Add changelog entry for 1.0.3

Fix formatting typos in usage docs

.github/workflows/pythonpackage.yml

@@ -0,0 +1,35 @@
+# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Python package
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [3.5, 3.6, 3.7, 3.8]
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v2
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements-tests.txt
+    - name: Lint with flake8
+      run: |
+        flake8 sshuttle tests --count --show-source --statistics
+    - name: Test with pytest
+      run: |
+        PYTHONPATH=$PWD pytest

.gitignore

@@ -1,7 +1,17 @@
-sshuttle/version.py
+/sshuttle/version.py
+/tmp/
+/.cache/
+/.eggs/
+/.tox/
+/build/
+/dist/
+/sshuttle.egg-info/
+/docs/_build/
 *.pyc
 *~
 *.8
 /.do_built
 /.do_built.dir
 /.redo
+/.pytest_cache/
+/.python-version

.prospector.yml

@@ -0,0 +1,24 @@
+strictness: medium
+
+pylint:
+  disable:
+    - too-many-statements
+    - too-many-locals
+    - too-many-function-args
+    - too-many-arguments
+    - too-many-branches
+    - bare-except
+    - protected-access
+    - no-else-return
+    - unused-argument
+    - method-hidden
+    - arguments-differ
+    - wrong-import-position
+    - raising-bad-type
+
+pep8:
+  options:
+    max-line-length: 79
+
+mccabe:
+  run: false

.travis.yml

@@ -1,11 +0,0 @@
-language: python
-python:
-- 2.7
-- 3.5
-- pypy
-
-install:
-    - travis_retry pip install -q pytest mock
-
-script:
-  - PYTHONPATH=. py.test

CHANGES.rst

@@ -1,13 +1,245 @@
-Release 0.77.1 (Mar 7, 2016)
-============================
+==========
+Change log
+==========
+All notable changes to this project will be documented in this file. The format
+is based on `Keep a Changelog`_ and this project
+adheres to `Semantic Versioning`_.
+
+.. _`Keep a Changelog`: http://keepachangelog.com/
+.. _`Semantic Versioning`: http://semver.org/
+
+
+1.0.3 - 2020-07-12
+------------------
+
+Fixed
+~~~~~
+* Ask setuptools to require Python 3.5 and above.
+* Add missing import.
+* Fix formatting typos in usage docs
+
+
+1.0.2 - 2020-06-18
+------------------
+
+Fixed
+~~~~~
+* Leave use of default port to ssh command.
+* Remove unwanted references to Python 2.7 in docs.
+* Replace usage of deprecated imp.
+* Fix connection with @ sign in username.
+
+
+1.0.1 - 2020-06-05
+------------------
+
+Fixed
+~~~~~
+* Errors in python long_documentation.
+
+
+1.0.0 - 2020-06-05
+------------------
+
+Added
+~~~~~
+* Python 3.8 support.
+* sshpass support.
+* Auto sudoers file (#269).
+* option for latency control buffer size.
+* Docs: FreeBSD'.
+* Docs: Nix'.
+* Docs: openwrt'.
+* Docs: install instructions for Fedora'.
+* Docs: install instructions for Arch Linux'.
+* Docs: 'My VPN broke and need a solution fast'.
+
+Removed
+~~~~~~~
+* Python 2.6 support.
+* Python 2.7 support.
+
+Fixed
+~~~~~
+* Remove debug message for getpeername failure.
+* Fix crash triggered by port scans closing socket.
+* Added "Running as a service" to docs.
+* Systemd integration.
+* Trap UnicodeError to handle cases where hostnames returned by DNS are invalid.
+* Formatting error in CHANGES.rst
+* Various errors in documentation.
+* Nftables based method.
+* Make hostwatch locale-independent (#379).
+* Add tproxy udp port mark filter that was missed in #144, fixes #367.
+* Capturing of local DNS servers.
+* Crashing on ECONNABORTED.
+* Size of pf_rule, which grew in OpenBSD 6.4.
+* Use prompt for sudo, not needed for doas.
+* Arch linux installation instructions.
+* tests for existing PR-312 (#337).
+* Hyphen in hostname.
+* Assembler import (#319).
+
+
+0.78.5 - 2019-01-28
+-------------------
+
+Added
+~~~~~
+* doas support as replacmeent for sudo on OpenBSD.
+* Added ChromeOS section to documentation (#262)
+* Add --no-sudo-pythonpath option
+
+Fixed
+~~~~~
+* Fix forwarding to a single port.
+* Various updates to documentation.
+* Don't crash if we can't look up peername
+* Fix missing string formatting argument
+* Moved sshuttle/tests into tests.
+* Updated bandit config.
+* Replace path /dev/null by os.devnull.
+* Added coverage report to tests.
+* Fixes support for OpenBSD (6.1+) (#282).
+* Close stdin, stdout, and stderr when using syslog or forking to daemon (#283).
+* Changes pf exclusion rules precedence.
+* Fix deadlock with iptables with large ruleset.
+* docs: document --ns-hosts --to-ns and update --dns.
+* Use subprocess.check_output instead of run.
+* Fix potential deadlock condition in nft_get_handle.
+* auto-nets: retrieve routes only if using auto-nets.
+
+
+0.78.4 - 2018-04-02
+-------------------
+
+Added
+~~~~~
+* Add homebrew instructions.
+* Route traffic by linux user.
+* Add nat-like method using nftables instead of iptables.
+
+Changed
+~~~~~~~
+* Talk to custom DNS server on pod, instead of the ones in /etc/resolv.conf.
+* Add new option for overriding destination DNS server.
+* Changed subnet parsing. Previously 10/8 become 10.0.0.0/8.  Now it gets
+  parsed as 0.0.0.10/8.
+* Make hostwatch find both fqdn and hostname.
+* Use versions of python3 greater than 3.5 when available (e.g. 3.6).
+
+Removed
+~~~~~~~
+* Remove Python 2.6 from automatic tests.
+
+Fixed
+~~~~~
+* Fix case where there is no --dns.
+* [pf] Avoid port forwarding from loopback address.
+* Use getaddrinfo to obtain a correct sockaddr.
+* Skip empty lines on incoming routes data.
+* Just skip empty lines of routes data instead of stopping processing.
+* [pf] Load pf kernel module when enabling pf.
+* [pf] Test double restore (ipv4, ipv6) disables only once; test kldload.
+* Fixes UDP and DNS proxies binding to the same socket address.
+* Mock socket bind to avoid depending on local IPs being available in test box.
+* Fix no value passed for argument auto_hosts in hw_main call.
+* Fixed incorrect license information in setup.py.
+* Preserve peer and port properly.
+* Make --to-dns and --ns-host work well together.
+* Remove test that fails under OSX.
+* Specify pip requirements for tests.
+* Use flake8 to find Python syntax errors or undefined names.
+* Fix compatibility with the sudoers file.
+* Stop using SO_REUSEADDR on sockets.
+* Declare 'verbosity' as global variable to placate linters.
+* Adds 'cd sshuttle' after 'git' to README and docs.
+* Documentation for loading options from configuration file.
+* Load options from a file.
+* Fix firewall.py.
+* Move sdnotify after setting up firewall rules.
+* Fix tests on Macos.
+
+
+0.78.3 - 2017-07-09
+-------------------
+The "I should have done a git pull" first release.
+
+Fixed
+~~~~~
+* Order first by port range and only then by swidth
+
+
+0.78.2 - 2017-07-09
+-------------------
+
+Added
+~~~~~
+* Adds support for tunneling specific port ranges (#144).
+* Add support for iproute2.
+* Allow remote hosts with colons in the username.
+* Re-introduce ipfw support for sshuttle on FreeBSD with support for --DNS option as well.
+* Add support for PfSense.
+* Tests and documentation for systemd integration.
+* Allow subnets to be given only by file (-s).
+
+Fixed
+~~~~~
+* Work around non tabular headers in BSD netstat.
+* Fix UDP and DNS support on Python 2.7 with tproxy method.
+* Fixed tests after adding support for iproute2.
+* Small refactoring of netstat/iproute parsing.
+* Set started_by_sshuttle False after disabling pf.
+* Fix punctuation and explain Type=notify.
+* Move pytest-runner to tests_require.
+* Fix warning: closed channel got=STOP_SENDING.
+* Support sdnotify for better systemd integration.
+* Fix #117 to allow for no subnets via file (-s).
+* Fix argument splitting for multi-word arguments.
+* requirements.rst: Fix mistakes.
+* Fix typo, space not required here.
+* Update installation instructions.
+* Support using run from different directory.
+* Ensure we update sshuttle/version.py in run.
+* Don't print python version in run.
+* Add CWD to PYTHONPATH in run.
+
+
+0.78.1 - 2016-08-06
+-------------------
+* Fix readthedocs versioning.
+* Don't crash on ENETUNREACH.
+* Various bug fixes.
+* Improvements to BSD and OSX support.
+
+
+0.78.0 - 2016-04-08
+-------------------
+
+* Don't force IPv6 if IPv6 nameservers supplied. Fixes #74.
+* Call /bin/sh as users shell may not be POSIX compliant. Fixes #77.
+* Use argparse for command line processing. Fixes #75.
+* Remove useless --server option.
+* Support multiple -s (subnet) options. Fixes #86.
+* Make server parts work with old versions of Python. Fixes #81.
+
+
+0.77.2 - 2016-03-07
+-------------------
+
+* Accidentally switched LGPL2 license with GPL2 license in 0.77.1 - now fixed.
+
+
+0.77.1 - 2016-03-07
+-------------------
 
 * Use semantic versioning. http://semver.org/
 * Update GPL 2 license text.
 * New release to fix PyPI.
 
 
-Release 0.77 (Mar 3, 2016)
-==========================
+0.77 - 2016-03-03
+-----------------
 
 * Various bug fixes.
 * Fix Documentation.
@@ -15,8 +247,8 @@ Release 0.77 (Mar 3, 2016)
 * Add support for OpenBSD.
 
 
-Release 0.76 (Jan 17, 2016)
-===========================
+0.76 - 2016-01-17
+-----------------
 
 * Add option to disable IPv6 support.
 * Update documentation.
@@ -24,14 +256,14 @@ Release 0.76 (Jan 17, 2016)
 * Use setuptools-scm for automatic versioning.
 
 
-Release 0.75 (Jan 12, 2016)
-===========================
+0.75 - 2016-01-12
+-----------------
 
 * Revert change that broke sshuttle entry point.
 
 
-Release 0.74 (Jan 10, 2016)
-===========================
+0.74 - 2016-01-10
+-----------------
 
 * Add CHANGES.rst file.
 * Numerous bug fixes.

LICENSE

@@ -1,22 +1,25 @@
-                    GNU GENERAL PUBLIC LICENSE
+                  GNU LIBRARY GENERAL PUBLIC LICENSE
                        Version 2, June 1991
 
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Copyright (C) 1991 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
+[This is the first released version of the library GPL.  It is
+ numbered 2 because it goes with version 2 of the ordinary GPL.]
+
                             Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Lesser General Public License instead.)  You can apply it to
-your programs, too.
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+  This license, the Library General Public License, applies to some
+specially designated Free Software Foundation software, and to any
+other libraries whose authors decide to use it.  You can use it for
+your libraries, too.
 
   When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
@@ -27,195 +30,347 @@ in new free programs; and that you know you can do these things.
 
   To protect your rights, we need to make restrictions that forbid
 anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
+These restrictions translate to certain responsibilities for you if
+you distribute copies of the library, or if you modify it.
 
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
+  For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you.  You must make sure that they, too, receive or can get the source
+code.  If you link a program with the library, you must provide
+complete object files to the recipients so that they can relink them
+with the library, after making changes to the library and recompiling
+it.  And you must show them these terms so they know their rights.
 
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
+  Our method of protecting your rights has two steps: (1) copyright
+the library, and (2) offer you this license which gives you legal
+permission to copy, distribute and/or modify the library.
 
-  Also, for each author's protection and ours, we want to make certain
+  Also, for each distributor's protection, we want to make certain
 that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
+library.  If the library is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original
+version, so that any problems introduced by others will not reflect on
+the original authors' reputations.
+
   Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
+patents.  We wish to avoid the danger that companies distributing free
+software will individually obtain patent licenses, thus in effect
+transforming the program into proprietary software.  To prevent this,
+we have made it clear that any patent must be licensed for everyone's
+free use or not licensed at all.
+
+  Most GNU software, including some libraries, is covered by the ordinary
+GNU General Public License, which was designed for utility programs.  This
+license, the GNU Library General Public License, applies to certain
+designated libraries.  This license is quite different from the ordinary
+one; be sure to read it in full, and don't assume that anything in it is
+the same as in the ordinary license.
+
+  The reason we have a separate public license for some libraries is that
+they blur the distinction we usually make between modifying or adding to a
+program and simply using it.  Linking a program with a library, without
+changing the library, is in some sense simply using the library, and is
+analogous to running a utility program or application program.  However, in
+a textual and legal sense, the linked executable is a combined work, a
+derivative of the original library, and the ordinary General Public License
+treats it as such.
+
+  Because of this blurred distinction, using the ordinary General
+Public License for libraries did not effectively promote software
+sharing, because most developers did not use the libraries.  We
+concluded that weaker conditions might promote sharing better.
+
+  However, unrestricted linking of non-free programs would deprive the
+users of those programs of all benefit from the free status of the
+libraries themselves.  This Library General Public License is intended to
+permit developers of non-free programs to use free libraries, while
+preserving your freedom as a user of such programs to change the free
+libraries that are incorporated in them.  (We have not seen how to achieve
+this as regards changes in header files, but we have achieved it as regards
+changes in the actual functions of the Library.)  The hope is that this
+will lead to faster development of free libraries.
 
   The precise terms and conditions for copying, distribution and
-modification follow.
+modification follow.  Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library".  The
+former contains code derived from the library, while the latter only
+works together with the library.
 
-                    GNU GENERAL PUBLIC LICENSE
+  Note that it is possible for a library to be covered by the ordinary
+General Public License rather than by this special one.
+
+                  GNU LIBRARY GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
+  0. This License Agreement applies to any software library which
+contains a notice placed by the copyright holder or other authorized
+party saying it may be distributed under the terms of this Library
+General Public License (also called "this License").  Each licensee is
+addressed as "you".
 
-Activities other than copying, distribution and modification are not
+  A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+  The "Library", below, refers to any such software library or work
+which has been distributed under these terms.  A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language.  (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+  "Source code" for a work means the preferred form of the work for
+making modifications to it.  For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control compilation
+and installation of the library.
+
+  Activities other than copying, distribution and modification are not
 covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it).  Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+  
+  1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
 
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
+  You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+
+  2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
 above, provided that you also meet all of these conditions:
 
-    a) You must cause the modified files to carry prominent notices
+    a) The modified work must itself be a software library.
+
+    b) You must cause the files modified to carry prominent notices
     stating that you changed the files and the date of any change.
 
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
+    c) You must cause the whole of the work to be licensed at no
+    charge to all third parties under the terms of this License.
 
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
+    d) If a facility in the modified Library refers to a function or a
+    table of data to be supplied by an application program that uses
+    the facility, other than as an argument passed when the facility
+    is invoked, then you must make a good faith effort to ensure that,
+    in the event an application does not supply such function or
+    table, the facility still operates, and performs whatever part of
+    its purpose remains meaningful.
+
+    (For example, a function in a library to compute square roots has
+    a purpose that is entirely well-defined independent of the
+    application.  Therefore, Subsection 2d requires that any
+    application-supplied function or table used by this function must
+    be optional: if the application does not supply it, the square
+    root function must still compute square roots.)
 
 These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
+identifiable sections of that work are not derived from the Library,
 and can be reasonably considered independent and separate works in
 themselves, then this License, and its terms, do not apply to those
 sections when you distribute them as separate works.  But when you
 distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
+on the Library, the distribution of the whole must be on the terms of
 this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
+entire whole, and thus to each and every part regardless of who wrote
+it.
 
 Thus, it is not the intent of this section to claim rights or contest
 your rights to work written entirely by you; rather, the intent is to
 exercise the right to control the distribution of derivative or
-collective works based on the Program.
+collective works based on the Library.
 
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
 a storage or distribution medium does not bring the other work under
 the scope of this License.
 
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
+  3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library.  To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License.  (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.)  Do not make any other change in
+these notices.
+
+  Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
 
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
+  This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
 
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
+  4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
 
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
+  If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
 compelled to copy the source along with the object code.
 
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
+  5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library".  Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
 
-  5. You are not required to accept this License, since you have not
+  However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library".  The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+  When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library.  The
+threshold for this to be true is not precisely defined by law.
+
+  If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work.  (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+  Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+
+  6. As an exception to the Sections above, you may also compile or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+  You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License.  You must supply a copy of this License.  If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License.  Also, you must do one
+of these things:
+
+    a) Accompany the work with the complete corresponding
+    machine-readable source code for the Library including whatever
+    changes were used in the work (which must be distributed under
+    Sections 1 and 2 above); and, if the work is an executable linked
+    with the Library, with the complete machine-readable "work that
+    uses the Library", as object code and/or source code, so that the
+    user can modify the Library and then relink to produce a modified
+    executable containing the modified Library.  (It is understood
+    that the user who changes the contents of definitions files in the
+    Library will not necessarily be able to recompile the application
+    to use the modified definitions.)
+
+    b) Accompany the work with a written offer, valid for at
+    least three years, to give the same user the materials
+    specified in Subsection 6a, above, for a charge no more
+    than the cost of performing this distribution.
+
+    c) If distribution of the work is made by offering access to copy
+    from a designated place, offer equivalent access to copy the above
+    specified materials from the same place.
+
+    d) Verify that the user has already received a copy of these
+    materials or that you have already sent this user a copy.
+
+  For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it.  However, as a special exception,
+the source code distributed need not include anything that is normally
+distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+  It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system.  Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+
+  7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+    a) Accompany the combined library with a copy of the same work
+    based on the Library, uncombined with any other library
+    facilities.  This must be distributed under the terms of the
+    Sections above.
+
+    b) Give prominent notice with the combined library of the fact
+    that part of it is a work based on the Library, and explaining
+    where to find the accompanying uncombined form of the same work.
+
+  8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License.  Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License.  However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+  9. You are not required to accept this License, since you have not
 signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
+distribute the Library or its derivative works.  These actions are
 prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
 all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
+the Library or works based on it.
 
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
+  10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties to
 this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
+
+  11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License.  If you cannot
 distribute so as to satisfy simultaneously your obligations under this
 License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
+may not distribute the Library at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Library by
 all those who receive copies directly or indirectly through you, then
 the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
+refrain entirely from distribution of the Library.
 
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
+If any portion of this section is held invalid or unenforceable under any
+particular circumstance, the balance of the section is intended to apply,
+and the section as a whole is intended to apply in other circumstances.
 
 It is not the purpose of this section to induce you to infringe any
 patents or other property right claims or to contest validity of any
 such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
+integrity of the free software distribution system which is
 implemented by public license practices.  Many people have made
 generous contributions to the wide range of software distributed
 through that system in reliance on consistent application of that
@@ -226,114 +381,101 @@ impose that choice.
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
 
-  8. If the distribution and/or use of the Program is restricted in
+  12. If the distribution and/or use of the Library is restricted in
 certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
+original copyright holder who places the Library under this License may add
+an explicit geographical distribution limitation excluding those countries,
+so that distribution is permitted only in or among countries not thus
+excluded.  In such case, this License incorporates the limitation as if
+written in the body of this License.
 
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
+  13. The Free Software Foundation may publish revised and/or new
+versions of the Library General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
 
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
+Each version is given a distinguishing version number.  If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation.  If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+
+  14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission.  For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this.  Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
 
                             NO WARRANTY
 
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
+  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU.  SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
 
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
+  16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
 
                      END OF TERMS AND CONDITIONS
+
+           How to Apply These Terms to Your New Libraries
 
-            How to Apply These Terms to Your New Programs
+  If you develop a new library, and you want it to be of the greatest
+possible use to the public, we recommend making it free software that
+everyone can redistribute and change.  You can do so by permitting
+redistribution under these terms (or, alternatively, under the terms of the
+ordinary General Public License).
 
