Enhanced DNS support. Initial version.

A few people have reported that they have one or more invalid DNS servers in
/etc/resolv.conf, which they don't notice because the normal resolver
library just skips the broken ones.  sshuttle would abort because it got an
unexpected socket error, which isn't so good.

.gitignore

@@ -1,3 +1,6 @@
 *.pyc
 *~
 *.8
+/.do_built
+/.do_built.dir
+/.redo

Makefile

@@ -1,19 +1,10 @@
-PANDOC:=$(shell \
-	if pandoc </dev/null 2>/dev/null; then \
-		echo pandoc; \
-	else \
-		echo "Warning: pandoc not installed; can't generate manpages." >&2; \
-		echo '@echo Skipping: pandoc'; \
-	fi)
+all:
 
-default: all
+Makefile:
+	@
 
-all: sshuttle.8
+%: FORCE
+	+./do $@
 
-sshuttle.8: sshuttle.md
+.PHONY: FORCE
 
-%.8: %.md
-	$(PANDOC) -s -r markdown -w man -o $@ $<
-
-clean:
-	rm -f *~ */*~ .*~ */.*~ *.8 *.tmp */*.tmp *.pyc */*.pyc

README.md

@@ -1,3 +1,14 @@
+
+WARNING:
+On MacOS 10.6 (at least up to 10.6.6), your network will
+stop responding about 10 minutes after the first time you
+start sshuttle, because of a MacOS kernel bug relating to
+arp and the net.inet.ip.scopedroute sysctl.  To fix it,
+just switch your wireless off and on. Sshuttle makes the
+kernel setting it changes permanent, so this won't happen
+again, even after a reboot.
+
+
 sshuttle: where transparent proxy meets VPN meets ssh
 =====================================================
 

all.do

@@ -0,0 +1,11 @@
+exec >&2
+UI=
+[ "$(uname)" = "Darwin" ] && UI=ui-macos/all
+redo-ifchange sshuttle.8 $UI
+
+echo
+echo "What now?"
+[ -z "$UI" ] || echo "- Try the MacOS GUI: open ui-macos/Sshuttle*.app"
+echo "- Run sshuttle: ./sshuttle --dns -r HOSTNAME 0/0"
+echo "- Read the README: less README.md"
+echo "- Read the man page: less sshuttle.md"

clean.do

@@ -0,0 +1,2 @@
+redo ui-macos/clean
+rm -f *~ */*~ .*~ */.*~ *.8 *.tmp */*.tmp *.pyc */*.pyc

client.py

@@ -102,7 +102,7 @@ class FirewallClient:
         self.subnets_include = subnets_include
         self.subnets_exclude = subnets_exclude
         self.dnsport = dnsport
-        argvbase = ([sys.argv[0]] +
+        argvbase = ([sys.argv[1], sys.argv[0], sys.argv[1]] +
                     ['-v'] * (helpers.verbose or 0) +
                     ['--firewall', str(port), str(dnsport)])
         if ssyslog._p:
@@ -175,8 +175,60 @@ class FirewallClient:
             raise Fatal('cleanup: %r returned %d' % (self.argv, rv))
 
 
+def unpack_dns_name(buf, off):
+    name = ''
+    while True:
+        # get the next octet from buffer
+        n = ord(buf[off])
+
+        # zero octet terminates name
+        if n == 0:
+            off += 1
+            break
+
+        # top two bits on
+        # => a 2 octect pointer to another part of the buffer
+        elif (n & 0xc0) == 0xc0:
+            ptr = struct.unpack('>H', buf[off:off+2])[0] & 0x3fff
+            off = ptr
+
+        # an octet representing the number of bytes to process.
+        else:
+            off += 1
+            name = name + buf[off:off+n] + '.'
+            off += n
+
+    return name.strip('.'), off
+
+class dnspkt:
+    def unpack(self, buf, off):
+        l = len(buf)
+
+        (self.id, self.op, self.qdcount, self.ancount, self.nscount, self.arcount) = struct.unpack("!HHHHHH",buf[off:off+12])
+        off += 12
+
+        self.q = []
+        for i in range(self.qdcount):
+            qname, off = unpack_dns_name(buf, off)
+            qtype, qclass = struct.unpack('!HH', buf[off:off+4])
+            off += 4
+            self.q.append( (qname,qtype,qclass) )
+
+        return off
+
+    def match_q_domain(self, domain):
+        l = len(domain)
+        for qname,qtype,qclass in self.q:
+            if qname[-l:] == domain:
+                if l==len(qname):
+                    return True
+                elif qname[-l-1] == '.':
+                    return True
+        return False
+
 def _main(listener, fw, ssh_cmd, remotename, python, latency_control,
-          dnslistener, seed_hosts, auto_nets,
+          dnslistener, dnsforwarder, dns_domains, dns_to,
+          seed_hosts, auto_nets,
           syslog, daemon):
     handlers = []
     if helpers.verbose >= 1:
@@ -283,6 +335,7 @@ def _main(listener, fw, ssh_cmd, remotename, python, latency_control,
     handlers.append(Handler([listener], onaccept))
 
