsaddr", pf_addr),
                        ("rdaddr", pf_addr),
                        ("sxport", c_uint16),
                        ("dxport", c_uint16),
                        ("rsxport", c_uint16),
                        ("rdxport", c_uint16),
                        ("af", c_uint8),                      # sa_family_t
                        ("proto", c_uint8),
                        ("proto_variant", c_uint8),
                        ("direction", c_uint8)]
        freebsd = Generic.__new__(cls)
        freebsd.pfioc_rule = c_char * 3040
        freebsd.pfioc_natlook = pfioc_natlook
        return freebsd
    def __init__(self):
        super(FreeBsd, self).__init__()
    def add_anchors(self, anchor):
        status = pfctl('-s all')[0]
        if ('\nrdr-anchor "%s"' % anchor).encode('ASCII') not in status:
            self._add_anchor_rule(self.PF_RDR, anchor.encode('ASCII'))
        super(FreeBsd, self).add_anchors(anchor, status=status)
    def _add_anchor_rule(self, type, name):
        pr = self.pfioc_rule()
        ppa = self.pfioc_pooladdr()
        ioctl(pf_get_dev(), self.DIOCBEGINADDRS, ppa)
        # pool ticket
        memmove(addressof(pr) + self.POOL_TICKET_OFFSET, ppa[4:8], 4)
        super(FreeBsd, self)._add_anchor_rule(type, name, pr=pr)
    def add_rules(self, anchor, includes, port, dnsport, nslist, family):
        inet_version = self._inet_version(family)
        lo_addr = self._lo_addr(family)
        tables = []
        translating_rules = [
            b'rdr pass on lo0 %s proto tcp to %s '
            b'-> %s port %r' % (inet_version, subnet, lo_addr, port)
            for exclude, subnet in includes if not exclude
        ]
        filtering_rules = [
            b'pass out route-to lo0 %s proto tcp '
            b'to %s keep state' % (inet_version, subnet)
            if not exclude else
            b'pass out quick %s proto tcp to %s' % (inet_version, subnet)
            for exclude, subnet in includes
        ]
        if len(nslist) > 0:
            tables.append(
                b'table <dns_servers> {%s}' %
                b','.join([ns[1].encode("ASCII") for ns in nslist]))
            translating_rules.append(
                b'rdr pass on lo0 %s proto udp to <dns_servers> '
                b'port 53 -> %s port %r' % (inet_version, lo_addr, dnsport))
            filtering_rules.append(
                b'pass out route-to lo0 %s proto udp to '
                b'<dns_servers> port 53 keep state' % inet_version)
        rules = b'\n'.join(tables + translating_rules + filtering_rules) \
                + b'\n'
        super(FreeBsd, self).add_rules(anchor, rules)
 class OpenBsd(Generic):
    POOL_TICKET_OFFSET = 4
    RULE_ACTION_OFFSET = 3324
    ANCHOR_CALL_OFFSET = 1036
    def __init__(self):
        class pfioc_natlook(Structure):
            pf_addr = Generic.pf_addr
            _fields_ = [("saddr", pf_addr),
                        ("daddr", pf_addr),
                        ("rsaddr", pf_addr),
                        ("rdaddr", pf_addr),
                        ("rdomain", c_uint16),
                        ("rrdomain", c_uint16),
                        ("sxport", c_uint16),
                        ("dxport", c_uint16),
                        ("rsxport", c_uint16),
                        ("rdxport", c_uint16),
                        ("af", c_uint8),                      # sa_family_t
                        ("proto", c_uint8),
                        ("proto_variant", c_uint8),
                        ("direction", c_uint8)]
        self.pfioc_rule = c_char * 3400
        self.pfioc_natlook = pfioc_natlook
        super(OpenBsd, self).__init__()
    def add_anchors(self, anchor):
        # before adding anchors and rules we must override the skip lo
        # that comes by default in openbsd pf.conf so the rules we will add,
        # which rely on translating/filtering  packets on lo, can work
        if self.has_skip_loopback():
            pfctl('-f /dev/stdin', b'match on lo\n')
        super(OpenBsd, self).add_anchors(anchor)
    def add_rules(self, anchor, includes, port, dnsport, nslist, family):
        inet_version = self._inet_version(family)
        lo_addr = self._lo_addr(family)
        tables = []
        translating_rules = [
            b'pass in on lo0 %s proto tcp to %s '
            b'divert-to %s port %r' % (inet_version, subnet, lo_addr, port)
            for exclude, subnet in includes if not exclude
        ]
        filtering_rules = [
            b'pass out %s proto tcp to %s '
            b'route-to lo0 keep state' % (inet_version, subnet)
            if not exclude else
            b'pass out quick %s proto tcp to %s' % (inet_version, subnet)
            for exclude, subnet in includes
        ]
        if len(nslist) > 0:
            tables.append(
                b'table <dns_servers> {%s}' %
                b','.join([ns[1].encode("ASCII") for ns in nslist]))
            translating_rules.append(
                b'pass in on lo0 %s proto udp to <dns_servers> port 53 '
                b'rdr-to %s port %r' % (inet_version, lo_addr, dnsport))
            filtering_rules.append(
                b'pass out %s proto udp to <dns_servers> port 53 '
                b'route-to lo0 keep state' % inet_version)
        rules = b'\n'.join(tables + translating_rules + filtering_rules) \
                + b'\n'
        super(OpenBsd, self).add_rules(anchor, rules)
 class Darwin(FreeBsd):
    RULE_ACTION_OFFSET = 3068
    def __init__(self):
        class pf_state_xport(Union):
            _fields_ = [("port", c_uint16),
                        ("call_id", c_uint16),
                        ("spi", c_uint32)]
        class pfioc_natlook(Structure):
            pf_addr = Generic.pf_addr
            _fields_ = [("saddr", pf_addr),
                        ("daddr", pf_addr),
                        ("rsaddr", pf_addr),
                        ("rdaddr", pf_addr),
                        ("sxport", pf_state_xport),
                        ("dxport", pf_state_xport),
                        ("rsxport", pf_state_xport),
                        ("rdxport", pf_state_xport),
                        ("af", c_uint8),                      # sa_family_t
                        ("proto", c_uint8),
                        ("proto_variant", c_uint8),
                        ("direction", c_uint8)]
        self.pfioc_rule = c_char * 3104
        self.pfioc_natlook = pfioc_natlook
        super(Darwin, self).__init__()
    def enable(self):
        o = pfctl('-E')
        _pf_context['Xtoken'].append(re.search(b'Token : (.+)', o[1]).group(1))
    def disable(self, anchor):
        pfctl('-a %s -F all' % anchor)
        if _pf_context['Xtoken']:
            pfctl('-X %s' % _pf_context['Xtoken'].pop().decode("ASCII"))
    def add_anchors(self, anchor):
        # before adding anchors and rules we must override the skip lo
        # that in some cases ends up in the chain so the rules we will add,
        # which rely on translating/filtering  packets on lo, can work
        if self.has_skip_loopback():
            pfctl('-f /dev/stdin', b'pass on lo\n')
        super(Darwin, self).add_anchors(anchor)
    def _add_natlook_ports(self, pnl, src_port, dst_port):
        pnl.sxport.port = socket.htons(src_port)
        pnl.dxport.port = socket.htons(dst_port)
    def _get_natlook_port(self, xport):
        return xport.port
 class PfSense(FreeBsd):
    RULE_ACTION_OFFSET = 3040
    def __init__(self):
        self.pfioc_rule = c_char * 3112
        super(PfSense, self).__init__()
 if sys.platform == 'darwin':
    pf = Darwin()
 elif sys.platform.startswith('openbsd'):
    pf = OpenBsd()
 elif platform.version().endswith('pfSense'):
    pf = PfSense()
 else:
    pf = FreeBsd()
 def pfctl(args, stdin=None):
    argv = ['pfctl'] + shlex.split(args)
    debug1('>> %s\n' % ' '.join(argv))
    env = {
        'PATH': os.environ['PATH'],
        'LC_ALL': "C",
    }
    p = ssubprocess.Popen(argv, stdin=ssubprocess.PIPE,
                          stdout=ssubprocess.PIPE,
                          stderr=ssubprocess.PIPE,
                          env=env)
    o = p.communicate(stdin)
    if p.returncode:
        raise Fatal('%r returned %d' % (argv, p.returncode))
    return o
 def pf_get_dev():
    global _pf_fd
    if _pf_fd is None:
        _pf_fd = os.open('/dev/pf', os.O_RDWR)
    return _pf_fd
 def pf_get_anchor(family, port):
    return 'sshuttle%s-%d' % ('' if family == socket.AF_INET else '6', port)
 class Method(BaseMethod):
    def get_supported_features(self):
        result = super(Method, self).get_supported_features()
        result.ipv6 = True
        return result
    def get_tcp_dstip(self, sock):
        pfile = self.firewall.pfile
        peer = sock.getpeername()
        proxy = sock.getsockname()
        argv = (sock.family, socket.IPPROTO_TCP,
                peer[0].encode("ASCII"), peer[1],
                proxy[0].encode("ASCII"), proxy[1])
        out_line = b"QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % argv
        pfile.write(out_line)
        pfile.flush()
        in_line = pfile.readline()
        debug2(out_line.decode("ASCII") + ' > ' + in_line.decode("ASCII"))
        if in_line.startswith(b'QUERY_PF_NAT_SUCCESS '):
            (ip, port) = in_line[21:].split(b',')
            return (ip.decode("ASCII"), int(port))
        return sock.getsockname()
    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
        tables = []
        translating_rules = []
        filtering_rules = []
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by pf method_name'
                % family_to_string(family))
        if udp:
            raise Exception("UDP not supported by pf method_name")
        if len(subnets) > 0:
            includes = []
            # If a given subnet is both included and excluded, list the
            # exclusion first; the table will ignore the second, opposite
            # definition
            for f, swidth, sexclude, snet, fport, lport \
                    in sorted(subnets, key=subnet_weight, reverse=True):
                includes.append((sexclude, b"%s/%d%s" % (
                    snet.encode("ASCII"),
                    swidth,
                    b" port %d:%d" % (fport, lport) if fport else b"")))
        anchor = pf_get_anchor(family, port)
        pf.add_anchors(anchor)
        pf.add_rules(anchor, includes, port, dnsport, nslist, family)
        pf.enable()
    def restore_firewall(self, port, family, udp):
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by pf method_name'
                % family_to_string(family))
        if udp:
            raise Exception("UDP not supported by pf method_name")
        pf.disable(pf_get_anchor(family, port))
    def firewall_command(self, line):
        if line.startswith('QUERY_PF_NAT '):
            try:
                dst = pf.query_nat(*(line[13:].split(',')))
                sys.stdout.write('QUERY_PF_NAT_SUCCESS %s,%r\n' % dst)
            except IOError as e:
                sys.stdout.write('QUERY_PF_NAT_FAILURE %s\n' % e)
            sys.stdout.flush()
            return True
        else:
            return False
--- a/sshuttle/methods/tproxy.py
+++ b/sshuttle/methods/tproxy.py
@ -0,0 +1,285 @@
 import struct
 from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import family_to_string
 from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists
 from sshuttle.methods import BaseMethod
 from sshuttle.helpers import debug1, debug3, Fatal
 recvmsg = None
 try:
    # try getting recvmsg from python
    import socket as pythonsocket
    getattr(pythonsocket.socket, "recvmsg")
    socket = pythonsocket
    recvmsg = "python"
 except AttributeError:
    # try getting recvmsg from socket_ext library
    try:
        import socket_ext
        getattr(socket_ext.socket, "recvmsg")
        socket = socket_ext
        recvmsg = "socket_ext"
    except ImportError:
        import socket
 IP_TRANSPARENT = 19
 IP_ORIGDSTADDR = 20
 IP_RECVORIGDSTADDR = IP_ORIGDSTADDR
 SOL_IPV6 = 41
 IPV6_ORIGDSTADDR = 74
 IPV6_RECVORIGDSTADDR = IPV6_ORIGDSTADDR
 if recvmsg == "python":
    def recv_udp(listener, bufsize):
        debug3('Accept UDP python using recvmsg.\n')
        data, ancdata, msg_flags, srcip = listener.recvmsg(
            4096, socket.CMSG_SPACE(24))
        dstip = None
        family = None
        for cmsg_level, cmsg_type, cmsg_data in ancdata:
            if cmsg_level == socket.SOL_IP and cmsg_type == IP_ORIGDSTADDR:
                family, port = struct.unpack('=HH', cmsg_data[0:4])
                port = socket.htons(port)
                if family == socket.AF_INET:
                    start = 4
                    length = 4
                else:
                    raise Fatal("Unsupported socket type '%s'" % family)
                ip = socket.inet_ntop(family, cmsg_data[start:start + length])
                dstip = (ip, port)
                break
            elif cmsg_level == SOL_IPV6 and cmsg_type == IPV6_ORIGDSTADDR:
                family, port = struct.unpack('=HH', cmsg_data[0:4])
                port = socket.htons(port)
                if family == socket.AF_INET6:
                    start = 8
                    length = 16
                else:
                    raise Fatal("Unsupported socket type '%s'" % family)
                ip = socket.inet_ntop(family, cmsg_data[start:start + length])
                dstip = (ip, port)
                break
        return (srcip, dstip, data)
 elif recvmsg == "socket_ext":
    def recv_udp(listener, bufsize):
        debug3('Accept UDP using socket_ext recvmsg.\n')
        srcip, data, adata, flags = listener.recvmsg(
            (bufsize,), socket.CMSG_SPACE(24))
        dstip = None
        family = None
        for a in adata:
            if a.cmsg_level == socket.SOL_IP and a.cmsg_type == IP_ORIGDSTADDR:
                family, port = struct.unpack('=HH', a.cmsg_data[0:4])
                port = socket.htons(port)
                if family == socket.AF_INET:
                    start = 4
                    length = 4
                else:
                    raise Fatal("Unsupported socket type '%s'" % family)
                ip = socket.inet_ntop(
                    family, a.cmsg_data[start:start + length])
                dstip = (ip, port)
                break
            elif a.cmsg_level == SOL_IPV6 and a.cmsg_type == IPV6_ORIGDSTADDR:
                family, port = struct.unpack('=HH', a.cmsg_data[0:4])
                port = socket.htons(port)
                if family == socket.AF_INET6:
                    start = 8
                    length = 16
                else:
                    raise Fatal("Unsupported socket type '%s'" % family)
                ip = socket.inet_ntop(
                    family, a.cmsg_data[start:start + length])
                dstip = (ip, port)
                break
        return (srcip, dstip, data[0])
 else:
    def recv_udp(listener, bufsize):
        debug3('Accept UDP using recvfrom.\n')
        data, srcip = listener.recvfrom(bufsize)
        return (srcip, None, data)
 class Method(BaseMethod):
    def get_supported_features(self):
        result = super(Method, self).get_supported_features()
        result.ipv6 = True
        if recvmsg is None:
            result.udp = False
            result.dns = False
        else:
            result.udp = True
            result.dns = True
        return result
    def get_tcp_dstip(self, sock):
        return sock.getsockname()
    def recv_udp(self, udp_listener, bufsize):
        srcip, dstip, data = recv_udp(udp_listener, bufsize)
        if not dstip:
            debug1(
                "-- ignored UDP from %r: "
                "couldn't determine destination IP address\n" % (srcip,))
            return None
        return srcip, dstip, data
    def send_udp(self, sock, srcip, dstip, data):
        if not srcip:
            debug1(
                "-- ignored UDP to %r: "
                "couldn't determine source IP address\n" % (dstip,))
            return
        sender = socket.socket(sock.family, socket.SOCK_DGRAM)
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sender.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
        sender.bind(srcip)
        sender.sendto(data, dstip)
        sender.close()
    def setup_tcp_listener(self, tcp_listener):
        tcp_listener.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
    def setup_udp_listener(self, udp_listener):
        udp_listener.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
        if udp_listener.v4 is not None:
            udp_listener.v4.setsockopt(
                socket.SOL_IP, IP_RECVORIGDSTADDR, 1)
        if udp_listener.v6 is not None:
            udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVORIGDSTADDR, 1)
    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by tproxy method'
                % family_to_string(family))
        table = "mangle"
        def _ipt(*args):
            return ipt(family, table, *args)
        def _ipt_ttl(*args):
            return ipt_ttl(family, table, *args)
        def _ipt_proto_ports(proto, fport, lport):
            return proto + ('--dport', '%d:%d' % (fport, lport)) \
                    if fport else proto
        mark_chain = 'sshuttle-m-%s' % port
        tproxy_chain = 'sshuttle-t-%s' % port
        divert_chain = 'sshuttle-d-%s' % port
        # basic cleanup/setup of chains
        self.restore_firewall(port, family, udp)
        _ipt('-N', mark_chain)
        _ipt('-F', mark_chain)
        _ipt('-N', divert_chain)
        _ipt('-F', divert_chain)
        _ipt('-N', tproxy_chain)
        _ipt('-F', tproxy_chain)
