MacOS precompiled app package for sshuttle-0.61

Sshuttle VPN.app/Contents/Resources/main.py

@@ -78,6 +78,11 @@ class Runner:
             if pid == self.pid:
                 if os.WIFEXITED(code):
                     self.rv = os.WEXITSTATUS(code)
+                    if self.rv == 111:
+                        NSRunAlertPanel('Sshuttle',
+                            'Please restart your computer to finish '
+                            'installing Sshuttle.',
+                            'Restart Later', None, None)
                 else:
                     self.rv = -os.WSTOPSIG(code)
                 self.serverobj.setConnected_(False)
@@ -87,7 +92,10 @@ class Runner:
         return self.rv
 
     def wait(self):
-        return self._try_wait(0)
+        rv = None
+        while rv is None:
+            self.gotdata(None)
+            rv = self._try_wait(os.WNOHANG)
         
     def poll(self):
         return self._try_wait(os.WNOHANG)

Sshuttle VPN.app/Contents/Resources/models.py

@@ -3,6 +3,7 @@ import my
 
 
 configchange_callback = setconnect_callback = None
+objc_validator = objc.signature('@@:N^@o^@')
 
 
 def config_changed():
@@ -39,7 +40,7 @@ class SshuttleNet(NSObject):
     def setSubnet_(self, v):
         self._k_subnet = v
         config_changed()
-    @objc.accessor
+    @objc_validator
     def validateSubnet_error_(self, value, error):
         #print 'validateSubnet!'
         return True, _validate_ip(value), error
@@ -49,7 +50,7 @@ class SshuttleNet(NSObject):
     def setWidth_(self, v):
         self._k_width = v
         config_changed()
-    @objc.accessor
+    @objc_validator
     def validateWidth_error_(self, value, error):
         #print 'validateWidth!'
         return True, _validate_width(value), error
@@ -118,7 +119,7 @@ class SshuttleServer(NSObject):
         self._k_host = v
         self.setTitle_(None)
         config_changed()
-    @objc.accessor
+    @objc_validator
     def validateHost_error_(self, value, error):
         #print 'validatehost! %r %r %r' % (self, value, error)
         while value.startswith('-'):

Sshuttle VPN.app/Contents/Resources/sshuttle/client.py

@@ -102,7 +102,7 @@ class FirewallClient:
         self.subnets_include = subnets_include
         self.subnets_exclude = subnets_exclude
         self.dnsport = dnsport
-        argvbase = ([sys.argv[0]] +
+        argvbase = ([sys.argv[1], sys.argv[0], sys.argv[1]] +
                     ['-v'] * (helpers.verbose or 0) +
                     ['--firewall', str(port), str(dnsport)])
         if ssyslog._p:
@@ -171,10 +171,71 @@ class FirewallClient:
     def done(self):
         self.pfile.close()
         rv = self.p.wait()
-        if rv:
+        if rv == EXITCODE_NEEDS_REBOOT:
+            raise FatalNeedsReboot()
+        elif rv:
             raise Fatal('cleanup: %r returned %d' % (self.argv, rv))
 
 
+def onaccept(listener, mux, handlers):
+    global _extra_fd
+    try:
+        sock,srcip = listener.accept()
+    except socket.error, e:
+        if e.args[0] in [errno.EMFILE, errno.ENFILE]:
+            debug1('Rejected incoming connection: too many open files!\n')
+            # free up an fd so we can eat the connection
+            os.close(_extra_fd)
+            try:
+                sock,srcip = listener.accept()
+                sock.close()
+            finally:
+                _extra_fd = os.open('/dev/null', os.O_RDONLY)
+            return
+        else:
+            raise
+    dstip = original_dst(sock)
+    debug1('Accept: %s:%r -> %s:%r.\n' % (srcip[0],srcip[1],
+                                          dstip[0],dstip[1]))
+    if dstip[1] == listener.getsockname()[1] and islocal(dstip[0]):
+        debug1("-- ignored: that's my address!\n")
+        sock.close()
+        return
+    chan = mux.next_channel()
+    if not chan:
+        log('warning: too many open channels.  Discarded connection.\n')
+        sock.close()
+        return
+    mux.send(chan, ssnet.CMD_CONNECT, '%s,%s' % dstip)
+    outwrap = MuxWrapper(mux, chan)
+    handlers.append(Proxy(SockWrapper(sock, sock), outwrap))
+
+
+dnsreqs = {}
+def dns_done(chan, data):
+    peer,sock,timeout = dnsreqs.get(chan) or (None,None,None)
+    debug3('dns_done: channel=%r peer=%r\n' % (chan, peer))
+    if peer:
+        del dnsreqs[chan]
+        debug3('doing sendto %r\n' % (peer,))
+        sock.sendto(data, peer)
+
+
+def ondns(listener, mux, handlers):
+    pkt,peer = listener.recvfrom(4096)
+    now = time.time()
+    if pkt:
+        debug1('DNS request from %r: %d bytes\n' % (peer, len(pkt)))
+        chan = mux.next_channel()
+        dnsreqs[chan] = peer,listener,now+30
+        mux.send(chan, ssnet.CMD_DNS_REQ, pkt)
+        mux.channels[chan] = lambda cmd,data: dns_done(chan,data)
+    for chan,(peer,sock,timeout) in dnsreqs.items():
+        if timeout < now:
+            del dnsreqs[chan]
+    debug3('Remaining DNS requests: %d\n' % len(dnsreqs))
+
+
 def _main(listener, fw, ssh_cmd, remotename, python, latency_control,
           dnslistener, seed_hosts, auto_nets,
           syslog, daemon):
@@ -198,7 +259,14 @@ def _main(listener, fw, ssh_cmd, remotename, python, latency_control,
     handlers.append(mux)
 