     dnsreqs = {}
+    dnsforwards = {}
     def dns_done(chan, data):
         peer,timeout = dnsreqs.get(chan) or (None,None)
         debug3('dns_done: channel=%r peer=%r\n' % (chan, peer))
@@ -295,16 +348,54 @@ def _main(listener, fw, ssh_cmd, remotename, python, latency_control,
         now = time.time()
         if pkt:
             debug1('DNS request from %r: %d bytes\n' % (peer, len(pkt)))
+            dns = dnspkt()
+            dns.unpack(pkt, 0)
+
+            match=False
+            if dns_domains is not None:
+                for domain in dns_domains:
+                    if dns.match_q_domain(domain):
+                        match=True
+                        break
+
+            if match:
+                debug3("We need to redirect this request remotely\n")
                 chan = mux.next_channel()
                 dnsreqs[chan] = peer,now+30
                 mux.send(chan, ssnet.CMD_DNS_REQ, pkt)
                 mux.channels[chan] = lambda cmd,data: dns_done(chan,data)
+            else:
+                debug3("We need to forward this request locally\n")
+                dnsforwarder.sendto(pkt, dns_to)
+                dnsforwards[dns.id] = peer,now+30
         for chan,(peer,timeout) in dnsreqs.items():
             if timeout < now:
                 del dnsreqs[chan]
+        for chan,(peer,timeout) in dnsforwards.items():
+            if timeout < now:
+                del dnsforwards[chan]
         debug3('Remaining DNS requests: %d\n' % len(dnsreqs))
+        debug3('Remaining DNS forwards: %d\n' % len(dnsforwards))
     if dnslistener:
         handlers.append(Handler([dnslistener], ondns))
+    def ondnsforward():
+        debug1("We got a response.\n")
+        pkt,server = dnsforwarder.recvfrom(4096)
+        now = time.time()
+        if server[0] != dns_to[0] or server[1] != dns_to[1]:
+            debug1("Ooops. The response came from the wrong server. Ignoring\n")
+        else:
+            dns = dnspkt()
+            dns.unpack(pkt, 0)
+            chan=dns.id
+            peer,timeout = dnsforwards.get(chan) or (None,None)
+            debug3('dns_done: channel=%r peer=%r\n' % (chan, peer))
+            if peer:
+                del dnsforwards[chan]
+                debug3('doing sendto %r\n' % (peer,))
+                dnslistener.sendto(pkt, peer)
+    if dnsforwarder:
+        handlers.append(Handler([dnsforwarder], ondnsforward))
 
     if seed_hosts != None:
         debug1('seed_hosts: %r\n' % seed_hosts)
@@ -321,7 +412,8 @@ def _main(listener, fw, ssh_cmd, remotename, python, latency_control,
         mux.callback()
 
 
-def main(listenip, ssh_cmd, remotename, python, latency_control, dns,
+def main(listenip, ssh_cmd, remotename, python, latency_control,
+         dns, dns_domains, dns_to,
          seed_hosts, auto_nets,
          subnets_include, subnets_exclude, syslog, daemon, pidfile):
     if syslog:
@@ -366,15 +458,21 @@ def main(listenip, ssh_cmd, remotename, python, latency_control, dns,
         dnsip = dnslistener.getsockname()
         debug1('DNS listening on %r.\n' % (dnsip,))
         dnsport = dnsip[1]
+
+        dnsforwarder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        dnsforwarder.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+        dnsforwarder.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
     else:
         dnsport = 0
         dnslistener = None
+        dnsforwarder = None
 
     fw = FirewallClient(listenip[1], subnets_include, subnets_exclude, dnsport)
     