        _ipt('-I', 'OUTPUT', '1', '-j', mark_chain)
        _ipt('-I', 'PREROUTING', '1', '-j', tproxy_chain)
        _ipt('-A', divert_chain, '-j', 'MARK', '--set-mark', '1')
        _ipt('-A', divert_chain, '-j', 'ACCEPT')
        _ipt('-A', tproxy_chain, '-m', 'socket', '-j', divert_chain,
             '-m', 'tcp', '-p', 'tcp')
        if udp:
            _ipt('-A', tproxy_chain, '-m', 'socket', '-j', divert_chain,
                 '-m', 'udp', '-p', 'udp')
        for f, ip in [i for i in nslist if i[0] == family]:
            _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
                 '--dest', '%s/32' % ip,
                 '-m', 'udp', '-p', 'udp', '--dport', '53')
            _ipt('-A', tproxy_chain, '-j', 'TPROXY',
                 '--tproxy-mark', '0x1/0x1',
                 '--dest', '%s/32' % ip,
                 '-m', 'udp', '-p', 'udp', '--dport', '53',
                 '--on-port', str(dnsport))
        for f, swidth, sexclude, snet, fport, lport \
                in sorted(subnets, key=subnet_weight, reverse=True):
            tcp_ports = ('-p', 'tcp')
            tcp_ports = _ipt_proto_ports(tcp_ports, fport, lport)
            if sexclude:
                _ipt('-A', mark_chain, '-j', 'RETURN',
                     '--dest', '%s/%s' % (snet, swidth),
                     '-m', 'tcp',
                     *tcp_ports)
                _ipt('-A', tproxy_chain, '-j', 'RETURN',
                     '--dest', '%s/%s' % (snet, swidth),
                     '-m', 'tcp',
                     *tcp_ports)
            else:
                _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
                     '--dest', '%s/%s' % (snet, swidth),
                     '-m', 'tcp',
                     *tcp_ports)
                _ipt('-A', tproxy_chain, '-j', 'TPROXY',
                     '--tproxy-mark', '0x1/0x1',
                     '--dest', '%s/%s' % (snet, swidth),
                     '-m', 'tcp',
                     *(tcp_ports + ('--on-port', str(port))))
            if udp:
                udp_ports = ('-p', 'udp')
                udp_ports = _ipt_proto_ports(udp_ports, fport, lport)
                if sexclude:
                    _ipt('-A', mark_chain, '-j', 'RETURN',
                         '--dest', '%s/%s' % (snet, swidth),
                         '-m', 'udp',
                         *udp_ports)
                    _ipt('-A', tproxy_chain, '-j', 'RETURN',
                         '--dest', '%s/%s' % (snet, swidth),
                         '-m', 'udp',
                         *udp_ports)
                else:
                    _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
                         '--dest', '%s/%s' % (snet, swidth),
                         '-m', 'udp', '-p', 'udp')
                    _ipt('-A', tproxy_chain, '-j', 'TPROXY',
                         '--tproxy-mark', '0x1/0x1',
                         '--dest', '%s/%s' % (snet, swidth),
                         '-m', 'udp',
                         *(udp_ports + ('--on-port', str(port))))
    def restore_firewall(self, port, family, udp):
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by tproxy method'
                % family_to_string(family))
        table = "mangle"
        def _ipt(*args):
            return ipt(family, table, *args)
        def _ipt_ttl(*args):
            return ipt_ttl(family, table, *args)
        mark_chain = 'sshuttle-m-%s' % port
        tproxy_chain = 'sshuttle-t-%s' % port
        divert_chain = 'sshuttle-d-%s' % port
        # basic cleanup/setup of chains
        if ipt_chain_exists(family, table, mark_chain):
            _ipt('-D', 'OUTPUT', '-j', mark_chain)
            _ipt('-F', mark_chain)
            _ipt('-X', mark_chain)
        if ipt_chain_exists(family, table, tproxy_chain):
            _ipt('-D', 'PREROUTING', '-j', tproxy_chain)
            _ipt('-F', tproxy_chain)
            _ipt('-X', tproxy_chain)
        if ipt_chain_exists(family, table, divert_chain):
            _ipt('-F', divert_chain)
            _ipt('-X', divert_chain)
--- a/sshuttle/options.py
+++ b/sshuttle/options.py
@ -0,0 +1,293 @@
 import re
 import socket
 from argparse import ArgumentParser, Action, ArgumentTypeError as Fatal
 from sshuttle import __version__
 # Subnet file, supporting empty lines and hash-started comment lines
 def parse_subnetport_file(s):
    try:
        handle = open(s, 'r')
    except OSError:
        raise Fatal('Unable to open subnet file: %s' % s)
    raw_config_lines = handle.readlines()
    subnets = []
    for line_no, line in enumerate(raw_config_lines):
        line = line.strip()
        if len(line) == 0:
            continue
        if line[0] == '#':
            continue
        subnets.append(parse_subnetport(line))
    return subnets
 # 1.2.3.4/5:678, 1.2.3.4:567, 1.2.3.4/16 or just 1.2.3.4
 # [1:2::3/64]:456, [1:2::3]:456, 1:2::3/64 or just 1:2::3
 # example.com:123 or just example.com
 def parse_subnetport(s):
    if s.count(':') > 1:
        rx = r'(?:\[?([\w\:]+)(?:/(\d+))?]?)(?::(\d+)(?:-(\d+))?)?$'
    else:
        rx = r'([\w\.]+)(?:/(\d+))?(?::(\d+)(?:-(\d+))?)?$'
    m = re.match(rx, s)
    if not m:
        raise Fatal('%r is not a valid address/mask:port format' % s)
    addr, width, fport, lport = m.groups()
    try:
        addrinfo = socket.getaddrinfo(addr, 0, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        raise Fatal('Unable to resolve address: %s' % addr)
    family, _, _, _, addr = min(addrinfo)
    max_width = 32 if family == socket.AF_INET else 128
    width = int(width or max_width)
    if not 0 <= width <= max_width:
        raise Fatal('width %d is not between 0 and %d' % (width, max_width))
    return (family, addr[0], width, int(fport or 0), int(lport or fport or 0))
 # 1.2.3.4:567 or just 1.2.3.4 or just 567
 # [1:2::3]:456 or [1:2::3] or just [::]:567
 # example.com:123 or just example.com
 def parse_ipport(s):
    s = str(s)
    if s.isdigit():
        rx = r'()(\d+)$'
    elif ']' in s:
        rx = r'(?:\[([^]]+)])(?::(\d+))?$'
    else:
        rx = r'([\w\.]+)(?::(\d+))?$'
    m = re.match(rx, s)
    if not m:
        raise Fatal('%r is not a valid IP:port format' % s)
    ip, port = m.groups()
    ip = ip or '0.0.0.0'
    port = int(port or 0)
    try:
        addrinfo = socket.getaddrinfo(ip, port, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        raise Fatal('%r is not a valid IP:port format' % s)
    family, _, _, _, addr = min(addrinfo)
    return (family,) + addr[:2]
 def parse_list(list):
    return re.split(r'[\s,]+', list.strip()) if list else []
 class Concat(Action):
    def __init__(self, option_strings, dest, nargs=None, **kwargs):
        if nargs is not None:
            raise ValueError("nargs not supported")
        super(Concat, self).__init__(option_strings, dest, **kwargs)
    def __call__(self, parser, namespace, values, option_string=None):
        curr_value = getattr(namespace, self.dest, None) or []
        setattr(namespace, self.dest, curr_value + values)
 parser = ArgumentParser(
    prog="sshuttle",
    usage="%(prog)s [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>"
 )
 parser.add_argument(
    "subnets",
    metavar="IP/MASK[:PORT[-PORT]]...",
    nargs="*",
    type=parse_subnetport,
    help="""
    capture and forward traffic to these subnets (whitespace separated)
    """
 )
 parser.add_argument(
    "-l", "--listen",
    metavar="[IP:]PORT",
    help="""
    transproxy to this ip address and port number
    """
 )
 parser.add_argument(
    "-H", "--auto-hosts",
    action="store_true",
    help="""
    continuously scan for remote hostnames and update local /etc/hosts as they are found
    """
 )
 parser.add_argument(
    "-N", "--auto-nets",
    action="store_true",
    help="""
    automatically determine subnets to route
    """
 )
 parser.add_argument(
    "--dns",
    action="store_true",
    help="""
    capture local DNS requests and forward to the remote DNS server
    """
 )
 parser.add_argument(
    "--ns-hosts",
    metavar="IP[,IP]",
    default=[],
    type=parse_list,
    help="""
    capture and forward DNS requests made to the following servers
    """
 )
 parser.add_argument(
    "--method",
    choices=["auto", "nat", "tproxy", "pf", "ipfw"],
    metavar="TYPE",
    default="auto",
    help="""
    %(choices)s
    """
 )
 parser.add_argument(
    "--python",
    metavar="PATH",
    help="""
    path to python interpreter on the remote server
    """
 )
 parser.add_argument(
    "-r", "--remote",
    metavar="[USERNAME@]ADDR[:PORT]",
    help="""
    ssh hostname (and optional username) of remote %(prog)s server
    """
 )
 parser.add_argument(
    "-x", "--exclude",
    metavar="IP/MASK[:PORT[-PORT]]",
    action="append",
    default=[],
    type=parse_subnetport,
    help="""
    exclude this subnet (can be used more than once)
    """
 )
 parser.add_argument(
    "-X", "--exclude-from",
    metavar="PATH",
    action=Concat,
    dest="exclude",
    type=parse_subnetport_file,
    help="""
    exclude the subnets in a file (whitespace separated)
    """
 )
 parser.add_argument(
    "-v", "--verbose",
    action="count",
    default=0,
    help="""
    increase debug message verbosity
    """
 )
 parser.add_argument(
    "-V", "--version",
    action="version",
    version=__version__,
    help="""
    print the %(prog)s version number and exit
    """
 )
 parser.add_argument(
    "-e", "--ssh-cmd",
    metavar="CMD",
    default="ssh",
    help="""
    the command to use to connect to the remote [%(default)s]
    """
 )
 parser.add_argument(
    "--seed-hosts",
    metavar="HOSTNAME[,HOSTNAME]",
    default=[],
    help="""
    comma-separated list of hostnames for initial scan (may be used with or without --auto-hosts)
    """
 )
 parser.add_argument(
    "--no-latency-control",
    action="store_false",
    dest="latency_control",
    help="""
    sacrifice latency to improve bandwidth benchmarks
    """
 )
 parser.add_argument(
    "--wrap",
    metavar="NUM",
    type=int,
    help="""
    restart counting channel numbers after this number (for testing)
    """
 )
 parser.add_argument(
    "--disable-ipv6",
    action="store_true",
    help="""
    disable IPv6 support
    """
 )
 parser.add_argument(
    "-D", "--daemon",
    action="store_true",
    help="""
    run in the background as a daemon
    """
 )
 parser.add_argument(
    "-s", "--subnets",
    metavar="PATH",
    action=Concat,
    dest="subnets_file",
    default=[],
    type=parse_subnetport_file,
    help="""
    file where the subnets are stored, instead of on the command line
    """
 )
 parser.add_argument(
    "--syslog",
    action="store_true",
    help="""
    send log messages to syslog (default if you use --daemon)
    """
 )
 parser.add_argument(
    "--pidfile",
    metavar="PATH",
    default="./sshuttle.pid",
    help="""
    pidfile name (only if using --daemon) [%(default)s]
    """
 )
 parser.add_argument(
    "--firewall",
    action="store_true",
    help="""
    (internal use only)
    """
 )
 parser.add_argument(
    "--hostwatch",
    action="store_true",
    help="""
    (internal use only)
    """
 )
--- a/sshuttle/sdnotify.py
+++ b/sshuttle/sdnotify.py
@ -0,0 +1,40 @@
 import socket
 import os
 from sshuttle.helpers import debug1
 def _notify(message):
    addr = os.environ.get("NOTIFY_SOCKET", None)
    if not addr or len(addr) == 1 or addr[0] not in ('/', '@'):
        return False
    addr = '\0' + addr[1:] if addr[0] == '@' else addr
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    except (OSError, IOError) as e:
        debug1("Error creating socket to notify systemd: %s\n" % e)
        return False
    if not message: 
        return False
    assert isinstance(message, bytes)
    try:
        return (sock.sendto(message, addr) > 0)
    except (OSError, IOError) as e:
        debug1("Error notifying systemd: %s\n" % e)
        return False
 def send(*messages):
    return _notify(b'\n'.join(messages))
 def ready():
    return b"READY=1"
 def stop():
    return b"STOPPING=1"
 def status(message):
    return b"STATUS=%s" % message.encode('utf8')
--- a/sshuttle/server.py
+++ b/sshuttle/server.py
@ -0,0 +1,398 @@
 import re
 import struct
 import socket
 import traceback
 import time
 import sys
 import os
 import platform
 import sshuttle.ssnet as ssnet
 import sshuttle.helpers as helpers
 import sshuttle.hostwatch as hostwatch
 import subprocess as ssubprocess
 from sshuttle.ssnet import Handler, Proxy, Mux, MuxWrapper
 from sshuttle.helpers import b, log, debug1, debug2, debug3, Fatal, \
    resolvconf_random_nameserver
 try:
    from shutil import which
 except ImportError:
    from distutils.spawn import find_executable as which
 def _ipmatch(ipstr):
    # FIXME: IPv4 only
    if ipstr == 'default':
        ipstr = '0.0.0.0/0'
    m = re.match('^(\d+(\.\d+(\.\d+(\.\d+)?)?)?)(?:/(\d+))?$', ipstr)
    if m:
        g = m.groups()
        ips = g[0]
        width = int(g[4] or 32)
        if g[1] is None:
            ips += '.0.0.0'
            width = min(width, 8)
        elif g[2] is None:
            ips += '.0.0'
            width = min(width, 16)
        elif g[3] is None:
            ips += '.0'
            width = min(width, 24)
        ips = ips
        return (struct.unpack('!I', socket.inet_aton(ips))[0], width)
 def _ipstr(ip, width):
    # FIXME: IPv4 only
    if width >= 32:
        return ip
    else:
        return "%s/%d" % (ip, width)
 def _maskbits(netmask):
    # FIXME: IPv4 only
    if not netmask:
        return 32
    for i in range(32):
        if netmask[0] & _shl(1, i):
            return 32 - i
    return 0
 def _shl(n, bits):
    return n * int(2 ** bits)
 def _route_netstat(line):
    cols = line.split(None)
    if len(cols) < 3:
        return None, None
    ipw = _ipmatch(cols[0])
    maskw = _ipmatch(cols[2])  # linux only
    mask = _maskbits(maskw)   # returns 32 if maskw is null
    return ipw, mask
 def _route_iproute(line):
    ipm = line.split(None, 1)[0]
    if '/' not in ipm:
        return None, None
    ip, mask = ipm.split('/')
    ipw = _ipmatch(ip)
    return ipw, int(mask)
 def _list_routes(argv, extract_route):
    # FIXME: IPv4 only
    env = {
        'PATH': os.environ['PATH'],
        'LC_ALL': "C",
    }
    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
    routes = []
    for line in p.stdout:
        if not line.strip():
            continue
        ipw, mask = extract_route(line.decode("ASCII"))
        if not ipw:
            continue
        width = min(ipw[1], mask)
        ip = ipw[0] & _shl(_shl(1, width) - 1, 32 - width)
        routes.append(
            (socket.AF_INET, socket.inet_ntoa(struct.pack('!I', ip)), width))
    rv = p.wait()
    if rv != 0:
        log('WARNING: %r returned %d\n' % (argv, rv))
        log('WARNING: That prevents --auto-nets from working.\n')
    return routes
 def list_routes():
    if which('ip'):
        routes = _list_routes(['ip', 'route'], _route_iproute)
    elif which('netstat'):
        routes = _list_routes(['netstat', '-rn'], _route_netstat)
    else:
        log('WARNING: Neither ip nor netstat were found on the server.\n')
        routes = []
    for (family, ip, width) in routes:
        if not ip.startswith('0.') and not ip.startswith('127.'):
            yield (family, ip, width)
 def _exc_dump():
    exc_info = sys.exc_info()
    return ''.join(traceback.format_exception(*exc_info))
 def start_hostwatch(seed_hosts, auto_hosts):
    s1, s2 = socket.socketpair()
    pid = os.fork()
    if not pid:
        # child
        rv = 99
        try:
            try:
                s2.close()
                os.dup2(s1.fileno(), 1)
                os.dup2(s1.fileno(), 0)
                s1.close()
                rv = hostwatch.hw_main(seed_hosts, auto_hosts) or 0
            except Exception:
                log('%s\n' % _exc_dump())
                rv = 98
        finally:
            os._exit(rv)
    s1.close()
    return pid, s2
 class Hostwatch:
    def __init__(self):
        self.pid = 0
        self.sock = None
 class DnsProxy(Handler):
    def __init__(self, mux, chan, request):
        Handler.__init__(self, [])
        self.timeout = time.time() + 30
        self.mux = mux
        self.chan = chan
        self.tries = 0
        self.request = request
        self.peers = {}
        self.try_send()
    def try_send(self):
        if self.tries >= 3:
            return
        self.tries += 1
        family, peer = resolvconf_random_nameserver()
        sock = socket.socket(family, socket.SOCK_DGRAM)
        sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
        sock.connect((peer, 53))
        self.peers[sock] = peer
        debug2('DNS: sending to %r (try %d)\n' % (peer, self.tries))
        try:
            sock.send(self.request)
            self.socks.append(sock)
        except socket.error:
            _, e = sys.exc_info()[:2]
            if e.args[0] in ssnet.NET_ERRS:
                # might have been spurious; try again.
                # Note: these errors sometimes are reported by recv(),
                # and sometimes by send().  We have to catch both.
                debug2('DNS send to %r: %s\n' % (peer, e))
                self.try_send()
                return
            else:
                log('DNS send to %r: %s\n' % (peer, e))
                return
    def callback(self, sock):
        peer = self.peers[sock]
        try:
            data = sock.recv(4096)
        except socket.error:
            _, e = sys.exc_info()[:2]
            self.socks.remove(sock)
            del self.peers[sock]
            if e.args[0] in ssnet.NET_ERRS:
                # might have been spurious; try again.
                # Note: these errors sometimes are reported by recv(),
                # and sometimes by send().  We have to catch both.
                debug2('DNS recv from %r: %s\n' % (peer, e))
                self.try_send()
                return
            else:
                log('DNS recv from %r: %s\n' % (peer, e))
                return
        debug2('DNS response: %d bytes\n' % len(data))
        self.mux.send(self.chan, ssnet.CMD_DNS_RESPONSE, data)
        self.ok = False
 class UdpProxy(Handler):
    def __init__(self, mux, chan, family):
        sock = socket.socket(family, socket.SOCK_DGRAM)
        Handler.__init__(self, [sock])
        self.timeout = time.time() + 30
        self.mux = mux
        self.chan = chan
        self.sock = sock
        if family == socket.AF_INET:
            self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
    def send(self, dstip, data):
        debug2('UDP: sending to %r port %d\n' % dstip)
        try:
            self.sock.sendto(data, dstip)
        except socket.error:
            _, e = sys.exc_info()[:2]
            log('UDP send to %r port %d: %s\n' % (dstip[0], dstip[1], e))
            return
    def callback(self, sock):
        try:
            data, peer = sock.recvfrom(4096)
        except socket.error:
            _, e = sys.exc_info()[:2]
            log('UDP recv from %r port %d: %s\n' % (peer[0], peer[1], e))
            return
        debug2('UDP response: %d bytes\n' % len(data))
        hdr = b("%s,%r," % (peer[0], peer[1]))
        self.mux.send(self.chan, ssnet.CMD_UDP_DATA, hdr + data)
 def main(latency_control, auto_hosts):
    debug1('Starting server with Python version %s\n'
           % platform.python_version())
    if helpers.verbose >= 1:
        helpers.logprefix = ' s: '
    else:
        helpers.logprefix = 'server: '
    debug1('latency control setting = %r\n' % latency_control)
    routes = list(list_routes())
    debug1('available routes:\n')
    for r in routes:
        debug1('  %d/%s/%d\n' % r)
    # synchronization header
    sys.stdout.write('\0\0SSHUTTLE0001')
    sys.stdout.flush()
    handlers = []
    mux = Mux(socket.fromfd(sys.stdin.fileno(),
                            socket.AF_INET, socket.SOCK_STREAM),
              socket.fromfd(sys.stdout.fileno(),
                            socket.AF_INET, socket.SOCK_STREAM))
    handlers.append(mux)
    routepkt = ''
    for r in routes:
        routepkt += '%d,%s,%d\n' % r
    mux.send(0, ssnet.CMD_ROUTES, b(routepkt))
    hw = Hostwatch()
    hw.leftover = b('')
    def hostwatch_ready(sock):
        assert(hw.pid)
        content = hw.sock.recv(4096)
        if content:
            lines = (hw.leftover + content).split(b('\n'))
            if lines[-1]:
                # no terminating newline: entry isn't complete yet!
                hw.leftover = lines.pop()
                lines.append(b(''))
            else:
                hw.leftover = b('')
            mux.send(0, ssnet.CMD_HOST_LIST, b('\n').join(lines))
        else:
            raise Fatal('hostwatch process died')
    def got_host_req(data):
        if not hw.pid:
            (hw.pid, hw.sock) = start_hostwatch(
                    data.strip().split(), auto_hosts)
            handlers.append(Handler(socks=[hw.sock],
                                    callback=hostwatch_ready))
    mux.got_host_req = got_host_req
    def new_channel(channel, data):
        (family, dstip, dstport) = data.decode("ASCII").split(',', 2)
        family = int(family)
        # AF_INET is the same constant on Linux and BSD but AF_INET6
        # is different. As the client and server can be running on
        # different platforms we can not just set the socket family
        # to what comes in the wire.
        if family != socket.AF_INET:
            family = socket.AF_INET6
        dstport = int(dstport)
        outwrap = ssnet.connect_dst(family, dstip, dstport)
        handlers.append(Proxy(MuxWrapper(mux, channel), outwrap))
    mux.new_channel = new_channel
    dnshandlers = {}
    def dns_req(channel, data):
        debug2('Incoming DNS request channel=%d.\n' % channel)
        h = DnsProxy(mux, channel, data)
        handlers.append(h)
        dnshandlers[channel] = h
    mux.got_dns_req = dns_req
    udphandlers = {}
    def udp_req(channel, cmd, data):
        debug2('Incoming UDP request channel=%d, cmd=%d\n' % (channel, cmd))
        if cmd == ssnet.CMD_UDP_DATA:
            (dstip, dstport, data) = data.split(b(','), 2)
            dstport = int(dstport)
            debug2('is incoming UDP data. %r %d.\n' % (dstip, dstport))
            h = udphandlers[channel]
            h.send((dstip, dstport), data)
        elif cmd == ssnet.CMD_UDP_CLOSE:
            debug2('is incoming UDP close\n')
            h = udphandlers[channel]
            h.ok = False
            del mux.channels[channel]
    def udp_open(channel, data):
        debug2('Incoming UDP open.\n')
        family = int(data)
        mux.channels[channel] = lambda cmd, data: udp_req(channel, cmd, data)
        if channel in udphandlers:
            raise Fatal('UDP connection channel %d already open' % channel)
        else:
            h = UdpProxy(mux, channel, family)
            handlers.append(h)
            udphandlers[channel] = h
    mux.got_udp_open = udp_open
    while mux.ok:
        if hw.pid:
            assert(hw.pid > 0)
            (rpid, rv) = os.waitpid(hw.pid, os.WNOHANG)
            if rpid:
                raise Fatal(
                    'hostwatch exited unexpectedly: code 0x%04x\n' % rv)
        ssnet.runonce(handlers, mux)
        if latency_control:
            mux.check_fullness()
        if dnshandlers:
            now = time.time()
            remove = []
            for channel, h in dnshandlers.items():
                if h.timeout < now or not h.ok:
                    debug3('expiring dnsreqs channel=%d\n' % channel)
                    remove.append(channel)
                    h.ok = False
            for channel in remove:
                del dnshandlers[channel]
        if udphandlers:
            remove = []
            for channel, h in udphandlers.items():
                if not h.ok:
                    debug3('expiring UDP channel=%d\n' % channel)
                    remove.append(channel)
                    h.ok = False
            for channel in remove:
                del udphandlers[channel]
--- a/sshuttle/ssh.py
+++ b/sshuttle/ssh.py
@ -0,0 +1,139 @@
 import sys
 import os
 import re
 import socket
 import zlib
 import imp
 import subprocess as ssubprocess
 import shlex
 import sshuttle.helpers as helpers
 from sshuttle.helpers import debug2
 try:
    # Python >= 3.5
    from shlex import quote
 except ImportError:
    # Python 2.x
    from pipes import quote
 def readfile(name):
    tokens = name.split(".")
    f = None
    token = tokens[0]
    token_name = [token]
    token_str = ".".join(token_name)
    try:
        f, pathname, description = imp.find_module(token_str)
        for token in tokens[1:]:
            module = imp.load_module(token_str, f, pathname, description)
            if f is not None:
                f.close()
            token_name.append(token)
            token_str = ".".join(token_name)
            f, pathname, description = imp.find_module(
                token, module.__path__)
        if f is not None:
            contents = f.read()
        else:
            contents = ""
    finally:
        if f is not None:
            f.close()
    return contents.encode("UTF8")
 def empackage(z, name, data=None):
    if not data:
        data = readfile(name)
    content = z.compress(data)
    content += z.flush(zlib.Z_SYNC_FLUSH)
    return b'%s\n%d\n%s' % (name.encode("ASCII"), len(content), content)
 def connect(ssh_cmd, rhostport, python, stderr, options):
    portl = []
    if re.sub(r'.*@', '', rhostport or '').count(':') > 1:
        if rhostport.count(']') or rhostport.count('['):
            result = rhostport.split(']')
            rhost = result[0].strip('[')
            if len(result) > 1:
                result[1] = result[1].strip(':')
                if result[1] is not '':
                    portl = ['-p', str(int(result[1]))]
        # can't disambiguate IPv6 colons and a port number. pass the hostname
        # through.
        else:
            rhost = rhostport
    else:  # IPv4
        l = (rhostport or '').rsplit(':', 1)
        rhost = l[0]
        if len(l) > 1:
            portl = ['-p', str(int(l[1]))]
    if rhost == '-':
        rhost = None
    z = zlib.compressobj(1)
    content = readfile('sshuttle.assembler')
    optdata = ''.join("%s=%r\n" % (k, v) for (k, v) in list(options.items()))
    optdata = optdata.encode("UTF8")
    content2 = (empackage(z, 'sshuttle') +
                empackage(z, 'sshuttle.cmdline_options', optdata) +
                empackage(z, 'sshuttle.helpers') +
                empackage(z, 'sshuttle.ssnet') +
                empackage(z, 'sshuttle.hostwatch') +
                empackage(z, 'sshuttle.server') +
                b"\n")
    pyscript = r"""
                import sys, os;
                verbosity=%d;
                sys.stdin = os.fdopen(0, "rb");
                exec(compile(sys.stdin.read(%d), "assembler.py", "exec"))
                """ % (helpers.verbose or 0, len(content))
    pyscript = re.sub(r'\s+', ' ', pyscript.strip())
    if not rhost:
        # ignore the --python argument when running locally; we already know
        # which python version works.
        argv = [sys.executable, '-c', pyscript]
    else:
        if ssh_cmd:
            sshl = shlex.split(ssh_cmd)
        else:
            sshl = ['ssh']
        if python:
            pycmd = "'%s' -c '%s'" % (python, pyscript)
        else:
            pycmd = ("P=python3.5; $P -V 2>/dev/null || P=python; "
                     "exec \"$P\" -c %s") % quote(pyscript)
            pycmd = ("exec /bin/sh -c %s" % quote(pycmd))
        argv = (sshl +
                portl +
                [rhost, '--', pycmd])
    (s1, s2) = socket.socketpair()
    def setup():
        # runs in the child process
        s2.close()
    s1a, s1b = os.dup(s1.fileno()), os.dup(s1.fileno())
    s1.close()
    debug2('executing: %r\n' % argv)
    p = ssubprocess.Popen(argv, stdin=s1a, stdout=s1b, preexec_fn=setup,
                          close_fds=True, stderr=stderr)
    os.close(s1a)
    os.close(s1b)
    s2.sendall(content)
    s2.sendall(content2)
    return p, s2
--- a/sshuttle/ssnet.py
+++ b/sshuttle/ssnet.py
@ -1,6 +1,12 @@
-import struct, socket, errno, select
+import sys
-if not globals().get('skip_imports'):
+import struct
-    from helpers import *
+import socket
 import errno
 import select
 import os
 from sshuttle.helpers import b, binary_type, log, debug1, debug2, debug3, Fatal
 MAX_CHANNEL = 65535
 # these don't exist in the socket module in python 2.3!
 SHUT_RD = 0
@ -14,35 +20,46 @@ HDR_LEN = 8
 CMD_EXIT = 0x4200
 CMD_PING = 0x4201
 CMD_PONG = 0x4202
-CMD_CONNECT = 0x4203
+CMD_TCP_CONNECT = 0x4203
-CMD_STOP_SENDING = 0x4204
+CMD_TCP_STOP_SENDING = 0x4204
-CMD_EOF = 0x4205
+CMD_TCP_EOF = 0x4205
-CMD_DATA = 0x4206
+CMD_TCP_DATA = 0x4206
 CMD_ROUTES = 0x4207
 CMD_HOST_REQ = 0x4208
 CMD_HOST_LIST = 0x4209
 CMD_DNS_REQ = 0x420a
 CMD_DNS_RESPONSE = 0x420b
 CMD_UDP_OPEN = 0x420c
 CMD_UDP_DATA = 0x420d
 CMD_UDP_CLOSE = 0x420e
 cmd_to_name = {
    CMD_EXIT: 'EXIT',
    CMD_PING: 'PING',
    CMD_PONG: 'PONG',
-    CMD_CONNECT: 'CONNECT',
+    CMD_TCP_CONNECT: 'TCP_CONNECT',
-    CMD_STOP_SENDING: 'STOP_SENDING',
+    CMD_TCP_STOP_SENDING: 'TCP_STOP_SENDING',
-    CMD_EOF: 'EOF',
+    CMD_TCP_EOF: 'TCP_EOF',
-    CMD_DATA: 'DATA',
+    CMD_TCP_DATA: 'TCP_DATA',
    CMD_ROUTES: 'ROUTES',
    CMD_HOST_REQ: 'HOST_REQ',
    CMD_HOST_LIST: 'HOST_LIST',
    CMD_DNS_REQ: 'DNS_REQ',
    CMD_DNS_RESPONSE: 'DNS_RESPONSE',
    CMD_UDP_OPEN: 'UDP_OPEN',
    CMD_UDP_DATA: 'UDP_DATA',
    CMD_UDP_CLOSE: 'UDP_CLOSE',
 }
 NET_ERRS = [errno.ECONNREFUSED, errno.ETIMEDOUT,
            errno.EHOSTUNREACH, errno.ENETUNREACH,
            errno.EHOSTDOWN, errno.ENETDOWN,
            errno.ENETUNREACH]
 def _add(l, elem):
-    if not elem in l:
+    if elem not in l:
        l.append(elem)
@ -60,7 +77,8 @@ def _fds(l):
 def _nb_clean(func, *args):
    try:
        return func(*args)
-    except OSError, e:
+    except OSError:
        _, e = sys.exc_info()[:2]
        if e.errno not in (errno.EWOULDBLOCK, errno.EAGAIN):
            raise
        else:
@ -73,18 +91,22 @@ def _try_peername(sock):
        pn = sock.getpeername()
        if pn:
            return '%s:%s' % (pn[0], pn[1])
-    except socket.error, e:
+    except socket.error:
        _, e = sys.exc_info()[:2]
        if e.args[0] not in (errno.ENOTCONN, errno.ENOTSOCK):
            raise
    return 'unknown'
 _swcount = 0
 class SockWrapper:
    def __init__(self, rsock, wsock, connect_to=None, peername=None):
        global _swcount
        _swcount += 1
-        debug3('creating new SockWrapper (%d now exist\n)' % _swcount)
+        debug3('creating new SockWrapper (%d now exist)\n' % _swcount)
        self.exc = None
        self.rsock = rsock
        self.wsock = wsock
@ -99,7 +121,7 @@ class SockWrapper:
        _swcount -= 1
        debug1('%r: deleting (%d remain)\n' % (self, _swcount))
        if self.exc:
-            debug1('%r: error was: %r\n' % (self, self.exc))
+            debug1('%r: error was: %s\n' % (self, self.exc))
    def __repr__(self):
        if self.rsock == self.wsock:
@ -126,16 +148,36 @@ class SockWrapper:
            self.rsock.connect(self.connect_to)
            # connected successfully (Linux)
            self.connect_to = None
-        except socket.error, e:
+        except socket.error:
-            debug3('%r: connect result: %r\n' % (self, e))
+            _, e = sys.exc_info()[:2]
            debug3('%r: connect result: %s\n' % (self, e))
            if e.args[0] == errno.EINVAL:
                # this is what happens when you call connect() on a socket
                # that is now connected but returned EINPROGRESS last time,
                # on BSD, on python pre-2.5.1.  We need to use getsockopt()
                # to get the "real" error.  Later pythons do this
                # automatically, so this code won't run.
                realerr = self.rsock.getsockopt(socket.SOL_SOCKET,
                                                socket.SO_ERROR)
                e = socket.error(realerr, os.strerror(realerr))
                debug3('%r: fixed connect result: %s\n' % (self, e))
            if e.args[0] in [errno.EINPROGRESS, errno.EALREADY]:
                pass  # not connected yet
            elif e.args[0] == 0:
                # connected successfully (weird Linux bug?)
                # Sometimes Linux seems to return EINVAL when it isn't
                # invalid.  This *may* be caused by a race condition
                # between connect() and getsockopt(SO_ERROR) (ie. it
                # finishes connecting in between the two, so there is no
                # longer an error).  However, I'm not sure of that.
                #
                # I did get at least one report that the problem went away
                # when we added this, however.
                self.connect_to = None
            elif e.args[0] == errno.EISCONN:
                # connected successfully (BSD)
                self.connect_to = None
-            elif e.args[0] in [errno.ECONNREFUSED, errno.ETIMEDOUT,
+            elif e.args[0] in NET_ERRS + [errno.EACCES, errno.EPERM]:
                               errno.EHOSTUNREACH, errno.ENETUNREACH,
                               errno.EACCES, errno.EPERM]:
                # a "normal" kind of error
                self.connect_to = None
                self.seterr(e)
@ -146,7 +188,7 @@ class SockWrapper:
        if not self.shut_read:
            debug2('%r: done reading\n' % self)
            self.shut_read = True
-            #self.rsock.shutdown(SHUT_RD)  # doesn't do anything anyway
+            # self.rsock.shutdown(SHUT_RD)  # doesn't do anything anyway
    def nowrite(self):
        if not self.shut_write:
@ -154,7 +196,8 @@ class SockWrapper:
            self.shut_write = True
            try:
                self.wsock.shutdown(SHUT_WR)
-            except socket.error, e:
+            except socket.error:
                _, e = sys.exc_info()[:2]
                self.seterr('nowrite: %s' % e)
    def too_full(self):
@ -166,7 +209,8 @@ class SockWrapper:
        self.wsock.setblocking(False)
        try:
            return _nb_clean(os.write, self.wsock.fileno(), buf)
-        except OSError, e:
+        except OSError:
            _, e = sys.exc_info()[:2]
            if e.errno == errno.EPIPE:
                debug1('%r: uwrite: got EPIPE\n' % self)
                self.nowrite()
@ -188,9 +232,10 @@ class SockWrapper:
        self.rsock.setblocking(False)
        try:
            return _nb_clean(os.read, self.rsock.fileno(), 65536)
-        except OSError, e:
+        except OSError:
            _, e = sys.exc_info()[:2]
            self.seterr('uread: %s' % e)
-            return '' # unexpected error... we'll call it EOF
+            return b('')  # unexpected error... we'll call it EOF
    def fill(self):
        if self.buf:
@ -198,7 +243,7 @@ class SockWrapper:
        rb = self.uread()
        if rb:
            self.buf.append(rb)
-        if rb == '':  # empty string means EOF; None means temporarily empty
+        if rb == b(''):  # empty string means EOF; None means temporarily empty
            self.noread()
    def copy_to(self, outwrap):
@ -212,7 +257,8 @@ class SockWrapper:
 class Handler:
-    def __init__(self, socks = None, callback = None):
+
    def __init__(self, socks=None, callback=None):
        self.ok = True
        self.socks = socks or []
        if callback:
@ -222,9 +268,9 @@ class Handler:
        for i in self.socks:
            _add(r, i)
-    def callback(self):
+    def callback(self, sock):
        log('--no callback defined-- %r\n' % self)
-        (r,w,x) = select.select(self.socks, [], [], 0)
+        (r, w, x) = select.select(self.socks, [], [], 0)
        for s in r:
            v = s.recv(4096)
            if not v:
@ -234,6 +280,7 @@ class Handler:
 class Proxy(Handler):
    def __init__(self, wrap1, wrap2):
        Handler.__init__(self, [wrap1.rsock, wrap1.wsock,
                                wrap2.rsock, wrap2.wsock])
@ -241,8 +288,10 @@ class Proxy(Handler):
        self.wrap2 = wrap2
    def pre_select(self, r, w, x):
-        if self.wrap1.shut_write: self.wrap2.noread()
+        if self.wrap1.shut_write:
-        if self.wrap2.shut_write: self.wrap1.noread()
+            self.wrap2.noread()
        if self.wrap2.shut_write:
            self.wrap1.noread()
        if self.wrap1.connect_to:
            _add(w, self.wrap1.rsock)
@ -260,7 +309,7 @@ class Proxy(Handler):
        elif not self.wrap2.shut_read:
            _add(r, self.wrap2.rsock)
-    def callback(self):
+    def callback(self, sock):
        self.wrap1.try_connect()
        self.wrap2.try_connect()
        self.wrap1.fill()
@ -274,67 +323,70 @@ class Proxy(Handler):
            self.wrap2.buf = []
            self.wrap2.noread()
        if (self.wrap1.shut_read and self.wrap2.shut_read and
-            not self.wrap1.buf and not self.wrap2.buf):
+                not self.wrap1.buf and not self.wrap2.buf):
            self.ok = False
            self.wrap1.nowrite()
            self.wrap2.nowrite()
 class Mux(Handler):
    def __init__(self, rsock, wsock):
        Handler.__init__(self, [rsock, wsock])
        self.rsock = rsock
        self.wsock = wsock
        self.new_channel = self.got_dns_req = self.got_routes = None
        self.got_udp_open = self.got_udp_data = self.got_udp_close = None
        self.got_host_req = self.got_host_list = None
        self.channels = {}
        self.chani = 0
        self.want = 0
-        self.inbuf = ''
+        self.inbuf = b('')
        self.outbuf = []
        self.fullness = 0
        self.too_full = False
-        self.send(0, CMD_PING, 'chicken')
+        self.send(0, CMD_PING, b('chicken'))
    def next_channel(self):
        # channel 0 is special, so we never allocate it
-        for timeout in xrange(1024):
+        for timeout in range(1024):
            self.chani += 1
-            if self.chani > 65535:
+            if self.chani > MAX_CHANNEL:
                self.chani = 1
            if not self.channels.get(self.chani):
                return self.chani
    def amount_queued(self):
        total = 0
-        for b in self.outbuf:
+        for byte in self.outbuf:
-            total += len(b)
+            total += len(byte)
        return total
    def check_fullness(self):
        if self.fullness > 32768:
            if not self.too_full:
-                self.send(0, CMD_PING, 'rttest')
+                self.send(0, CMD_PING, b('rttest'))
            self.too_full = True
-        #ob = []
+        # ob = []
-        #for b in self.outbuf:
+        # for b in self.outbuf:
        #    (s1,s2,c) = struct.unpack('!ccH', b[:4])
        #    ob.append(c)
-        #log('outbuf: %d %r\n' % (self.amount_queued(), ob))
+        # log('outbuf: %d %r\n' % (self.amount_queued(), ob))
    def send(self, channel, cmd, data):
-        data = str(data)
+        assert isinstance(data, binary_type)
-        assert(len(data) <= 65535)
+        assert len(data) <= 65535
-        p = struct.pack('!ccHHH', 'S', 'S', channel, cmd, len(data)) + data
+        p = struct.pack('!ccHHH', b('S'), b('S'), channel, cmd, len(data)) \
            + data
        self.outbuf.append(p)
        debug2(' > channel=%d cmd=%s len=%d (fullness=%d)\n'
-               % (channel, cmd_to_name.get(cmd,hex(cmd)),
+               % (channel, cmd_to_name.get(cmd, hex(cmd)),
                  len(data), self.fullness))
        self.fullness += len(data)
    def got_packet(self, channel, cmd, data):
        debug2('<  channel=%d cmd=%s len=%d\n'
-               % (channel, cmd_to_name.get(cmd,hex(cmd)), len(data)))
+               % (channel, cmd_to_name.get(cmd, hex(cmd)), len(data)))
        if cmd == CMD_PING:
            self.send(0, CMD_PONG, data)
        elif cmd == CMD_PONG:
@ -343,7 +395,7 @@ class Mux(Handler):
            self.fullness = 0
        elif cmd == CMD_EXIT:
            self.ok = False
-        elif cmd == CMD_CONNECT:
+        elif cmd == CMD_TCP_CONNECT:
            assert(not self.channels.get(channel))
            if self.new_channel:
                self.new_channel(channel, data)
@ -351,6 +403,10 @@ class Mux(Handler):
            assert(not self.channels.get(channel))
            if self.got_dns_req:
                self.got_dns_req(channel, data)
        elif cmd == CMD_UDP_OPEN:
            assert(not self.channels.get(channel))
            if self.got_udp_open:
                self.got_udp_open(channel, data)
        elif cmd == CMD_ROUTES:
            if self.got_routes:
                self.got_routes(data)
@ -370,7 +426,7 @@ class Mux(Handler):
            callback = self.channels.get(channel)
            if not callback:
                log('warning: closed channel %d got cmd=%s len=%d\n'
-                       % (channel, cmd_to_name.get(cmd,hex(cmd)), len(data)))
+                    % (channel, cmd_to_name.get(cmd, hex(cmd)), len(data)))
            else:
                callback(cmd, data)
@ -387,25 +443,26 @@ class Mux(Handler):
    def fill(self):
        self.rsock.setblocking(False)
        try:
-            b = _nb_clean(os.read, self.rsock.fileno(), 32768)
+            read = _nb_clean(os.read, self.rsock.fileno(), 32768)
-        except OSError, e:
+        except OSError:
            _, e = sys.exc_info()[:2]
            raise Fatal('other end: %r' % e)
-        #log('<<< %r\n' % b)
+        # log('<<< %r\n' % b)
-        if b == '': # EOF
+        if read == b(''):  # EOF
            self.ok = False
-        if b:
+        if read:
-            self.inbuf += b
+            self.inbuf += read
    def handle(self):
        self.fill()
-        #log('inbuf is: (%d,%d) %r\n'
+        # log('inbuf is: (%d,%d) %r\n'
        #     % (self.want, len(self.inbuf), self.inbuf))
        while 1:
            if len(self.inbuf) >= (self.want or HDR_LEN):
-                (s1,s2,channel,cmd,datalen) = \
+                (s1, s2, channel, cmd, datalen) = \
                    struct.unpack('!ccHHH', self.inbuf[:HDR_LEN])
-                assert(s1 == 'S')
+                assert(s1 == b('S'))
-                assert(s2 == 'S')
+                assert(s2 == b('S'))
                self.want = datalen + HDR_LEN
            if self.want and len(self.inbuf) >= self.want:
                data = self.inbuf[HDR_LEN:self.want]
@ -420,8 +477,8 @@ class Mux(Handler):
        if self.outbuf:
            _add(w, self.wsock)
-    def callback(self):
+    def callback(self, sock):
-        (r,w,x) = select.select([self.rsock], [self.wsock], [], 0)
+        (r, w, x) = select.select([self.rsock], [self.wsock], [], 0)
        if self.rsock in r:
            self.handle()
        if self.outbuf and self.wsock in w:
@ -429,6 +486,7 @@ class Mux(Handler):
 class MuxWrapper(SockWrapper):
    def __init__(self, mux, channel):
        SockWrapper.__init__(self, mux.rsock, mux.wsock)
        self.mux = mux
@ -442,22 +500,33 @@ class MuxWrapper(SockWrapper):
        SockWrapper.__del__(self)
    def __repr__(self):
-        return 'SW%r:Mux#%d' % (self.peername,self.channel)
+        return 'SW%r:Mux#%d' % (self.peername, self.channel)
    def noread(self):
        if not self.shut_read:
            self.mux.send(self.channel, CMD_TCP_STOP_SENDING, b(''))
            self.setnoread()
    def setnoread(self):
        if not self.shut_read:
            debug2('%r: done reading\n' % self)
            self.shut_read = True
            self.mux.send(self.channel, CMD_STOP_SENDING, '')
            self.maybe_close()
    def nowrite(self):
        if not self.shut_write:
            self.mux.send(self.channel, CMD_TCP_EOF, b(''))
            self.setnowrite()
    def setnowrite(self):
        if not self.shut_write:
            debug2('%r: done writing\n' % self)
            self.shut_write = True
            self.mux.send(self.channel, CMD_EOF, '')
            self.maybe_close()
    def maybe_close(self):
        if self.shut_read and self.shut_write:
            debug2('%r: closing connection\n' % self)
            # remove the mux's reference to us.  The python garbage collector
            # will then be able to reap our object.
            self.mux.channels[self.channel] = None
@ -470,59 +539,61 @@ class MuxWrapper(SockWrapper):
            return 0  # too much already enqueued
        if len(buf) > 2048:
            buf = buf[:2048]
-        self.mux.send(self.channel, CMD_DATA, buf)
+        self.mux.send(self.channel, CMD_TCP_DATA, buf)
        return len(buf)
    def uread(self):
        if self.shut_read:
-            return '' # EOF
+            return b('')  # EOF
        else:
            return None  # no data available right now
    def got_packet(self, cmd, data):
-        if cmd == CMD_EOF:
+        if cmd == CMD_TCP_EOF:
-            self.noread()
+            # Remote side already knows the status - set flag but don't notify
-        elif cmd == CMD_STOP_SENDING:
+            self.setnoread()
-            self.nowrite()
+        elif cmd == CMD_TCP_STOP_SENDING:
-        elif cmd == CMD_DATA:
+            # Remote side already knows the status - set flag but don't notify
            self.setnowrite()
        elif cmd == CMD_TCP_DATA:
            self.buf.append(data)
        else:
            raise Exception('unknown command %d (%d bytes)'
                            % (cmd, len(data)))
-def connect_dst(ip, port):
+def connect_dst(family, ip, port):
    debug2('Connecting to %s:%d\n' % (ip, port))
-    outsock = socket.socket()
+    outsock = socket.socket(family)
    outsock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
    return SockWrapper(outsock, outsock,
-                       connect_to = (ip,port),
+                       connect_to=(ip, port),
-                       peername = '%s:%d' % (ip,port))
+                       peername='%s:%d' % (ip, port))
 def runonce(handlers, mux):
    r = []
    w = []
    x = []
-    to_remove = filter(lambda s: not s.ok, handlers)
+    to_remove = [s for s in handlers if not s.ok]
    for h in to_remove:
        handlers.remove(h)
    for s in handlers:
-        s.pre_select(r,w,x)
+        s.pre_select(r, w, x)
    debug2('Waiting: %d r=%r w=%r x=%r (fullness=%d/%d)\n'
-            % (len(handlers), _fds(r), _fds(w), _fds(x),
+           % (len(handlers), _fds(r), _fds(w), _fds(x),
               mux.fullness, mux.too_full))
-    (r,w,x) = select.select(r,w,x)
+    (r, w, x) = select.select(r, w, x)
    debug2('  Ready: %d r=%r w=%r x=%r\n'
-        % (len(handlers), _fds(r), _fds(w), _fds(x)))
+           % (len(handlers), _fds(r), _fds(w), _fds(x)))
-    ready = r+w+x
+    ready = r + w + x
    did = {}
    for h in handlers:
        for s in h.socks:
            if s in ready:
-                h.callback()
+                h.callback(s)
                did[s] = 1
    for s in ready:
-        if not s in did:
+        if s not in did:
            raise Fatal('socket %r was not used by any handler' % s)
--- a/sshuttle/ssyslog.py
+++ b/sshuttle/ssyslog.py
@ -1,8 +1,11 @@
-import sys, os
+import sys
-from compat import ssubprocess
+import os
 import subprocess as ssubprocess
 _p = None
 def start_syslog():
    global _p
    _p = ssubprocess.Popen(['logger',
--- a/sshuttle/stresstest.py
+++ b/sshuttle/stresstest.py
@ -0,0 +1,89 @@
 #!/usr/bin/env python
 import socket
 import select
 import struct
 import time
 listener = socket.socket()
 listener.bind(('127.0.0.1', 0))
 listener.listen(500)
 servers = []
 clients = []
 remain = {}
 NUMCLIENTS = 50
 count = 0
 while 1:
    if len(clients) < NUMCLIENTS:
        c = socket.socket()
        c.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        c.bind(('0.0.0.0', 0))
        c.connect(listener.getsockname())
        count += 1
        if count >= 16384:
            count = 1
        print('cli CREATING %d' % count)
        b = struct.pack('I', count) + 'x' * count
        remain[c] = count
        print('cli  >> %r' % len(b))
        c.send(b)
        c.shutdown(socket.SHUT_WR)
        clients.append(c)
        r = [listener]
        time.sleep(0.1)
    else:
        r = [listener] + servers + clients
    print('select(%d)' % len(r))
    r, w, x = select.select(r, [], [], 5)
    assert(r)
    for i in r:
        if i == listener:
            s, addr = listener.accept()
            servers.append(s)
        elif i in servers:
            b = i.recv(4096)
            print('srv <<  %r' % len(b))
            if i not in remain:
                assert(len(b) >= 4)
                want = struct.unpack('I', b[:4])[0]
                b = b[4:]
                # i.send('y'*want)
            else:
                want = remain[i]
            if want < len(b):
                print('weird wanted %d bytes, got %d: %r' % (want, len(b), b))
                assert(want >= len(b))
            want -= len(b)
            remain[i] = want
            if not b:  # EOF
                if want:
                    print('weird: eof but wanted %d more' % want)
                    assert(want == 0)
                i.close()
                servers.remove(i)
                del remain[i]
            else:
                print('srv  >> %r' % len(b))
                i.send('y' * len(b))
                if not want:
                    i.shutdown(socket.SHUT_WR)
        elif i in clients:
            b = i.recv(4096)
            print('cli <<  %r' % len(b))
            want = remain[i]
            if want < len(b):
                print('weird wanted %d bytes, got %d: %r' % (want, len(b), b))
                assert(want >= len(b))
            want -= len(b)
            remain[i] = want
            if not b:  # EOF
                if want:
                    print('weird: eof but wanted %d more' % want)
                    assert(want == 0)
                i.close()
                clients.remove(i)
                del remain[i]
 listener.accept()