     expected = 'SSHUTTLE0001'
+    
     try:
+        v = 'x'
+        while v and v != '\0':
+            v = serversock.recv(1)
+        v = 'x'
+        while v and v != '\0':
+            v = serversock.recv(1)
         initstring = serversock.recv(len(expected))
     except socket.error, e:
         if e.args[0] == errno.ECONNRESET:
@@ -248,63 +316,10 @@ def _main(listener, fw, ssh_cmd, remotename, python, latency_control,
                 fw.sethostip(name, ip)
     mux.got_host_list = onhostlist
 
-    def onaccept():
-        global _extra_fd
-        try:
-            sock,srcip = listener.accept()
-        except socket.error, e:
-            if e.args[0] in [errno.EMFILE, errno.ENFILE]:
-                debug1('Rejected incoming connection: too many open files!\n')
-                # free up an fd so we can eat the connection
-                os.close(_extra_fd)
-                try:
-                    sock,srcip = listener.accept()
-                    sock.close()
-                finally:
-                    _extra_fd = os.open('/dev/null', os.O_RDONLY)
-                return
-            else:
-                raise
-        dstip = original_dst(sock)
-        debug1('Accept: %s:%r -> %s:%r.\n' % (srcip[0],srcip[1],
-                                              dstip[0],dstip[1]))
-        if dstip[1] == listener.getsockname()[1] and islocal(dstip[0]):
-            debug1("-- ignored: that's my address!\n")
-            sock.close()
-            return
-        chan = mux.next_channel()
-        if not chan:
-            log('warning: too many open channels.  Discarded connection.\n')
-            sock.close()
-            return
-        mux.send(chan, ssnet.CMD_CONNECT, '%s,%s' % dstip)
-        outwrap = MuxWrapper(mux, chan)
-        handlers.append(Proxy(SockWrapper(sock, sock), outwrap))
-    handlers.append(Handler([listener], onaccept))
+    handlers.append(Handler([listener], lambda: onaccept(listener, mux, handlers)))
 
-    dnsreqs = {}
-    def dns_done(chan, data):
-        peer,timeout = dnsreqs.get(chan) or (None,None)
-        debug3('dns_done: channel=%r peer=%r\n' % (chan, peer))
-        if peer:
-            del dnsreqs[chan]
-            debug3('doing sendto %r\n' % (peer,))
-            dnslistener.sendto(data, peer)
-    def ondns():
-        pkt,peer = dnslistener.recvfrom(4096)
-        now = time.time()
-        if pkt:
-            debug1('DNS request from %r: %d bytes\n' % (peer, len(pkt)))
-            chan = mux.next_channel()
-            dnsreqs[chan] = peer,now+30
-            mux.send(chan, ssnet.CMD_DNS_REQ, pkt)
-            mux.channels[chan] = lambda cmd,data: dns_done(chan,data)
-        for chan,(peer,timeout) in dnsreqs.items():
-            if timeout < now:
-                del dnsreqs[chan]
-        debug3('Remaining DNS requests: %d\n' % len(dnsreqs))
     if dnslistener:
-        handlers.append(Handler([dnslistener], ondns))
+        handlers.append(Handler([dnslistener], lambda: ondns(dnslistener, mux, handlers)))
 
     if seed_hosts != None:
         debug1('seed_hosts: %r\n' % seed_hosts)