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
+  To apply these terms, attach the following notices to the library.  It is
+safest to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
 
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
+    <one line to give the library's name and a brief idea of what it does.>
     Copyright (C) <year>  <name of author>
 
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
+    This library is free software; you can redistribute it and/or
+    modify it under the terms of the GNU Library General Public
+    License as published by the Free Software Foundation; either
+    version 2 of the License, or (at your option) any later version.
 
-    This program is distributed in the hope that it will be useful,
+    This library is distributed in the hope that it will be useful,
     but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+    Library General Public License for more details.
 
-    You should have received a copy of the GNU General Public License along
-    with this program; if not, write to the Free Software Foundation, Inc.,
-    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+    You should have received a copy of the GNU Library General Public
+    License along with this library; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 
 Also add information on how to contact you by electronic and paper mail.
 
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
 You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
+school, if any, to sign a "copyright disclaimer" for the library, if
 necessary.  Here is a sample; alter the names:
 
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the
+  library `Frob' (a library for tweaking knobs) written by James Random Hacker.
 
-  <signature of Ty Coon>, 1 April 1989
+  <signature of Ty Coon>, 1 April 1990
   Ty Coon, President of Vice
 
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.
+That's all there is to it!

MANIFEST.in

@@ -11,3 +11,4 @@ recursive-include docs *.py
 recursive-include docs *.rst
 recursive-include docs Makefile
 recursive-include sshuttle *.py
+recursive-exclude docs/_build *

README.rst

@@ -23,25 +23,81 @@ common case:
 
 - You can't use openssh's PermitTunnel feature because
   it's disabled by default on openssh servers; plus it does
-  TCP-over-TCP, which has terrible performance (see below).
-
+  TCP-over-TCP, which has `terrible performance`_.
+  
+.. _terrible performance: https://sshuttle.readthedocs.io/en/stable/how-it-works.html
 
 Obtaining sshuttle
 ------------------
 
+- Debian stretch or later::
+
+      apt-get install sshuttle
+      
+- Arch Linux::
+
+      pacman -S sshuttle
+
+- Fedora::
+
+      dnf install sshuttle
+
+- NixOS::
+
+      nix-env -iA nixos.sshuttle
+
 - From PyPI::
 
-      pip install sshuttle
+      sudo pip install sshuttle
 
 - Clone::
 
       git clone https://github.com/sshuttle/sshuttle.git
+      cd sshuttle
+      sudo ./setup.py install
+
+- FreeBSD::
+
+      # ports
+      cd /usr/ports/net/py-sshuttle && make install clean
+      # pkg
+      pkg install py36-sshuttle
+
+It is also possible to install into a virtualenv as a non-root user.
+
+- From PyPI::
+
+      virtualenv -p python3 /tmp/sshuttle
+      . /tmp/sshuttle/bin/activate
+      pip install sshuttle
+
+- Clone::
+
+      virtualenv -p python3 /tmp/sshuttle
+      . /tmp/sshuttle/bin/activate
+      git clone https://github.com/sshuttle/sshuttle.git
+      cd sshuttle
       ./setup.py install
 
+- Homebrew::
+
+      brew install sshuttle
+
+- Nix::
+
+      nix-env -iA nixpkgs.sshuttle
+
+
 Documentation
 -------------
 The documentation for the stable version is available at:
-http://sshuttle.readthedocs.org/
+https://sshuttle.readthedocs.org/
 
 The documentation for the latest development version is available at:
-http://sshuttle.readthedocs.org/en/latest/
+https://sshuttle.readthedocs.org/en/latest/
+
+
+Running as a service
+--------------------
+Sshuttle can also be run as a service and configured using a config management system: 
+https://medium.com/@mike.reider/using-sshuttle-as-a-service-bec2684a65fe

bandit.yml

@@ -0,0 +1,9 @@
+exclude_dirs:
+  - tests
+skips:
+  - B101
+  - B104
+  - B404
+  - B603
+  - B606
+  - B607

bin/sudoers-add

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# William Mantly <wmantly@gmail.com>
+# MIT License
+# https://github.com/wmantly/sudoers-add
+
+NEWLINE=$'\n'
+CONTENT=""
+ME="$(basename "$(test -L "$0" && readlink "$0" || echo "$0")")"
+
+if [ "$1" == "--help" ] || [ "$1" == "-h" ]; then
+	echo "Usage: $ME [file_path] [sudoers-file-name]"
+	echo "Usage: [content] | $ME sudoers-file-name"
+	echo "This will take a sudoers config validate it and add it to /etc/sudoers.d/{sudoers-file-name}"
+	echo "The config can come from a file, first usage example or piped in second example."
+
+	exit 0
+fi
+
+if [ "$1" == "" ]; then
+	(>&2 echo "This command take at lest one argument. See $ME --help")
+
+	exit 1	
+fi
+
+if [ "$2" == "" ]; then
+	FILE_NAME=$1
+	shift
+else
+	FILE_NAME=$2
+fi
+
+if [[ $EUID -ne 0 ]]; then
+	echo "This script must be run as root"
+
+	exit 1
+fi
+
+while read -r line
+do
+	CONTENT+="${line}${NEWLINE}"
+done < "${1:-/dev/stdin}"
+
+if [ "$CONTENT" == "" ]; then
+	(>&2 echo "No config content specified. See $ME --help")
+	exit 1
+fi
+
+if [ "$FILE_NAME" == "" ]; then
+	(>&2 echo "No sudoers file name specified. See $ME --help")
+	exit 1
+fi
+
+# Make a temp file to hold the sudoers config
+umask 077
+TEMP_FILE=$(mktemp)
+echo "$CONTENT" > "$TEMP_FILE"
+
+# Make sure the content is valid
+visudo_STDOUT=$(visudo -c -f "$TEMP_FILE" 2>&1)
+visudo_code=$?
+# The temp file is no longer needed
+rm "$TEMP_FILE"
+
+if [ $visudo_code -eq 0 ]; then
+	echo "$CONTENT" > "/etc/sudoers.d/$FILE_NAME"
+	chmod 0440 "/etc/sudoers.d/$FILE_NAME"
+	echo "The sudoers file /etc/sudoers.d/$FILE_NAME has been successfully created!"
+
+	exit 0
+else
+	echo "Invalid sudoers config!"
+	echo "$visudo_STDOUT"
+
+	exit 1
+fi
+

docs/changes.rst

@@ -1,4 +1 @@
-Changelog
----------
-
 .. include:: ../CHANGES.rst

docs/chromeos.rst

@@ -0,0 +1,12 @@
+Google ChromeOS
+===============
+
+Currently there is no built in support for running sshuttle directly on
+Google ChromeOS/Chromebooks.
+
+What we can really do is to create a Linux VM with Crostini.  In the default
+stretch/Debian 9 VM, you can then install sshuttle as on any Linux box and
+it just works, as do xterms and ssvncviewer etc.
+
+https://www.reddit.com/r/Crostini/wiki/getstarted/crostini-setup-guide
+

docs/conf.py

@@ -13,8 +13,10 @@
 # All configuration values have a default; values that are commented out
 # serve to show the default.
 
-# import sys
-# import os
+import sys
+import os
+sys.path.insert(0, os.path.abspath('..'))
+import sshuttle.version  # NOQA
 
 # If extensions (or modules to document with autodoc) are in another directory,
 # add these directories to sys.path here. If the directory is relative to the
@@ -53,11 +55,10 @@ copyright = '2016, Brian May'
 # |version| and |release|, also used in various other places throughout the
 # built documents.
 #
-# The short X.Y version.
-from setuptools_scm import get_version
-version = get_version(root="..")
 # The full version, including alpha/beta/rc tags.
-release = version
+release = sshuttle.version.version
+# The short X.Y version.
+version = '.'.join(release.split('.')[:2])
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/installation.rst

@@ -5,7 +5,18 @@ Installation
 
       pip install sshuttle
 
+- Debain package manager::
+		sudo apt install sshuttle
+
 - Clone::
 
       git clone https://github.com/sshuttle/sshuttle.git
+      cd sshuttle
       ./setup.py install
+
+
+Optionally after installation
+-----------------------------
+
+- Add to sudoers file
+		sshuttle --sudoers

docs/manpage.rst

@@ -11,7 +11,7 @@ Description
 -----------
 :program:`sshuttle` allows you to create a VPN connection from your
 machine to any remote server that you can connect to via
-ssh, as long as that server has python 2.3 or higher.
+ssh, as long as that server has python 3.5 or higher.
 
 To work, you must have root access on the local machine,
 but you can have a normal account on the server.
@@ -28,22 +28,29 @@ Options
 -------
 .. program:: sshuttle
 
-.. option:: subnets
+.. option:: <subnets>
 
     A list of subnets to route over the VPN, in the form
-    ``a.b.c.d[/width]``.  Valid examples are 1.2.3.4 (a
+    ``a.b.c.d[/width][port[-port]]``.  Valid examples are 1.2.3.4 (a
     single IP address), 1.2.3.4/32 (equivalent to 1.2.3.4),
     1.2.3.0/24 (a 24-bit subnet, ie. with a 255.255.255.0
     netmask), and 0/0 ('just route everything through the
-    VPN').
+    VPN'). Any of the previous examples are also valid if you append
+    a port or a port range, so 1.2.3.4:8000 will only tunnel traffic
+    that has as the destination port 8000 of 1.2.3.4 and 
+    1.2.3.0/24:8000-9000 will tunnel traffic going to any port between
+    8000 and 9000 (inclusive) for all IPs in the 1.2.3.0/24 subnet.
+    It is also possible to use a name in which case the first IP it resolves
+    to during startup will be routed over the VPN. Valid examples are
+    example.com, example.com:8000 and example.com:8000-9000.
 
-.. option:: --method [auto|nat|tproxy|pf]
+.. option:: --method <auto|nat|nft|tproxy|pf>
 
    Which firewall method should sshuttle use? For auto, sshuttle attempts to
    guess the appropriate method depending on what it can find in PATH. The
    default value is auto.
 
-.. option:: -l, --listen=[ip:]port
+.. option:: -l <[ip:]port>, --listen=<[ip:]port>
 
     Use this ip address and port number as the transparent
     proxy port.  By default :program:`sshuttle` finds an available
@@ -54,9 +61,11 @@ Options
     connections from other machines on your network (ie. to
     run :program:`sshuttle` on a router) try enabling IP Forwarding in
     your kernel, then using ``--listen 0.0.0.0:0``.
+    You can use any name resolving to an IP address of the machine running
+    :program:`sshuttle`, e.g. ``--listen localhost``.
 
-    For the tproxy method this can be an IPv6 address. Use this option twice if
-    required, to provide both IPv4 and IPv6 addresses.
+    For the tproxy and pf methods this can be an IPv6 address. Use this option 
+    twice if required, to provide both IPv4 and IPv6 addresses.
 
 .. option:: -H, --auto-hosts
 
@@ -85,7 +94,30 @@ Options
 .. option:: --dns
 
     Capture local DNS requests and forward to the remote DNS
-    server.
+    server. All queries to any of the local system's DNS
+    servers (/etc/resolv.conf) will be intercepted and
+    resolved on the remote side of the tunnel instead, there
+    using the DNS specified via the :option:`--to-ns` option,
+    if specified.
+
+.. option:: --ns-hosts=<server1[,server2[,server3[...]]]>
+
+    Capture local DNS requests to the specified server(s)
+    and forward to the remote DNS server. Contrary to the
+    :option:`--dns` option, this flag allows to specify the
+    DNS server(s) the queries to which to intercept,
+    instead of intercepting all DNS traffic on the local
+    machine. This can be useful when only certain DNS
+    requests should be resolved on the remote side of the
+    tunnel, e.g. in combination with dnsmasq.
+
+.. option:: --to-ns=<server>
+
+    The DNS to forward requests to when remote DNS
+    resolution is enabled. If not given, sshuttle will
+    simply resolve using the system configured resolver on
+    the remote side (via /etc/resolv.conf on the remote
+    side).
 
 .. option:: --python
 
@@ -93,14 +125,14 @@ Options
     The default is just ``python``, which means to use the
     default python interpreter on the remote system's PATH.
 
-.. option:: -r, --remote=[username@]sshserver[:port]
+.. option:: -r <[username@]sshserver[:port]>, --remote=<[username@]sshserver[:port]>
 
     The remote hostname and optional username and ssh
     port number to use for connecting to the remote server.
     For example, example.com, testuser@example.com,
     testuser@example.com:2222, or example.com:2244.
 
-.. option:: -x, --exclude=subnet
+.. option:: -x <subnet>, --exclude=<subnet>
 
     Explicitly exclude this subnet from forwarding.  The
     format of this option is the same as the ``<subnets>``
@@ -109,7 +141,7 @@ Options
     ``0/0 -x 1.2.3.0/24`` to forward everything except the
     local subnet over the VPN, for example.
 
-.. option:: -X, --exclude-from=file
+.. option:: -X <file>, --exclude-from=<file>
 
     Exclude the subnets specified in a file, one subnet per
     line. Useful when you have lots of subnets to exclude.
@@ -136,6 +168,10 @@ Options
     if you use this option to give it a few names to start
     from.
 
+    If this option is used *without* :option:`--auto-hosts`,
+    then the listed hostnames will be scanned and added, but
+    no further hostnames will be added.
+
 .. option:: --no-latency-control
 
     Sacrifice latency to improve bandwidth benchmarks. ssh
@@ -153,6 +189,13 @@ Options
     control feature, maximizing bandwidth usage.  Use at
     your own risk.
 
+.. option:: --latency-buffer-size
+
+    Set the size of the buffer used in latency control. The
+    default is ``32768``. Changing this option allows a compromise
+    to be made between latency and bandwidth without completely
+    disabling latency control (with :option:`--no-latency-control`).
+
 .. option:: -D, --daemon
 
     Automatically fork into the background after connecting
@@ -164,7 +207,7 @@ Options
     :manpage:`syslog(3)` service instead of stderr.  This is
     implicit if you use :option:`--daemon`.
 
-.. option:: --pidfile=pidfilename
+.. option:: --pidfile=<pidfilename>
 
     when using :option:`--daemon`, save :program:`sshuttle`'s pid to
     *pidfilename*.  The default is ``sshuttle.pid`` in the
@@ -172,7 +215,7 @@ Options
 
 .. option:: --disable-ipv6
 
-    If using the tproxy method, this will disable IPv6 support.
+    If using tproxy or pf methods, this will disable IPv6 support.
 
 .. option:: --firewall
 
@@ -191,6 +234,56 @@ Options
     makes it a lot easier to debug and test the :option:`--auto-hosts`
     feature.
 
+.. option:: --sudoers
+
+    sshuttle will auto generate the proper sudoers.d config file and add it.
+    Once this is completed, sshuttle will exit and tell the user if
+    it succeed or not. Do not call this options with sudo, it may generate a
+    incorrect config file.
+
+.. option:: --sudoers-no-modify
+
+    sshuttle will auto generate the proper sudoers.d config and print it to
+    stdout. The option will not modify the system at all.
+
+.. option:: --sudoers-user
+
+    Set the user name or group with %group_name for passwordless operation.
+    Default is the current user.set ALL for all users. Only works with
+    --sudoers or --sudoers-no-modify option.
+
+.. option:: --sudoers-filename
+
+    Set the file name for the sudoers.d file to be added. Default is
+    "sshuttle_auto". Only works with --sudoers.
+
+.. option:: --version
+
+    Print program version.
+
+
+Configuration File
+------------------
+All the options described above can optionally be specified in a configuration
+file.
+
+To run :program:`sshuttle` with options defined in, e.g., `/etc/sshuttle.conf`
+just pass the path to the file preceded by the `@` character, e.g.
+`@/etc/sshuttle.conf`.
+
+When running :program:`sshuttle` with options defined in a configuration file,
+options can still be passed via the command line in addition to what is
+defined in the file. If a given option is defined both in the file and in
+the command line, the value in the command line will take precedence.
+
+Arguments read from a file must be one per line, as shown below::
+
+    value
+    --option1
+    value1
+    --option2
+    value2
+
 
 Examples
 --------
@@ -240,6 +333,24 @@ and subnet guessing::
     c : Keyboard interrupt: exiting.
     c : SW#6:192.168.42.121:60554: deleting
 
+Run :program:`sshuttle` with a `/etc/sshuttle.conf` configuration file::
+
+    $ sshuttle @/etc/sshuttle.conf
+
+Use the options defined in `/etc/sshuttle.conf` but be more verbose::
+
+    $ sshuttle @/etc/sshuttle.conf -vvv
+
+Override the remote server defined in `/etc/sshuttle.conf`::
+
+    $ sshuttle @/etc/sshuttle.conf -r otheruser@test.example.com
+
+Example configuration file::
+
+    192.168.0.0/16
+    --remote
+    user@example.com
+
 
 Discussion
 ----------

docs/openwrt.rst

@@ -0,0 +1,8 @@
+OpenWRT
+========
+
+Run::
+
+    opkg install python3 python3-pip iptables-mod-nat-extra iptables-mod-ipopt
+    python3 /usr/bin/pip3 install sshuttle
+    sshuttle -l 0.0.0.0 -r <IP> -x 192.168.1.1 0/0

docs/overview.rst

@@ -4,7 +4,7 @@ Overview
 As far as I know, sshuttle is the only program that solves the following
 common case:
 
-- Your client machine (or router) is Linux, FreeBSD, or MacOS.
+- Your client machine (or router) is Linux, MacOS, FreeBSD, OpenBSD or pfSense.
 
 - You have access to a remote network via ssh.
 

docs/platform.rst

@@ -6,5 +6,7 @@ Contents:
 .. toctree::
    :maxdepth: 2
 
+   chromeos
    tproxy
    windows
+   openwrt

docs/requirements.rst

@@ -6,7 +6,7 @@ Client side Requirements
 
 - sudo, or root access on your client machine.
   (The server doesn't need admin access.)
-- Python 2.7 or Python 3.5.
+- Python 3.5 or greater.
 
 
 Linux with NAT method
@@ -26,28 +26,23 @@ Linux with TPROXY method
 Supports:
 
 * IPv4 TCP
-* IPv4 UDP (requires ``recmsg`` - see below)
-* IPv6 DNS (requires ``recmsg`` - see below)
+* IPv4 UDP (requires ``recvmsg`` - see below)
+* IPv6 DNS (requires ``recvmsg`` - see below)
 * IPv6 TCP
-* IPv6 UDP (requires ``recmsg`` - see below)
-* IPv6 DNS (requires ``recmsg`` - see below)
-
-.. _PyXAPI: http://www.pps.univ-paris-diderot.fr/~ylg/PyXAPI/
-
-Full UDP or DNS support with the TPROXY method requires the ``recvmsg()``
-syscall. This is not available in Python 2, however is in Python 3.5 and
-later. Under Python 2 you might find it sufficient installing PyXAPI_ to get
-the ``recvmsg()`` function. See :doc:`tproxy` for more information.
+* IPv6 UDP (requires ``recvmsg`` - see below)
+* IPv6 DNS (requires ``recvmsg`` - see below)
 
 
-MacOS / FreeBSD / OpenBSD
-~~~~~~~~~~~~~~~~~~~~~~~~~
+MacOS / FreeBSD / OpenBSD / pfSense
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Method: pf
 
 Supports:
 
 * IPv4 TCP
 * IPv4 DNS
+* IPv6 TCP
+* IPv6 DNS
 
 Requires:
 
@@ -62,11 +57,28 @@ cmd.exe with Administrator access. See :doc:`windows` for more information.
 
 Server side Requirements
 ------------------------
-Python 2.7 or Python 3.5.
+
+- Python 3.5 or greater.
 