     try:
         return _main(listener, fw, ssh_cmd, remotename,
-                     python, latency_control, dnslistener,
+                     python, latency_control,
+                     dnslistener, dnsforwarder, dns_domains, dns_to,
                      seed_hosts, auto_nets, syslog, daemon)
     finally:
         try:

default.8.do

@@ -0,0 +1,7 @@
+exec >&2
+if pandoc </dev/null 2>/dev/null; then
+	pandoc -s -r markdown -w man -o $3 $1.md
+else
+	echo "Warning: pandoc not installed; can't generate manpages."
+	redo-always
+fi

do

@@ -0,0 +1,150 @@
+#!/bin/sh
+#
+# A minimal alternative to djb redo that doesn't support incremental builds.
+# For the full version, visit http://github.com/apenwarr/redo
+#
+# The author disclaims copyright to this source file and hereby places it in
+# the public domain. (2010 12 14)
+#
+
+# By default, no output coloring.
+GREEN=""
+BOLD=""
+PLAIN=""
+
+if [ -n "$TERM" -a "$TERM" != "dumb" ] && tty <&2 >/dev/null 2>&1; then
+	GREEN="$(printf '\033[32m')"
+	BOLD="$(printf '\033[1m')"
+	PLAIN="$(printf '\033[m')"
+fi
+
+_dirsplit()
+{
+	base=${1##*/}
+	dir=${1%$base}
+}
+
+_dirsplit "$0"
+export REDO=$(cd "${dir:-.}" && echo "$PWD/$base")
+
+DO_TOP=
+if [ -z "$DO_BUILT" ]; then
+	DO_TOP=1
+	[ -n "$*" ] || set all  # only toplevel redo has a default target
+	export DO_BUILT=$PWD/.do_built
+	: >>"$DO_BUILT"
+	echo "Removing previously built files..." >&2
+	sort -u "$DO_BUILT" | tee "$DO_BUILT.new" |
+	while read f; do printf "%s\0%s.did\0" "$f" "$f"; done |
+	xargs -0 rm -f 2>/dev/null
+	mv "$DO_BUILT.new" "$DO_BUILT"
+	DO_PATH=$DO_BUILT.dir
+	export PATH=$DO_PATH:$PATH
+	rm -rf "$DO_PATH"
+	mkdir "$DO_PATH"
+	for d in redo redo-ifchange; do
+		ln -s "$REDO" "$DO_PATH/$d";
+	done
+	[ -e /bin/true ] && TRUE=/bin/true || TRUE=/usr/bin/true
+	for d in redo-ifcreate redo-stamp redo-always; do 
+		ln -s $TRUE "$DO_PATH/$d";
+	done
+fi
+
+
+_find_dofile_pwd()
+{
+	DOFILE=default.$1.do
+	while :; do
+		DOFILE=default.${DOFILE#default.*.}
+		[ -e "$DOFILE" -o "$DOFILE" = default.do ] && break
+	done
+	EXT=${DOFILE#default}
+	EXT=${EXT%.do}
+	BASE=${1%$EXT}
+}
+
+
+_find_dofile()
+{
+	PREFIX=
+	while :; do
+		_find_dofile_pwd "$1"
+		[ -e "$DOFILE" ] && break
+		[ "$PWD" = "/" ] && break
+		TARGET=${PWD##*/}/$TARGET
+		PREFIX=${PWD##*/}/$PREFIX
+		cd ..
+	done
+	BASE=$PREFIX$BASE
+}
+
+
+_run_dofile()
+{
+	export DO_DEPTH="$DO_DEPTH  "
+	export REDO_TARGET=$PWD/$TARGET
+	set -e
+	read line1 <"$PWD/$DOFILE"
+	cmd=${line1#"#!/"}
+	if [ "$cmd" != "$line1" ]; then
+		/$cmd "$PWD/$DOFILE" "$@" >"$TARGET.tmp2"
+	else
+		. "$PWD/$DOFILE" >"$TARGET.tmp2"
+	fi
+}
+
+
+_do()
+{
+	DIR=$1
+	TARGET=$2
+	if [ ! -e "$TARGET" ] || [ -e "$TARGET/." -a ! -e "$TARGET.did" ]; then
+		printf '%sdo  %s%s%s%s\n' \
+			"$GREEN" "$DO_DEPTH" "$BOLD" "$DIR$TARGET" "$PLAIN" >&2
+		echo "$PWD/$TARGET" >>"$DO_BUILT"
+		DOFILE=$TARGET.do
+		BASE=$TARGET
+		EXT=
+		[ -e "$TARGET.do" ] || _find_dofile "$TARGET"
+		if [ ! -e "$DOFILE" ]; then
+			echo "do: $TARGET: no .do file" >&2
+			return 1
+		fi
+		[ ! -e "$DO_BUILD" ] || : >>"$TARGET.did"
+		( _run_dofile "$BASE" "$EXT" "$TARGET.tmp" )
+		RV=$?
+		if [ $RV != 0 ]; then
+			printf "do: %s%s\n" "$DO_DEPTH" \
+				"$DIR$TARGET: got exit code $RV" >&2
+			rm -f "$TARGET.tmp" "$TARGET.tmp2"
+			return $RV
+		fi
+		mv "$TARGET.tmp" "$TARGET" 2>/dev/null ||
+		! test -s "$TARGET.tmp2" ||
+		mv "$TARGET.tmp2" "$TARGET" 2>/dev/null
+		rm -f "$TARGET.tmp2"
+	else
+		echo "do  $DO_DEPTH$TARGET exists." >&2
+	fi
+}
+
+
+redo()
+{
+	for i in "$@"; do
+		_dirsplit "$i"
+		( cd "$dir" && _do "$dir" "$base" ) || return 1
+	done
+}
+
+
+set -e
+redo "$@"
+
+if [ -n "$DO_TOP" ]; then
+	echo "Removing stamp files..." >&2
+	[ ! -e "$DO_BUILT" ] ||
+	while read f; do printf "%s.did\0" "$f"; done <"$DO_BUILT" |
+	xargs -0 rm -f 2>/dev/null
+fi