Sshuttle VPN.app/Contents/Resources/sshuttle/firewall.py

@@ -1,4 +1,4 @@
-import re, errno, socket, select, struct
+import re, errno, socket, select, signal, struct
 import compat.ssubprocess as ssubprocess
 import helpers, ssyslog
 from helpers import *
@@ -6,6 +6,27 @@ from helpers import *
 # python doesn't have a definition for this
 IPPROTO_DIVERT = 254
 
+# return values from sysctl_set
+SUCCESS = 0
+SAME = 1
+FAILED = -1
+NONEXIST = -2
+
+
+def nonfatal(func, *args):
+    try:
+        func(*args)
+    except Fatal, e:
+        log('error: %s\n' % e)
+
+
+def _call(argv):
+    debug1('>> %s\n' % ' '.join(argv))
+    rv = ssubprocess.call(argv)
+    if rv:
+        raise Fatal('%r returned %d' % (argv, rv))
+    return rv
+
 
 def ipt_chain_exists(name):
     argv = ['iptables', '-t', 'nat', '-nL']
@@ -20,10 +41,7 @@ def ipt_chain_exists(name):
 
 def ipt(*args):
     argv = ['iptables', '-t', 'nat'] + list(args)
-    debug1('>> %s\n' % ' '.join(argv))
-    rv = ssubprocess.call(argv)
-    if rv:
-        raise Fatal('%r returned %d' % (argv, rv))
+    _call(argv)
 
 
 _no_ttl_module = False
@@ -57,9 +75,9 @@ def do_iptables(port, dnsport, subnets):
 
     # basic cleanup/setup of chains
     if ipt_chain_exists(chain):
-        ipt('-D', 'OUTPUT', '-j', chain)
-        ipt('-D', 'PREROUTING', '-j', chain)
-        ipt('-F', chain)
+        nonfatal(ipt, '-D', 'OUTPUT', '-j', chain)
+        nonfatal(ipt, '-D', 'PREROUTING', '-j', chain)
+        nonfatal(ipt, '-F', chain)
         ipt('-X', chain)
 
     if subnets or dnsport:
@@ -128,6 +146,42 @@ def _fill_oldctls(prefix):
         raise Fatal('%r returned no data' % (argv,))
 
 
+KERNEL_FLAGS_PATH = '/Library/Preferences/SystemConfiguration/com.apple.Boot'
+KERNEL_FLAGS_NAME = 'Kernel Flags'
+def _defaults_read_kernel_flags():
+    argv = ['defaults', 'read', KERNEL_FLAGS_PATH, KERNEL_FLAGS_NAME]
+    debug1('>> %s\n' % ' '.join(argv))
+    p = ssubprocess.Popen(argv, stdout = ssubprocess.PIPE)
+    flagstr = p.stdout.read().strip()
+    rv = p.wait()
+    if rv:
+        raise Fatal('%r returned %d' % (argv, rv))
+    flags = flagstr and flagstr.split(' ') or []
+    return flags
+
+
+def _defaults_write_kernel_flags(flags):
+    flagstr = ' '.join(flags)
+    argv = ['defaults', 'write', KERNEL_FLAGS_PATH, KERNEL_FLAGS_NAME,
+            flagstr]
+    _call(argv)
+    argv = ['plutil', '-convert', 'xml1', KERNEL_FLAGS_PATH + '.plist']
+    _call(argv)
+    
+
+
+def defaults_write_kernel_flag(name, val):
+    flags = _defaults_read_kernel_flags()
+    found = 0
+    for i in range(len(flags)):
+        if flags[i].startswith('%s=' % name):
+            found += 1
+            flags[i] = '%s=%s' % (name, val)
+    if not found:
+        flags.insert(0, '%s=%s' % (name, val))
+    _defaults_write_kernel_flags(flags)
+
+
 def _sysctl_set(name, val):
     argv = ['sysctl', '-w', '%s=%s' % (name, val)]
     debug1('>> %s\n' % ' '.join(argv))
@@ -143,19 +197,24 @@ def sysctl_set(name, val, permanent=False):
         _fill_oldctls(PREFIX)
     if not (name in _oldctls):
         debug1('>> No such sysctl: %r\n' % name)
-        return
+        return NONEXIST
     oldval = _oldctls[name]
-    if val != oldval:
-        rv = _sysctl_set(name, val)
-        if rv==0 and permanent:
-            debug1('>>   ...saving permanently in /etc/sysctl.conf\n')
-            f = open('/etc/sysctl.conf', 'a')
-            f.write('\n'
-                    '# Added by sshuttle\n'
-                    '%s=%s\n' % (name, val))
-            f.close()
-        else:
-            _changedctls.append(name)
+    if val == oldval:
+        return SAME
+
+    rv = _sysctl_set(name, val)
+    if rv != 0:
+        return FAILED
+    if permanent:
+        debug1('>>   ...saving permanently in /etc/sysctl.conf\n')
+        f = open('/etc/sysctl.conf', 'a')
+        f.write('\n'
+                '# Added by sshuttle\n'
+                '%s=%s\n' % (name, val))
+        f.close()
+    else:
+        _changedctls.append(name)
+    return SUCCESS
 