 
 Additional Suggested Software
 -----------------------------
 
-- You may want to use autossh, available in various package management
-  systems
+- If you are using systemd, sshuttle can notify it when the connection to
+  the remote end is established and the firewall rules are installed. For
+  this feature to work you must configure the process start-up type for the
+  sshuttle service unit to notify, as shown in the example below. 
+
+.. code-block:: ini
+   :emphasize-lines: 6
+
+   [Unit]
+   Description=sshuttle
+   After=network.target
+   
+   [Service]
+   Type=notify
+   ExecStart=/usr/bin/sshuttle --dns --remote <user>@<server> <subnets...>
+   
+   [Install]
+   WantedBy=multi-user.target

docs/usage.rst

@@ -20,6 +20,11 @@ Forward all traffic::
 
       sshuttle -r username@sshserver 0/0
 
+
+- For 'My VPN broke and need a temporary solution FAST to access local IPv4 addresses'::
+
+      sshuttle --dns -NHr username@sshserver 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+
 If you would also like your DNS queries to be proxied
 through the DNS server of the server you are connect to::
 
@@ -60,3 +65,46 @@ the data back and forth through ssh.
 Fun, right?  A poor man's instant VPN, and you don't even have to have
 admin access on the server.
 
+Sudoers File
+------------
+sshuttle can auto-generate the proper sudoers.d file using the current user 
+for Linux and OSX. Doing this will allow sshuttle to run without asking for
+the local sudo password and to give users who do not have sudo access
+ability to run sshuttle::
+
+  sshuttle --sudoers
+
+DO NOT run this command with sudo, it will ask for your sudo password when
+it is needed.
+
+A costume user or group can be set with the :
+option:`sshuttle --sudoers --sudoers-username {user_descriptor}` option. Valid
+values for this vary based on how your system is configured. Values such as 
+usernames, groups pre-pended with `%` and sudoers user aliases will work. See
+the sudoers manual for more information on valid user specif actions.
+The options must be used with `--sudoers`::
+
+  sshuttle --sudoers --sudoers-user mike
+  sshuttle --sudoers --sudoers-user %sudo
+
+The name of the file to be added to sudoers.d can be configured as well. This
+is mostly not necessary but can be useful for giving more than one user
+access to sshuttle. The default is `sshuttle_auto`::
+
+  sshuttle --sudoer --sudoers-filename sshuttle_auto_mike
+  sshuttle --sudoer --sudoers-filename sshuttle_auto_tommy
+
+You can also see what configuration will be added to your system without
+modifying anything. This can be helpfull is the auto feature does not work, or
+you want more control. This option also works with `--sudoers-username`.
+`--sudoers-filename` has no effect with this option::
+
+  sshuttle --sudoers-no-modify
+
+This will simply sprint the generated configuration to STDOUT. Example::
+
+  08:40 PM william$ sshuttle --sudoers-no-modify
+
+  Cmnd_Alias SSHUTTLE304 = /usr/bin/env PYTHONPATH=/usr/local/lib/python2.7/dist-packages/sshuttle-0.78.5.dev30+gba5e6b5.d20180909-py2.7.egg /usr/bin/python /usr/local/bin/sshuttle --method auto --firewall
+
+  william ALL=NOPASSWD: SSHUTTLE304

requirements-tests.txt

@@ -0,0 +1,7 @@
+-r requirements.txt
+attrs==19.3.0
+pytest==5.4.3
+pytest-cov==2.10.0
+mock==2.0.0
+flake8==3.8.3
+pyflakes==2.2.0

requirements.txt

@@ -1 +1 @@
-setuptools_scm
+setuptools-scm==4.1.2

run

@@ -1,6 +1,15 @@
-#!/bin/sh
-if python3.5 -V 2>/dev/null; then
-	exec python3.5 -m "sshuttle" "$@"
-else
-	exec python -m "sshuttle" "$@"
-fi
+#!/usr/bin/env sh
+set -e
+export PYTHONPATH="$(dirname $0):$PYTHONPATH"
+export PATH="$(dirname $0)/bin:$PATH"
+
+python_best_version() {
+  if [ -x "$(command -v python3)" ] &&
+      python3 -c "import sys; sys.exit(not sys.version_info > (3, 5))"; then
+    exec python3 "$@"
+  else
+    exec python "$@"
+  fi
+}
+
+python_best_version -m "sshuttle" "$@"

setup.cfg

@@ -0,0 +1,17 @@
+[aliases]
+test=pytest
+
+[bdist_wheel]
+universal = 1
+
+[upload]
+sign=true
+identity=0x1784577F811F6EAC
+
+[flake8]
+count=true
+show-source=true
+statistics=true
+
+[tool:pytest]
+addopts = --cov=sshuttle --cov-branch --cov-report=term-missing

setup.py

@@ -2,20 +2,20 @@
 
 # Copyright 2012-2014 Brian May
 #
-# This file is part of python-tldap.
+# This file is part of sshuttle.
 #
-# python-tldap is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
+# sshuttle is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2.1 of
+# the License, or (at your option) any later version.
 #
-# python-tldap is distributed in the hope that it will be useful,
+# sshuttle is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with python-tldap  If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with sshuttle; If not, see <http://www.gnu.org/licenses/>.
 
 from setuptools import setup, find_packages
 
@@ -25,6 +25,7 @@ def version_scheme(version):
     version = guess_next_dev_version(version)
     return version.lstrip("v")
 
+
 setup(
     name="sshuttle",
     use_scm_version={
@@ -38,24 +39,35 @@ setup(
     author_email='brian@linuxpenguins.xyz',
     description='Full-featured" VPN over an SSH tunnel',
     packages=find_packages(),
-    license="GPL2+",
+    license="LGPL2.1+",
     long_description=open('README.rst').read(),
+    long_description_content_type="text/x-rst",
     classifiers=[
         "Development Status :: 5 - Production/Stable",
         "Intended Audience :: Developers",
         "Intended Audience :: End Users/Desktop",
         "License :: OSI Approved :: "
-            "GNU General Public License v2 or later (GPLv2+)",
+            "GNU Lesser General Public License v2 or later (LGPLv2+)",
         "Operating System :: OS Independent",
-        "Programming Language :: Python :: 2.7",
         "Programming Language :: Python :: 3.5",
+        "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
         "Topic :: System :: Networking",
     ],
+    scripts=['bin/sudoers-add'],
     entry_points={
         'console_scripts': [
             'sshuttle = sshuttle.cmdline:main',
         ],
     },
-    tests_require=['pytest', 'mock'],
+    python_requires='>=3.5',
+    tests_require=[
+        'pytest',
+        'pytest-cov',
+        'pytest-runner',
+        'mock',
+        'flake8',
+    ],
     keywords="ssh vpn",
 )

sshuttle/__init__.py

@@ -0,0 +1,4 @@
+try:
+    from sshuttle.version import version as __version__
+except ImportError:
+    __version__ = "unknown"

sshuttle/assembler.py

@@ -1,26 +1,28 @@
 import sys
 import zlib
-import imp
+import types
 
+verbosity = verbosity  # noqa: F821 must be a previously defined global
 z = zlib.decompressobj()
 while 1:
-    name = stdin.readline().strip()
+    name = sys.stdin.readline().strip()
     if name:
         name = name.decode("ASCII")
 
-        nbytes = int(stdin.readline())
+        nbytes = int(sys.stdin.readline())
         if verbosity >= 2:
             sys.stderr.write('server: assembling %r (%d bytes)\n'
                              % (name, nbytes))
-        content = z.decompress(stdin.read(nbytes))
+        content = z.decompress(sys.stdin.read(nbytes))
 
-        module = imp.new_module(name)
-        parent, _, parent_name = name.rpartition(".")
-        if parent != "":
+        module = types.ModuleType(name)
+        parents = name.rsplit(".", 1)
+        if len(parents) == 2:
+            parent, parent_name = parents
             setattr(sys.modules[parent], parent_name, module)
 
         code = compile(content, name, "exec")
-        exec(code, module.__dict__)
+        exec(code, module.__dict__)  # nosec
         sys.modules[name] = module
     else:
         break
@@ -28,9 +30,12 @@ while 1:
 sys.stderr.flush()
 sys.stdout.flush()
 
-import sshuttle.helpers
+# import can only happen once the code has been transferred to
+# the server. 'noqa: E402' excludes these lines from QA checks.
+import sshuttle.helpers  # noqa: E402
 sshuttle.helpers.verbose = verbosity
 
-import sshuttle.cmdline_options as options
-from sshuttle.server import main
-main(options.latency_control)
+import sshuttle.cmdline_options as options  # noqa: E402
+from sshuttle.server import main  # noqa: E402
+main(options.latency_control, options.auto_hosts, options.to_nameserver,
+     options.auto_nets)

sshuttle/client.py

@@ -1,22 +1,41 @@
-import socket
 import errno
 import re
 import signal
 import time
 import subprocess as ssubprocess
-import sshuttle.helpers as helpers
 import os
+import sys
+import platform
+
+import sshuttle.helpers as helpers
 import sshuttle.ssnet as ssnet
 import sshuttle.ssh as ssh
 import sshuttle.ssyslog as ssyslog
-import sys
-import platform
+import sshuttle.sdnotify as sdnotify
 from sshuttle.ssnet import SockWrapper, Handler, Proxy, Mux, MuxWrapper
 from sshuttle.helpers import log, debug1, debug2, debug3, Fatal, islocal, \
     resolvconf_nameservers
 from sshuttle.methods import get_method, Features
+try:
+    from pwd import getpwnam
+except ImportError:
+    getpwnam = None
 
-_extra_fd = os.open('/dev/null', os.O_RDONLY)
+try:
+    # try getting recvmsg from python
+    import socket as pythonsocket
+    getattr(pythonsocket.socket, "recvmsg")
+    socket = pythonsocket
+except AttributeError:
+    # try getting recvmsg from socket_ext library
+    try:
+        import socket_ext
+        getattr(socket_ext.socket, "recvmsg")
+        socket = socket_ext
+    except ImportError:
+        import socket
+
+_extra_fd = os.open(os.devnull, os.O_RDONLY)
 
 
 def got_signal(signum, frame):
@@ -76,7 +95,7 @@ def daemonize():
     # be deleted.
     signal.signal(signal.SIGTERM, got_signal)
 
-    si = open('/dev/null', 'r+')
+    si = open(os.devnull, 'r+')
     os.dup2(si.fileno(), 0)
     os.dup2(si.fileno(), 1)
     si.close()
@@ -94,8 +113,8 @@ def daemon_cleanup():
 
 class MultiListener:
 
-    def __init__(self, type=socket.SOCK_STREAM, proto=0):
-        self.type = type
+    def __init__(self, kind=socket.SOCK_STREAM, proto=0):
+        self.type = kind
         self.proto = proto
         self.v6 = None
         self.v4 = None
@@ -143,13 +162,11 @@ class MultiListener:
         self.bind_called = True
         if address_v6 is not None:
             self.v6 = socket.socket(socket.AF_INET6, self.type, self.proto)
-            self.v6.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
             self.v6.bind(address_v6)
         else:
             self.v6 = None
         if address_v4 is not None:
             self.v4 = socket.socket(socket.AF_INET, self.type, self.proto)
-            self.v4.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
             self.v4.bind(address_v4)
         else:
             self.v4 = None
@@ -168,7 +185,7 @@ class MultiListener:
 
 class FirewallClient:
 
-    def __init__(self, method_name):
+    def __init__(self, method_name, sudo_pythonpath):
         self.auto_nets = []
         python_path = os.path.dirname(os.path.dirname(__file__))
         argvbase = ([sys.executable, sys.argv[0]] +
@@ -177,11 +194,15 @@ class FirewallClient:
                     ['--firewall'])
         if ssyslog._p:
             argvbase += ['--syslog']
-        argv_tries = [
-            ['sudo', '-p', '[local sudo] Password: ',
-                ('PYTHONPATH=%s' % python_path), '--'] + argvbase,
-            argvbase
-        ]
+        # Default to sudo unless on OpenBSD in which case use built in `doas`
+        if platform.platform().startswith('OpenBSD'):
+            elev_prefix = ['doas']
+        else:
+            elev_prefix = ['sudo', '-p', '[local sudo] Password: ']
+        if sudo_pythonpath:
+            elev_prefix += ['/usr/bin/env',
+                            'PYTHONPATH=%s' % python_path]
+        argv_tries = [elev_prefix + argvbase, argvbase]
 
         # we can't use stdin/stdout=subprocess.PIPE here, as we normally would,
         # because stupid Linux 'su' requires that stdin be attached to a tty.
@@ -200,18 +221,14 @@ class FirewallClient:
                 if argv[0] == 'su':
                     sys.stderr.write('[local su] ')
                 self.p = ssubprocess.Popen(argv, stdout=s1, preexec_fn=setup)
+                # No env: Talking to `FirewallClient.start`, which has no i18n.
                 e = None
                 break
-            except OSError as e:
+            except OSError:
                 pass
         self.argv = argv
         s1.close()
-        if sys.version_info < (3, 0):
-            # python 2.7
-            self.pfile = s2.makefile('wb+')
-        else:
-            # python 3.5
-            self.pfile = s2.makefile('rwb')
+        self.pfile = s2.makefile('rwb')
         if e:
             log('Spawning firewall manager: %r\n' % self.argv)
             raise Fatal(e)
@@ -224,7 +241,8 @@ class FirewallClient:
         self.method.set_firewall(self)
 
     def setup(self, subnets_include, subnets_exclude, nslist,
-              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4, udp):
+              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4, udp,
+              user):
         self.subnets_include = subnets_include
         self.subnets_exclude = subnets_exclude
         self.nslist = nslist
@@ -233,6 +251,7 @@ class FirewallClient:
         self.dnsport_v6 = dnsport_v6
         self.dnsport_v4 = dnsport_v4
         self.udp = udp
+        self.user = user
 
     def check(self):
         rv = self.p.poll()
@@ -241,12 +260,15 @@ class FirewallClient:
 
     def start(self):
         self.pfile.write(b'ROUTES\n')
-        for (family, ip, width) in self.subnets_include + self.auto_nets:
-            self.pfile.write(b'%d,%d,0,%s\n'
-                             % (family, width, ip.encode("ASCII")))
-        for (family, ip, width) in self.subnets_exclude:
-            self.pfile.write(b'%d,%d,1,%s\n'
-                             % (family, width, ip.encode("ASCII")))
+        for (family, ip, width, fport, lport) \
+                in self.subnets_include + self.auto_nets:
+            self.pfile.write(b'%d,%d,0,%s,%d,%d\n' % (family, width,
+                                                      ip.encode("ASCII"),
+                                                      fport, lport))
+        for (family, ip, width, fport, lport) in self.subnets_exclude:
+            self.pfile.write(b'%d,%d,1,%s,%d,%d\n' % (family, width,
+                                                      ip.encode("ASCII"),
+                                                      fport, lport))
 
         self.pfile.write(b'NSLIST\n')
         for (family, ip) in self.nslist:
@@ -261,8 +283,14 @@ class FirewallClient:
         udp = 0
         if self.udp:
             udp = 1
+        if self.user is None:
+            user = b'-'
+        elif isinstance(self.user, str):
+            user = bytes(self.user, 'utf-8')
+        else:
+            user = b'%d' % self.user
 
-        self.pfile.write(b'GO %d\n' % udp)
+        self.pfile.write(b'GO %d %s\n' % (udp, user))
         self.pfile.flush()
 
         line = self.pfile.readline()
@@ -271,8 +299,8 @@ class FirewallClient:
             raise Fatal('%r expected STARTED, got %r' % (self.argv, line))
 
     def sethostip(self, hostname, ip):
-        assert(not re.search(b'[^-\w]', hostname))
-        assert(not re.search(b'[^0-9.]', ip))
+        assert(not re.search(rb'[^-\w\.]', hostname))
+        assert(not re.search(rb'[^0-9.]', ip))
         self.pfile.write(b'HOST %s,%s\n' % (hostname, ip))
         self.pfile.flush()
 
@@ -323,7 +351,7 @@ def onaccept_tcp(listener, method, mux, handlers):
                 sock, srcip = listener.accept()
                 sock.close()
             finally:
-                _extra_fd = os.open('/dev/null', os.O_RDONLY)
+                _extra_fd = os.open(os.devnull, os.O_RDONLY)
             return
         else:
             raise
@@ -362,7 +390,7 @@ def onaccept_udp(listener, method, mux, handlers):
     srcip, dstip, data = t
     debug1('Accept UDP: %r -> %r.\n' % (srcip, dstip,))
     if srcip in udp_by_src:
-        chan, timeout = udp_by_src[srcip]
+        chan, _ = udp_by_src[srcip]
     else:
         chan = mux.next_channel()
         mux.channels[chan] = lambda cmd, data: udp_done(
@@ -400,7 +428,8 @@ def ondns(listener, method, mux, handlers):
 
 def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
           python, latency_control,
-          dns_listener, seed_hosts, auto_nets, daemon):
+          dns_listener, seed_hosts, auto_hosts, auto_nets, daemon,
+          to_nameserver):
 
     debug1('Starting client with Python version %s\n'
            % platform.python_version())
@@ -418,13 +447,16 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
         (serverproc, serversock) = ssh.connect(
             ssh_cmd, remotename, python,
             stderr=ssyslog._p and ssyslog._p.stdin,
-            options=dict(latency_control=latency_control))
+            options=dict(latency_control=latency_control,
+                         auto_hosts=auto_hosts,
+                         to_nameserver=to_nameserver,
+                         auto_nets=auto_nets))
     except socket.error as e:
         if e.args[0] == errno.EPIPE:
             raise Fatal("failed to establish ssh session (1)")
         else:
             raise
-    mux = Mux(serversock, serversock)
+    mux = Mux(serversock.makefile("rb"), serversock.makefile("wb"))
     handlers.append(mux)
 
     expected = b'SSHUTTLE0001'
@@ -459,6 +491,8 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
     def onroutes(routestr):
         if auto_nets:
             for line in routestr.strip().split(b'\n'):
+                if not line:
+                    continue
                 (family, ip, width) = line.split(b',', 2)
                 family = int(family)
                 width = int(width)
@@ -469,7 +503,7 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                     debug2("Ignored auto net %d/%s/%d\n" % (family, ip, width))
                 else:
                     debug2("Adding auto net %d/%s/%d\n" % (family, ip, width))
-                    fw.auto_nets.append((family, ip, width))
+                    fw.auto_nets.append((family, ip, width, 0, 0))
 
         # we definitely want to do this *after* starting ssh, or we might end
         # up intercepting the ssh connection!
@@ -479,9 +513,14 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
         # set --auto-nets, we might as well wait for the message first, then
         # ignore its contents.
         mux.got_routes = None
-        fw.start()
+        serverready()
+
     mux.got_routes = onroutes
 
+    def serverready():
+        fw.start()
+        sdnotify.send(sdnotify.ready(), sdnotify.status('Connected'))
+
     def onhostlist(hostlist):
         debug2('got host list: %r\n' % hostlist)
         for line in hostlist.strip().split():
@@ -514,8 +553,9 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
 
 def main(listenip_v6, listenip_v4,
          ssh_cmd, remotename, python, latency_control, dns, nslist,
-         method_name, seed_hosts, auto_nets,
-         subnets_include, subnets_exclude, daemon, pidfile):
+         method_name, seed_hosts, auto_hosts, auto_nets,
+         subnets_include, subnets_exclude, daemon, to_nameserver, pidfile,
+         user, sudo_pythonpath):
 
     if daemon:
         try:
@@ -525,11 +565,16 @@ def main(listenip_v6, listenip_v4,
             return 5
     debug1('Starting sshuttle proxy.\n')
 
-    fw = FirewallClient(method_name)
+    fw = FirewallClient(method_name, sudo_pythonpath)
 
     # Get family specific subnet lists
     if dns:
         nslist += resolvconf_nameservers()
+        if to_nameserver is not None:
+            to_nameserver = "%s@%s" % tuple(to_nameserver[1:])
+    else:
+        # option doesn't make sense if we aren't proxying dns
+        to_nameserver = None
 
     subnets = subnets_include + subnets_exclude  # we don't care here
     subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
@@ -547,10 +592,29 @@ def main(listenip_v6, listenip_v4,
         else:
             listenip_v6 = None
 