firewall.py

@@ -7,6 +7,13 @@ from helpers import *
 IPPROTO_DIVERT = 254
 
 
+def nonfatal(func, *args):
+    try:
+        func(*args)
+    except Fatal, e:
+        log('error: %s\n' % e)
+
+
 def ipt_chain_exists(name):
     argv = ['iptables', '-t', 'nat', '-nL']
     p = ssubprocess.Popen(argv, stdout = ssubprocess.PIPE)
@@ -57,9 +64,9 @@ def do_iptables(port, dnsport, subnets):
 
     # basic cleanup/setup of chains
     if ipt_chain_exists(chain):
-        ipt('-D', 'OUTPUT', '-j', chain)
-        ipt('-D', 'PREROUTING', '-j', chain)
-        ipt('-F', chain)
+        nonfatal(ipt, '-D', 'OUTPUT', '-j', chain)
+        nonfatal(ipt, '-D', 'PREROUTING', '-j', chain)
+        nonfatal(ipt, '-F', chain)
         ipt('-X', chain)
 
     if subnets or dnsport:
@@ -143,7 +150,7 @@ def sysctl_set(name, val, permanent=False):
         _fill_oldctls(PREFIX)
     if not (name in _oldctls):
         debug1('>> No such sysctl: %r\n' % name)
-        return
+        return False
     oldval = _oldctls[name]
     if val != oldval:
         rv = _sysctl_set(name, val)
@@ -156,6 +163,7 @@ def sysctl_set(name, val, permanent=False):
             f.close()
         else:
             _changedctls.append(name)
+        return True
 
 
 def _udp_unpack(p):
@@ -214,7 +222,18 @@ def do_ipfw(port, dnsport, subnets):
 
     if subnets or dnsport:
         sysctl_set('net.inet.ip.fw.enable', 1)
-        sysctl_set('net.inet.ip.scopedroute', 0, permanent=True)
+        changed = sysctl_set('net.inet.ip.scopedroute', 0, permanent=True)
+        if changed:
+            log("\n"
+                "        WARNING: ONE-TIME NETWORK DISRUPTION:\n"
+                "        =====================================\n"
+                "sshuttle has changed a MacOS kernel setting to work around\n"
+                "a bug in MacOS 10.6.  This will cause your network to drop\n"
+                "within 5-10 minutes unless you restart your network\n"
+                "interface (change wireless networks or unplug/plug the\n"
+                "ethernet port) NOW, then restart sshuttle.  The fix is\n"
+                "permanent; you only have to do this once.\n\n")
+            sys.exit(1)
 