 
 def _udp_unpack(p):
@@ -193,10 +252,7 @@ def _handle_diversion(divertsock, dnsport):
 
 def ipfw(*args):
     argv = ['ipfw', '-q'] + list(args)
-    debug1('>> %s\n' % ' '.join(argv))
-    rv = ssubprocess.call(argv)
-    if rv:
-        raise Fatal('%r returned %d' % (argv, rv))
+    _call(argv)
 
 
 def do_ipfw(port, dnsport, subnets):
@@ -214,7 +270,39 @@ def do_ipfw(port, dnsport, subnets):
 
     if subnets or dnsport:
         sysctl_set('net.inet.ip.fw.enable', 1)
-        sysctl_set('net.inet.ip.scopedroute', 0, permanent=True)
+
+        # This seems to be needed on MacOS 10.6 and 10.7.  For more
+        # information, see:
+        #   http://groups.google.com/group/sshuttle/browse_thread/thread/bc32562e17987b25/6d3aa2bb30a1edab
+        # and
+        #   http://serverfault.com/questions/138622/transparent-proxying-leaves-sockets-with-syn-rcvd-in-macos-x-10-6-snow-leopard
+        changeflag = sysctl_set('net.inet.ip.scopedroute', 0, permanent=True)
+        if changeflag == SUCCESS:
+            log("\n"
+                "        WARNING: ONE-TIME NETWORK DISRUPTION:\n"
+                "        =====================================\n"
+                "sshuttle has changed a MacOS kernel setting to work around\n"
+                "a bug in MacOS 10.6.  This will cause your network to drop\n"
+                "within 5-10 minutes unless you restart your network\n"
+                "interface (change wireless networks or unplug/plug the\n"
+                "ethernet port) NOW, then restart sshuttle.  The fix is\n"
+                "permanent; you only have to do this once.\n\n")
+            sys.exit(1)
+        elif changeflag == FAILED:
+            # On MacOS 10.7, the scopedroute sysctl became read-only, so
+            # we have to fix it using a kernel boot parameter instead,
+            # which requires rebooting.  For more, see:
+            #   http://groups.google.com/group/sshuttle/browse_thread/thread/a42505ca33e1de80/e5e8f3e5a92d25f7
+            log('Updating kernel boot flags.\n')
+            defaults_write_kernel_flag('net.inet.ip.scopedroute', 0)
+            log("\n"
+                "        YOU MUST REBOOT TO USE SSHUTTLE\n"
+                "        ===============================\n"
+                "sshuttle has changed a MacOS kernel boot-time setting\n"
+                "to work around a bug in MacOS 10.7 Lion.  You will need\n"
+                "to reboot before it takes effect.  You only have to\n"
+                "do this once.\n\n")
+            sys.exit(EXITCODE_NEEDS_REBOOT)
 
         ipfw('add', sport, 'check-state', 'ip',
              'from', 'any', 'to', 'any')
@@ -224,11 +312,11 @@ def do_ipfw(port, dnsport, subnets):
         for swidth,sexclude,snet in sorted(subnets, reverse=True):
             if sexclude:
                 ipfw('add', sport, 'skipto', xsport,
-                     'log', 'tcp',
+                     'tcp',
                      'from', 'any', 'to', '%s/%s' % (snet,swidth))
             else:
                 ipfw('add', sport, 'fwd', '127.0.0.1,%d' % port,
-                     'log', 'tcp',
+                     'tcp',
                      'from', 'any', 'to', '%s/%s' % (snet,swidth),
                      'not', 'ipttl', '42', 'keep-state', 'setup')
 
@@ -270,12 +358,12 @@ def do_ipfw(port, dnsport, subnets):
         for ip in nslist:
             # relabel and then catch outgoing DNS requests
             ipfw('add', sport, 'divert', sport,
-                 'log', 'udp',
+                 'udp',
                  'from', 'any', 'to', '%s/32' % ip, '53',
                  'not', 'ipttl', '42')
         # relabel DNS responses
         ipfw('add', sport, 'divert', sport,
-             'log', 'udp',
+             'udp',
              'from', 'any', str(dnsport), 'to', 'any',
              'not', 'ipttl', '42')
 