-    required.ipv6 = len(subnets_v6) > 0 or len(nslist_v6) > 0 \
-        or listenip_v6 is not None
+    if user is not None:
+        if getpwnam is None:
+            raise Fatal("Routing by user not available on this system.")
+        try:
+            user = getpwnam(user).pw_uid
+        except KeyError:
+            raise Fatal("User %s does not exist." % user)
+
+    if fw.method.name != 'nat':
+        required.ipv6 = len(subnets_v6) > 0 or listenip_v6 is not None
+        required.ipv4 = len(subnets_v4) > 0 or listenip_v4 is not None
+    else:
+        required.ipv6 = None
+        required.ipv4 = None
+
     required.udp = avail.udp
     required.dns = len(nslist) > 0
+    required.user = False if user is None else True
+
+    # if IPv6 not supported, ignore IPv6 DNS servers
+    if not required.ipv6:
+        nslist_v6 = []
+        nslist = nslist_v4
 
     fw.method.assert_features(required)
 
@@ -561,17 +625,29 @@ def main(listenip_v6, listenip_v4,
     debug1("IPv6 enabled: %r\n" % required.ipv6)
     debug1("UDP enabled: %r\n" % required.udp)
     debug1("DNS enabled: %r\n" % required.dns)
+    debug1("User enabled: %r\n" % required.user)
 
     # bind to required ports
     if listenip_v4 == "auto":
         listenip_v4 = ('127.0.0.1', 0)
 
+    if required.ipv4 and \
+            not any(listenip_v4[0] == sex[1] for sex in subnets_v4):
+        subnets_exclude.append((socket.AF_INET, listenip_v4[0], 32, 0, 0))
+
+    if required.ipv6 and \
+            not any(listenip_v6[0] == sex[1] for sex in subnets_v6):
+        subnets_exclude.append((socket.AF_INET6, listenip_v6[0], 128, 0, 0))
+
     if listenip_v6 and listenip_v6[1] and listenip_v4 and listenip_v4[1]:
         # if both ports given, no need to search for a spare port
         ports = [0, ]
     else:
         # if at least one port missing, we have to search
         ports = range(12300, 9000, -1)
+        # keep track of failed bindings and used ports to avoid trying to
+        # bind to the same socket address twice in different listeners
+        used_ports = []
 
     # search for free ports and try to bind
     last_e = None
@@ -613,10 +689,12 @@ def main(listenip_v6, listenip_v4,
             if udp_listener:
                 udp_listener.bind(lv6, lv4)
             bound = True
+            used_ports.append(port)
             break
         except socket.error as e:
             if e.errno == errno.EADDRINUSE:
                 last_e = e
+                used_ports.append(port)
             else:
                 raise e
 
@@ -636,6 +714,9 @@ def main(listenip_v6, listenip_v4,
         ports = range(12300, 9000, -1)
         for port in ports:
             debug2(' %d' % port)
+            if port in used_ports:
+                continue
+
             dns_listener = MultiListener(socket.SOCK_DGRAM)
 
             if listenip_v6:
@@ -655,10 +736,12 @@ def main(listenip_v6, listenip_v4,
             try:
                 dns_listener.bind(lv6, lv4)
                 bound = True
+                used_ports.append(port)
                 break
             except socket.error as e:
                 if e.errno == errno.EADDRINUSE:
                     last_e = e
+                    used_ports.append(port)
                 else:
                     raise e
         debug2('\n')
@@ -674,22 +757,22 @@ def main(listenip_v6, listenip_v4,
     # Last minute sanity checks.
     # These should never fail.
     # If these do fail, something is broken above.
-    if len(subnets_v6) > 0:
+    if subnets_v6:
         assert required.ipv6
         if redirectport_v6 == 0:
             raise Fatal("IPv6 subnets defined but not listening")
 
-    if len(nslist_v6) > 0:
+    if nslist_v6:
         assert required.dns
         assert required.ipv6
         if dnsport_v6 == 0:
             raise Fatal("IPv6 ns servers defined but not listening")
 
-    if len(subnets_v4) > 0:
+    if subnets_v4:
         if redirectport_v4 == 0:
             raise Fatal("IPv4 subnets defined but not listening")
 
-    if len(nslist_v4) > 0:
+    if nslist_v4:
         if dnsport_v4 == 0:
             raise Fatal("IPv4 ns servers defined but not listening")
 
@@ -703,19 +786,21 @@ def main(listenip_v6, listenip_v4,
     # start the firewall
     fw.setup(subnets_include, subnets_exclude, nslist,
              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4,
-             required.udp)
+             required.udp, user)
 
     # start the client process
     try:
         return _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                      python, latency_control, dns_listener,
-                     seed_hosts, auto_nets, daemon)
+                     seed_hosts, auto_hosts, auto_nets, daemon, to_nameserver)
     finally:
         try:
             if daemon:
                 # it's not our child anymore; can't waitpid
                 fw.p.returncode = 0
             fw.done()
+            sdnotify.send(sdnotify.stop())
+
         finally:
             if daemon:
                 daemon_cleanup()

sshuttle/cmdline.py

@@ -1,208 +1,77 @@
-import sys
 import re
 import socket
+import platform
 import sshuttle.helpers as helpers
-import sshuttle.options as options
 import sshuttle.client as client
 import sshuttle.firewall as firewall
 import sshuttle.hostwatch as hostwatch
 import sshuttle.ssyslog as ssyslog
+from sshuttle.options import parser, parse_ipport
 from sshuttle.helpers import family_ip_tuple, log, Fatal
-
-
-# 1.2.3.4/5 or just 1.2.3.4
-def parse_subnet4(s):
-    m = re.match(r'(\d+)(?:\.(\d+)\.(\d+)\.(\d+))?(?:/(\d+))?$', s)
-    if not m:
-        raise Fatal('%r is not a valid IP subnet format' % s)
-    (a, b, c, d, width) = m.groups()
-    (a, b, c, d) = (int(a or 0), int(b or 0), int(c or 0), int(d or 0))
-    if width is None:
-        width = 32
-    else:
-        width = int(width)
-    if a > 255 or b > 255 or c > 255 or d > 255:
-        raise Fatal('%d.%d.%d.%d has numbers > 255' % (a, b, c, d))
-    if width > 32:
-        raise Fatal('*/%d is greater than the maximum of 32' % width)
-    return(socket.AF_INET, '%d.%d.%d.%d' % (a, b, c, d), width)
-
-
-# 1:2::3/64 or just 1:2::3
-def parse_subnet6(s):
-    m = re.match(r'(?:([a-fA-F\d:]+))?(?:/(\d+))?$', s)
-    if not m:
-        raise Fatal('%r is not a valid IP subnet format' % s)
-    (net, width) = m.groups()
-    if width is None:
-        width = 128
-    else:
-        width = int(width)
-    if width > 128:
-        raise Fatal('*/%d is greater than the maximum of 128' % width)
-    return(socket.AF_INET6, net, width)
-
-
-# Subnet file, supporting empty lines and hash-started comment lines
-def parse_subnet_file(s):
-    try:
-        handle = open(s, 'r')
-    except OSError:
-        raise Fatal('Unable to open subnet file: %s' % s)
-
-    raw_config_lines = handle.readlines()
-    config_lines = []
-    for line_no, line in enumerate(raw_config_lines):
-        line = line.strip()
-        if len(line) == 0:
-            continue
-        if line[0] == '#':
-            continue
-        config_lines.append(line)
-
-    return config_lines
-
-
-# list of:
-# 1.2.3.4/5 or just 1.2.3.4
-# 1:2::3/64 or just 1:2::3
-def parse_subnets(subnets_str):
-    subnets = []
-    for s in subnets_str:
-        if ':' in s:
-            subnet = parse_subnet6(s)
-        else:
-            subnet = parse_subnet4(s)
-        subnets.append(subnet)
-    return subnets
-
-
-# 1.2.3.4:567 or just 1.2.3.4 or just 567
-def parse_ipport4(s):
-    s = str(s)
-    m = re.match(r'(?:(\d+)\.(\d+)\.(\d+)\.(\d+))?(?::)?(?:(\d+))?$', s)
-    if not m:
-        raise Fatal('%r is not a valid IP:port format' % s)
-    (a, b, c, d, port) = m.groups()
-    (a, b, c, d, port) = (int(a or 0), int(b or 0), int(c or 0), int(d or 0),
-                          int(port or 0))
-    if a > 255 or b > 255 or c > 255 or d > 255:
-        raise Fatal('%d.%d.%d.%d has numbers > 255' % (a, b, c, d))
-    if port > 65535:
-        raise Fatal('*:%d is greater than the maximum of 65535' % port)
-    if a is None:
-        a = b = c = d = 0
-    return ('%d.%d.%d.%d' % (a, b, c, d), port)
-
-
-# [1:2::3]:456 or [1:2::3] or 456
-def parse_ipport6(s):
-    s = str(s)
-    m = re.match(r'(?:\[([^]]*)])?(?::)?(?:(\d+))?$', s)
-    if not m:
-        raise Fatal('%s is not a valid IP:port format' % s)
-    (ip, port) = m.groups()
-    (ip, port) = (ip or '::', int(port or 0))
-    return (ip, port)
-
-
-def parse_list(list):
-    return re.split(r'[\s,]+', list.strip()) if list else []
-
-
-optspec = """
-sshuttle [-l [ip:]port] [-r [username@]sshserver[:port]] <subnets...>
-sshuttle --firewall <port> <subnets...>
-sshuttle --hostwatch
---
-l,listen=  transproxy to this ip address and port number
-H,auto-hosts scan for remote hostnames and update local /etc/hosts
-N,auto-nets  automatically determine subnets to route
-dns        capture local DNS requests and forward to the remote DNS server
-ns-hosts=  capture and forward remote DNS requests to the following servers
-method=    auto, nat, tproxy or pf
-python=    path to python interpreter on the remote server
-r,remote=  ssh hostname (and optional username) of remote sshuttle server
-x,exclude= exclude this subnet (can be used more than once)
-X,exclude-from=  exclude the subnets in a file (whitespace separated)
-v,verbose  increase debug message verbosity
-V,version  print the sshuttle version number and exit
-e,ssh-cmd= the command to use to connect to the remote [ssh]
-seed-hosts= with -H, use these hostnames for initial scan (comma-separated)
-no-latency-control  sacrifice latency to improve bandwidth benchmarks
-wrap=      restart counting channel numbers after this number (for testing)
-disable-ipv6 disables ipv6 support
-D,daemon   run in the background as a daemon
-s,subnets= file where the subnets are stored, instead of on the command line
-syslog     send log messages to syslog (default if you use --daemon)
-pidfile=   pidfile name (only if using --daemon) [./sshuttle.pid]
-server     (internal use only)
-firewall   (internal use only)
-hostwatch  (internal use only)
-"""
+from sshuttle.sudoers import sudoers
 
 
 def main():
-    o = options.Options(optspec)
-    (opt, flags, extra) = o.parse(sys.argv[1:])
+    opt = parser.parse_args()
+
+    if opt.sudoers or opt.sudoers_no_modify:
+        if platform.platform().startswith('OpenBSD'):
+            log('Automatic sudoers does not work on BSD')
+            exit(1)
+
+        if not opt.sudoers_filename:
+            log('--sudoers-file must be set or omited.')
+            exit(1)
+
+        sudoers(
+            user_name=opt.sudoers_user,
+            no_modify=opt.sudoers_no_modify,
+            file_name=opt.sudoers_filename
+        )
 
-    if opt.version:
-        from sshuttle.version import version
-        print(version)
-        return 0
     if opt.daemon:
         opt.syslog = 1
     if opt.wrap:
         import sshuttle.ssnet as ssnet
-        ssnet.MAX_CHANNEL = int(opt.wrap)
-    helpers.verbose = opt.verbose or 0
+        ssnet.MAX_CHANNEL = opt.wrap
+    if opt.latency_buffer_size:
+        import sshuttle.ssnet as ssnet
+        ssnet.LATENCY_BUFFER_SIZE = opt.latency_buffer_size
+    helpers.verbose = opt.verbose
 
     try:
         if opt.firewall:
-            if len(extra) != 0:
-                o.fatal('exactly zero arguments expected')
+            if opt.subnets or opt.subnets_file:
+                parser.error('exactly zero arguments expected')
             return firewall.main(opt.method, opt.syslog)
         elif opt.hostwatch:
-            return hostwatch.hw_main(extra)
+            return hostwatch.hw_main(opt.subnets, opt.auto_hosts)
         else:
-            if len(extra) < 1 and not opt.auto_nets and not opt.subnets:
-                o.fatal('at least one subnet, subnet file, or -N expected')
-            includes = extra
-            excludes = ['127.0.0.0/8']
-            for k, v in flags:
-                if k in ('-x', '--exclude'):
-                    excludes.append(v)
-                if k in ('-X', '--exclude-from'):
-                    excludes += open(v).read().split()
+            includes = opt.subnets + opt.subnets_file
+            excludes = opt.exclude
+            if not includes and not opt.auto_nets:
+                parser.error('at least one subnet, subnet file, '
+                             'or -N expected')
             remotename = opt.remote
             if remotename == '' or remotename == '-':
                 remotename = None
-            nslist = [family_ip_tuple(ns) for ns in parse_list(opt.ns_hosts)]
-            if opt.seed_hosts and not opt.auto_hosts:
-                o.fatal('--seed-hosts only works if you also use -H')
+            nslist = [family_ip_tuple(ns) for ns in opt.ns_hosts]
             if opt.seed_hosts:
                 sh = re.split(r'[\s,]+', (opt.seed_hosts or "").strip())
             elif opt.auto_hosts:
                 sh = []
             else:
                 sh = None
-            if opt.subnets:
-                includes = parse_subnet_file(opt.subnets)
-            if not opt.method:
-                method_name = "auto"
-            elif opt.method in ["auto", "nat", "tproxy", "pf"]:
-                method_name = opt.method
-            else:
-                o.fatal("method_name %s not supported" % opt.method)
             if opt.listen:
                 ipport_v6 = None
                 ipport_v4 = None
-                list = opt.listen.split(",")
-                for ip in list:
-                    if '[' in ip and ']' in ip:
-                        ipport_v6 = parse_ipport6(ip)
+                lst = opt.listen.split(",")
+                for ip in lst:
+                    family, ip, port = parse_ipport(ip)
+                    if family == socket.AF_INET6:
+                        ipport_v6 = (ip, port)
                     else:
-                        ipport_v4 = parse_ipport4(ip)
+                        ipport_v4 = (ip, port)
             else:
                 # parse_ipport4('127.0.0.1:0')
                 ipport_v4 = "auto"
@@ -210,6 +79,8 @@ def main():
                 ipport_v6 = "auto" if not opt.disable_ipv6 else None
             if opt.syslog:
                 ssyslog.start_syslog()
+                ssyslog.close_stdin()
+                ssyslog.stdout_to_syslog()
                 ssyslog.stderr_to_syslog()
             return_code = client.main(ipport_v6, ipport_v4,
                                       opt.ssh_cmd,
@@ -218,17 +89,22 @@ def main():
                                       opt.latency_control,
                                       opt.dns,
                                       nslist,
-                                      method_name,
+                                      opt.method,
                                       sh,
+                                      opt.auto_hosts,
                                       opt.auto_nets,
-                                      parse_subnets(includes),
-                                      parse_subnets(excludes),
-                                      opt.daemon, opt.pidfile)
+                                      includes,
+                                      excludes,
+                                      opt.daemon,
+                                      opt.to_ns,
+                                      opt.pidfile,
+                                      opt.user,
+                                      opt.sudo_pythonpath)
 
             if return_code == 0:
                 log('Normal exit code, exiting...')
             else:
-                log('Abnormal exit code detected, failing...' % return_code)
+                log('Abnormal exit code %d detected, failing...' % return_code)
             return return_code
 
     except Fatal as e:

sshuttle/firewall.py

@@ -1,11 +1,12 @@
 import errno
 import socket
 import signal
-import sshuttle.ssyslog as ssyslog
 import sys
 import os
 import platform
 import traceback
+
+import sshuttle.ssyslog as ssyslog
 from sshuttle.helpers import debug1, debug2, Fatal
 from sshuttle.methods import get_auto_method, get_method
 
@@ -74,6 +75,16 @@ def setup_daemon():
     return sys.stdin, sys.stdout
 
 
+# Note that we're sorting in a very particular order:
+# we need to go from smaller, more specific, port ranges, to larger,
+# less-specific, port ranges. At each level, we order by subnet
+# width, from most-specific subnets (largest swidth) to
+# least-specific. On ties, excludes come first.
+# s:(inet, subnet width, exclude flag, subnet, first port, last port)
+def subnet_weight(s):
+    return (-s[-1] + (s[-2] or -65535), s[1], s[2])
+
+
 # This is some voodoo for setting up the kernel's transparent
 # proxying stuff.  If subnets is empty, we just delete our sshuttle rules;
 # otherwise we delete it, then make them from scratch.
@@ -119,10 +130,17 @@ def main(method_name, syslog):
         elif line.startswith("NSLIST\n"):
             break
         try:
-            (family, width, exclude, ip) = line.strip().split(',', 3)
-        except:
+            (family, width, exclude, ip, fport, lport) = \
+                    line.strip().split(',', 5)
+        except BaseException:
             raise Fatal('firewall: expected route or NSLIST but got %r' % line)
-        subnets.append((int(family), int(width), bool(int(exclude)), ip))
+        subnets.append((
+            int(family),
+            int(width),
+            bool(int(exclude)),
+            ip,
+            int(fport),
+            int(lport)))
     debug2('firewall manager: Got subnets: %r\n' % subnets)
 
     nslist = []
@@ -136,7 +154,7 @@ def main(method_name, syslog):
             break
         try:
             (family, ip) = line.strip().split(',', 1)
-        except:
+        except BaseException:
             raise Fatal('firewall: expected nslist or PORTS but got %r' % line)
         nslist.append((int(family), ip))
         debug2('firewall manager: Got partial nslist: %r\n' % nslist)
@@ -147,7 +165,7 @@ def main(method_name, syslog):
     _, _, ports = line.partition(" ")
     ports = ports.split(",")
     if len(ports) != 4:
-        raise Fatal('firewall: expected 4 ports but got %n' % len(ports))
+        raise Fatal('firewall: expected 4 ports but got %d' % len(ports))
     port_v6 = int(ports[0])
     port_v4 = int(ports[1])
     dnsport_v6 = int(ports[2])
@@ -171,9 +189,12 @@ def main(method_name, syslog):
     elif not line.startswith("GO "):
         raise Fatal('firewall: expected GO but got %r' % line)
 
-    _, _, udp = line.partition(" ")
+    _, _, args = line.partition(" ")
+    udp, user = args.strip().split(" ", 1)
     udp = bool(int(udp))
-    debug2('firewall manager: Got udp: %r\n' % udp)
+    if user == '-':
+        user = None
+    debug2('firewall manager: Got udp: %r, user: %r\n' % (udp, user))
 
     subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
     nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
@@ -183,17 +204,19 @@ def main(method_name, syslog):
     try:
         debug1('firewall manager: setting up.\n')
 
-        if len(subnets_v6) > 0 or len(nslist_v6) > 0:
+        if subnets_v6 or nslist_v6:
             debug2('firewall manager: setting up IPv6.\n')
             method.setup_firewall(
                 port_v6, dnsport_v6, nslist_v6,
-                socket.AF_INET6, subnets_v6, udp)
+                socket.AF_INET6, subnets_v6, udp,
+                user)
 
-        if len(subnets_v4) > 0 or len(nslist_v4) > 0:
+        if subnets_v4 or nslist_v4:
             debug2('firewall manager: setting up IPv4.\n')
             method.setup_firewall(
                 port_v4, dnsport_v4, nslist_v4,
-                socket.AF_INET, subnets_v4, udp)
+                socket.AF_INET, subnets_v4, udp,
+                user)
 
         stdout.write('STARTED\n')
 