         ipfw('add', sport, 'check-state', 'ip',
              'from', 'any', 'to', 'any')

hostwatch.py

@@ -13,7 +13,11 @@ _nmb_ok = True
 _smb_ok = True
 hostnames = {}
 queue = {}
-null = open('/dev/null', 'rb+')
+try:
+    null = open('/dev/null', 'wb')
+except IOError, e:
+    log('warning: %s\n' % e)
+    null = os.popen("sh -c 'while read x; do :; done'", 'wb', 4096)
 
 
 def _is_ip(s):

main.py

@@ -1,4 +1,3 @@
-#!/usr/bin/env python
 import sys, os, re
 import helpers, options, client, server, firewall, hostwatch
 import compat.ssubprocess as ssubprocess
@@ -55,7 +54,9 @@ l,listen=  transproxy to this ip address and port number [127.0.0.1:0]
 H,auto-hosts scan for remote hostnames and update local /etc/hosts
 N,auto-nets  automatically determine subnets to route
 dns        capture local DNS requests and forward to the remote DNS server
-python=    path to python interpreter on the remote server [python]
+dns-domains= comma seperated list of DNS domains for DNS forwarding
+dns-to=    forward any DNS requests that don't match domains to this address
+python=    path to python interpreter on the remote server
 r,remote=  ssh hostname (and optional username) of remote sshuttle server
 x,exclude= exclude this subnet (can be used more than once)
 v,verbose  increase debug message verbosity
@@ -71,7 +72,7 @@ firewall   (internal use only)
 hostwatch  (internal use only)
 """
 o = options.Options(optspec)
-(opt, flags, extra) = o.parse(sys.argv[1:])
+(opt, flags, extra) = o.parse(sys.argv[2:])
 
 if opt.daemon:
     opt.syslog = 1
@@ -111,12 +112,26 @@ try:
             sh = []
         else:
             sh = None
+        if opt.dns and opt.dns_domains:
+            dns_domains = opt.dns_domains.split(",")
+            if opt.dns_to:
+                addr,colon,port = opt.dns_to.rpartition(":")
+                if colon == ":":
+                    dns_to = ( addr, int(port) )
+                else:
+                    dns_to = ( port, 53 )
+            else:
+                o.fatal('--dns-to=ip is required with --dns-domains=list')
+        else:
+            dns_domains = None
+            dns_to = None
+
         sys.exit(client.main(parse_ipport(opt.listen or '0.0.0.0:0'),
                              opt.ssh_cmd,
                              remotename,
                              opt.python,
                              opt.latency_control,
-                             opt.dns,
+                             opt.dns, dns_domains, dns_to,
                              sh,
                              opt.auto_nets,
                              parse_subnets(includes),

server.py

@@ -110,16 +110,51 @@ class DnsProxy(Handler):
     def __init__(self, mux, chan, request):
         sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
         Handler.__init__(self, [sock])
-        self.sock = sock
         self.timeout = time.time()+30
         self.mux = mux
         self.chan = chan
+        self.tries = 0
+        self.peer = None
+        self.request = request
+        self.sock = sock
         self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
-        self.sock.connect((resolvconf_random_nameserver(), 53))
-        self.sock.send(request)
+        self.try_send()
+
+    def try_send(self):
+        if self.tries >= 3:
+            return
+        self.tries += 1
+        self.peer = resolvconf_random_nameserver()
+        self.sock.connect((self.peer, 53))
+        debug2('DNS: sending to %r\n' % self.peer)
+        try:
+            self.sock.send(self.request)
+        except socket.error, e:
+            if e.args[0] in [errno.ECONNREFUSED, errno.EHOSTUNREACH]:
+                # might have been spurious; try again.
+                # Note: these errors sometimes are reported by recv(),
+                # and sometimes by send().  We have to catch both.
+                debug2('DNS send to %r: %s\n' % (self.peer, e))
+                self.try_send()
+                return
+            else:
+                log('DNS send to %r: %s\n' % (self.peer, e))
+                return
 
     def callback(self):
+        try:
             data = self.sock.recv(4096)
+        except socket.error, e:
+            if e.args[0] in [errno.ECONNREFUSED, errno.EHOSTUNREACH]:
+                # might have been spurious; try again.
+                # Note: these errors sometimes are reported by recv(),
+                # and sometimes by send().  We have to catch both.
+                debug2('DNS recv from %r: %s\n' % (self.peer, e))
+                self.try_send()
+                return
+            else:
+                log('DNS recv from %r: %s\n' % (self.peer, e))
+                return
         debug2('DNS response: %d bytes\n' % len(data))
         self.mux.send(self.chan, ssnet.CMD_DNS_RESPONSE, data)
         self.ok = False