@@ -379,6 +467,13 @@ def main(port, dnsport, syslog):
     sys.stdout.write('READY\n')
     sys.stdout.flush()
 
+    # don't disappear if our controlling terminal or stdout/stderr
+    # disappears; we still have to clean up.
+    signal.signal(signal.SIGHUP, signal.SIG_IGN)
+    signal.signal(signal.SIGPIPE, signal.SIG_IGN)
+    signal.signal(signal.SIGTERM, signal.SIG_IGN)
+    signal.signal(signal.SIGINT, signal.SIG_IGN)
+
     # ctrl-c shouldn't be passed along to me.  When the main sshuttle dies,
     # I'll die automatically.
     os.setsid()

Sshuttle VPN.app/Contents/Resources/sshuttle/helpers.py

@@ -1,4 +1,4 @@
-import sys, os, socket
+import sys, os, socket, errno
 
 logprefix = ''
 verbose = 0
@@ -30,6 +30,11 @@ class Fatal(Exception):
     pass
 
 
+EXITCODE_NEEDS_REBOOT = 111
+class FatalNeedsReboot(Fatal):
+    pass
+
+
 def list_contains_any(l, sub):
     for i in sub:
         if i in l:

Sshuttle VPN.app/Contents/Resources/sshuttle/hostwatch.py

@@ -13,7 +13,11 @@ _nmb_ok = True
 _smb_ok = True
 hostnames = {}
 queue = {}
-null = open('/dev/null', 'rb+')
+try:
+    null = open('/dev/null', 'wb')
+except IOError, e:
+    log('warning: %s\n' % e)
+    null = os.popen("sh -c 'while read x; do :; done'", 'wb', 4096)
 
 
 def _is_ip(s):

Sshuttle VPN.app/Contents/Resources/sshuttle/main.py

@@ -1,4 +1,3 @@
-#!/usr/bin/env python
 import sys, os, re
 import helpers, options, client, server, firewall, hostwatch
 import compat.ssubprocess as ssubprocess
@@ -55,15 +54,17 @@ l,listen=  transproxy to this ip address and port number [127.0.0.1:0]
 H,auto-hosts scan for remote hostnames and update local /etc/hosts
 N,auto-nets  automatically determine subnets to route
 dns        capture local DNS requests and forward to the remote DNS server
-python=    path to python interpreter on the remote server [python]
+python=    path to python interpreter on the remote server
 r,remote=  ssh hostname (and optional username) of remote sshuttle server
 x,exclude= exclude this subnet (can be used more than once)
+exclude-from=  exclude the subnets in a file (whitespace separated)
 v,verbose  increase debug message verbosity
 e,ssh-cmd= the command to use to connect to the remote [ssh]
 seed-hosts= with -H, use these hostnames for initial scan (comma-separated)
 no-latency-control  sacrifice latency to improve bandwidth benchmarks
 wrap=      restart counting channel numbers after this number (for testing)
 D,daemon   run in the background as a daemon
+V,version  print sshuttle's version number
 syslog     send log messages to syslog (default if you use --daemon)
 pidfile=   pidfile name (only if using --daemon) [./sshuttle.pid]
 server     (internal use only)
@@ -71,8 +72,12 @@ firewall   (internal use only)
 hostwatch  (internal use only)
 """
 o = options.Options(optspec)
-(opt, flags, extra) = o.parse(sys.argv[1:])
+(opt, flags, extra) = o.parse(sys.argv[2:])
 
+if opt.version:
+    import version
+    print version.TAG
+    sys.exit(0)
 if opt.daemon:
     opt.syslog = 1
 if opt.wrap:
@@ -100,6 +105,8 @@ try:
         for k,v in flags:
             if k in ('-x','--exclude'):
                 excludes.append(v)
+            if k in ('-X', '--exclude-from'):
+                excludes += open(v).read().split()
         remotename = opt.remote
         if remotename == '' or remotename == '-':
             remotename = None
@@ -122,6 +129,9 @@ try:
                              parse_subnets(includes),
                              parse_subnets(excludes),
                              opt.syslog, opt.daemon, opt.pidfile))
+except FatalNeedsReboot, e:
+    log('You must reboot before using sshuttle.\n')
+    sys.exit(EXITCODE_NEEDS_REBOOT)
 except Fatal, e:
     log('fatal: %s\n' % e)
     sys.exit(99)