@@ -222,43 +245,43 @@ def main(method_name, syslog):
     finally:
         try:
             debug1('firewall manager: undoing changes.\n')
-        except:
-            pass
+        except BaseException:
+            debug2('An error occurred, ignoring it.')
 
         try:
-            if len(subnets_v6) > 0 or len(nslist_v6) > 0:
+            if subnets_v6 or nslist_v6:
                 debug2('firewall manager: undoing IPv6 changes.\n')
-                method.restore_firewall(port_v6, socket.AF_INET6, udp)
-        except:
+                method.restore_firewall(port_v6, socket.AF_INET6, udp, user)
+        except BaseException:
             try:
                 debug1("firewall manager: "
                        "Error trying to undo IPv6 firewall.\n")
                 for line in traceback.format_exc().splitlines():
                     debug1("---> %s\n" % line)
-            except:
-                pass
+            except BaseException:
+                debug2('An error occurred, ignoring it.')
 
         try:
-            if len(subnets_v4) > 0 or len(nslist_v4) > 0:
+            if subnets_v4 or nslist_v4:
                 debug2('firewall manager: undoing IPv4 changes.\n')
-                method.restore_firewall(port_v4, socket.AF_INET, udp)
-        except:
+                method.restore_firewall(port_v4, socket.AF_INET, udp, user)
+        except BaseException:
             try:
                 debug1("firewall manager: "
                        "Error trying to undo IPv4 firewall.\n")
                 for line in traceback.format_exc().splitlines():
                     debug1("firewall manager: ---> %s\n" % line)
-            except:
-                pass
+            except BaseException:
+                debug2('An error occurred, ignoring it.')
 
         try:
             debug2('firewall manager: undoing /etc/hosts changes.\n')
             restore_etc_hosts(port_v6 or port_v4)
-        except:
+        except BaseException:
             try:
                 debug1("firewall manager: "
                        "Error trying to undo /etc/hosts changes.\n")
                 for line in traceback.format_exc().splitlines():
                     debug1("firewall manager: ---> %s\n" % line)
-            except:
-                pass
+            except BaseException:
+                debug2('An error occurred, ignoring it.')

sshuttle/helpers.py

@@ -6,6 +6,10 @@ logprefix = ''
 verbose = 0
 
 
+def b(s):
+    return s.encode("ASCII")
+
+
 def log(s):
     global logprefix
     try:
@@ -45,22 +49,22 @@ class Fatal(Exception):
 
 
 def resolvconf_nameservers():
-    l = []
+    lines = []
     for line in open('/etc/resolv.conf'):
         words = line.lower().split()
         if len(words) >= 2 and words[0] == 'nameserver':
-            l.append(family_ip_tuple(words[1]))
-    return l
+            lines.append(family_ip_tuple(words[1]))
+    return lines
 
 
 def resolvconf_random_nameserver():
-    l = resolvconf_nameservers()
-    if l:
-        if len(l) > 1:
+    lines = resolvconf_nameservers()
+    if lines:
+        if len(lines) > 1:
             # don't import this unless we really need it
             import random
-            random.shuffle(l)
-        return l[0]
+            random.shuffle(lines)
+        return lines[0]
     else:
         return (socket.AF_INET, '127.0.0.1')
 
@@ -70,7 +74,8 @@ def islocal(ip, family):
     try:
         try:
             sock.bind((ip, 0))
-        except socket.error as e:
+        except socket.error:
+            _, e = sys.exc_info()[:2]
             if e.args[0] == errno.EADDRNOTAVAIL:
                 return False  # not a local IP
             else:

sshuttle/hostwatch.py

@@ -21,8 +21,9 @@ _smb_ok = True
 hostnames = {}
 queue = {}
 try:
-    null = open('/dev/null', 'wb')
-except IOError as e:
+    null = open(os.devnull, 'wb')
+except IOError:
+    _, e = sys.exc_info()[:2]
     log('warning: %s\n' % e)
     null = os.popen("sh -c 'while read x; do :; done'", 'wb', 4096)
 
@@ -38,19 +39,20 @@ def write_host_cache():
         for name, ip in sorted(hostnames.items()):
             f.write(('%s,%s\n' % (name, ip)).encode("ASCII"))
         f.close()
-        os.chmod(tmpname, 0o600)
+        os.chmod(tmpname, 384)  # 600 in octal, 'rw-------'
         os.rename(tmpname, CACHEFILE)
     finally:
         try:
             os.unlink(tmpname)
-        except:
+        except BaseException:
             pass
 
 
 def read_host_cache():
     try:
         f = open(CACHEFILE)
-    except IOError as e:
+    except IOError:
+        _, e = sys.exc_info()[:2]
         if e.errno == errno.ENOENT:
             return
         else:
@@ -59,23 +61,27 @@ def read_host_cache():
         words = line.strip().split(',')
         if len(words) == 2:
             (name, ip) = words
-            name = re.sub(r'[^-\w]', '-', name).strip()
+            name = re.sub(r'[^-\w\.]', '-', name).strip()
             ip = re.sub(r'[^0-9.]', '', ip).strip()
             if name and ip:
                 found_host(name, ip)
 
 
-def found_host(hostname, ip):
-    hostname = re.sub(r'\..*', '', hostname)
-    hostname = re.sub(r'[^-\w]', '_', hostname)
-    if (ip.startswith('127.') or ip.startswith('255.')
-            or hostname == 'localhost'):
+def found_host(name, ip):
+    hostname = re.sub(r'\..*', '', name)
+    hostname = re.sub(r'[^-\w\.]', '_', hostname)
+    if (ip.startswith('127.') or ip.startswith('255.') or
+            hostname == 'localhost'):
         return
-    oldip = hostnames.get(hostname)
+
+    if hostname != name:
+        found_host(hostname, ip)
+
+    oldip = hostnames.get(name)
     if oldip != ip:
-        hostnames[hostname] = ip
-        debug1('Found: %s: %s\n' % (hostname, ip))
-        sys.stdout.write('%s,%s\n' % (hostname, ip))
+        hostnames[name] = ip
+        debug1('Found: %s: %s\n' % (name, ip))
+        sys.stdout.write('%s,%s\n' % (name, ip))
         write_host_cache()
 
 
@@ -102,7 +108,7 @@ def _check_revdns(ip):
         debug3('<    %s\n' % r[0])
         check_host(r[0])
         found_host(r[0], ip)
-    except socket.herror:
+    except (socket.herror, UnicodeError):
         pass
 
 
@@ -113,18 +119,24 @@ def _check_dns(hostname):
         debug3('<    %s\n' % ip)
         check_host(ip)
         found_host(hostname, ip)
-    except socket.gaierror:
+    except (socket.gaierror, UnicodeError):
         pass
 
 
 def _check_netstat():
     debug2(' > netstat\n')
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
     argv = ['netstat', '-n']
     try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
+        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
+                              env=env)
         content = p.stdout.read().decode("ASCII")
         p.wait()
-    except OSError as e:
+    except OSError:
+        _, e = sys.exc_info()[:2]
         log('%r failed: %r\n' % (argv, e))
         return
 
@@ -138,13 +150,19 @@ def _check_smb(hostname):
     global _smb_ok
     if not _smb_ok:
         return
-    argv = ['smbclient', '-U', '%', '-L', hostname]
     debug2(' > smb: %s\n' % hostname)
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
+    argv = ['smbclient', '-U', '%', '-L', hostname]
     try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
+        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
+                              env=env)
         lines = p.stdout.readlines()
         p.wait()
-    except OSError as e:
+    except OSError:
+        _, e = sys.exc_info()[:2]
         log('%r failed: %r\n' % (argv, e))
         _smb_ok = False
         return
@@ -195,13 +213,19 @@ def _check_nmb(hostname, is_workgroup, is_master):
     global _nmb_ok
     if not _nmb_ok:
         return
-    argv = ['nmblookup'] + ['-M'] * is_master + ['--', hostname]
     debug2(' > n%d%d: %s\n' % (is_workgroup, is_master, hostname))
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
+    argv = ['nmblookup'] + ['-M'] * is_master + ['--', hostname]
     try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
+        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
+                              env=env)
         lines = p.stdout.readlines()
         rv = p.wait()
-    except OSError as e:
+    except OSError:
+        _, e = sys.exc_info()[:2]
         log('%r failed: %r\n' % (argv, e))
         _nmb_ok = False
         return
@@ -242,7 +266,7 @@ def _enqueue(op, *args):
 
 
 def _stdin_still_ok(timeout):
-    r, w, x = select.select([sys.stdin.fileno()], [], [], timeout)
+    r, _, _ = select.select([sys.stdin.fileno()], [], [], timeout)
     if r:
         b = os.read(sys.stdin.fileno(), 4096)
         if not b:
@@ -250,7 +274,7 @@ def _stdin_still_ok(timeout):
     return True
 
 
-def hw_main(seed_hosts):
+def hw_main(seed_hosts, auto_hosts):
     if helpers.verbose >= 2:
         helpers.logprefix = 'HH: '
     else:
@@ -259,17 +283,18 @@ def hw_main(seed_hosts):
     debug1('Starting hostwatch with Python version %s\n'
            % platform.python_version())
 
-    read_host_cache()
-
-    _enqueue(_check_etc_hosts)
-    _enqueue(_check_netstat)
-    check_host('localhost')
-    check_host(socket.gethostname())
-    check_workgroup('workgroup')
-    check_workgroup('-')
     for h in seed_hosts:
         check_host(h)
 
+    if auto_hosts:
+        read_host_cache()
+        _enqueue(_check_etc_hosts)
+        _enqueue(_check_netstat)
+        check_host('localhost')
+        check_host(socket.gethostname())
+        check_workgroup('workgroup')
+        check_workgroup('-')
+
     while 1:
         now = time.time()
         for t, last_polled in list(queue.items()):

sshuttle/linux.py

@@ -1,3 +1,4 @@
+import os
 import socket
 import subprocess as ssubprocess
 from sshuttle.helpers import log, debug1, Fatal, family_to_string
@@ -18,13 +19,17 @@ def ipt_chain_exists(family, table, name):
     else:
         raise Exception('Unsupported family "%s"' % family_to_string(family))
     argv = [cmd, '-t', table, '-nL']
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE)
-    for line in p.stdout:
-        if line.startswith(b'Chain %s ' % name.encode("ASCII")):
-            return True
-    rv = p.wait()
-    if rv:
-        raise Fatal('%r returned %d' % (argv, rv))
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
+    try:
+        output = ssubprocess.check_output(argv, env=env)
+        for line in output.decode('ASCII').split('\n'):
+            if line.startswith('Chain %s ' % name):
+                return True
+    except ssubprocess.CalledProcessError as e:
+        raise Fatal('%r returned %d' % (argv, e.returncode))
 
 
 def ipt(family, table, *args):
@@ -35,7 +40,26 @@ def ipt(family, table, *args):
     else:
         raise Exception('Unsupported family "%s"' % family_to_string(family))
     debug1('>> %s\n' % ' '.join(argv))
-    rv = ssubprocess.call(argv)
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
+    rv = ssubprocess.call(argv, env=env)
+    if rv:
+        raise Fatal('%r returned %d' % (argv, rv))
+
+
+def nft(family, table, action, *args):
+    if family in (socket.AF_INET, socket.AF_INET6):
+        argv = ['nft', action, 'inet', table] + list(args)
+    else:
+        raise Exception('Unsupported family "%s"' % family_to_string(family))
+    debug1('>> %s\n' % ' '.join(argv))
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
+    rv = ssubprocess.call(argv, env=env)
     if rv:
         raise Fatal('%r returned %d' % (argv, rv))
 

sshuttle/methods/__init__.py

@@ -35,17 +35,21 @@ class BaseMethod(object):
     def set_firewall(self, firewall):
         self.firewall = firewall
 
-    def get_supported_features(self):
+    @staticmethod
+    def get_supported_features():
         result = Features()
         result.ipv6 = False
         result.udp = False
         result.dns = True
+        result.user = False
         return result
 
-    def get_tcp_dstip(self, sock):
+    @staticmethod
+    def get_tcp_dstip(sock):
         return original_dst(sock)
 
-    def recv_udp(self, udp_listener, bufsize):
+    @staticmethod
+    def recv_udp(udp_listener, bufsize):
         debug3('Accept UDP using recvfrom.\n')
         data, srcip = udp_listener.recvfrom(bufsize)
         return (srcip, None, data)
@@ -64,19 +68,21 @@ class BaseMethod(object):
 
     def assert_features(self, features):
         avail = self.get_supported_features()
-        for key in ["udp", "dns", "ipv6"]:
+        for key in ["udp", "dns", "ipv6", "user"]:
             if getattr(features, key) and not getattr(avail, key):
                 raise Fatal(
                     "Feature %s not supported with method %s.\n" %
                     (key, self.name))
 
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
         raise NotImplementedError()
 
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
         raise NotImplementedError()
 
-    def firewall_command(self, line):
+    @staticmethod
+    def firewall_command(line):
         return False
 
 
@@ -96,10 +102,14 @@ def get_method(method_name):
 def get_auto_method():
     if _program_exists('iptables'):
         method_name = "nat"
+    elif _program_exists('nft'):
+        method_name = "nft"
     elif _program_exists('pfctl'):
         method_name = "pf"
+    elif _program_exists('ipfw'):
+        method_name = "ipfw"
     else:
         raise Fatal(
-            "can't find either iptables or pfctl; check your PATH")
+            "can't find either iptables, nft or pfctl; check your PATH")
 
     return get_method(method_name)

sshuttle/methods/ipfw.py

@@ -0,0 +1,263 @@
+import os
+import subprocess as ssubprocess
+from sshuttle.methods import BaseMethod
+from sshuttle.helpers import log, debug1, debug3, \
+    Fatal, family_to_string
+
+recvmsg = None
+try:
+    # try getting recvmsg from python
+    import socket as pythonsocket
+    getattr(pythonsocket.socket, "recvmsg")
+    socket = pythonsocket
+    recvmsg = "python"
+except AttributeError:
+    # try getting recvmsg from socket_ext library
+    try:
+        import socket_ext
+        getattr(socket_ext.socket, "recvmsg")
+        socket = socket_ext
+        recvmsg = "socket_ext"
+    except ImportError:
+        import socket
+
+IP_BINDANY = 24
+IP_RECVDSTADDR = 7
+SOL_IPV6 = 41
+IPV6_RECVDSTADDR = 74
+
+if recvmsg == "python":
+    def recv_udp(listener, bufsize):
+        debug3('Accept UDP python using recvmsg.\n')
+        data, ancdata, _, srcip = listener.recvmsg(4096,
+                                                   socket.CMSG_SPACE(4))
+        dstip = None
+        for cmsg_level, cmsg_type, cmsg_data in ancdata:
+            if cmsg_level == socket.SOL_IP and cmsg_type == IP_RECVDSTADDR:
+                port = 53
+                ip = socket.inet_ntop(socket.AF_INET, cmsg_data[0:4])
+                dstip = (ip, port)
+                break
+        return (srcip, dstip, data)
+elif recvmsg == "socket_ext":
+    def recv_udp(listener, bufsize):
+        debug3('Accept UDP using socket_ext recvmsg.\n')
+        srcip, data, adata, _ = listener.recvmsg((bufsize,),
+                                                 socket.CMSG_SPACE(4))
+        dstip = None
+        for a in adata:
+            if a.cmsg_level == socket.SOL_IP and a.cmsg_type == IP_RECVDSTADDR:
+                port = 53
+                ip = socket.inet_ntop(socket.AF_INET, a.cmsg_data[0:4])
+                dstip = (ip, port)
+                break
+        return (srcip, dstip, data[0])
+else:
+    def recv_udp(listener, bufsize):
+        debug3('Accept UDP using recvfrom.\n')
+        data, srcip = listener.recvfrom(bufsize)
+        return (srcip, None, data)
+
+
+def ipfw_rule_exists(n):
+    argv = ['ipfw', 'list']
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
+    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
+
+    found = False
+    for line in p.stdout:
+        if line.startswith(b'%05d ' % n):
+            if not ('ipttl 42' in line or 'check-state' in line):
+                log('non-sshuttle ipfw rule: %r\n' % line.strip())
+                raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
+            found = True
+    rv = p.wait()
+    if rv:
+        raise Fatal('%r returned %d' % (argv, rv))
+    return found
+
+
+_oldctls = {}
+
+
+def _fill_oldctls(prefix):
+    argv = ['sysctl', prefix]
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
+    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
+    for line in p.stdout:
+        line = line.decode()
+        assert(line[-1] == '\n')
+        (k, v) = line[:-1].split(': ', 1)
+        _oldctls[k] = v.strip()
+    rv = p.wait()
+    if rv:
+        raise Fatal('%r returned %d' % (argv, rv))
+    if not line:
+        raise Fatal('%r returned no data' % (argv,))
+
+
+def _sysctl_set(name, val):
+    argv = ['sysctl', '-w', '%s=%s' % (name, val)]
+    debug1('>> %s\n' % ' '.join(argv))
+    return ssubprocess.call(argv, stdout=open(os.devnull, 'w'))
+    # No env: No output. (Or error that won't be parsed.)
+
+
+_changedctls = []
+
+
+def sysctl_set(name, val, permanent=False):
+    PREFIX = 'net.inet.ip'
+    assert(name.startswith(PREFIX + '.'))
+    val = str(val)
+    if not _oldctls:
+        _fill_oldctls(PREFIX)
+    if not (name in _oldctls):
+        debug1('>> No such sysctl: %r\n' % name)
+        return False
+    oldval = _oldctls[name]
+    if val != oldval:
+        rv = _sysctl_set(name, val)
+        if rv == 0 and permanent:
+            debug1('>>   ...saving permanently in /etc/sysctl.conf\n')
+            f = open('/etc/sysctl.conf', 'a')
+            f.write('\n'
+                    '# Added by sshuttle\n'
+                    '%s=%s\n' % (name, val))
+            f.close()
+        else:
+            _changedctls.append(name)
+        return True
+
+
+def ipfw(*args):
+    argv = ['ipfw', '-q'] + list(args)
+    debug1('>> %s\n' % ' '.join(argv))
+    rv = ssubprocess.call(argv)
+    # No env: No output. (Or error that won't be parsed.)
+    if rv:
+        raise Fatal('%r returned %d' % (argv, rv))
+
+
+def ipfw_noexit(*args):
+    argv = ['ipfw', '-q'] + list(args)
+    debug1('>> %s\n' % ' '.join(argv))
+    ssubprocess.call(argv)
+    # No env: No output. (Or error that won't be parsed.)
+
+
+class Method(BaseMethod):
+
+    def get_supported_features(self):
+        result = super(Method, self).get_supported_features()
+        result.ipv6 = False
+        result.udp = False  # NOTE: Almost there, kernel patch needed
+        result.dns = True
+        return result
+
+    def get_tcp_dstip(self, sock):
+        return sock.getsockname()
+
+    def recv_udp(self, udp_listener, bufsize):
+        srcip, dstip, data = recv_udp(udp_listener, bufsize)
+        if not dstip:
+            debug1(
+                   "-- ignored UDP from %r: "
+                   "couldn't determine destination IP address\n" % (srcip,))
+            return None
+        return srcip, dstip, data
+
+    def send_udp(self, sock, srcip, dstip, data):
+        if not srcip:
+            debug1(
+               "-- ignored UDP to %r: "
+               "couldn't determine source IP address\n" % (dstip,))
+            return
+
+        # debug3('Sending SRC: %r DST: %r\n' % (srcip, dstip))
+        sender = socket.socket(sock.family, socket.SOCK_DGRAM)
+        sender.setsockopt(socket.SOL_IP, IP_BINDANY, 1)
+        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
+        sender.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
+        sender.bind(srcip)
+        sender.sendto(data, dstip)
+        sender.close()
+
+    def setup_udp_listener(self, udp_listener):
+        if udp_listener.v4 is not None:
+            udp_listener.v4.setsockopt(socket.SOL_IP, IP_RECVDSTADDR, 1)
+        # if udp_listener.v6 is not None:
+        #     udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)
+
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
+        # IPv6 not supported
+        if family not in [socket.AF_INET]:
+            raise Exception(
+                'Address family "%s" unsupported by ipfw method_name'
+                % family_to_string(family))
+
+        # XXX: Any risk from this?
+        ipfw_noexit('delete', '1')
+
+        while _changedctls:
+            name = _changedctls.pop()
+            oldval = _oldctls[name]
+            _sysctl_set(name, oldval)
+
+        if subnets or dnsport:
+            sysctl_set('net.inet.ip.fw.enable', 1)
+
+        ipfw('add', '1', 'check-state', 'ip',
+             'from', 'any', 'to', 'any')
+
+        ipfw('add', '1', 'skipto', '2',
+             'tcp',
+             'from', 'any', 'to', 'table(125)')
+        ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
+             'tcp',
+             'from', 'any', 'to', 'table(126)',
+             'not', 'ipttl', '42', 'keep-state', 'setup')
+
+        ipfw_noexit('table', '124', 'flush')
+        dnscount = 0
+        for _, ip in [i for i in nslist if i[0] == family]:
+            ipfw('table', '124', 'add', '%s' % (ip))
+            dnscount += 1
+        if dnscount > 0:
+            ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
+                 'udp',
+                 'from', 'any', 'to', 'table(124)',
+                 'not', 'ipttl', '42')
+        ipfw('add', '1', 'allow',
+             'udp',
+             'from', 'any', 'to', 'any',
+             'ipttl', '42')
+
+        if subnets:
+            # create new subnet entries
+            for _, swidth, sexclude, snet in sorted(subnets,
+                                                    key=lambda s: s[1],
+                                                    reverse=True):
+                if sexclude:
+                    ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
+            else:
+                ipfw('table', '126', 'add', '%s/%s' % (snet, swidth))
+
+    def restore_firewall(self, port, family, udp, user):
+        if family not in [socket.AF_INET]:
+            raise Exception(
+                'Address family "%s" unsupported by tproxy method'
+                % family_to_string(family))
+
+        ipfw_noexit('delete', '1')
+        ipfw_noexit('table', '124', 'flush')
+        ipfw_noexit('table', '125', 'flush')
+        ipfw_noexit('table', '126', 'flush')

sshuttle/methods/nat.py

@@ -1,4 +1,5 @@
 import socket
+from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import family_to_string
 from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists, nonfatal
 from sshuttle.methods import BaseMethod
@@ -11,7 +12,8 @@ class Method(BaseMethod):
     # the multiple copies shouldn't have overlapping subnets, or only the most-
     # recently-started one will win (because we use "-I OUTPUT 1" instead of
     # "-A OUTPUT").
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
         # only ipv4 supported with NAT
         if family != socket.AF_INET:
             raise Exception(
@@ -28,41 +30,62 @@ class Method(BaseMethod):
         def _ipt_ttl(*args):
             return ipt_ttl(family, table, *args)
 