ssh.py

@@ -73,16 +73,23 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
 
         
     if not rhost:
-        argv = [python, '-c', pyscript]
+        # ignore the --python argument when running locally; we already know
+        # which python version works.
+        argv = [sys.argv[1], '-c', pyscript]
     else:
         if ssh_cmd:
             sshl = ssh_cmd.split(' ')
         else:
             sshl = ['ssh']
+        if python:
+            pycmd = "'%s' -c '%s'" % (python, pyscript)
+        else:
+            pycmd = ("P=python2; $P -V 2>/dev/null || P=python; "
+                     "\"$P\" -c '%s'") % pyscript
         argv = (sshl + 
                 portl + 
                 ipv6flag + 
-                [rhost, '--', "'%s' -c '%s'" % (python, pyscript)])
+                [rhost, '--', pycmd])
     (s1,s2) = socket.socketpair()
     def setup():
         # runs in the child process

sshuttle

@@ -1 +0,0 @@
-main.py

sshuttle

@@ -0,0 +1,7 @@
+#!/bin/sh
+DIR=$(dirname "$0")
+if python2 -V 2>/dev/null; then
+	exec python2 "$DIR/main.py" python2 "$@"
+else
+	exec python "$DIR/main.py" python "$@"
+fi

sshuttle.md

@@ -253,6 +253,17 @@ between the two separate streams, so a tcp-based tunnel is
 fine.
 
 
+# BUGS
+
+On MacOS 10.6 (at least up to 10.6.6), your network will
+stop responding about 10 minutes after the first time you
+start sshuttle, because of a MacOS kernel bug relating to
+arp and the net.inet.ip.scopedroute sysctl.  To fix it,
+just switch your wireless off and on. Sshuttle makes the
+kernel setting it changes permanent, so this won't happen
+again, even after a reboot.
+
+
 # SEE ALSO
 
 `ssh`(1), `python`(1)

ssnet.py

@@ -86,7 +86,7 @@ class SockWrapper:
     def __init__(self, rsock, wsock, connect_to=None, peername=None):
         global _swcount
         _swcount += 1
-        debug3('creating new SockWrapper (%d now exist\n)' % _swcount)
+        debug3('creating new SockWrapper (%d now exist)\n' % _swcount)
         self.exc = None
         self.rsock = rsock
         self.wsock = wsock
@@ -101,7 +101,7 @@ class SockWrapper:
         _swcount -= 1
         debug1('%r: deleting (%d remain)\n' % (self, _swcount))
         if self.exc:
-            debug1('%r: error was: %r\n' % (self, self.exc))
+            debug1('%r: error was: %s\n' % (self, self.exc))
 
     def __repr__(self):
         if self.rsock == self.wsock:
@@ -129,7 +129,17 @@ class SockWrapper:
             # connected successfully (Linux)
             self.connect_to = None
         except socket.error, e:
-            debug3('%r: connect result: %r\n' % (self, e))
+            debug3('%r: connect result: %s\n' % (self, e))
+            if e.args[0] == errno.EINVAL:
+                # this is what happens when you call connect() on a socket
+                # that is now connected but returned EINPROGRESS last time,
+                # on BSD, on python pre-2.5.1.  We need to use getsockopt()
+                # to get the "real" error.  Later pythons do this
+                # automatically, so this code won't run.
+                realerr = self.rsock.getsockopt(socket.SOL_SOCKET,
+                                                socket.SO_ERROR)
+                e = socket.error(realerr, os.strerror(realerr))
+                debug3('%r: fixed connect result: %s\n' % (self, e))
             if e.args[0] in [errno.EINPROGRESS, errno.EALREADY]:
                 pass  # not connected yet
             elif e.args[0] == errno.EISCONN:

stresstest.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 import sys, os, socket, select, struct, time
 
 listener = socket.socket()

ui-macos/clean.do

@@ -1,4 +1,4 @@
 exec >&2
-find -name '*~' | xargs rm -f
+find . -name '*~' | xargs rm -f
 rm -rf *.app *.zip *.tar.gz
 rm -f bits/runpython *.nib sources.list