Sshuttle VPN.app/Contents/Resources/sshuttle/server.py

@@ -43,7 +43,12 @@ def _maskbits(netmask):
     
     
 def _shl(n, bits):
-    return n * int(2**bits)
+    # we use our own implementation of left-shift because
+    # results may be different between older and newer versions
+    # of python for numbers like 1<<32.  We use long() because
+    # int(2**32) doesn't work in older python, which has limited
+    # int sizes.
+    return n * long(2**bits)
 
 
 def _list_routes():
@@ -68,9 +73,11 @@ def _list_routes():
 
 
 def list_routes():
+    l = []
     for (ip,width) in _list_routes():
         if not ip.startswith('0.') and not ip.startswith('127.'):
-            yield (ip,width)
+            l.append((ip,width))
+    return l
 
 
 def _exc_dump():
@@ -110,16 +117,51 @@ class DnsProxy(Handler):
     def __init__(self, mux, chan, request):
         sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
         Handler.__init__(self, [sock])
-        self.sock = sock
         self.timeout = time.time()+30
         self.mux = mux
         self.chan = chan
+        self.tries = 0
+        self.peer = None
+        self.request = request
+        self.sock = sock
         self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
-        self.sock.connect((resolvconf_random_nameserver(), 53))
-        self.sock.send(request)
+        self.try_send()
+
+    def try_send(self):
+        if self.tries >= 3:
+            return
+        self.tries += 1
+        self.peer = resolvconf_random_nameserver()
+        self.sock.connect((self.peer, 53))
+        debug2('DNS: sending to %r\n' % self.peer)
+        try:
+            self.sock.send(self.request)
+        except socket.error, e:
+            if e.args[0] in ssnet.NET_ERRS:
+                # might have been spurious; try again.
+                # Note: these errors sometimes are reported by recv(),
+                # and sometimes by send().  We have to catch both.
+                debug2('DNS send to %r: %s\n' % (self.peer, e))
+                self.try_send()
+                return
+            else:
+                log('DNS send to %r: %s\n' % (self.peer, e))
+                return
 
     def callback(self):
-        data = self.sock.recv(4096)
+        try:
+            data = self.sock.recv(4096)
+        except socket.error, e:
+            if e.args[0] in ssnet.NET_ERRS:
+                # might have been spurious; try again.
+                # Note: these errors sometimes are reported by recv(),
+                # and sometimes by send().  We have to catch both.
+                debug2('DNS recv from %r: %s\n' % (self.peer, e))
+                self.try_send()
+                return
+            else:
+                log('DNS recv from %r: %s\n' % (self.peer, e))
+                return
         debug2('DNS response: %d bytes\n' % len(data))
         self.mux.send(self.chan, ssnet.CMD_DNS_RESPONSE, data)
         self.ok = False
@@ -138,7 +180,7 @@ def main():
         debug1('  %s/%d\n' % r)
         
     # synchronization header
-    sys.stdout.write('SSHUTTLE0001')
+    sys.stdout.write('\0\0SSHUTTLE0001')
     sys.stdout.flush()
 
     handlers = []

Sshuttle VPN.app/Contents/Resources/sshuttle/ssh.py

@@ -73,16 +73,23 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
 
         
     if not rhost:
-        argv = [python, '-c', pyscript]
+        # ignore the --python argument when running locally; we already know
+        # which python version works.
+        argv = [sys.argv[1], '-c', pyscript]
     else:
         if ssh_cmd:
             sshl = ssh_cmd.split(' ')
         else:
             sshl = ['ssh']
+        if python:
+            pycmd = "'%s' -c '%s'" % (python, pyscript)
+        else:
+            pycmd = ("P=python2; $P -V 2>/dev/null || P=python; "
+                     "exec \"$P\" -c '%s'") % pyscript
         argv = (sshl + 
                 portl + 
                 ipv6flag + 
-                [rhost, '--', "'%s' -c '%s'" % (python, pyscript)])
+                [rhost, '--', pycmd])
     (s1,s2) = socket.socketpair()
     def setup():
         # runs in the child process