+        def _ipm(*args):
+            return ipt(family, "mangle", *args)
+
         chain = 'sshuttle-%s' % port
 
         # basic cleanup/setup of chains
-        self.restore_firewall(port, family, udp)
+        self.restore_firewall(port, family, udp, user)
 
         _ipt('-N', chain)
         _ipt('-F', chain)
-        _ipt('-I', 'OUTPUT', '1', '-j', chain)
-        _ipt('-I', 'PREROUTING', '1', '-j', chain)
+        if user is not None:
+            _ipm('-I', 'OUTPUT', '1', '-m', 'owner', '--uid-owner', str(user),
+                 '-j', 'MARK', '--set-mark', str(port))
+            args = '-m', 'mark', '--mark', str(port), '-j', chain
+        else:
+            args = '-j', chain
+
+        _ipt('-I', 'OUTPUT', '1', *args)
+        _ipt('-I', 'PREROUTING', '1', *args)
+
+        # Firstly we always skip all LOCAL addtrype address, i.e. avoid
+        # tunnelling the traffic designated to all local TCP/IP addresses.
+        _ipt('-A', chain, '-j', 'RETURN',
+             '-m', 'addrtype',
+             '--dst-type', 'LOCAL',
+             '!', '-p', 'udp')
+        # Skip LOCAL traffic if it's not DNS.
+        _ipt('-A', chain, '-j', 'RETURN',
+             '-m', 'addrtype',
+             '--dst-type', 'LOCAL',
+             '-p', 'udp', '!', '--dport', '53')
+
+        # create new subnet entries.
+        for _, swidth, sexclude, snet, fport, lport \
+                in sorted(subnets, key=subnet_weight, reverse=True):
+            tcp_ports = ('-p', 'tcp')
+            if fport:
+                tcp_ports = tcp_ports + ('--dport', '%d:%d' % (fport, lport))
 
-        # create new subnet entries.  Note that we're sorting in a very
-        # particular order: we need to go from most-specific (largest
-        # swidth) to least-specific, and at any given level of specificity,
-        # we want excludes to come first.  That's why the columns are in
-        # such a non- intuitive order.
-        for f, swidth, sexclude, snet \
-                in sorted(subnets, key=lambda s: s[1], reverse=True):
             if sexclude:
                 _ipt('-A', chain, '-j', 'RETURN',
                      '--dest', '%s/%s' % (snet, swidth),
-                     '-p', 'tcp')
+                     *tcp_ports)
             else:
                 _ipt_ttl('-A', chain, '-j', 'REDIRECT',
                          '--dest', '%s/%s' % (snet, swidth),
-                         '-p', 'tcp',
-                         '--to-ports', str(port))
+                         *(tcp_ports + ('--to-ports', str(port))))
 
-        for f, ip in [i for i in nslist if i[0] == family]:
+        for _, ip in [i for i in nslist if i[0] == family]:
             _ipt_ttl('-A', chain, '-j', 'REDIRECT',
                      '--dest', '%s/32' % ip,
                      '-p', 'udp',
                      '--dport', '53',
                      '--to-ports', str(dnsport))
 
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
         # only ipv4 supported with NAT
         if family != socket.AF_INET:
             raise Exception(
@@ -79,11 +102,25 @@ class Method(BaseMethod):
         def _ipt_ttl(*args):
             return ipt_ttl(family, table, *args)
 
+        def _ipm(*args):
+            return ipt(family, "mangle", *args)
+
         chain = 'sshuttle-%s' % port
 
         # basic cleanup/setup of chains
         if ipt_chain_exists(family, table, chain):
-            nonfatal(_ipt, '-D', 'OUTPUT', '-j', chain)
-            nonfatal(_ipt, '-D', 'PREROUTING', '-j', chain)
+            if user is not None:
+                nonfatal(_ipm, '-D', 'OUTPUT', '-m', 'owner', '--uid-owner',
+                         str(user), '-j', 'MARK', '--set-mark', str(port))
+                args = '-m', 'mark', '--mark', str(port), '-j', chain
+            else:
+                args = '-j', chain
+            nonfatal(_ipt, '-D', 'OUTPUT', *args)
+            nonfatal(_ipt, '-D', 'PREROUTING', *args)
             nonfatal(_ipt, '-F', chain)
             _ipt('-X', chain)
+
+    def get_supported_features(self):
+        result = super(Method, self).get_supported_features()
+        result.user = True
+        return result

sshuttle/methods/nft.py

@@ -0,0 +1,76 @@
+import socket
+from sshuttle.firewall import subnet_weight
+from sshuttle.linux import nft, nonfatal
+from sshuttle.methods import BaseMethod
+
+
+class Method(BaseMethod):
+
+    # We name the chain based on the transproxy port number so that it's
+    # possible to run multiple copies of sshuttle at the same time.  Of course,
+    # the multiple copies shouldn't have overlapping subnets, or only the most-
+    # recently-started one will win (because we use "-I OUTPUT 1" instead of
+    # "-A OUTPUT").
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
+        if udp:
+            raise Exception("UDP not supported by nft")
+
+        table = 'sshuttle-%s' % port
+
+        def _nft(action, *args):
+            return nft(family, table, action, *args)
+
+        chain = table
+
+        # basic cleanup/setup of chains
+        _nft('add table', '')
+        _nft('add chain', 'prerouting',
+             '{ type nat hook prerouting priority -100; policy accept; }')
+        _nft('add chain', 'output',
+             '{ type nat hook output priority -100; policy accept; }')
+        _nft('add chain', chain)
+        _nft('flush chain', chain)
+        _nft('add rule', 'output jump %s' % chain)
+        _nft('add rule', 'prerouting jump %s' % chain)
+
+        # create new subnet entries.
+        for _, swidth, sexclude, snet, fport, lport \
+                in sorted(subnets, key=subnet_weight, reverse=True):
+            tcp_ports = ('ip', 'protocol', 'tcp')
+            if fport and fport != lport:
+                tcp_ports = \
+                    tcp_ports + \
+                    ('tcp', 'dport', '{ %d-%d }' % (fport, lport))
+            elif fport and fport == lport:
+                tcp_ports = tcp_ports + ('tcp', 'dport', '%d' % (fport))
+
+            if sexclude:
+                _nft('add rule', chain, *(tcp_ports + (
+                     'ip daddr %s/%s' % (snet, swidth), 'return')))
+            else:
+                _nft('add rule', chain, *(tcp_ports + (
+                     'ip daddr %s/%s' % (snet, swidth), 'ip ttl != 42',
+                     ('redirect to :' + str(port)))))
+
+        for _, ip in [i for i in nslist if i[0] == family]:
+            if family == socket.AF_INET:
+                _nft('add rule', chain, 'ip protocol udp ip daddr %s' % ip,
+                     'udp dport { 53 }', 'ip ttl != 42',
+                     ('redirect to :' + str(dnsport)))
+            elif family == socket.AF_INET6:
+                _nft('add rule', chain, 'ip6 protocol udp ip6 daddr %s' % ip,
+                     'udp dport { 53 }', 'ip ttl != 42',
+                     ('redirect to :' + str(dnsport)))
+
+    def restore_firewall(self, port, family, udp, user):
+        if udp:
+            raise Exception("UDP not supported by nft method_name")
+
+        table = 'sshuttle-%s' % port
+
+        def _nft(action, *args):
+            return nft(family, table, action, *args)
+
+        # basic cleanup/setup of chains
+        nonfatal(_nft, 'delete table', '')

sshuttle/methods/pf.py

@@ -1,17 +1,25 @@
 import os
 import sys
+import platform
 import re
 import socket
+import errno
 import struct
 import subprocess as ssubprocess
+import shlex
 from fcntl import ioctl
 from ctypes import c_char, c_uint8, c_uint16, c_uint32, Union, Structure, \
     sizeof, addressof, memmove
+from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import debug1, debug2, debug3, Fatal, family_to_string
 from sshuttle.methods import BaseMethod
 
 
-_pf_context = {'started_by_sshuttle': False, 'Xtoken': None}
+_pf_context = {
+    'started_by_sshuttle': 0,
+    'loaded_by_sshuttle': True,
+    'Xtoken': []
+}
 _pf_fd = None
 
 
@@ -28,7 +36,7 @@ class Generic(object):
 
     class pf_addr(Structure):
         class _pfa(Union):
-             _fields_ = [("v4", c_uint32),     # struct in_addr
+            _fields_ = [("v4", c_uint32),      # struct in_addr
                         ("v6", c_uint32 * 4),  # struct in6_addr
                         ("addr8", c_uint8 * 16),
                         ("addr16", c_uint16 * 8),
@@ -57,11 +65,14 @@ class Generic(object):
     def enable(self):
         if b'INFO:\nStatus: Disabled' in self.status:
             pfctl('-e')
-            _pf_context['started_by_sshuttle'] = True
+            _pf_context['started_by_sshuttle'] += 1
 
-    def disable(self):
-        if _pf_context['started_by_sshuttle']:
+    @staticmethod
+    def disable(anchor):
+        pfctl('-a %s -F all' % anchor)
+        if _pf_context['started_by_sshuttle'] == 1:
             pfctl('-d')
+        _pf_context['started_by_sshuttle'] -= 1
 
     def query_nat(self, family, proto, src_ip, src_port, dst_ip, dst_port):
         [proto, family, src_port, dst_port] = [
@@ -89,41 +100,58 @@ class Generic(object):
         port = socket.ntohs(self._get_natlook_port(pnl.rdxport))
         return (ip, port)
 
-    def _add_natlook_ports(self, pnl, src_port, dst_port):
+    @staticmethod
+    def _add_natlook_ports(pnl, src_port, dst_port):
         pnl.sxport = socket.htons(src_port)
         pnl.dxport = socket.htons(dst_port)
 
-    def _get_natlook_port(self, xport):
+    @staticmethod
+    def _get_natlook_port(xport):
         return xport
 
-    def add_anchors(self, status=None):
+    def add_anchors(self, anchor, status=None):
         if status is None:
             status = pfctl('-s all')[0]
         self.status = status
-        if b'\nanchor "sshuttle"' not in status:
-            self._add_anchor_rule(self.PF_PASS, b"sshuttle")
+        if ('\nanchor "%s"' % anchor).encode('ASCII') not in status:
+            self._add_anchor_rule(self.PF_PASS, anchor.encode('ASCII'))
 
-    def _add_anchor_rule(self, type, name, pr=None):
+    def _add_anchor_rule(self, kind, name, pr=None):
         if pr is None:
             pr = self.pfioc_rule()
 
         memmove(addressof(pr) + self.ANCHOR_CALL_OFFSET, name,
                 min(self.MAXPATHLEN, len(name)))  # anchor_call = name
         memmove(addressof(pr) + self.RULE_ACTION_OFFSET,
-                struct.pack('I', type), 4)  # rule.action = type
+                struct.pack('I', kind), 4)  # rule.action = kind
 
-        memmove(addressof(pr) + self.ACTION_OFFSET, struct.pack(
-            'I', self.PF_CHANGE_GET_TICKET), 4)  # action = PF_CHANGE_GET_TICKET
+        memmove(addressof(pr) + self.ACTION_OFFSET,
+                struct.pack('I', self.PF_CHANGE_GET_TICKET),
+                4)  # action = PF_CHANGE_GET_TICKET
         ioctl(pf_get_dev(), pf.DIOCCHANGERULE, pr)
 
-        memmove(addressof(pr) + self.ACTION_OFFSET, struct.pack(
-            'I', self.PF_CHANGE_ADD_TAIL), 4)  # action = PF_CHANGE_ADD_TAIL
+        memmove(addressof(pr) + self.ACTION_OFFSET,
+                struct.pack('I', self.PF_CHANGE_ADD_TAIL),
+                4)  # action = PF_CHANGE_ADD_TAIL
         ioctl(pf_get_dev(), pf.DIOCCHANGERULE, pr)
 
-    def add_rules(self, rules):
+    @staticmethod
+    def _inet_version(family):
+        return b'inet' if family == socket.AF_INET else b'inet6'
+
+    @staticmethod
+    def _lo_addr(family):
+        return b'127.0.0.1' if family == socket.AF_INET else b'::1'
+
+    @staticmethod
+    def add_rules(anchor, rules):
         assert isinstance(rules, bytes)
         debug3("rules:\n" + rules.decode("ASCII"))
-        pfctl('-a sshuttle -f /dev/stdin', rules)
+        pfctl('-a %s -f /dev/stdin' % anchor, rules)
+
+    @staticmethod
+    def has_skip_loopback():
+        return b'skip' in pfctl('-s Interfaces -i lo -v')[0]
 
 
 class FreeBsd(Generic):
@@ -150,52 +178,68 @@ class FreeBsd(Generic):
         freebsd.pfioc_natlook = pfioc_natlook
         return freebsd
 
-    def __init__(self):
-        super(FreeBsd, self).__init__()
+    def enable(self):
+        returncode = ssubprocess.call(['kldload', 'pf'])
+        # No env: No output.
+        super(FreeBsd, self).enable()
+        if returncode == 0:
+            _pf_context['loaded_by_sshuttle'] = True
 
-    def add_anchors(self):
+    def disable(self, anchor):
+        super(FreeBsd, self).disable(anchor)
+        if _pf_context['loaded_by_sshuttle'] and \
+                _pf_context['started_by_sshuttle'] == 0:
+            ssubprocess.call(['kldunload', 'pf'])
+            # No env: No output.
+
+    def add_anchors(self, anchor):
         status = pfctl('-s all')[0]
-        if b'\nrdr-anchor "sshuttle"' not in status:
-            self._add_anchor_rule(self.PF_RDR, b'sshuttle')
-        super(FreeBsd, self).add_anchors(status=status)
+        if ('\nrdr-anchor "%s"' % anchor).encode('ASCII') not in status:
+            self._add_anchor_rule(self.PF_RDR, anchor.encode('ASCII'))
+        super(FreeBsd, self).add_anchors(anchor, status=status)
 
-    def _add_anchor_rule(self, type, name):
-        pr = self.pfioc_rule()
+    def _add_anchor_rule(self, kind, name, pr=None):
+        pr = pr or self.pfioc_rule()
         ppa = self.pfioc_pooladdr()
 
         ioctl(pf_get_dev(), self.DIOCBEGINADDRS, ppa)
         # pool ticket
         memmove(addressof(pr) + self.POOL_TICKET_OFFSET, ppa[4:8], 4)
-        super(FreeBsd, self)._add_anchor_rule(type, name, pr=pr)
+        super(FreeBsd, self)._add_anchor_rule(kind, name, pr=pr)
 
-    def add_rules(self, includes, port, dnsport, nslist):
-        tables = [
-            b'table <forward_subnets> {%s}' % b','.join(includes)
-        ]
+    def add_rules(self, anchor, includes, port, dnsport, nslist, family):
+        inet_version = self._inet_version(family)
+        lo_addr = self._lo_addr(family)
+
+        tables = []
         translating_rules = [
-            b'rdr pass on lo0 proto tcp '
-            b'to <forward_subnets> -> 127.0.0.1 port %r' % port
+            b'rdr pass on lo0 %s proto tcp from ! %s to %s '
+            b'-> %s port %r' % (inet_version, lo_addr, subnet, lo_addr, port)
+            for exclude, subnet in includes if not exclude
         ]
         filtering_rules = [
-            b'pass out route-to lo0 inet proto tcp '
-            b'to <forward_subnets> keep state'
+            b'pass out route-to lo0 %s proto tcp '
+            b'to %s keep state' % (inet_version, subnet)
+            if not exclude else
+            b'pass out %s proto tcp to %s' % (inet_version, subnet)
+            for exclude, subnet in includes
         ]
 
-        if len(nslist) > 0:
+        if nslist:
             tables.append(
                 b'table <dns_servers> {%s}' %
                 b','.join([ns[1].encode("ASCII") for ns in nslist]))
             translating_rules.append(
-                b'rdr pass on lo0 proto udp to '
-                b'<dns_servers> port 53 -> 127.0.0.1 port %r' % dnsport)
+                b'rdr pass on lo0 %s proto udp to <dns_servers> '
+                b'port 53 -> %s port %r' % (inet_version, lo_addr, dnsport))
             filtering_rules.append(
-                b'pass out route-to lo0 inet proto udp to '
-                b'<dns_servers> port 53 keep state')
+                b'pass out route-to lo0 %s proto udp to '
+                b'<dns_servers> port 53 keep state' % inet_version)
 
         rules = b'\n'.join(tables + translating_rules + filtering_rules) \
                 + b'\n'
 
-        super(FreeBsd, self).add_rules(rules)
+        super(FreeBsd, self).add_rules(anchor, rules)
 
 
 class OpenBsd(Generic):
@@ -221,45 +265,51 @@ class OpenBsd(Generic):
                         ("proto_variant", c_uint8),
                         ("direction", c_uint8)]
 
-        self.pfioc_rule = c_char * 3400
+        self.pfioc_rule = c_char * 3424
         self.pfioc_natlook = pfioc_natlook
         super(OpenBsd, self).__init__()
 
-    def add_anchors(self):
+    def add_anchors(self, anchor):
         # before adding anchors and rules we must override the skip lo
         # that comes by default in openbsd pf.conf so the rules we will add,
         # which rely on translating/filtering  packets on lo, can work
-        pfctl('-f /dev/stdin', b'match on lo\n')
-        super(OpenBsd, self).add_anchors()
+        if self.has_skip_loopback():
+            pfctl('-f /dev/stdin', b'match on lo\n')
+        super(OpenBsd, self).add_anchors(anchor)
 