--- a/sshuttle/tests/client/test_firewall.py
+++ b/sshuttle/tests/client/test_firewall.py
@ -0,0 +1,134 @@
 from mock import Mock, patch, call
 import io
 import socket
 import sshuttle.firewall
 def setup_daemon():
    stdin = io.StringIO(u"""ROUTES
 2,24,0,1.2.3.0,8000,9000
 2,32,1,1.2.3.66,8080,8080
 10,64,0,2404:6800:4004:80c::,0,0
 10,128,1,2404:6800:4004:80c::101f,80,80
 NSLIST
 2,1.2.3.33
 10,2404:6800:4004:80c::33
 PORTS 1024,1025,1026,1027
 GO 1
 HOST 1.2.3.3,existing
 """)
    stdout = Mock()
    return stdin, stdout
 def test_rewrite_etc_hosts(tmpdir):
    orig_hosts = tmpdir.join("hosts.orig")
    orig_hosts.write("1.2.3.3 existing\n")
    new_hosts = tmpdir.join("hosts")
    orig_hosts.copy(new_hosts)
    hostmap = {
        'myhost': '1.2.3.4',
        'myotherhost': '1.2.3.5',
    }
    with patch('sshuttle.firewall.HOSTSFILE', new=str(new_hosts)):
        sshuttle.firewall.rewrite_etc_hosts(hostmap, 10)
    with new_hosts.open() as f:
        line = f.readline()
        s = line.split()
        assert s == ['1.2.3.3', 'existing']
        line = f.readline()
        s = line.split()
        assert s == ['1.2.3.4', 'myhost',
                     '#', 'sshuttle-firewall-10', 'AUTOCREATED']
        line = f.readline()
        s = line.split()
        assert s == ['1.2.3.5', 'myotherhost',
                     '#', 'sshuttle-firewall-10', 'AUTOCREATED']
        line = f.readline()
        assert line == ""
    with patch('sshuttle.firewall.HOSTSFILE', new=str(new_hosts)):
        sshuttle.firewall.restore_etc_hosts(10)
    assert orig_hosts.computehash() == new_hosts.computehash()
 def test_subnet_weight():
    subnets = [
        (socket.AF_INET, 16, 0, '192.168.0.0', 0, 0),
        (socket.AF_INET, 24, 0, '192.168.69.0', 0, 0),
        (socket.AF_INET, 32, 0, '192.168.69.70', 0, 0),
        (socket.AF_INET, 32, 1, '192.168.69.70', 0, 0),
        (socket.AF_INET, 32, 1, '192.168.69.70', 80, 80),
        (socket.AF_INET, 0, 1, '0.0.0.0', 0, 0),
        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
        (socket.AF_INET, 0, 1, '0.0.0.0', 400, 450)
    ]
    subnets_sorted = [
        (socket.AF_INET, 32, 1, '192.168.69.70', 80, 80),
        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
        (socket.AF_INET, 0, 1, '0.0.0.0', 400, 450),
        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
        (socket.AF_INET, 32, 1, '192.168.69.70', 0, 0),
        (socket.AF_INET, 32, 0, '192.168.69.70', 0, 0),
        (socket.AF_INET, 24, 0, '192.168.69.0', 0, 0),
        (socket.AF_INET, 16, 0, '192.168.0.0', 0, 0),
        (socket.AF_INET, 0, 1, '0.0.0.0', 0, 0)
    ]
    assert subnets_sorted == \
            sorted(subnets, key=sshuttle.firewall.subnet_weight, reverse=True)
@patch('sshuttle.firewall.rewrite_etc_hosts')
@patch('sshuttle.firewall.setup_daemon')
@patch('sshuttle.firewall.get_method')
 def test_main(mock_get_method, mock_setup_daemon, mock_rewrite_etc_hosts):
    stdin, stdout = setup_daemon()
    mock_setup_daemon.return_value = stdin, stdout
    mock_get_method("not_auto").name = "test"
    mock_get_method.reset_mock()
    sshuttle.firewall.main("not_auto", False)
    assert mock_rewrite_etc_hosts.mock_calls == [
        call({'1.2.3.3': 'existing'}, 1024),
        call({}, 1024),
    ]
    assert stdout.mock_calls == [
        call.write('READY test\n'),
        call.flush(),
        call.write('STARTED\n'),
        call.flush()
    ]
    assert mock_setup_daemon.mock_calls == [call()]
    assert mock_get_method.mock_calls == [
        call('not_auto'),
        call().setup_firewall(
            1024, 1026,
            [(10, u'2404:6800:4004:80c::33')],
            10,
            [(10, 64, False, u'2404:6800:4004:80c::', 0, 0),
                (10, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
            True),
        call().setup_firewall(
            1025, 1027,
            [(2, u'1.2.3.33')],
            2,
            [(2, 24, False, u'1.2.3.0', 8000, 9000),
                (2, 32, True, u'1.2.3.66', 8080, 8080)],
            True),
        call().restore_firewall(1024, 10, True),
        call().restore_firewall(1025, 2, True),
    ]
--- a/sshuttle/tests/client/test_helpers.py
+++ b/sshuttle/tests/client/test_helpers.py
@ -0,0 +1,191 @@
 from mock import patch, call
 import sys
 import io
 import socket
 import sshuttle.helpers
@patch('sshuttle.helpers.logprefix', new='prefix: ')
@patch('sshuttle.helpers.sys.stdout')
@patch('sshuttle.helpers.sys.stderr')
 def test_log(mock_stderr, mock_stdout):
    sshuttle.helpers.log("message")
    sshuttle.helpers.log("abc")
    sshuttle.helpers.log("message 1\n")
    sshuttle.helpers.log("message 2\nline2\nline3\n")
    sshuttle.helpers.log("message 3\nline2\nline3")
    assert mock_stdout.mock_calls == [
        call.flush(),
        call.flush(),
        call.flush(),
        call.flush(),
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
        call.write('prefix: message'),
        call.flush(),
        call.write('prefix: abc'),
        call.flush(),
        call.write('prefix: message 1\n'),
        call.flush(),
        call.write('prefix: message 2\n'),
        call.write('---> line2\n'),
        call.write('---> line3\n'),
        call.flush(),
        call.write('prefix: message 3\n'),
        call.write('---> line2\n'),
        call.write('---> line3\n'),
        call.flush(),
    ]
@patch('sshuttle.helpers.logprefix', new='prefix: ')
@patch('sshuttle.helpers.verbose', new=1)
@patch('sshuttle.helpers.sys.stdout')
@patch('sshuttle.helpers.sys.stderr')
 def test_debug1(mock_stderr, mock_stdout):
    sshuttle.helpers.debug1("message")
    assert mock_stdout.mock_calls == [
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
        call.write('prefix: message'),
        call.flush(),
    ]
@patch('sshuttle.helpers.logprefix', new='prefix: ')
@patch('sshuttle.helpers.verbose', new=0)
@patch('sshuttle.helpers.sys.stdout')
@patch('sshuttle.helpers.sys.stderr')
 def test_debug1_nop(mock_stderr, mock_stdout):
    sshuttle.helpers.debug1("message")
    assert mock_stdout.mock_calls == []
    assert mock_stderr.mock_calls == []
@patch('sshuttle.helpers.logprefix', new='prefix: ')
@patch('sshuttle.helpers.verbose', new=2)
@patch('sshuttle.helpers.sys.stdout')
@patch('sshuttle.helpers.sys.stderr')
 def test_debug2(mock_stderr, mock_stdout):
    sshuttle.helpers.debug2("message")
    assert mock_stdout.mock_calls == [
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
        call.write('prefix: message'),
        call.flush(),
    ]
@patch('sshuttle.helpers.logprefix', new='prefix: ')
@patch('sshuttle.helpers.verbose', new=1)
@patch('sshuttle.helpers.sys.stdout')
@patch('sshuttle.helpers.sys.stderr')
 def test_debug2_nop(mock_stderr, mock_stdout):
    sshuttle.helpers.debug2("message")
    assert mock_stdout.mock_calls == []
    assert mock_stderr.mock_calls == []
@patch('sshuttle.helpers.logprefix', new='prefix: ')
@patch('sshuttle.helpers.verbose', new=3)
@patch('sshuttle.helpers.sys.stdout')
@patch('sshuttle.helpers.sys.stderr')
 def test_debug3(mock_stderr, mock_stdout):
    sshuttle.helpers.debug3("message")
    assert mock_stdout.mock_calls == [
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
        call.write('prefix: message'),
        call.flush(),
    ]
@patch('sshuttle.helpers.logprefix', new='prefix: ')
@patch('sshuttle.helpers.verbose', new=2)
@patch('sshuttle.helpers.sys.stdout')
@patch('sshuttle.helpers.sys.stderr')
 def test_debug3_nop(mock_stderr, mock_stdout):
    sshuttle.helpers.debug3("message")
    assert mock_stdout.mock_calls == []
    assert mock_stderr.mock_calls == []
@patch('sshuttle.helpers.open', create=True)
 def test_resolvconf_nameservers(mock_open):
    mock_open.return_value = io.StringIO(u"""
 # Generated by NetworkManager
 search pri
 nameserver 192.168.1.1
 nameserver 192.168.2.1
 nameserver 192.168.3.1
 nameserver 192.168.4.1
 nameserver 2404:6800:4004:80c::1
 nameserver 2404:6800:4004:80c::2
 nameserver 2404:6800:4004:80c::3
 nameserver 2404:6800:4004:80c::4
 """)
    ns = sshuttle.helpers.resolvconf_nameservers()
    assert ns == [
        (2, u'192.168.1.1'), (2, u'192.168.2.1'),
        (2, u'192.168.3.1'), (2, u'192.168.4.1'),
        (10, u'2404:6800:4004:80c::1'), (10, u'2404:6800:4004:80c::2'),
        (10, u'2404:6800:4004:80c::3'), (10, u'2404:6800:4004:80c::4')
    ]
@patch('sshuttle.helpers.open', create=True)
 def test_resolvconf_random_nameserver(mock_open):
    mock_open.return_value = io.StringIO(u"""
 # Generated by NetworkManager
 search pri
 nameserver 192.168.1.1
 nameserver 192.168.2.1
 nameserver 192.168.3.1
 nameserver 192.168.4.1
 nameserver 2404:6800:4004:80c::1
 nameserver 2404:6800:4004:80c::2
 nameserver 2404:6800:4004:80c::3
 nameserver 2404:6800:4004:80c::4
 """)
    ns = sshuttle.helpers.resolvconf_random_nameserver()
    assert ns in [
        (2, u'192.168.1.1'), (2, u'192.168.2.1'),
        (2, u'192.168.3.1'), (2, u'192.168.4.1'),
        (10, u'2404:6800:4004:80c::1'), (10, u'2404:6800:4004:80c::2'),
        (10, u'2404:6800:4004:80c::3'), (10, u'2404:6800:4004:80c::4')
    ]
 def test_islocal():
    assert sshuttle.helpers.islocal("127.0.0.1", socket.AF_INET)
    assert not sshuttle.helpers.islocal("192.0.2.1", socket.AF_INET)
    assert sshuttle.helpers.islocal("::1", socket.AF_INET6)
    assert not sshuttle.helpers.islocal("2001:db8::1", socket.AF_INET6)
 def test_family_ip_tuple():
    assert sshuttle.helpers.family_ip_tuple("127.0.0.1") \
        == (socket.AF_INET, "127.0.0.1")
    assert sshuttle.helpers.family_ip_tuple("192.168.2.6") \
        == (socket.AF_INET, "192.168.2.6")
    assert sshuttle.helpers.family_ip_tuple("::1") \
        == (socket.AF_INET6, "::1")
    assert sshuttle.helpers.family_ip_tuple("2404:6800:4004:80c::1") \
        == (socket.AF_INET6, "2404:6800:4004:80c::1")
 def test_family_to_string():
    assert sshuttle.helpers.family_to_string(socket.AF_INET) == "AF_INET"
    assert sshuttle.helpers.family_to_string(socket.AF_INET6) == "AF_INET6"
    if sys.version_info < (3, 0):
        expected = "1"
        assert sshuttle.helpers.family_to_string(socket.AF_UNIX) == "1"
    else:
        expected = 'AddressFamily.AF_UNIX'
    assert sshuttle.helpers.family_to_string(socket.AF_UNIX) == expected
--- a/sshuttle/tests/client/test_methods_nat.py
+++ b/sshuttle/tests/client/test_methods_nat.py
@ -0,0 +1,158 @@
 import pytest
 from mock import Mock, patch, call
 import socket
 import struct
 from sshuttle.helpers import Fatal
 from sshuttle.methods import get_method
 def test_get_supported_features():
    method = get_method('nat')
    features = method.get_supported_features()
    assert not features.ipv6
    assert not features.udp
    assert features.dns
 def test_get_tcp_dstip():
    sock = Mock()
    sock.getsockopt.return_value = struct.pack(
        '!HHBBBB', socket.ntohs(socket.AF_INET), 1024, 127, 0, 0, 1)
    method = get_method('nat')
    assert method.get_tcp_dstip(sock) == ('127.0.0.1', 1024)
    assert sock.mock_calls == [call.getsockopt(0, 80, 16)]
 def test_recv_udp():
    sock = Mock()
    sock.recvfrom.return_value = "11111", "127.0.0.1"
    method = get_method('nat')
    result = method.recv_udp(sock, 1024)
    assert sock.mock_calls == [call.recvfrom(1024)]
    assert result == ("127.0.0.1", None, "11111")
 def test_send_udp():
    sock = Mock()
    method = get_method('nat')
    method.send_udp(sock, None, "127.0.0.1", "22222")
    assert sock.mock_calls == [call.sendto("22222", "127.0.0.1")]
 def test_setup_tcp_listener():
    listener = Mock()
    method = get_method('nat')
    method.setup_tcp_listener(listener)
    assert listener.mock_calls == []
 def test_setup_udp_listener():
    listener = Mock()
    method = get_method('nat')
    method.setup_udp_listener(listener)
    assert listener.mock_calls == []
 def test_assert_features():
    method = get_method('nat')
    features = method.get_supported_features()
    method.assert_features(features)
    features.udp = True
    with pytest.raises(Fatal):
        method.assert_features(features)
    features.ipv6 = True
    with pytest.raises(Fatal):
        method.assert_features(features)
 def test_firewall_command():
    method = get_method('nat')
    assert not method.firewall_command("somthing")
@patch('sshuttle.methods.nat.ipt')
@patch('sshuttle.methods.nat.ipt_ttl')
@patch('sshuttle.methods.nat.ipt_chain_exists')
 def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
    mock_ipt_chain_exists.return_value = True
    method = get_method('nat')
    assert method.name == 'nat'
    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
            1024, 1026,
            [(10, u'2404:6800:4004:80c::33')],
            10,
            [(10, 64, False, u'2404:6800:4004:80c::', 0, 0),
                (10, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
            True)
    assert str(excinfo.value) \
        == 'Address family "AF_INET6" unsupported by nat method_name'
    assert mock_ipt_chain_exists.mock_calls == []
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == []
    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
            1025, 1027,
            [(2, u'1.2.3.33')],
            2,
            [(2, 24, False, u'1.2.3.0', 8000, 9000),
                (2, 32, True, u'1.2.3.66', 8080, 8080)],
            True)
    assert str(excinfo.value) == 'UDP not supported by nat method_name'
    assert mock_ipt_chain_exists.mock_calls == []
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == []
    method.setup_firewall(
        1025, 1027,
        [(2, u'1.2.3.33')],
        2,
        [(2, 24, False, u'1.2.3.0', 8000, 9000),
            (2, 32, True, u'1.2.3.66', 8080, 8080)],
        False)
    assert mock_ipt_chain_exists.mock_calls == [
        call(2, 'nat', 'sshuttle-1025')
    ]
    assert mock_ipt_ttl.mock_calls == [
        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
            '--dest', u'1.2.3.0/24', '-p', 'tcp', '--dport', '8000:9000',
             '--to-ports', '1025'),
        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
             '--dest', u'1.2.3.33/32', '-p', 'udp',
             '--dport', '53', '--to-ports', '1027')
    ]
    assert mock_ipt.mock_calls == [
        call(2, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
        call(2, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
        call(2, 'nat', '-F', 'sshuttle-1025'),
        call(2, 'nat', '-X', 'sshuttle-1025'),
        call(2, 'nat', '-N', 'sshuttle-1025'),
        call(2, 'nat', '-F', 'sshuttle-1025'),
        call(2, 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-1025'),
        call(2, 'nat', '-I', 'PREROUTING', '1', '-j', 'sshuttle-1025'),
        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
            '--dest', u'1.2.3.66/32', '-p', 'tcp', '--dport', '8080:8080')
    ]
    mock_ipt_chain_exists.reset_mock()
    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()
    method.restore_firewall(1025, 2, False)
    assert mock_ipt_chain_exists.mock_calls == [
        call(2, 'nat', 'sshuttle-1025')
    ]
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(2, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
        call(2, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
        call(2, 'nat', '-F', 'sshuttle-1025'),
        call(2, 'nat', '-X', 'sshuttle-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()
--- a/sshuttle/tests/client/test_methods_pf.py
+++ b/sshuttle/tests/client/test_methods_pf.py
@ -0,0 +1,468 @@
 import pytest
 from mock import Mock, patch, call, ANY
 import socket
 from sshuttle.methods import get_method
 from sshuttle.helpers import Fatal
 from sshuttle.methods.pf import FreeBsd, Darwin, OpenBsd
 def test_get_supported_features():
    method = get_method('pf')
    features = method.get_supported_features()
    assert features.ipv6
    assert not features.udp
    assert features.dns
@patch('sshuttle.helpers.verbose', new=3)
 def test_get_tcp_dstip():
    sock = Mock()
    sock.getpeername.return_value = ("127.0.0.1", 1024)
    sock.getsockname.return_value = ("127.0.0.2", 1025)
    sock.family = socket.AF_INET
    firewall = Mock()
    firewall.pfile.readline.return_value = \
        b"QUERY_PF_NAT_SUCCESS 127.0.0.3,1026\n"
    method = get_method('pf')
    method.set_firewall(firewall)
    assert method.get_tcp_dstip(sock) == ('127.0.0.3', 1026)
    assert sock.mock_calls == [
        call.getpeername(),
        call.getsockname(),
    ]
    assert firewall.mock_calls == [
        call.pfile.write(b'QUERY_PF_NAT 2,6,127.0.0.1,1024,127.0.0.2,1025\n'),
        call.pfile.flush(),
        call.pfile.readline()
    ]
 def test_recv_udp():
    sock = Mock()
    sock.recvfrom.return_value = "11111", "127.0.0.1"
    method = get_method('pf')
    result = method.recv_udp(sock, 1024)
    assert sock.mock_calls == [call.recvfrom(1024)]
    assert result == ("127.0.0.1", None, "11111")
 def test_send_udp():
    sock = Mock()
    method = get_method('pf')
    method.send_udp(sock, None, "127.0.0.1", "22222")
    assert sock.mock_calls == [call.sendto("22222", "127.0.0.1")]
 def test_setup_tcp_listener():
    listener = Mock()
    method = get_method('pf')
    method.setup_tcp_listener(listener)
    assert listener.mock_calls == []
 def test_setup_udp_listener():
    listener = Mock()
    method = get_method('pf')
    method.setup_udp_listener(listener)
    assert listener.mock_calls == []
 def test_assert_features():
    method = get_method('pf')
    features = method.get_supported_features()
    method.assert_features(features)
    features.udp = True