Sshuttle VPN.app/Contents/Resources/sshuttle/sshuttle

@@ -1,131 +1,12 @@
-#!/usr/bin/env python
-import sys, os, re
-import helpers, options, client, server, firewall, hostwatch
-import compat.ssubprocess as ssubprocess
-from helpers import *
-
-
-# list of:
-# 1.2.3.4/5 or just 1.2.3.4
-def parse_subnets(subnets_str):
-    subnets = []
-    for s in subnets_str:
-        m = re.match(r'(\d+)(?:\.(\d+)\.(\d+)\.(\d+))?(?:/(\d+))?$', s)
-        if not m:
-            raise Fatal('%r is not a valid IP subnet format' % s)
-        (a,b,c,d,width) = m.groups()
-        (a,b,c,d) = (int(a or 0), int(b or 0), int(c or 0), int(d or 0))
-        if width == None:
-            width = 32
-        else:
-            width = int(width)
-        if a > 255 or b > 255 or c > 255 or d > 255:
-            raise Fatal('%d.%d.%d.%d has numbers > 255' % (a,b,c,d))
-        if width > 32:
-            raise Fatal('*/%d is greater than the maximum of 32' % width)
-        subnets.append(('%d.%d.%d.%d' % (a,b,c,d), width))
-    return subnets
-
-
-# 1.2.3.4:567 or just 1.2.3.4 or just 567
-def parse_ipport(s):
-    s = str(s)
-    m = re.match(r'(?:(\d+)\.(\d+)\.(\d+)\.(\d+))?(?::)?(?:(\d+))?$', s)
-    if not m:
-        raise Fatal('%r is not a valid IP:port format' % s)
-    (a,b,c,d,port) = m.groups()
-    (a,b,c,d,port) = (int(a or 0), int(b or 0), int(c or 0), int(d or 0),
-                      int(port or 0))
-    if a > 255 or b > 255 or c > 255 or d > 255:
-        raise Fatal('%d.%d.%d.%d has numbers > 255' % (a,b,c,d))
-    if port > 65535:
-        raise Fatal('*:%d is greater than the maximum of 65535' % port)
-    if a == None:
-        a = b = c = d = 0
-    return ('%d.%d.%d.%d' % (a,b,c,d), port)
-
-
-optspec = """
-sshuttle [-l [ip:]port] [-r [username@]sshserver[:port]] <subnets...>
-sshuttle --server
-sshuttle --firewall <port> <subnets...>
-sshuttle --hostwatch
---
-l,listen=  transproxy to this ip address and port number [127.0.0.1:0]
-H,auto-hosts scan for remote hostnames and update local /etc/hosts
-N,auto-nets  automatically determine subnets to route
-dns        capture local DNS requests and forward to the remote DNS server
-python=    path to python interpreter on the remote server [python]
-r,remote=  ssh hostname (and optional username) of remote sshuttle server
-x,exclude= exclude this subnet (can be used more than once)
-v,verbose  increase debug message verbosity
-e,ssh-cmd= the command to use to connect to the remote [ssh]
-seed-hosts= with -H, use these hostnames for initial scan (comma-separated)
-no-latency-control  sacrifice latency to improve bandwidth benchmarks
-wrap=      restart counting channel numbers after this number (for testing)
-D,daemon   run in the background as a daemon
-syslog     send log messages to syslog (default if you use --daemon)
-pidfile=   pidfile name (only if using --daemon) [./sshuttle.pid]
-server     (internal use only)
-firewall   (internal use only)
-hostwatch  (internal use only)
-"""
-o = options.Options(optspec)
-(opt, flags, extra) = o.parse(sys.argv[1:])
-
-if opt.daemon:
-    opt.syslog = 1
-if opt.wrap:
-    import ssnet
-    ssnet.MAX_CHANNEL = int(opt.wrap)
-helpers.verbose = opt.verbose
-
-try:
-    if opt.server:
-        if len(extra) != 0:
-            o.fatal('no arguments expected')
-        server.latency_control = opt.latency_control
-        sys.exit(server.main())
-    elif opt.firewall:
-        if len(extra) != 2:
-            o.fatal('exactly two arguments expected')
-        sys.exit(firewall.main(int(extra[0]), int(extra[1]), opt.syslog))
-    elif opt.hostwatch:
-        sys.exit(hostwatch.hw_main(extra))
-    else:
-        if len(extra) < 1 and not opt.auto_nets:
-            o.fatal('at least one subnet (or -N) expected')
-        includes = extra
-        excludes = ['127.0.0.0/8']
-        for k,v in flags:
-            if k in ('-x','--exclude'):
-                excludes.append(v)
-        remotename = opt.remote
-        if remotename == '' or remotename == '-':
-            remotename = None
-        if opt.seed_hosts and not opt.auto_hosts:
-            o.fatal('--seed-hosts only works if you also use -H')
-        if opt.seed_hosts:
-            sh = re.split(r'[\s,]+', (opt.seed_hosts or "").strip())
-        elif opt.auto_hosts:
-            sh = []
-        else:
-            sh = None
-        sys.exit(client.main(parse_ipport(opt.listen or '0.0.0.0:0'),
-                             opt.ssh_cmd,
-                             remotename,
-                             opt.python,
-                             opt.latency_control,
-                             opt.dns,
-                             sh,
-                             opt.auto_nets,
-                             parse_subnets(includes),
-                             parse_subnets(excludes),
-                             opt.syslog, opt.daemon, opt.pidfile))
-except Fatal, e:
-    log('fatal: %s\n' % e)
-    sys.exit(99)
-except KeyboardInterrupt:
-    log('\n')
-    log('Keyboard interrupt: exiting.\n')
-    sys.exit(1)
+#!/bin/sh
+EXE=$0
+for i in 1 2 3 4 5 6 7 8 9 10; do
+	[ -L "$EXE" ] || break
+	EXE=$(readlink "$EXE")
+done
+DIR=$(dirname "$EXE")
+if python2 -V 2>/dev/null; then
+	exec python2 "$DIR/main.py" python2 "$@"
+else
+	exec python "$DIR/main.py" python "$@"
+fi