-    def add_rules(self, includes, port, dnsport, nslist):
-        tables = [
-            b'table <forward_subnets> {%s}' % b','.join(includes)
-        ]
+    def add_rules(self, anchor, includes, port, dnsport, nslist, family):
+        inet_version = self._inet_version(family)
+        lo_addr = self._lo_addr(family)
+
+        tables = []
         translating_rules = [
-            b'pass in on lo0 inet proto tcp '
-            b'divert-to 127.0.0.1 port %r' % port
+            b'pass in on lo0 %s proto tcp to %s '
+            b'divert-to %s port %r' % (inet_version, subnet, lo_addr, port)
+            for exclude, subnet in includes if not exclude
         ]
         filtering_rules = [
-            b'pass out inet proto tcp '
-            b'to <forward_subnets> route-to lo0 keep state'
+            b'pass out %s proto tcp to %s '
+            b'route-to lo0 keep state' % (inet_version, subnet)
+            if not exclude else
+            b'pass out %s proto tcp to %s' % (inet_version, subnet)
+            for exclude, subnet in includes
         ]
 
-        if len(nslist) > 0:
+        if nslist:
             tables.append(
                 b'table <dns_servers> {%s}' %
                 b','.join([ns[1].encode("ASCII") for ns in nslist]))
             translating_rules.append(
-                b'pass in on lo0 inet proto udp to <dns_servers>'
-                b'port 53 rdr-to 127.0.0.1 port %r' % dnsport)
+                b'pass in on lo0 %s proto udp to <dns_servers> port 53 '
+                b'rdr-to %s port %r' % (inet_version, lo_addr, dnsport))
             filtering_rules.append(
-                b'pass out inet proto udp to '
-                b'<dns_servers> port 53 route-to lo0 keep state')
+                b'pass out %s proto udp to <dns_servers> port 53 '
+                b'route-to lo0 keep state' % inet_version)
 
         rules = b'\n'.join(tables + translating_rules + filtering_rules) \
                 + b'\n'
 
-        super(OpenBsd, self).add_rules(rules)
+        super(OpenBsd, self).add_rules(anchor, rules)
 
 
 class Darwin(FreeBsd):
@@ -292,19 +342,20 @@ class Darwin(FreeBsd):
 
     def enable(self):
         o = pfctl('-E')
-        _pf_context['Xtoken'] = \
-            re.search(b'Token : (.+)', o[1]).group(1)
+        _pf_context['Xtoken'].append(re.search(b'Token : (.+)', o[1]).group(1))
 
-    def disable(self):
-        if _pf_context['Xtoken'] is not None:
-            pfctl('-X %s' % _pf_context['Xtoken'].decode("ASCII"))
+    def disable(self, anchor):
+        pfctl('-a %s -F all' % anchor)
+        if _pf_context['Xtoken']:
+            pfctl('-X %s' % _pf_context['Xtoken'].pop().decode("ASCII"))
 
-    def add_anchors(self):
+    def add_anchors(self, anchor):
         # before adding anchors and rules we must override the skip lo
         # that in some cases ends up in the chain so the rules we will add,
         # which rely on translating/filtering  packets on lo, can work
-        pfctl('-f /dev/stdin', b'pass on lo\n')
-        super(Darwin, self).add_anchors()
+        if self.has_skip_loopback():
+            pfctl('-f /dev/stdin', b'pass on lo\n')
+        super(Darwin, self).add_anchors(anchor)
 
     def _add_natlook_ports(self, pnl, src_port, dst_port):
         pnl.sxport.port = socket.htons(src_port)
@@ -314,21 +365,36 @@ class Darwin(FreeBsd):
         return xport.port
 
 
+class PfSense(FreeBsd):
+    RULE_ACTION_OFFSET = 3040
+
+    def __init__(self):
+        self.pfioc_rule = c_char * 3112
+        super(PfSense, self).__init__()
+
+
 if sys.platform == 'darwin':
     pf = Darwin()
 elif sys.platform.startswith('openbsd'):
     pf = OpenBsd()
+elif platform.version().endswith('pfSense'):
+    pf = PfSense()
 else:
     pf = FreeBsd()
 
 
 def pfctl(args, stdin=None):
-    argv = ['pfctl'] + list(args.split(" "))
+    argv = ['pfctl'] + shlex.split(args)
     debug1('>> %s\n' % ' '.join(argv))
 
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
     p = ssubprocess.Popen(argv, stdin=ssubprocess.PIPE,
                           stdout=ssubprocess.PIPE,
-                          stderr=ssubprocess.PIPE)
+                          stderr=ssubprocess.PIPE,
+                          env=env)
     o = p.communicate(stdin)
     if p.returncode:
         raise Fatal('%r returned %d' % (argv, p.returncode))
@@ -344,13 +410,27 @@ def pf_get_dev():
     return _pf_fd
 
 
+def pf_get_anchor(family, port):
+    return 'sshuttle%s-%d' % ('' if family == socket.AF_INET else '6', port)
+
 
 class Method(BaseMethod):
 
+    def get_supported_features(self):
+        result = super(Method, self).get_supported_features()
+        result.ipv6 = True
+        return result
+
     def get_tcp_dstip(self, sock):
         pfile = self.firewall.pfile
 
-        peer = sock.getpeername()
+        try:
+            peer = sock.getpeername()
+        except socket.error:
+            _, e = sys.exc_info()[:2]
+            if e.args[0] == errno.EINVAL:
+                return sock.getsockname()
+
         proxy = sock.getsockname()
 
         argv = (sock.family, socket.IPPROTO_TCP,
@@ -367,44 +447,41 @@ class Method(BaseMethod):
 
         return sock.getsockname()
 
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
-        tables = []
-        translating_rules = []
-        filtering_rules = []
-
-        if family != socket.AF_INET:
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
+        if family not in [socket.AF_INET, socket.AF_INET6]:
             raise Exception(
                 'Address family "%s" unsupported by pf method_name'
                 % family_to_string(family))
         if udp:
             raise Exception("UDP not supported by pf method_name")
 
-        if len(subnets) > 0:
+        if subnets:
             includes = []
             # If a given subnet is both included and excluded, list the
             # exclusion first; the table will ignore the second, opposite
             # definition
-            for f, swidth, sexclude, snet in sorted(
-                    subnets, key=lambda s: (s[1], s[2]), reverse=True):
-                includes.append(b"%s%s/%d" %
-                                (b"!" if sexclude else b"",
-                                    snet.encode("ASCII"),
-                                    swidth))
+            for _, swidth, sexclude, snet, fport, lport \
+                    in sorted(subnets, key=subnet_weight):
+                includes.append((sexclude, b"%s/%d%s" % (
+                    snet.encode("ASCII"),
+                    swidth,
+                    b" port %d:%d" % (fport, lport) if fport else b"")))
 
-        pf.add_anchors()
-        pf.add_rules(includes, port, dnsport, nslist)
+        anchor = pf_get_anchor(family, port)
+        pf.add_anchors(anchor)
+        pf.add_rules(anchor, includes, port, dnsport, nslist, family)
         pf.enable()
 
-    def restore_firewall(self, port, family, udp):
-        if family != socket.AF_INET:
+    def restore_firewall(self, port, family, udp, user):
+        if family not in [socket.AF_INET, socket.AF_INET6]:
             raise Exception(
                 'Address family "%s" unsupported by pf method_name'
                 % family_to_string(family))
         if udp:
             raise Exception("UDP not supported by pf method_name")
 
-        pfctl('-a sshuttle -F all')
-        pf.disable()
+        pf.disable(pf_get_anchor(family, port))
 
     def firewall_command(self, line):
         if line.startswith('QUERY_PF_NAT '):

sshuttle/methods/tproxy.py

@@ -1,4 +1,5 @@
 import struct
+from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import family_to_string
 from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists
 from sshuttle.methods import BaseMethod
@@ -32,7 +33,7 @@ IPV6_RECVORIGDSTADDR = IPV6_ORIGDSTADDR
 if recvmsg == "python":
     def recv_udp(listener, bufsize):
         debug3('Accept UDP python using recvmsg.\n')
-        data, ancdata, msg_flags, srcip = listener.recvmsg(
+        data, ancdata, _, srcip = listener.recvmsg(
             4096, socket.CMSG_SPACE(24))
         dstip = None
         family = None
@@ -63,7 +64,7 @@ if recvmsg == "python":
 elif recvmsg == "socket_ext":
     def recv_udp(listener, bufsize):
         debug3('Accept UDP using socket_ext recvmsg.\n')
-        srcip, data, adata, flags = listener.recvmsg(
+        srcip, data, adata, _ = listener.recvmsg(
             (bufsize,), socket.CMSG_SPACE(24))
         dstip = None
         family = None
@@ -149,7 +150,8 @@ class Method(BaseMethod):
         if udp_listener.v6 is not None:
             udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVORIGDSTADDR, 1)
 
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
         if family not in [socket.AF_INET, socket.AF_INET6]:
             raise Exception(
                 'Address family "%s" unsupported by tproxy method'
@@ -163,12 +165,16 @@ class Method(BaseMethod):
         def _ipt_ttl(*args):
             return ipt_ttl(family, table, *args)
 
+        def _ipt_proto_ports(proto, fport, lport):
+            return proto + ('--dport', '%d:%d' % (fport, lport)) \
+                    if fport else proto
+
         mark_chain = 'sshuttle-m-%s' % port
         tproxy_chain = 'sshuttle-t-%s' % port
         divert_chain = 'sshuttle-d-%s' % port
 
         # basic cleanup/setup of chains
-        self.restore_firewall(port, family, udp)
+        self.restore_firewall(port, family, udp, user)
 
         _ipt('-N', mark_chain)
         _ipt('-F', mark_chain)
@@ -187,7 +193,7 @@ class Method(BaseMethod):
             _ipt('-A', tproxy_chain, '-m', 'socket', '-j', divert_chain,
                  '-m', 'udp', '-p', 'udp')
 
-        for f, ip in [i for i in nslist if i[0] == family]:
+        for _, ip in [i for i in nslist if i[0] == family]:
             _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
                  '--dest', '%s/32' % ip,
                  '-m', 'udp', '-p', 'udp', '--dport', '53')
@@ -197,44 +203,56 @@ class Method(BaseMethod):
                  '-m', 'udp', '-p', 'udp', '--dport', '53',
                  '--on-port', str(dnsport))
 
-        for f, swidth, sexclude, snet \
-                in sorted(subnets, key=lambda s: s[1], reverse=True):
+        for _, swidth, sexclude, snet, fport, lport \
+                in sorted(subnets, key=subnet_weight, reverse=True):
+            tcp_ports = ('-p', 'tcp')
+            tcp_ports = _ipt_proto_ports(tcp_ports, fport, lport)
+
             if sexclude:
                 _ipt('-A', mark_chain, '-j', 'RETURN',
                      '--dest', '%s/%s' % (snet, swidth),
-                     '-m', 'tcp', '-p', 'tcp')
+                     '-m', 'tcp',
+                     *tcp_ports)
                 _ipt('-A', tproxy_chain, '-j', 'RETURN',
                      '--dest', '%s/%s' % (snet, swidth),
-                     '-m', 'tcp', '-p', 'tcp')
+                     '-m', 'tcp',
+                     *tcp_ports)
             else:
                 _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
                      '--dest', '%s/%s' % (snet, swidth),
-                     '-m', 'tcp', '-p', 'tcp')
+                     '-m', 'tcp',
+                     *tcp_ports)
                 _ipt('-A', tproxy_chain, '-j', 'TPROXY',
                      '--tproxy-mark', '0x1/0x1',
                      '--dest', '%s/%s' % (snet, swidth),
-                     '-m', 'tcp', '-p', 'tcp',
-                     '--on-port', str(port))
+                     '-m', 'tcp',
+                     *(tcp_ports + ('--on-port', str(port))))
 
             if udp:
+                udp_ports = ('-p', 'udp')
+                udp_ports = _ipt_proto_ports(udp_ports, fport, lport)
+
                 if sexclude:
                     _ipt('-A', mark_chain, '-j', 'RETURN',
                          '--dest', '%s/%s' % (snet, swidth),
-                         '-m', 'udp', '-p', 'udp')
+                         '-m', 'udp',
+                         *udp_ports)
                     _ipt('-A', tproxy_chain, '-j', 'RETURN',
                          '--dest', '%s/%s' % (snet, swidth),
-                         '-m', 'udp', '-p', 'udp')
+                         '-m', 'udp',
+                         *udp_ports)
                 else:
                     _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
                          '--dest', '%s/%s' % (snet, swidth),
-                         '-m', 'udp', '-p', 'udp')
+                         '-m', 'udp',
+                         *udp_ports)
                     _ipt('-A', tproxy_chain, '-j', 'TPROXY',
                          '--tproxy-mark', '0x1/0x1',
                          '--dest', '%s/%s' % (snet, swidth),
-                         '-m', 'udp', '-p', 'udp',
-                         '--on-port', str(port))
+                         '-m', 'udp',
+                         *(udp_ports + ('--on-port', str(port))))
 
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
         if family not in [socket.AF_INET, socket.AF_INET6]:
             raise Exception(
                 'Address family "%s" unsupported by tproxy method'

sshuttle/options.py

@@ -1,215 +1,362 @@
-"""Command-line options parser.
-With the help of an options spec string, easily parse command-line options.
-"""
-import sys
-import os
-import textwrap
-import getopt
 import re
-import struct
+import socket
+from argparse import ArgumentParser, Action, ArgumentTypeError as Fatal
+
+from sshuttle import __version__
 
 
-class OptDict:
-
-    def __init__(self):
-        self._opts = {}
-
-    def __setitem__(self, k, v):
-        if k.startswith('no-') or k.startswith('no_'):
-            k = k[3:]
-            v = not v
-        self._opts[k] = v
-
-    def __getitem__(self, k):
-        if k.startswith('no-') or k.startswith('no_'):
-            return not self._opts[k[3:]]
-        return self._opts[k]
-
-    def __getattr__(self, k):
-        return self[k]
-
-
-def _default_onabort(msg):
-    sys.exit(97)
-
-
-def _intify(v):
+# Subnet file, supporting empty lines and hash-started comment lines
+def parse_subnetport_file(s):
     try:
-        vv = int(v or '')
-        if str(vv) == v:
-            return vv
-    except ValueError:
-        pass
-    return v
+        handle = open(s, 'r')
+    except OSError:
+        raise Fatal('Unable to open subnet file: %s' % s)
+
+    raw_config_lines = handle.readlines()
+    subnets = []
+    for _, line in enumerate(raw_config_lines):
+        line = line.strip()
+        if not line:
+            continue
+        if line[0] == '#':
+            continue
+        subnets.append(parse_subnetport(line))
+
+    return subnets
 
 
-def _atoi(v):
+# 1.2.3.4/5:678, 1.2.3.4:567, 1.2.3.4/16 or just 1.2.3.4
+# [1:2::3/64]:456, [1:2::3]:456, 1:2::3/64 or just 1:2::3
+# example.com:123 or just example.com
+def parse_subnetport(s):
+    if s.count(':') > 1:
+        rx = r'(?:\[?([\w\:]+)(?:/(\d+))?]?)(?::(\d+)(?:-(\d+))?)?$'
+    else:
+        rx = r'([\w\.\-]+)(?:/(\d+))?(?::(\d+)(?:-(\d+))?)?$'
+
+    m = re.match(rx, s)
+    if not m:
+        raise Fatal('%r is not a valid address/mask:port format' % s)
+
+    addr, width, fport, lport = m.groups()
     try:
-        return int(v or 0)
-    except ValueError:
-        return 0
+        addrinfo = socket.getaddrinfo(addr, 0, 0, socket.SOCK_STREAM)
+    except socket.gaierror:
+        raise Fatal('Unable to resolve address: %s' % addr)
+
+    family, _, _, _, addr = min(addrinfo)
+    max_width = 32 if family == socket.AF_INET else 128
+    width = int(width or max_width)
+    if not 0 <= width <= max_width:
+        raise Fatal('width %d is not between 0 and %d' % (width, max_width))
+
+    return (family, addr[0], width, int(fport or 0), int(lport or fport or 0))
 
 
-def _remove_negative_kv(k, v):
-    if k.startswith('no-') or k.startswith('no_'):
-        return k[3:], not v
-    return k, v
+# 1.2.3.4:567 or just 1.2.3.4 or just 567
+# [1:2::3]:456 or [1:2::3] or just [::]:567
+# example.com:123 or just example.com
+def parse_ipport(s):
+    s = str(s)
+    if s.isdigit():
+        rx = r'()(\d+)$'
+    elif ']' in s:
+        rx = r'(?:\[([^]]+)])(?::(\d+))?$'
+    else:
+        rx = r'([\w\.\-]+)(?::(\d+))?$'
 
+    m = re.match(rx, s)
+    if not m:
+        raise Fatal('%r is not a valid IP:port format' % s)
 
-def _remove_negative_k(k):
-    return _remove_negative_kv(k, None)[0]
+    ip, port = m.groups()
+    ip = ip or '0.0.0.0'
+    port = int(port or 0)
 
-
-def _tty_width():
-    if not hasattr(sys.stderr, "fileno"):
-        return _atoi(os.environ.get('WIDTH')) or 70
-    s = struct.pack("HHHH", 0, 0, 0, 0)
     try:
-        import fcntl
-        import termios
-        s = fcntl.ioctl(sys.stderr.fileno(), termios.TIOCGWINSZ, s)
-    except (IOError, ImportError):
-        return _atoi(os.environ.get('WIDTH')) or 70
-    (ysize, xsize, ypix, xpix) = struct.unpack('HHHH', s)
-    return xsize or 70
+        addrinfo = socket.getaddrinfo(ip, port, 0, socket.SOCK_STREAM)
+    except socket.gaierror:
+        raise Fatal('%r is not a valid IP:port format' % s)
+
+    family, _, _, _, addr = min(addrinfo)
+    return (family,) + addr[:2]
 
 
-class Options:
+def parse_list(lst):
+    return re.split(r'[\s,]+', lst.strip()) if lst else []
 
-    """Option parser.
-    When constructed, two strings are mandatory. The first one is the command
-    name showed before error messages. The second one is a string called an
-    optspec that specifies the synopsis and option flags and their description.
-    For more information about optspecs, consult the bup-options(1) man page.
 