    with pytest.raises(Fatal):
        method.assert_features(features)
    features.ipv6 = True
    with pytest.raises(Fatal):
        method.assert_features(features)
@patch('sshuttle.methods.pf.pf', Darwin())
@patch('sshuttle.methods.pf.sys.stdout')
@patch('sshuttle.methods.pf.ioctl')
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_firewall_command_darwin(mock_pf_get_dev, mock_ioctl, mock_stdout):
    method = get_method('pf')
    assert not method.firewall_command("somthing")
    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
        socket.AF_INET, socket.IPPROTO_TCP,
        "127.0.0.1", 1025, "127.0.0.2", 1024)
    assert method.firewall_command(command)
    assert mock_pf_get_dev.mock_calls == [call()]
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xc0544417, ANY),
    ]
    assert mock_stdout.mock_calls == [
        call.write('QUERY_PF_NAT_SUCCESS 0.0.0.0,0\n'),
        call.flush(),
    ]
@patch('sshuttle.methods.pf.pf', FreeBsd())
@patch('sshuttle.methods.pf.sys.stdout')
@patch('sshuttle.methods.pf.ioctl')
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_firewall_command_freebsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
    method = get_method('pf')
    assert not method.firewall_command("somthing")
    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
        socket.AF_INET, socket.IPPROTO_TCP,
        "127.0.0.1", 1025, "127.0.0.2", 1024)
    assert method.firewall_command(command)
    assert mock_pf_get_dev.mock_calls == [call()]
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xc04c4417, ANY),
    ]
    assert mock_stdout.mock_calls == [
        call.write('QUERY_PF_NAT_SUCCESS 0.0.0.0,0\n'),
        call.flush(),
    ]
@patch('sshuttle.methods.pf.pf', OpenBsd())
@patch('sshuttle.methods.pf.sys.stdout')
@patch('sshuttle.methods.pf.ioctl')
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_firewall_command_openbsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
    method = get_method('pf')
    assert not method.firewall_command("somthing")
    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
        socket.AF_INET, socket.IPPROTO_TCP,
        "127.0.0.1", 1025, "127.0.0.2", 1024)
    assert method.firewall_command(command)
    assert mock_pf_get_dev.mock_calls == [call()]
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xc0504417, ANY),
    ]
    assert mock_stdout.mock_calls == [
        call.write('QUERY_PF_NAT_SUCCESS 0.0.0.0,0\n'),
        call.flush(),
    ]
 def pfctl(args, stdin=None):
    if args == '-s Interfaces -i lo -v':
        return (b'lo0 (skip)',)
    if args == '-s all':
        return (b'INFO:\nStatus: Disabled\nanother mary had a little lamb\n',
                b'little lamb\n')
    if args == '-E':
        return (b'\n', b'Token : abcdefg\n')
    return None
@patch('sshuttle.helpers.verbose', new=3)
@patch('sshuttle.methods.pf.pf', Darwin())
@patch('sshuttle.methods.pf.pfctl')
@patch('sshuttle.methods.pf.ioctl')
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    mock_pfctl.side_effect = pfctl
    method = get_method('pf')
    assert method.name == 'pf'
    # IPV6
    method.setup_firewall(
        1024, 1026,
        [(10, u'2404:6800:4004:80c::33')],
        10,
        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        False)
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
    ]
    assert mock_pfctl.mock_calls == [
        call('-s Interfaces -i lo -v'),
        call('-f /dev/stdin', b'pass on lo\n'),
        call('-s all'),
        call('-a sshuttle6-1024 -f /dev/stdin',
             b'table <dns_servers> {2404:6800:4004:80c::33}\n'
             b'rdr pass on lo0 inet6 proto tcp to '
             b'2404:6800:4004:80c::/64 port 8000:9000 -> ::1 port 1024\n'
             b'rdr pass on lo0 inet6 proto udp '
             b'to <dns_servers> port 53 -> ::1 port 1026\n'
             b'pass out quick inet6 proto tcp to '
             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
             b'pass out route-to lo0 inet6 proto tcp to '
             b'2404:6800:4004:80c::/64 port 8000:9000 keep state\n'
             b'pass out route-to lo0 inet6 proto udp '
             b'to <dns_servers> port 53 keep state\n'),
        call('-E'),
    ]
    mock_pf_get_dev.reset_mock()
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
            1025, 1027,
            [(2, u'1.2.3.33')],
            2,
            [(2, 24, False, u'1.2.3.0', 0, 0),
                (2, 32, True, u'1.2.3.66', 80, 80)],
            True)
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == []
    method.setup_firewall(
        1025, 1027,
        [(2, u'1.2.3.33')],
        2,
        [(2, 24, False, u'1.2.3.0', 0, 0), (2, 32, True, u'1.2.3.66', 80, 80)],
        False)
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
    ]
    assert mock_pfctl.mock_calls == [
        call('-s Interfaces -i lo -v'),
        call('-f /dev/stdin', b'pass on lo\n'),
        call('-s all'),
        call('-a sshuttle-1025 -f /dev/stdin',
             b'table <dns_servers> {1.2.3.33}\n'
             b'rdr pass on lo0 inet proto tcp to 1.2.3.0/24 '
             b'-> 127.0.0.1 port 1025\n'
             b'rdr pass on lo0 inet proto udp '
             b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
             b'pass out quick inet proto tcp to 1.2.3.66/32 port 80:80\n'
             b'pass out route-to lo0 inet proto tcp to 1.2.3.0/24 keep state\n'
             b'pass out route-to lo0 inet proto udp '
             b'to <dns_servers> port 53 keep state\n'),
        call('-E'),
    ]
    mock_pf_get_dev.reset_mock()
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
    method.restore_firewall(1025, 2, False)
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == [
        call('-a sshuttle-1025 -F all'),
        call("-X abcdefg"),
    ]
    mock_pf_get_dev.reset_mock()
    mock_pfctl.reset_mock()
    mock_ioctl.reset_mock()
@patch('sshuttle.helpers.verbose', new=3)
@patch('sshuttle.methods.pf.pf', FreeBsd())
@patch('sshuttle.methods.pf.pfctl')
@patch('sshuttle.methods.pf.ioctl')
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    mock_pfctl.side_effect = pfctl
    method = get_method('pf')
    assert method.name == 'pf'
    method.setup_firewall(
        1024, 1026,
        [(10, u'2404:6800:4004:80c::33')],
        10,
        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        False)
    assert mock_pfctl.mock_calls == [
        call('-s all'),
        call('-a sshuttle6-1024 -f /dev/stdin',
             b'table <dns_servers> {2404:6800:4004:80c::33}\n'
             b'rdr pass on lo0 inet6 proto tcp to 2404:6800:4004:80c::/64 '
             b'port 8000:9000 -> ::1 port 1024\n'
             b'rdr pass on lo0 inet6 proto udp '
             b'to <dns_servers> port 53 -> ::1 port 1026\n'
             b'pass out quick inet6 proto tcp to '
             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
             b'pass out route-to lo0 inet6 proto tcp to '
             b'2404:6800:4004:80c::/64 port 8000:9000 keep state\n'
             b'pass out route-to lo0 inet6 proto udp '
             b'to <dns_servers> port 53 keep state\n'),
        call('-e'),
    ]
    mock_pf_get_dev.reset_mock()
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
            1025, 1027,
            [(2, u'1.2.3.33')],
            2,
            [(2, 24, False, u'1.2.3.0', 0, 0),
                (2, 32, True, u'1.2.3.66', 80, 80)],
            True)
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == []
    method.setup_firewall(
        1025, 1027,
        [(2, u'1.2.3.33')],
        2,
        [(2, 24, False, u'1.2.3.0', 0, 0), (2, 32, True, u'1.2.3.66', 80, 80)],
        False)
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCBE0441A, ANY),
        call(mock_pf_get_dev(), 0xCBE0441A, ANY),
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCBE0441A, ANY),
        call(mock_pf_get_dev(), 0xCBE0441A, ANY),
    ]
    assert mock_pfctl.mock_calls == [
        call('-s all'),
        call('-a sshuttle-1025 -f /dev/stdin',
             b'table <dns_servers> {1.2.3.33}\n'
             b'rdr pass on lo0 inet proto tcp to 1.2.3.0/24 -> '
             b'127.0.0.1 port 1025\n'
             b'rdr pass on lo0 inet proto udp '
             b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
             b'pass out quick inet proto tcp to 1.2.3.66/32 port 80:80\n'
             b'pass out route-to lo0 inet proto tcp to 1.2.3.0/24 keep state\n'
             b'pass out route-to lo0 inet proto udp '
             b'to <dns_servers> port 53 keep state\n'),
        call('-e'),
    ]
    mock_pf_get_dev.reset_mock()
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
    method.restore_firewall(1025, 2, False)
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == [
        call('-a sshuttle-1025 -F all'),
        call("-d"),
    ]
    mock_pf_get_dev.reset_mock()
    mock_pfctl.reset_mock()
    mock_ioctl.reset_mock()
@patch('sshuttle.helpers.verbose', new=3)
@patch('sshuttle.methods.pf.pf', OpenBsd())
@patch('sshuttle.methods.pf.pfctl')
@patch('sshuttle.methods.pf.ioctl')
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    mock_pfctl.side_effect = pfctl
    method = get_method('pf')
    assert method.name == 'pf'
    method.setup_firewall(
        1024, 1026,
        [(10, u'2404:6800:4004:80c::33')],
        10,
        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        False)
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xcd48441a, ANY),
        call(mock_pf_get_dev(), 0xcd48441a, ANY),
    ]
    assert mock_pfctl.mock_calls == [
        call('-s Interfaces -i lo -v'),
        call('-f /dev/stdin', b'match on lo\n'),
        call('-s all'),
        call('-a sshuttle6-1024 -f /dev/stdin',
             b'table <dns_servers> {2404:6800:4004:80c::33}\n'
             b'pass in on lo0 inet6 proto tcp to 2404:6800:4004:80c::/64 '
             b'port 8000:9000 divert-to ::1 port 1024\n'
             b'pass in on lo0 inet6 proto udp '
             b'to <dns_servers> port 53 rdr-to ::1 port 1026\n'
             b'pass out quick inet6 proto tcp to '
             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
             b'pass out inet6 proto tcp to 2404:6800:4004:80c::/64 '
             b'port 8000:9000 route-to lo0 keep state\n'
             b'pass out inet6 proto udp to '
             b'<dns_servers> port 53 route-to lo0 keep state\n'),
        call('-e'),
    ]
    mock_pf_get_dev.reset_mock()
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
            1025, 1027,
            [(2, u'1.2.3.33')],
            2,
            [(2, 24, False, u'1.2.3.0', 0, 0),
                (2, 32, True, u'1.2.3.66', 80, 80)],
            True)
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == []
    method.setup_firewall(
        1025, 1027,
        [(2, u'1.2.3.33')],
        2,
        [(2, 24, False, u'1.2.3.0', 0, 0),
            (2, 32, True, u'1.2.3.66', 80, 80)],
        False)
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xcd48441a, ANY),
        call(mock_pf_get_dev(), 0xcd48441a, ANY),
    ]
    assert mock_pfctl.mock_calls == [
        call('-s Interfaces -i lo -v'),
        call('-f /dev/stdin', b'match on lo\n'),
        call('-s all'),
        call('-a sshuttle-1025 -f /dev/stdin',
             b'table <dns_servers> {1.2.3.33}\n'
             b'pass in on lo0 inet proto tcp to 1.2.3.0/24 divert-to '
             b'127.0.0.1 port 1025\n'
             b'pass in on lo0 inet proto udp to '
             b'<dns_servers> port 53 rdr-to 127.0.0.1 port 1027\n'
             b'pass out quick inet proto tcp to 1.2.3.66/32 port 80:80\n'
             b'pass out inet proto tcp to 1.2.3.0/24 route-to lo0 keep state\n'
             b'pass out inet proto udp to '
             b'<dns_servers> port 53 route-to lo0 keep state\n'),
        call('-e'),
    ]
    mock_pf_get_dev.reset_mock()
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
    method.restore_firewall(1025, 2, False)
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == [
        call('-a sshuttle-1025 -F all'),
        call("-d"),
    ]
    mock_pf_get_dev.reset_mock()
    mock_pfctl.reset_mock()
    mock_ioctl.reset_mock()
--- a/sshuttle/tests/client/test_methods_tproxy.py
+++ b/sshuttle/tests/client/test_methods_tproxy.py
@ -0,0 +1,289 @@
 from mock import Mock, patch, call
 from sshuttle.methods import get_method
@patch("sshuttle.methods.tproxy.recvmsg")
 def test_get_supported_features_recvmsg(mock_recvmsg):
    method = get_method('tproxy')
    features = method.get_supported_features()
    assert features.ipv6
    assert features.udp
    assert features.dns
@patch("sshuttle.methods.tproxy.recvmsg", None)
 def test_get_supported_features_norecvmsg():
    method = get_method('tproxy')
    features = method.get_supported_features()
    assert features.ipv6
    assert not features.udp
    assert not features.dns
 def test_get_tcp_dstip():
    sock = Mock()
    sock.getsockname.return_value = ('127.0.0.1', 1024)
    method = get_method('tproxy')
    assert method.get_tcp_dstip(sock) == ('127.0.0.1', 1024)
    assert sock.mock_calls == [call.getsockname()]
@patch("sshuttle.methods.tproxy.recv_udp")
 def test_recv_udp(mock_recv_udp):
    mock_recv_udp.return_value = ("127.0.0.1", "127.0.0.2", "11111")
    sock = Mock()
    method = get_method('tproxy')
    result = method.recv_udp(sock, 1024)
    assert sock.mock_calls == []
    assert mock_recv_udp.mock_calls == [call(sock, 1024)]
    assert result == ("127.0.0.1", "127.0.0.2", "11111")
@patch("sshuttle.methods.socket.socket")
 def test_send_udp(mock_socket):
    sock = Mock()
    method = get_method('tproxy')
    method.send_udp(sock, "127.0.0.2", "127.0.0.1", "2222222")
    assert sock.mock_calls == []
    assert mock_socket.mock_calls == [
        call(sock.family, 2),
        call().setsockopt(1, 2, 1),
        call().setsockopt(0, 19, 1),
        call().bind('127.0.0.2'),
        call().sendto("2222222", '127.0.0.1'),
        call().close()
    ]
 def test_setup_tcp_listener():
    listener = Mock()
    method = get_method('tproxy')
    method.setup_tcp_listener(listener)
    assert listener.mock_calls == [
        call.setsockopt(0, 19, 1)
    ]
 def test_setup_udp_listener():
    listener = Mock()
    method = get_method('tproxy')
    method.setup_udp_listener(listener)
    assert listener.mock_calls == [
        call.setsockopt(0, 19, 1),
        call.v4.setsockopt(0, 20, 1),
        call.v6.setsockopt(41, 74, 1)
    ]
 def test_assert_features():
    method = get_method('tproxy')
    features = method.get_supported_features()
    method.assert_features(features)
 def test_firewall_command():
    method = get_method('tproxy')
    assert not method.firewall_command("somthing")
@patch('sshuttle.methods.tproxy.ipt')
@patch('sshuttle.methods.tproxy.ipt_ttl')
@patch('sshuttle.methods.tproxy.ipt_chain_exists')
 def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
    mock_ipt_chain_exists.return_value = True
    method = get_method('tproxy')
    assert method.name == 'tproxy'
    # IPV6
    method.setup_firewall(
        1024, 1026,
        [(10, u'2404:6800:4004:80c::33')],
        10,
        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        True)
    assert mock_ipt_chain_exists.mock_calls == [
        call(10, 'mangle', 'sshuttle-m-1024'),
        call(10, 'mangle', 'sshuttle-t-1024'),
        call(10, 'mangle', 'sshuttle-d-1024')
    ]
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(10, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1024'),
        call(10, 'mangle', '-F', 'sshuttle-m-1024'),
        call(10, 'mangle', '-X', 'sshuttle-m-1024'),
        call(10, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1024'),
        call(10, 'mangle', '-F', 'sshuttle-t-1024'),
        call(10, 'mangle', '-X', 'sshuttle-t-1024'),
        call(10, 'mangle', '-F', 'sshuttle-d-1024'),
        call(10, 'mangle', '-X', 'sshuttle-d-1024'),
        call(10, 'mangle', '-N', 'sshuttle-m-1024'),
        call(10, 'mangle', '-F', 'sshuttle-m-1024'),
        call(10, 'mangle', '-N', 'sshuttle-d-1024'),
        call(10, 'mangle', '-F', 'sshuttle-d-1024'),
        call(10, 'mangle', '-N', 'sshuttle-t-1024'),
        call(10, 'mangle', '-F', 'sshuttle-t-1024'),
        call(10, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
        call(10, 'mangle', '-I', 'PREROUTING', '1', '-j', 'sshuttle-t-1024'),
        call(10, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
             '--set-mark', '1'),
        call(10, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
             '-j', 'sshuttle-d-1024', '-m', 'tcp', '-p', 'tcp'),
        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
             '-j', 'sshuttle-d-1024', '-m', 'udp', '-p', 'udp'),
        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53'),
        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1',
             '--dest', u'2404:6800:4004:80c::33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1026'),
        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
             '--dest', u'2404:6800:4004:80c::101f/128',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8080:8080'),
        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
             '--dest', u'2404:6800:4004:80c::101f/128',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8080:8080'),
        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
             '--dest', u'2404:6800:4004:80c::101f/128',
             '-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
             '--dest', u'2404:6800:4004:80c::101f/128',