Sshuttle VPN.app/Contents/Resources/sshuttle/ssnet.py

@@ -40,7 +40,11 @@ cmd_to_name = {
     CMD_DNS_REQ: 'DNS_REQ',
     CMD_DNS_RESPONSE: 'DNS_RESPONSE',
 }
-    
+
+
+NET_ERRS = [errno.ECONNREFUSED, errno.ETIMEDOUT,
+            errno.EHOSTUNREACH, errno.ENETUNREACH,
+            errno.EHOSTDOWN, errno.ENETDOWN]
 
 
 def _add(l, elem):
@@ -86,7 +90,7 @@ class SockWrapper:
     def __init__(self, rsock, wsock, connect_to=None, peername=None):
         global _swcount
         _swcount += 1
-        debug3('creating new SockWrapper (%d now exist\n)' % _swcount)
+        debug3('creating new SockWrapper (%d now exist)\n' % _swcount)
         self.exc = None
         self.rsock = rsock
         self.wsock = wsock
@@ -101,7 +105,7 @@ class SockWrapper:
         _swcount -= 1
         debug1('%r: deleting (%d remain)\n' % (self, _swcount))
         if self.exc:
-            debug1('%r: error was: %r\n' % (self, self.exc))
+            debug1('%r: error was: %s\n' % (self, self.exc))
 
     def __repr__(self):
         if self.rsock == self.wsock:
@@ -124,20 +128,45 @@ class SockWrapper:
             return  # already connected
         self.rsock.setblocking(False)
         debug3('%r: trying connect to %r\n' % (self, self.connect_to))
+        if socket.inet_aton(self.connect_to[0])[0] == '\0':
+            self.seterr(Exception("Can't connect to %r: "
+                                  "IP address starts with zero\n"
+                                  % (self.connect_to,)))
+            self.connect_to = None
+            return
         try:
             self.rsock.connect(self.connect_to)
             # connected successfully (Linux)
             self.connect_to = None
         except socket.error, e:
-            debug3('%r: connect result: %r\n' % (self, e))
+            debug3('%r: connect result: %s\n' % (self, e))
+            if e.args[0] == errno.EINVAL:
+                # this is what happens when you call connect() on a socket
+                # that is now connected but returned EINPROGRESS last time,
+                # on BSD, on python pre-2.5.1.  We need to use getsockopt()
+                # to get the "real" error.  Later pythons do this
+                # automatically, so this code won't run.
+                realerr = self.rsock.getsockopt(socket.SOL_SOCKET,
+                                                socket.SO_ERROR)
+                e = socket.error(realerr, os.strerror(realerr))
+                debug3('%r: fixed connect result: %s\n' % (self, e))
             if e.args[0] in [errno.EINPROGRESS, errno.EALREADY]:
                 pass  # not connected yet
+            elif e.args[0] == 0:
+                # connected successfully (weird Linux bug?)
+                # Sometimes Linux seems to return EINVAL when it isn't
+                # invalid.  This *may* be caused by a race condition
+                # between connect() and getsockopt(SO_ERROR) (ie. it
+                # finishes connecting in between the two, so there is no
+                # longer an error).  However, I'm not sure of that.
+                #
+                # I did get at least one report that the problem went away
+                # when we added this, however.
+                self.connect_to = None
             elif e.args[0] == errno.EISCONN:
                 # connected successfully (BSD)
                 self.connect_to = None
-            elif e.args[0] in [errno.ECONNREFUSED, errno.ETIMEDOUT,
-                               errno.EHOSTUNREACH, errno.ENETUNREACH,
-                               errno.EACCES, errno.EPERM]:
+            elif e.args[0] in NET_ERRS + [errno.EACCES, errno.EPERM]:
                 # a "normal" kind of error
                 self.connect_to = None
                 self.seterr(e)

Sshuttle VPN.app/Contents/Resources/sshuttle/stresstest.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 import sys, os, socket, select, struct, time
 
 listener = socket.socket()