             '-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000'),
        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000',
             '--on-port', '1024'),
        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
             '-m', 'udp', '-p', 'udp'),
        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
             '-m', 'udp', '-p', 'udp', '--dport', '8000:9000',
             '--on-port', '1024')
    ]
    mock_ipt_chain_exists.reset_mock()
    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()
    method.restore_firewall(1025, 10, True)
    assert mock_ipt_chain_exists.mock_calls == [
        call(10, 'mangle', 'sshuttle-m-1025'),
        call(10, 'mangle', 'sshuttle-t-1025'),
        call(10, 'mangle', 'sshuttle-d-1025')
    ]
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(10, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
        call(10, 'mangle', '-F', 'sshuttle-m-1025'),
        call(10, 'mangle', '-X', 'sshuttle-m-1025'),
        call(10, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
        call(10, 'mangle', '-F', 'sshuttle-t-1025'),
        call(10, 'mangle', '-X', 'sshuttle-t-1025'),
        call(10, 'mangle', '-F', 'sshuttle-d-1025'),
        call(10, 'mangle', '-X', 'sshuttle-d-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()
    # IPV4
    method.setup_firewall(
        1025, 1027,
        [(2, u'1.2.3.33')],
        2,
        [(2, 24, False, u'1.2.3.0', 0, 0), (2, 32, True, u'1.2.3.66', 80, 80)],
        True)
    assert mock_ipt_chain_exists.mock_calls == [
        call(2, 'mangle', 'sshuttle-m-1025'),
        call(2, 'mangle', 'sshuttle-t-1025'),
        call(2, 'mangle', 'sshuttle-d-1025')
    ]
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(2, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
        call(2, 'mangle', '-X', 'sshuttle-m-1025'),
        call(2, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
        call(2, 'mangle', '-X', 'sshuttle-t-1025'),
        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
        call(2, 'mangle', '-X', 'sshuttle-d-1025'),
        call(2, 'mangle', '-N', 'sshuttle-m-1025'),
        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
        call(2, 'mangle', '-N', 'sshuttle-d-1025'),
        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
        call(2, 'mangle', '-N', 'sshuttle-t-1025'),
        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
        call(2, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
        call(2, 'mangle', '-I', 'PREROUTING', '1', '-j', 'sshuttle-t-1025'),
        call(2, 'mangle', '-A', 'sshuttle-d-1025',
             '-j', 'MARK', '--set-mark', '1'),
        call(2, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),
        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
             '-j', 'sshuttle-d-1025', '-m', 'tcp', '-p', 'tcp'),
        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
             '-j', 'sshuttle-d-1025', '-m', 'udp', '-p', 'udp'),
        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'1.2.3.33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53'),
        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1027'),
        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp', 
             '--dport', '80:80'),
        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp',
             '--dport', '80:80'),
        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
             '--dport', '80:80'),
        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
             '--dport', '80:80'),
        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'1.2.3.0/24',
             '-m', 'tcp', '-p', 'tcp'),
        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
             '-m', 'tcp', '-p', 'tcp', '--on-port', '1025'),
        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'1.2.3.0/24',
             '-m', 'udp', '-p', 'udp'),
        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
             '-m', 'udp', '-p', 'udp', '--on-port', '1025')
    ]
    mock_ipt_chain_exists.reset_mock()
    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()
    method.restore_firewall(1025, 2, True)
    assert mock_ipt_chain_exists.mock_calls == [
        call(2, 'mangle', 'sshuttle-m-1025'),
        call(2, 'mangle', 'sshuttle-t-1025'),
        call(2, 'mangle', 'sshuttle-d-1025')
    ]
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(2, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
        call(2, 'mangle', '-X', 'sshuttle-m-1025'),
        call(2, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
        call(2, 'mangle', '-X', 'sshuttle-t-1025'),
        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
        call(2, 'mangle', '-X', 'sshuttle-d-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()
--- a/sshuttle/tests/client/test_options.py
+++ b/sshuttle/tests/client/test_options.py
@ -0,0 +1,101 @@
 import socket
 import pytest
 import sshuttle.options
 from argparse import ArgumentTypeError as Fatal
 _ip4_reprs = {
        '0.0.0.0': '0.0.0.0',
        '255.255.255.255': '255.255.255.255',
        '10.0': '10.0.0.0',
        '184.172.10.74': '184.172.10.74',
        '3098282570': '184.172.10.74',
        '0xb8.0xac.0x0a.0x4a': '184.172.10.74',
        '0270.0254.0012.0112': '184.172.10.74',
        'localhost': '127.0.0.1'
 }
 _ip4_swidths = (1, 8, 22, 27, 32)
 _ip6_reprs = {
        '::': '::',
        '::1': '::1',
        'fc00::': 'fc00::',
        '2a01:7e00:e000:188::1': '2a01:7e00:e000:188::1'
 }
 _ip6_swidths = (48, 64, 96, 115, 128)
 def test_parse_subnetport_ip4():
    for ip_repr, ip in _ip4_reprs.items():
        assert sshuttle.options.parse_subnetport(ip_repr) \
                == (socket.AF_INET, ip, 32, 0, 0)
    with pytest.raises(Fatal) as excinfo:
        sshuttle.options.parse_subnetport('10.256.0.0')
    assert str(excinfo.value) == 'Unable to resolve address: 10.256.0.0'
 def test_parse_subnetport_ip4_with_mask():
    for ip_repr, ip in _ip4_reprs.items():
        for swidth in _ip4_swidths:
            assert sshuttle.options.parse_subnetport(
                    '/'.join((ip_repr, str(swidth)))
                    ) == (socket.AF_INET, ip, swidth, 0, 0)
    assert sshuttle.options.parse_subnetport('0/0') \
            == (socket.AF_INET, '0.0.0.0', 0, 0, 0)
    with pytest.raises(Fatal) as excinfo:
        sshuttle.options.parse_subnetport('10.0.0.0/33')
    assert str(excinfo.value) == 'width 33 is not between 0 and 32'
 def test_parse_subnetport_ip4_with_port():
    for ip_repr, ip in _ip4_reprs.items():
        assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80'))) \
                == (socket.AF_INET, ip, 32, 80, 80)
        assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80-90'))) \
                == (socket.AF_INET, ip, 32, 80, 90)
 def test_parse_subnetport_ip4_with_mask_and_port():
    for ip_repr, ip in _ip4_reprs.items():
        assert sshuttle.options.parse_subnetport(ip_repr + '/32:80') \
                == (socket.AF_INET, ip, 32, 80, 80)
        assert sshuttle.options.parse_subnetport(ip_repr + '/16:80-90') \
                == (socket.AF_INET, ip, 16, 80, 90)
 def test_parse_subnetport_ip6():
    for ip_repr, ip in _ip6_reprs.items():
        assert sshuttle.options.parse_subnetport(ip_repr) \
                == (socket.AF_INET6, ip, 128, 0, 0)
    with pytest.raises(Fatal) as excinfo:
        sshuttle.options.parse_subnetport('2001::1::3f')
    assert str(excinfo.value) == 'Unable to resolve address: 2001::1::3f'
 def test_parse_subnetport_ip6_with_mask():
    for ip_repr, ip in _ip6_reprs.items():
        for swidth in _ip4_swidths + _ip6_swidths:
            assert sshuttle.options.parse_subnetport(
                    '/'.join((ip_repr, str(swidth)))
                    ) == (socket.AF_INET6, ip, swidth, 0, 0)
    assert sshuttle.options.parse_subnetport('::/0') \
            == (socket.AF_INET6, '::', 0, 0, 0)
    with pytest.raises(Fatal) as excinfo:
        sshuttle.options.parse_subnetport('fc00::/129')
    assert str(excinfo.value) == 'width 129 is not between 0 and 128'
 def test_parse_subnetport_ip6_with_port():
    for ip_repr, ip in _ip6_reprs.items():
        assert sshuttle.options.parse_subnetport('[' + ip_repr + ']:80') \
                == (socket.AF_INET6, ip, 128, 80, 80)
        assert sshuttle.options.parse_subnetport('[' + ip_repr + ']:80-90') \
                == (socket.AF_INET6, ip, 128, 80, 90)
 def test_parse_subnetport_ip6_with_mask_and_port():
    for ip_repr, ip in _ip6_reprs.items():
        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/128]:80') \
                == (socket.AF_INET6, ip, 128, 80, 80)
        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/16]:80-90') \
                == (socket.AF_INET6, ip, 16, 80, 90)
--- a/sshuttle/tests/client/test_sdnotify.py
+++ b/sshuttle/tests/client/test_sdnotify.py
@ -0,0 +1,66 @@
 from mock import Mock, patch, call
 import sys
 import io
 import socket
 import sshuttle.sdnotify
@patch('sshuttle.sdnotify.os.environ.get')
 def test_notify_invalid_socket_path(mock_get):
    mock_get.return_value = 'invalid_path'
    assert not sshuttle.sdnotify.send(sshuttle.sdnotify.ready())
@patch('sshuttle.sdnotify.os.environ.get')
 def test_notify_socket_not_there(mock_get):
    mock_get.return_value = '/run/valid_nonexistent_path'
    assert not sshuttle.sdnotify.send(sshuttle.sdnotify.ready())
@patch('sshuttle.sdnotify.os.environ.get')
 def test_notify_no_message(mock_get):
    mock_get.return_value = '/run/valid_path'
    assert not sshuttle.sdnotify.send()
@patch('sshuttle.sdnotify.socket.socket')
@patch('sshuttle.sdnotify.os.environ.get')
 def test_notify_socket_error(mock_get, mock_socket):
    mock_get.return_value = '/run/valid_path'
    mock_socket.side_effect = socket.error('test error')
    assert not sshuttle.sdnotify.send(sshuttle.sdnotify.ready())
@patch('sshuttle.sdnotify.socket.socket')
@patch('sshuttle.sdnotify.os.environ.get')
 def test_notify_sendto_error(mock_get, mock_socket):
    message = sshuttle.sdnotify.ready()
    socket_path = '/run/valid_path'
    sock = Mock()
    sock.sendto.side_effect = socket.error('test error')
    mock_get.return_value = '/run/valid_path'
    mock_socket.return_value = sock
    assert not sshuttle.sdnotify.send(message)
    assert sock.sendto.mock_calls == [
        call(message, socket_path),
    ]
@patch('sshuttle.sdnotify.socket.socket')
@patch('sshuttle.sdnotify.os.environ.get')
 def test_notify(mock_get, mock_socket):
    messages = [sshuttle.sdnotify.ready(), sshuttle.sdnotify.status('Running')]
    socket_path = '/run/valid_path'
    sock = Mock()
    sock.sendto.return_value = 1
    mock_get.return_value = '/run/valid_path'
    mock_socket.return_value = sock
    assert sshuttle.sdnotify.send(*messages)
    assert sock.sendto.mock_calls == [
        call(b'\n'.join(messages), socket_path),
    ]
--- a/sshuttle/tests/server/test_server.py
+++ b/sshuttle/tests/server/test_server.py
@ -0,0 +1,59 @@
 import os
 import io
 import socket
 import sshuttle.server
 from mock import patch, Mock, call
 def test__ipmatch():
    assert sshuttle.server._ipmatch("1.2.3.4") is not None
    assert sshuttle.server._ipmatch("::1") is None   # ipv6 not supported
    assert sshuttle.server._ipmatch("42 Example Street, Melbourne") is None
 def test__ipstr():
    assert sshuttle.server._ipstr("1.2.3.4", 24) == "1.2.3.4/24"
    assert sshuttle.server._ipstr("1.2.3.4", 32) == "1.2.3.4"
 def test__maskbits():
    netmask = sshuttle.server._ipmatch("255.255.255.0")
    sshuttle.server._maskbits(netmask)
@patch('sshuttle.server.which', side_effect=lambda x: x == 'netstat')
@patch('sshuttle.server.ssubprocess.Popen')
 def test_listroutes_netstat(mock_popen, mock_which):
    mock_pobj = Mock()
    mock_pobj.stdout = io.BytesIO(b"""
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
 0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
 """)
    mock_pobj.wait.return_value = 0
    mock_popen.return_value = mock_pobj
    routes = sshuttle.server.list_routes()
    assert list(routes) == [
        (socket.AF_INET, '192.168.1.0', 24)
    ]
@patch('sshuttle.server.which', side_effect=lambda x: x == 'ip')
@patch('sshuttle.server.ssubprocess.Popen')
 def test_listroutes_iproute(mock_popen, mock_which):
    mock_pobj = Mock()
    mock_pobj.stdout = io.BytesIO(b"""
 default via 192.168.1.1 dev wlan0  proto static 
 192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.1
 """)
    mock_pobj.wait.return_value = 0
    mock_popen.return_value = mock_pobj
    routes = sshuttle.server.list_routes()
    assert list(routes) == [
        (socket.AF_INET, '192.168.1.0', 24)
    ]
--- a/tox.ini
+++ b/tox.ini
@ -0,0 +1,20 @@
 [tox]
 downloadcache = {toxworkdir}/cache/
 envlist =
    py26,
    py27,
    py34,
    py35,
 [testenv]
 basepython =
    py26: python2.6
    py27: python2.7
    py34: python3.4
    py35: python3.5
 commands =
    py.test
 deps =
    pytest
    mock
    setuptools>=17.1
--- a/ui-macos/.gitignore
+++ b/ui-macos/.gitignore
@ -1,8 +0,0 @@
 *.pyc
 *~
 /*.nib
 /debug.app
 /sources.list
 /Sshuttle VPN.app
 /*.tar.gz
 /*.zip
--- a/ui-macos/Info.plist
+++ b/ui-macos/Info.plist
@ -1,40 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>English</string>
 	<key>CFBundleDisplayName</key>
 	<string>Sshuttle VPN</string>
 	<key>CFBundleExecutable</key>
 	<string>Sshuttle</string>
 	<key>CFBundleIconFile</key>
 	<string>app.icns</string>
 	<key>CFBundleIdentifier</key>
 	<string>ca.apenwarr.Sshuttle</string>
 	<key>CFBundleInfoDictionaryVersion</key>
 	<string>6.0</string>
 	<key>CFBundleName</key>
 	<string>Sshuttle VPN</string>
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
 	<string>0.0.0</string>
 	<key>CFBundleSignature</key>
 	<string>????</string>
 	<key>CFBundleVersion</key>
 	<string>0.0.0</string>
 	<key>LSUIElement</key>
 	<string>1</string>
 	<key>LSHasLocalizedDisplayName</key>
 	<false/>
 	<key>NSAppleScriptEnabled</key>
 	<false/>
 	<key>NSHumanReadableCopyright</key>
 	<string>GNU LGPL Version 2</string>
 	<key>NSMainNibFile</key>
 	<string>MainMenu</string>
 	<key>NSPrincipalClass</key>
 	<string>NSApplication</string>
 </dict>
 </plist>
--- a/ui-macos/MainMenu.xib
+++ b/ui-macos/MainMenu.xib
--- a/ui-macos/UserDefaults.plist
+++ b/ui-macos/UserDefaults.plist
@ -1,10 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>startAtLogin</key>
 	<false/>
 	<key>autoReconnect</key>
 	<true/>
 </dict>
 </plist>
--- a/ui-macos/all.do
+++ b/ui-macos/all.do
@ -1 +0,0 @@
 redo-ifchange debug.app dist
--- a/ui-macos/app.icns
+++ b/ui-macos/app.icns
--- a/ui-macos/askpass.py
+++ b/ui-macos/askpass.py
@ -1,28 +0,0 @@
 import sys, os, re, subprocess
 def askpass(prompt):
    prompt = prompt.replace('"', "'")
    if 'yes/no' in prompt:
        return "yes"
    script="""
        tell application "Finder"
            activate
            display dialog "%s" \
              with title "Sshuttle SSH Connection" \
              default answer "" \
              with icon caution \
              with hidden answer
        end tell
    """ % prompt
    p = subprocess.Popen(['osascript', '-e', script], stdout=subprocess.PIPE)
    out = p.stdout.read()
    rv = p.wait()
    if rv:
        return None
    g = re.match("text returned:(.*), button returned:.*", out)
    if not g:
        return None
    return g.group(1)
--- a/ui-macos/bits/.gitignore
+++ b/ui-macos/bits/.gitignore
@ -1 +0,0 @@
 /runpython
--- a/ui-macos/bits/PkgInfo
+++ b/ui-macos/bits/PkgInfo
@ -1 +0,0 @@
 APPL????
--- a/ui-macos/bits/runpython.c
+++ b/ui-macos/bits/runpython.c
@ -1,23 +0,0 @@
 /*
 * This rather pointless program acts like the python interpreter, except
 * it's intended to sit inside a MacOS .app package, so that its argv[0]
 * will point inside the package.
 *
 * NSApplicationMain() looks for Info.plist using the path in argv[0], which
 * goes wrong if your interpreter is /usr/bin/python.
 */
 #include <Python.h>
 #include <string.h>
 #include <unistd.h>
 int main(int argc, char **argv)
 {
    char *path = strdup(argv[0]), *cptr;
    char *args[] = {argv[0], "../Resources/main.py", NULL};
    cptr = strrchr(path, '/');
    if (cptr)
 	*cptr = 0;
    chdir(path);
    free(path);
    return Py_Main(2, args);
 }
--- a/ui-macos/bits/runpython.do
+++ b/ui-macos/bits/runpython.do
@ -1,5 +0,0 @@
 exec >&2
 redo-ifchange runpython.c
 gcc -Wall -o $3 runpython.c \
 	-I/usr/include/python2.5 \
 	-lpython2.5
--- a/ui-macos/chicken-tiny-bw.png
+++ b/ui-macos/chicken-tiny-bw.png
--- a/ui-macos/chicken-tiny-err.png
+++ b/ui-macos/chicken-tiny-err.png
--- a/ui-macos/chicken-tiny.png
+++ b/ui-macos/chicken-tiny.png
--- a/ui-macos/clean.do
+++ b/ui-macos/clean.do
@ -1,4 +0,0 @@
 exec >&2
 find -name '*~' | xargs rm -f
 rm -rf *.app *.zip *.tar.gz
 rm -f bits/runpython *.nib sources.list
--- a/ui-macos/debug.app.do
+++ b/ui-macos/debug.app.do
@ -1,15 +0,0 @@
 redo-ifchange bits/runpython MainMenu.nib
 rm -rf debug.app
 mkdir debug.app debug.app/Contents
 cd debug.app/Contents
 ln -s ../.. Resources
 ln -s ../.. English.lproj
 ln -s ../../Info.plist .
 ln -s ../../app.icns .
 mkdir MacOS
 cd MacOS
 ln -s ../../../bits/runpython Sshuttle
 cd ../../..
 redo-ifchange $(find debug.app -type f)
--- a/ui-macos/default.app.do
+++ b/ui-macos/default.app.do
@ -1,28 +0,0 @@
 TOP=$PWD
 redo-ifchange sources.list
 redo-ifchange Info.plist bits/runpython \
 	$(while read name newname; do echo "$name"; done <sources.list)
 rm -rf "$1.app"
 mkdir "$1.app" "$1.app/Contents"
 cd "$1.app/Contents"
 cp "$TOP/Info.plist" .
 mkdir MacOS
 cp "$TOP/bits/runpython" MacOS/Sshuttle
 mkdir Resources
 cd "$TOP"
 while read name newname; do
 	[ -z "$name" ] && continue
 	: "${newname:=$name}"
 	outname=$1.app/Contents/Resources/$newname
 	outdir=$(dirname "$outname")
 	[ -d "$outdir" ] || mkdir "$outdir"
 	cp "${name-$newname}" "$outname"
 done <sources.list
 cd "$1.app"
 redo-ifchange $(find . -type f)
--- a/ui-macos/default.app.tar.gz.do
+++ b/ui-macos/default.app.tar.gz.do
@ -1,5 +0,0 @@
 exec >&2
 IFS="
 "
 redo-ifchange $1.app
 tar -czf $3 $1.app/
--- a/ui-macos/default.app.zip.do
+++ b/ui-macos/default.app.zip.do
@ -1,5 +0,0 @@
 exec >&2
 IFS="
 "
 redo-ifchange $1.app
 zip -q -r $3 $1.app/
--- a/ui-macos/default.nib.do
+++ b/ui-macos/default.nib.do
@ -1,2 +0,0 @@
 redo-ifchange $1.xib
 ibtool --compile $3 $1.xib
--- a/ui-macos/dist.do
+++ b/ui-macos/dist.do
@ -1 +0,0 @@
 redo-ifchange "Sshuttle VPN.app.zip" "Sshuttle VPN.app.tar.gz"
--- a/ui-macos/git-export.do
+++ b/ui-macos/git-export.do
@ -1,19 +0,0 @@
 # update a local branch with pregenerated output files, so people can download
 # the completed tarballs from github.  Since we don't have any real binaries,
 # our final distribution package contains mostly blobs from the source code,
 # so this doesn't cost us much extra space in the repo.
 BRANCH=dist/macos
 redo-ifchange 'Sshuttle VPN.app'
 git update-ref refs/heads/$BRANCH origin/$BRANCH '' 2>/dev/null || true
 export GIT_INDEX_FILE=$PWD/gitindex.tmp
 rm -f "$GIT_INDEX_FILE"
 git add -f 'Sshuttle VPN.app'
 MSG="MacOS precompiled app package for $(git describe)"
 TREE=$(git write-tree --prefix=ui-macos)
 git show-ref refs/heads/$BRANCH >/dev/null && PARENT="-p refs/heads/$BRANCH"
 COMMITID=$(echo "$MSG" | git commit-tree $TREE $PARENT)
 git update-ref refs/heads/$BRANCH $COMMITID
 rm -f "$GIT_INDEX_FILE"
--- a/ui-macos/main.py
+++ b/ui-macos/main.py
@ -1,352 +0,0 @@
 import sys, os, pty
 from AppKit import *
 import my, models, askpass
 def sshuttle_args(host, auto_nets, auto_hosts, nets, debug):
    argv = [my.bundle_path('sshuttle/sshuttle', ''), '-r', host]
    assert(argv[0])
    if debug:
        argv.append('-v')
    if auto_nets:
        argv.append('--auto-nets')
    if auto_hosts:
        argv.append('--auto-hosts')
    argv += nets
    return argv
 class _Callback(NSObject):
    def initWithFunc_(self, func):
        self = super(_Callback, self).init()
        self.func = func
        return self
    def func_(self, obj):
        return self.func(obj)
 class Callback:
    def __init__(self, func):
        self.obj = _Callback.alloc().initWithFunc_(func)
        self.sel = self.obj.func_
 class Runner:
    def __init__(self, argv, logfunc, promptfunc, serverobj):
        print 'in __init__'
        self.id = argv
        self.rv = None
        self.pid = None
        self.fd = None
        self.logfunc = logfunc
        self.promptfunc = promptfunc
        self.serverobj = serverobj
        self.buf = ''
        self.logfunc('\nConnecting to %s.\n' % self.serverobj.host())
        print 'will run: %r' % argv
        self.serverobj.setConnected_(False)
        pid,fd = pty.fork()
        if pid == 0:
            # child
            try:
                os.execvp(argv[0], argv)
            except Exception, e:
                sys.stderr.write('failed to start: %r\n' % e)
                raise
            finally:
                os._exit(42)
        # parent
        self.pid = pid
        self.file = NSFileHandle.alloc()\
               .initWithFileDescriptor_closeOnDealloc_(fd, True)
        self.cb = Callback(self.gotdata)
        NSNotificationCenter.defaultCenter()\
            .addObserver_selector_name_object_(self.cb.obj, self.cb.sel,
                        NSFileHandleDataAvailableNotification, self.file)
        self.file.waitForDataInBackgroundAndNotify()
    def __del__(self):
        self.wait()
    def _try_wait(self, options):
        if self.rv == None and self.pid > 0:
            pid,code = os.waitpid(self.pid, options)
            if pid == self.pid:
                if os.WIFEXITED(code):
                    self.rv = os.WEXITSTATUS(code)
                else:
                    self.rv = -os.WSTOPSIG(code)
                self.serverobj.setConnected_(False)
                self.serverobj.setError_('VPN process died')
                self.logfunc('Disconnected.\n')
        print 'wait_result: %r' % self.rv
        return self.rv
    def wait(self):
        return self._try_wait(0)
    def poll(self):
        return self._try_wait(os.WNOHANG)
    def kill(self):
        assert(self.pid > 0)
        print 'killing: pid=%r rv=%r' % (self.pid, self.rv)
        if self.rv == None:
            self.logfunc('Disconnecting from %s.\n' % self.serverobj.host())
            os.kill(self.pid, 15)
            self.wait()
    def gotdata(self, notification):
        print 'gotdata!'
        d = str(self.file.availableData())
        if d:
            self.logfunc(d)
            self.buf = self.buf + d
            if 'Connected.\r\n' in self.buf:
                self.serverobj.setConnected_(True)
            self.buf = self.buf[-4096:]
            if self.buf.strip().endswith(':'):
                lastline = self.buf.rstrip().split('\n')[-1]
                resp = self.promptfunc(lastline)
                add = ' (response)\n'
                self.buf += add
                self.logfunc(add)
                self.file.writeData_(my.Data(resp + '\n'))
            self.file.waitForDataInBackgroundAndNotify()
        self.poll()
        #print 'gotdata done!'
 class SshuttleApp(NSObject):
    def initialize(self):
        d = my.PList('UserDefaults') 
        my.Defaults().registerDefaults_(d)
 class SshuttleController(NSObject):
    # Interface builder outlets
    startAtLoginField = objc.IBOutlet()
    autoReconnectField = objc.IBOutlet()
    debugField = objc.IBOutlet()
    routingField = objc.IBOutlet()
    prefsWindow = objc.IBOutlet()
    serversController = objc.IBOutlet()
    logField = objc.IBOutlet()
    servers = []
    conns = {}
    def _connect(self, server):
        host = server.host()
        print 'connecting %r' % host
        self.fill_menu()
        def logfunc(msg):
            print 'log! (%d bytes)' % len(msg)
            self.logField.textStorage()\
                .appendAttributedString_(NSAttributedString.alloc()\
                                         .initWithString_(msg))
            self.logField.didChangeText()
        def promptfunc(prompt):
            print 'prompt! %r' % prompt
            return askpass.askpass(prompt)
        nets_mode = server.autoNets()
        if nets_mode == models.NET_MANUAL:
            manual_nets = ["%s/%d" % (i.subnet(), i.width())
                           for i in server.nets()]
        elif nets_mode == models.NET_ALL:
            manual_nets = ['0/0']
        else:
            manual_nets = []
        conn = Runner(sshuttle_args(host,
                                    auto_nets = nets_mode == models.NET_AUTO,
                                    auto_hosts = server.autoHosts(),
                                    nets = manual_nets,
                                    debug = self.debugField.state()),
                      logfunc=logfunc, promptfunc=promptfunc,
                      serverobj=server)
        self.conns[host] = conn
    def _disconnect(self, server):
        host = server.host()
        print 'disconnecting %r' % host
        conn = self.conns.get(host)
        if conn:
            conn.kill()
        self.fill_menu()
        self.logField.textStorage().setAttributedString_(
                        NSAttributedString.alloc().initWithString_(''))
    @objc.IBAction
    def cmd_connect(self, sender):
        server = sender.representedObject()
        server.setWantConnect_(True)
    @objc.IBAction
    def cmd_disconnect(self, sender):
        server = sender.representedObject()
        server.setWantConnect_(False)
    @objc.IBAction
    def cmd_show(self, sender):
        self.prefsWindow.makeKeyAndOrderFront_(self)
        NSApp.activateIgnoringOtherApps_(True)
    @objc.IBAction
    def cmd_quit(self, sender):
        NSApp.performSelector_withObject_afterDelay_(NSApp.terminate_,
                                                     None, 0.0)
    def fill_menu(self):
        menu = self.menu
        menu.removeAllItems()
        def additem(name, func, obj):
            it = menu.addItemWithTitle_action_keyEquivalent_(name, None, "")
            it.setRepresentedObject_(obj)
            it.setTarget_(self)
            it.setAction_(func)
        def addnote(name):
            additem(name, None, None)
        any_inprogress = None
        any_conn = None
        any_err = None
        if len(self.servers):
            for i in self.servers:
                host = i.host()
                want = i.wantConnect()
                connected = i.connected()
                numnets = len(list(i.nets()))
                if not host:
                    additem('Connect Untitled', None, i)
                elif i.autoNets() == models.NET_MANUAL and not numnets:
                    additem('Connect %s (no routes)' % host, None, i)
                elif want:
                    any_conn = i
                    additem('Disconnect %s' % host, self.cmd_disconnect, i)
                else:
                    additem('Connect %s' % host, self.cmd_connect, i)
                if not want:
                    msg = 'Off'
                elif i.error():
                    msg = 'ERROR - try reconnecting'
                    any_err = i
                elif connected:
                    msg = 'Connected'
                else:
                    msg = 'Connecting...'
                    any_inprogress = i
                addnote('   State: %s' % msg)
                if i.autoNets() == 0:
                    addnote('   Routes: All')
                elif i.autoNets() == 2:
                    addnote('   Routes: Auto')
                else:
                    addnote('   Routes: Custom')
        else:
            addnote('No servers defined yet')
        menu.addItem_(NSMenuItem.separatorItem())
        additem('Preferences...', self.cmd_show, None)
        additem('Quit Sshuttle VPN', self.cmd_quit, None)
        if any_err:
            self.statusitem.setImage_(self.img_err)
            self.statusitem.setTitle_('Error!')
        elif any_conn:
            self.statusitem.setImage_(self.img_running)
            if any_inprogress:
                self.statusitem.setTitle_('Connecting...')
            else:
                self.statusitem.setTitle_('')
        else:
            self.statusitem.setImage_(self.img_idle)
            self.statusitem.setTitle_('')
    def load_servers(self):
        l = my.Defaults().arrayForKey_('servers') or []
        sl = []
        for s in l:
            host = s.get('host', None)
            if not host: continue
            nets = s.get('nets', [])
            nl = []
            for n in nets:
                subnet = n[0]
                width = n[1]
                net = models.SshuttleNet.alloc().init()
                net.setSubnet_(subnet)
                net.setWidth_(width)
                nl.append(net)
            autoNets = s.get('autoNets', 1)
            autoHosts = s.get('autoHosts', 1)
            srv = models.SshuttleServer.alloc().init()
            srv.setHost_(host)
            srv.setAutoNets_(autoNets)
            srv.setAutoHosts_(autoHosts)
            srv.setNets_(nl)
            sl.append(srv)
        self.serversController.addObjects_(sl)
        self.serversController.setSelectionIndex_(0)
    def save_servers(self):
        l = []
        for s in self.servers:
            host = s.host()
            if not host: continue
            nets = []
            for n in s.nets():
                subnet = n.subnet()
                if not subnet: continue
                nets.append((subnet, n.width()))
            d = dict(host=s.host(),
                     nets=nets,
                     autoNets=s.autoNets(),
                     autoHosts=s.autoHosts())
            l.append(d)
        my.Defaults().setObject_forKey_(l, 'servers')
        self.fill_menu()
    def awakeFromNib(self):
        self.routingField.removeAllItems()
        tf = self.routingField.addItemWithTitle_
        tf('Send all traffic through this server')
        tf('Determine automatically')
        tf('Custom...')
        # Hmm, even when I mark this as !enabled in the .nib, it still comes
        # through as enabled.  So let's just disable it here (since we don't
        # support this feature yet).
        self.startAtLoginField.setEnabled_(False)
        self.startAtLoginField.setState_(False)
        self.autoReconnectField.setEnabled_(False)
        self.autoReconnectField.setState_(False)
        self.load_servers()
        # Initialize our menu item
        self.menu = NSMenu.alloc().initWithTitle_('Sshuttle')
        bar = NSStatusBar.systemStatusBar()
        statusitem = bar.statusItemWithLength_(NSVariableStatusItemLength)
        self.statusitem = statusitem
        self.img_idle = my.Image('chicken-tiny-bw', 'png')
        self.img_running = my.Image('chicken-tiny', 'png')
        self.img_err = my.Image('chicken-tiny-err', 'png')
        statusitem.setImage_(self.img_idle)
        statusitem.setHighlightMode_(True)
        statusitem.setMenu_(self.menu)
        self.fill_menu()
        models.configchange_callback = my.DelayedCallback(self.save_servers)
        def sc(server):
            if server.wantConnect():
                self._connect(server)
            else:
                self._disconnect(server)
        models.setconnect_callback = sc
 # Note: NSApplicationMain calls sys.exit(), so this never returns.
 NSApplicationMain(sys.argv)
--- a/ui-macos/models.py
+++ b/ui-macos/models.py
@ -1,131 +0,0 @@
 from AppKit import *
 import my
 configchange_callback = setconnect_callback = None
 def config_changed():
    if configchange_callback:
        configchange_callback()
 def _validate_ip(v):
    parts = v.split('.')[:4]
    if len(parts) < 4:
        parts += ['0'] * (4 - len(parts))
    for i in range(4):
        n = my.atoi(parts[i])
        if n < 0:
            n = 0
        elif n > 255:
            n = 255
        parts[i] = str(n)
    return '.'.join(parts)
 def _validate_width(v):
    n = my.atoi(v)
    if n < 0:
        n = 0
    elif n > 32:
        n = 32
    return n
 class SshuttleNet(NSObject):
    def subnet(self):
        return getattr(self, '_k_subnet', None)
    def setSubnet_(self, v):
        self._k_subnet = v
        config_changed()
    @objc.accessor
    def validateSubnet_error_(self, value, error):
        #print 'validateSubnet!'
        return True, _validate_ip(value), error
    def width(self):
        return getattr(self, '_k_width', 24)
    def setWidth_(self, v):
        self._k_width = v
        config_changed()
    @objc.accessor
    def validateWidth_error_(self, value, error):
        #print 'validateWidth!'
        return True, _validate_width(value), error
 NET_ALL = 0
 NET_AUTO = 1
 NET_MANUAL = 2
 class SshuttleServer(NSObject):
    def init(self):
        self = super(SshuttleServer, self).init()
        config_changed()
        return self
    def wantConnect(self):
        return getattr(self, '_k_wantconnect', False)
    def setWantConnect_(self, v):
        self._k_wantconnect = v
        self.setError_(None)
        config_changed()
        if setconnect_callback: setconnect_callback(self)
    def connected(self):
        return getattr(self, '_k_connected', False)
    def setConnected_(self, v):
        print 'setConnected of %r to %r' % (self, v)
        self._k_connected = v
        if v: self.setError_(None)  # connected ok, so no error
        config_changed()
    def error(self):
        return getattr(self, '_k_error', None)
    def setError_(self, v):
        self._k_error = v
        config_changed()
    def isValid(self):
        if not self.host():
            return False
        if self.autoNets() == NET_MANUAL and not len(list(self.nets())):
            return False
        return True
    def host(self):
        return getattr(self, '_k_host', None)
    def setHost_(self, v):
        self._k_host = v
        config_changed()
    @objc.accessor
    def validateHost_error_(self, value, error):
        #print 'validatehost! %r %r %r' % (self, value, error)
        while value.startswith('-'):
            value = value[1:]
        return True, value, error
    def nets(self):
        return getattr(self, '_k_nets', [])
    def setNets_(self, v):
        self._k_nets = v
        config_changed()
    def netsHidden(self):
        #print 'checking netsHidden'
        return self.autoNets() != NET_MANUAL
    def setNetsHidden_(self, v):
        config_changed()
        #print 'setting netsHidden to %r' % v
    def autoNets(self):
        return getattr(self, '_k_autoNets', NET_AUTO)
    def setAutoNets_(self, v):
        self._k_autoNets = v
        self.setNetsHidden_(-1)
        config_changed()
    def autoHosts(self):
        return getattr(self, '_k_autoHosts', True)
    def setAutoHosts_(self, v):
        self._k_autoHosts = v
        config_changed()
--- a/ui-macos/my.py
+++ b/ui-macos/my.py
@ -1,62 +0,0 @@
 import sys, os
 from AppKit import *
 import PyObjCTools.AppHelper
 def bundle_path(name, typ):
    if typ:
        return NSBundle.mainBundle().pathForResource_ofType_(name, typ)
    else:
        return os.path.join(NSBundle.mainBundle().resourcePath(), name)
 # Load an NSData using a python string
 def Data(s):
    return NSData.alloc().initWithBytes_length_(s, len(s))
 # Load a property list from a file in the application bundle.
 def PList(name):
    path = bundle_path(name, 'plist')
    return NSDictionary.dictionaryWithContentsOfFile_(path)
 # Load an NSImage from a file in the application bundle.
 def Image(name, ext):
    bytes = open(bundle_path(name, ext)).read()
    img = NSImage.alloc().initWithData_(Data(bytes))
    return img
 # Return the NSUserDefaults shared object.
 def Defaults():
    return NSUserDefaults.standardUserDefaults()
 # Usage:
 #   f = DelayedCallback(func, args...)
 # later:
 #   f()
 #
 # When you call f(), it will schedule a call to func() next time the
 # ObjC event loop iterates.  Multiple calls to f() in a single iteration
 # will only result in one call to func().
 #
 def DelayedCallback(func, *args, **kwargs):
    flag = [0]
    def _go():
        if flag[0]:
            print 'running %r (flag=%r)' % (func, flag)
            flag[0] = 0
            func(*args, **kwargs)
    def call():
        flag[0] += 1
        PyObjCTools.AppHelper.callAfter(_go)
    return call
 def atoi(s):
    try:
        return int(s)
    except ValueError:
        return 0
--- a/ui-macos/run.do
+++ b/ui-macos/run.do
@ -1,3 +0,0 @@
 redo-ifchange debug.app
 exec >&2
 ./debug.app/Contents/MacOS/run
--- a/ui-macos/sources.list.do
+++ b/ui-macos/sources.list.do
@ -1,14 +0,0 @@
 redo-always
 exec >$3
 cat <<-EOF
 	app.icns
 	MainMenu.nib English.lproj/MainMenu.nib
 	UserDefaults.plist
 	chicken-tiny.png
 	chicken-tiny-bw.png
 	chicken-tiny-err.png
 EOF
 for d in *.py sshuttle/*.py sshuttle/sshuttle sshuttle/compat/*.py; do
 	echo $d
 done
 redo-stamp <$3
--- a/ui-macos/sshuttle
+++ b/ui-macos/sshuttle
@ -1 +0,0 @@
 ..
		`@ -1,2 +0,0 @@`
			`redo-ifchange $1.xib`
			`ibtool --compile $3 $1.xib`
		`@ -1 +0,0 @@`
			`redo-ifchange "Sshuttle VPN.app.zip" "Sshuttle VPN.app.tar.gz"`