-    Two optional arguments specify an alternative parsing function and an
-    alternative behaviour on abort (after having output the usage string).
+class Concat(Action):
+    def __init__(self, option_strings, dest, nargs=None, **kwargs):
+        if nargs is not None:
+            raise ValueError("nargs not supported")
+        super(Concat, self).__init__(option_strings, dest, **kwargs)
 
-    By default, the parser function is getopt.gnu_getopt, and the abort
-    behaviour is to exit the program.
+    def __call__(self, parser, namespace, values, option_string=None):
+        curr_value = getattr(namespace, self.dest, None) or []
+        setattr(namespace, self.dest, curr_value + values)
+
+
+parser = ArgumentParser(
+    prog="sshuttle",
+    usage="%(prog)s [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>",
+    fromfile_prefix_chars="@"
+)
+parser.add_argument(
+    "subnets",
+    metavar="IP/MASK[:PORT[-PORT]]...",
+    nargs="*",
+    type=parse_subnetport,
+    help="""
+    capture and forward traffic to these subnets (whitespace separated)
     """
+)
+parser.add_argument(
+    "-l", "--listen",
+    metavar="[IP:]PORT",
+    help="""
+    transproxy to this ip address and port number
+    """
+)
+parser.add_argument(
+    "-H", "--auto-hosts",
+    action="store_true",
+    help="""
+    continuously scan for remote hostnames and update local /etc/hosts as
+    they are found
+    """
+)
+parser.add_argument(
+    "-N", "--auto-nets",
+    action="store_true",
+    help="""
+    automatically determine subnets to route
+    """
+)
+parser.add_argument(
+    "--dns",
+    action="store_true",
+    help="""
+    capture local DNS requests and forward to the remote DNS server
+    """
+)
+parser.add_argument(
+    "--ns-hosts",
+    metavar="IP[,IP]",
+    default=[],
+    type=parse_list,
+    help="""
+    capture and forward DNS requests made to the following servers
+    """
+)
+parser.add_argument(
+    "--to-ns",
+    metavar="IP[:PORT]",
+    type=parse_ipport,
+    help="""
+    the DNS server to forward requests to; defaults to servers in
+    /etc/resolv.conf on remote side if not given.
+    """
+)
 
-    def __init__(self, optspec, optfunc=getopt.gnu_getopt,
-                 onabort=_default_onabort):
-        self.optspec = optspec
-        self._onabort = onabort
-        self.optfunc = optfunc
-        self._aliases = {}
-        self._shortopts = 'h?'
-        self._longopts = ['help']
-        self._hasparms = {}
-        self._defaults = {}
-        self._usagestr = self._gen_usage()
-
-    def _gen_usage(self):
-        out = []
-        lines = self.optspec.strip().split('\n')
-        lines.reverse()
-        first_syn = True
-        while lines:
-            l = lines.pop()
-            if l == '--':
-                break
-            out.append('%s: %s\n' % (first_syn and 'usage' or '   or', l))
-            first_syn = False
-        out.append('\n')
-        last_was_option = False
-        while lines:
-            l = lines.pop()
-            if l.startswith(' '):
-                out.append('%s%s\n' % (last_was_option and '\n' or '',
-                                       l.lstrip()))
-                last_was_option = False
-            elif l:
-                (flags, extra) = l.split(' ', 1)
-                extra = extra.strip()
-                if flags.endswith('='):
-                    flags = flags[:-1]
-                    has_parm = 1
-                else:
-                    has_parm = 0
-                g = re.search(r'\[([^\]]*)\]$', extra)
-                if g:
-                    defval = g.group(1)
-                else:
-                    defval = None
-                flagl = flags.split(',')
-                flagl_nice = []
-                for _f in flagl:
-                    f, dvi = _remove_negative_kv(_f, _intify(defval))
-                    self._aliases[f] = _remove_negative_k(flagl[0])
-                    self._hasparms[f] = has_parm
-                    self._defaults[f] = dvi
-                    if len(f) == 1:
-                        self._shortopts += f + (has_parm and ':' or '')
-                        flagl_nice.append('-' + f)
-                    else:
-                        f_nice = re.sub(r'\W', '_', f)
-                        self._aliases[f_nice] = _remove_negative_k(flagl[0])
-                        self._longopts.append(f + (has_parm and '=' or ''))
-                        self._longopts.append('no-' + f)
-                        flagl_nice.append('--' + _f)
-                flags_nice = ', '.join(flagl_nice)
-                if has_parm:
-                    flags_nice += ' ...'
-                prefix = '    %-20s  ' % flags_nice
-                argtext = '\n'.join(textwrap.wrap(extra, width=_tty_width(),
-                                                  initial_indent=prefix,
-                                                  subsequent_indent=' ' * 28))
-                out.append(argtext + '\n')
-                last_was_option = True
-            else:
-                out.append('\n')
-                last_was_option = False
-        return ''.join(out).rstrip() + '\n'
-
-    def usage(self, msg=""):
-        """Print usage string to stderr and abort."""
-        sys.stderr.write(self._usagestr)
-        e = self._onabort and self._onabort(msg) or None
-        if e:
-            raise e
-
-    def fatal(self, s):
-        """Print an error message to stderr and abort with usage string."""
-        msg = 'error: %s\n' % s
-        sys.stderr.write(msg)
-        return self.usage(msg)
-
-    def parse(self, args):
-        """Parse a list of arguments and return (options, flags, extra).
-
-        In the returned tuple, "options" is an OptDict with known options,
-        "flags" is a list of option flags that were used on the command-line,
-        and "extra" is a list of positional arguments.
-        """
-        try:
-            (flags, extra) = self.optfunc(
-                args, self._shortopts, self._longopts)
-        except getopt.GetoptError as e:
-            self.fatal(e)
-
-        opt = OptDict()
-
-        for k, v in self._defaults.items():
-            k = self._aliases[k]
-            opt[k] = v
-
-        for (k, v) in flags:
-            k = k.lstrip('-')
-            if k in ('h', '?', 'help'):
-                self.usage()
-            if k.startswith('no-'):
-                k = self._aliases[k[3:]]
-                v = 0
-            else:
-                k = self._aliases[k]
-                if not self._hasparms[k]:
-                    assert(v == '')
-                    v = (opt._opts.get(k) or 0) + 1
-                else:
-                    v = _intify(v)
-            opt[k] = v
-        for (f1, f2) in self._aliases.items():
-            opt[f1] = opt._opts.get(f2)
-        return (opt, flags, extra)
+parser.add_argument(
+    "--method",
+    choices=["auto", "nat", "nft", "tproxy", "pf", "ipfw"],
+    metavar="TYPE",
+    default="auto",
+    help="""
+    %(choices)s
+    """
+)
+parser.add_argument(
+    "--python",
+    metavar="PATH",
+    help="""
+    path to python interpreter on the remote server
+    """
+)
+parser.add_argument(
+    "-r", "--remote",
+    metavar="[USERNAME[:PASSWORD]@]ADDR[:PORT]",
+    help="""
+    ssh hostname (and optional username and password) of remote %(prog)s server
+    """
+)
+parser.add_argument(
+    "-x", "--exclude",
+    metavar="IP/MASK[:PORT[-PORT]]",
+    action="append",
+    default=[],
+    type=parse_subnetport,
+    help="""
+    exclude this subnet (can be used more than once)
+    """
+)
+parser.add_argument(
+    "-X", "--exclude-from",
+    metavar="PATH",
+    action=Concat,
+    dest="exclude",
+    type=parse_subnetport_file,
+    help="""
+    exclude the subnets in a file (whitespace separated)
+    """
+)
+parser.add_argument(
+    "-v", "--verbose",
+    action="count",
+    default=0,
+    help="""
+    increase debug message verbosity
+    """
+)
+parser.add_argument(
+    "-V", "--version",
+    action="version",
+    version=__version__,
+    help="""
+    print the %(prog)s version number and exit
+    """
+)
+parser.add_argument(
+    "-e", "--ssh-cmd",
+    metavar="CMD",
+    default="ssh",
+    help="""
+    the command to use to connect to the remote [%(default)s]
+    """
+)
+parser.add_argument(
+    "--seed-hosts",
+    metavar="HOSTNAME[,HOSTNAME]",
+    default=[],
+    help="""
+    comma-separated list of hostnames for initial scan (may be used with
+    or without --auto-hosts)
+    """
+)
+parser.add_argument(
+    "--no-latency-control",
+    action="store_false",
+    dest="latency_control",
+    help="""
+    sacrifice latency to improve bandwidth benchmarks
+    """
+)
+parser.add_argument(
+    "--latency-buffer-size",
+    metavar="SIZE",
+    type=int,
+    default=32768,
+    dest="latency_buffer_size",
+    help="""
+    size of latency control buffer
+    """
+)
+parser.add_argument(
+    "--wrap",
+    metavar="NUM",
+    type=int,
+    help="""
+    restart counting channel numbers after this number (for testing)
+    """
+)
+parser.add_argument(
+    "--disable-ipv6",
+    action="store_true",
+    help="""
+    disable IPv6 support
+    """
+)
+parser.add_argument(
+    "-D", "--daemon",
+    action="store_true",
+    help="""
+    run in the background as a daemon
+    """
+)
+parser.add_argument(
+    "-s", "--subnets",
+    metavar="PATH",
+    action=Concat,
+    dest="subnets_file",
+    default=[],
+    type=parse_subnetport_file,
+    help="""
+    file where the subnets are stored, instead of on the command line
+    """
+)
+parser.add_argument(
+    "--syslog",
+    action="store_true",
+    help="""
+    send log messages to syslog (default if you use --daemon)
+    """
+)
+parser.add_argument(
+    "--pidfile",
+    metavar="PATH",
+    default="./sshuttle.pid",
+    help="""
+    pidfile name (only if using --daemon) [%(default)s]
+    """
+)
+parser.add_argument(
+    "--user",
+    help="""
+    apply all the rules only to this linux user
+    """
+)
+parser.add_argument(
+    "--firewall",
+    action="store_true",
+    help="""
+    (internal use only)
+    """
+)
+parser.add_argument(
+    "--hostwatch",
+    action="store_true",
+    help="""
+    (internal use only)
+    """
+)
+parser.add_argument(
+    "--sudoers",
+    action="store_true",
+    help="""
+    Add sshuttle to the sudoers for this user
+    """
+)
+parser.add_argument(
+    "--sudoers-no-modify",
+    action="store_true",
+    help="""
+    Prints the sudoers config to STDOUT and DOES NOT modify anything.
+    """
+)
+parser.add_argument(
+    "--sudoers-user",
+    default="",
+    help="""
+    Set the user name or group with %%group_name for passwordless operation.
+    Default is the current user.set ALL for all users. Only works with
+    --sudoers or --sudoers-no-modify option.
+    """
+)
+parser.add_argument(
+    "--sudoers-filename",
+    default="sshuttle_auto",
+    help="""
+    Set the file name for the sudoers.d file to be added. Default is
+    "sshuttle_auto". Only works with --sudoers or --sudoers-no-modify option.
+    """
+)
+parser.add_argument(
+    "--no-sudo-pythonpath",
+    action="store_false",
+    dest="sudo_pythonpath",
+    help="""
+    do not set PYTHONPATH when invoking sudo
+    """
+)

sshuttle/sdnotify.py

@@ -0,0 +1,46 @@
+import socket
+import os
+
+from sshuttle.helpers import debug1
+
+
+def _notify(message):
+    addr = os.environ.get("NOTIFY_SOCKET", None)
+
+    if not addr or len(addr) == 1 or addr[0] not in ('/', '@'):
+        return False
+
+    addr = '\0' + addr[1:] if addr[0] == '@' else addr
+
+    try:
+        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
+    except (OSError, IOError) as e:
+        debug1("Error creating socket to notify systemd: %s\n" % e)
+        return False
+
+    if not message:
+        return False
+
+    assert isinstance(message, bytes)
+
+    try:
+        return (sock.sendto(message, addr) > 0)
+    except (OSError, IOError) as e:
+        debug1("Error notifying systemd: %s\n" % e)
+        return False
+
+
+def send(*messages):
+    return _notify(b'\n'.join(messages))
+
+
+def ready():
+    return b"READY=1"
+
+
+def stop():
+    return b"STOPPING=1"
+
+
+def status(message):
+    return b"STATUS=%s" % message.encode('utf8')

sshuttle/server.py

@@ -6,38 +6,41 @@ import time
 import sys
 import os
 import platform
+from shutil import which
 
 import sshuttle.ssnet as ssnet
 import sshuttle.helpers as helpers
 import sshuttle.hostwatch as hostwatch
 import subprocess as ssubprocess
 from sshuttle.ssnet import Handler, Proxy, Mux, MuxWrapper
-from sshuttle.helpers import log, debug1, debug2, debug3, Fatal, \
+from sshuttle.helpers import b, log, debug1, debug2, debug3, Fatal, \
     resolvconf_random_nameserver
 
 
 def _ipmatch(ipstr):
-    if ipstr == b'default':
-        ipstr = b'0.0.0.0/0'
-    m = re.match(b'^(\d+(\.\d+(\.\d+(\.\d+)?)?)?)(?:/(\d+))?$', ipstr)
+    # FIXME: IPv4 only
+    if ipstr == 'default':
+        ipstr = '0.0.0.0/0'
+    m = re.match(r'^(\d+(\.\d+(\.\d+(\.\d+)?)?)?)(?:/(\d+))?$', ipstr)
     if m:
         g = m.groups()
         ips = g[0]
         width = int(g[4] or 32)
         if g[1] is None:
-            ips += b'.0.0.0'
+            ips += '.0.0.0'
             width = min(width, 8)
         elif g[2] is None:
-            ips += b'.0.0'
+            ips += '.0.0'
             width = min(width, 16)
         elif g[3] is None:
-            ips += b'.0'
+            ips += '.0'
             width = min(width, 24)
-        ips = ips.decode("ASCII")
+        ips = ips
         return (struct.unpack('!I', socket.inet_aton(ips))[0], width)
 
 
 def _ipstr(ip, width):
+    # FIXME: IPv4 only
     if width >= 32:
         return ip
     else:
@@ -45,6 +48,7 @@ def _ipstr(ip, width):
 
 
 def _maskbits(netmask):
+    # FIXME: IPv4 only
     if not netmask:
         return 32
     for i in range(32):
@@ -57,18 +61,39 @@ def _shl(n, bits):
     return n * int(2 ** bits)
 
 
-def _list_routes():
+def _route_netstat(line):
+    cols = line.split(None)
+    if len(cols) < 3:
+        return None, None
+    ipw = _ipmatch(cols[0])
+    maskw = _ipmatch(cols[2])  # linux only
+    mask = _maskbits(maskw)   # returns 32 if maskw is null
+    return ipw, mask
+
+
+def _route_iproute(line):
+    ipm = line.split(None, 1)[0]
+    if '/' not in ipm:
+        return None, None
+    ip, mask = ipm.split('/')
+    ipw = _ipmatch(ip)
+    return ipw, int(mask)
+
+
+def _list_routes(argv, extract_route):
     # FIXME: IPv4 only
-    argv = ['netstat', '-rn']
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE)
+    env = {
+        'PATH': os.environ['PATH'],
+        'LC_ALL': "C",
+    }
+    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
     routes = []
     for line in p.stdout:
-        cols = re.split(b'\s+', line)
-        ipw = _ipmatch(cols[0])
+        if not line.strip():
+            continue
+        ipw, mask = extract_route(line.decode("ASCII"))
         if not ipw:
-            continue  # some lines won't be parseable; never mind
-        maskw = _ipmatch(cols[2])  # linux only
-        mask = _maskbits(maskw)   # returns 32 if maskw is null
+            continue
         width = min(ipw[1], mask)
         ip = ipw[0] & _shl(_shl(1, width) - 1, 32 - width)
         routes.append(
@@ -77,11 +102,20 @@ def _list_routes():
     if rv != 0:
         log('WARNING: %r returned %d\n' % (argv, rv))
         log('WARNING: That prevents --auto-nets from working.\n')
+
     return routes
 
 
 def list_routes():
-    for (family, ip, width) in _list_routes():
+    if which('ip'):
+        routes = _list_routes(['ip', 'route'], _route_iproute)
+    elif which('netstat'):
+        routes = _list_routes(['netstat', '-rn'], _route_netstat)
+    else:
+        log('WARNING: Neither ip nor netstat were found on the server.\n')
+        routes = []
+
+    for (family, ip, width) in routes:
         if not ip.startswith('0.') and not ip.startswith('127.'):
             yield (family, ip, width)
 
@@ -91,7 +125,7 @@ def _exc_dump():
     return ''.join(traceback.format_exception(*exc_info))
 
 
-def start_hostwatch(seed_hosts):
+def start_hostwatch(seed_hosts, auto_hosts):
     s1, s2 = socket.socketpair()
     pid = os.fork()
     if not pid:
@@ -103,7 +137,7 @@ def start_hostwatch(seed_hosts):
                 os.dup2(s1.fileno(), 1)
                 os.dup2(s1.fileno(), 0)
                 s1.close()
-                rv = hostwatch.hw_main(seed_hosts) or 0
+                rv = hostwatch.hw_main(seed_hosts, auto_hosts) or 0
             except Exception:
                 log('%s\n' % _exc_dump())
                 rv = 98
@@ -122,7 +156,7 @@ class Hostwatch:
 
 class DnsProxy(Handler):
 
-    def __init__(self, mux, chan, request):
+    def __init__(self, mux, chan, request, to_nameserver):
         Handler.__init__(self, [])
         self.timeout = time.time() + 30
         self.mux = mux
@@ -130,26 +164,48 @@ class DnsProxy(Handler):
         self.tries = 0
         self.request = request
         self.peers = {}
+        self.to_ns_peer = None
+        self.to_ns_port = None
+        if to_nameserver is None:
+            self.to_nameserver = None
+        else:
+            self.to_ns_peer, self.to_ns_port = to_nameserver.split("@")
+            self.to_nameserver = self._addrinfo(self.to_ns_peer,
+                                                self.to_ns_port)
         self.try_send()
 
+    @staticmethod
+    def _addrinfo(peer, port):
+        if int(port) == 0:
+            port = 53
+        family, _, _, _, sockaddr = socket.getaddrinfo(peer, port)[0]
+        return (family, sockaddr)
+
     def try_send(self):
         if self.tries >= 3:
             return
         self.tries += 1
 
-        family, peer = resolvconf_random_nameserver()
+        if self.to_nameserver is None:
+            _, peer = resolvconf_random_nameserver()
+            port = 53
+        else:
+            peer = self.to_ns_peer
+            port = int(self.to_ns_port)
 
+        family, sockaddr = self._addrinfo(peer, port)
         sock = socket.socket(family, socket.SOCK_DGRAM)
         sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
-        sock.connect((peer, 53))
+        sock.connect(sockaddr)
 
         self.peers[sock] = peer
 
-        debug2('DNS: sending to %r (try %d)\n' % (peer, self.tries))
+        debug2('DNS: sending to %r:%d (try %d)\n' % (peer, port, self.tries))
         try:
             sock.send(self.request)
             self.socks.append(sock)
-        except socket.error as e:
+        except socket.error:
+            _, e = sys.exc_info()[:2]
             if e.args[0] in ssnet.NET_ERRS:
                 # might have been spurious; try again.
                 # Note: these errors sometimes are reported by recv(),
@@ -166,7 +222,8 @@ class DnsProxy(Handler):
 
         try:
             data = sock.recv(4096)
-        except socket.error as e:
+        except socket.error:
+            _, e = sys.exc_info()[:2]
             self.socks.remove(sock)
             del self.peers[sock]
 
@@ -201,22 +258,24 @@ class UdpProxy(Handler):
         debug2('UDP: sending to %r port %d\n' % dstip)
         try:
             self.sock.sendto(data, dstip)
-        except socket.error as e:
+        except socket.error:
+            _, e = sys.exc_info()[:2]
             log('UDP send to %r port %d: %s\n' % (dstip[0], dstip[1], e))
             return
 
     def callback(self, sock):
         try:
             data, peer = sock.recvfrom(4096)
-        except socket.error as e:
+        except socket.error:
+            _, e = sys.exc_info()[:2]
             log('UDP recv from %r port %d: %s\n' % (peer[0], peer[1], e))
             return
         debug2('UDP response: %d bytes\n' % len(data))
-        hdr = "%s,%r," % (peer[0], peer[1])
+        hdr = b("%s,%r," % (peer[0], peer[1]))
         self.mux.send(self.chan, ssnet.CMD_UDP_DATA, hdr + data)
 
 
-def main(latency_control):
+def main(latency_control, auto_hosts, to_nameserver, auto_nets):
     debug1('Starting server with Python version %s\n'
            % platform.python_version())
 
@@ -226,54 +285,63 @@ def main(latency_control):
         helpers.logprefix = 'server: '
     debug1('latency control setting = %r\n' % latency_control)
 
-    routes = list(list_routes())
-    debug1('available routes:\n')
-    for r in routes:
-        debug1('  %d/%s/%d\n' % r)
-
     # synchronization header
     sys.stdout.write('\0\0SSHUTTLE0001')
     sys.stdout.flush()
 
     handlers = []
-    mux = Mux(socket.fromfd(sys.stdin.fileno(),
-                            socket.AF_INET, socket.SOCK_STREAM),
-              socket.fromfd(sys.stdout.fileno(),
-                            socket.AF_INET, socket.SOCK_STREAM))
+    mux = Mux(sys.stdin, sys.stdout)
     handlers.append(mux)
-    routepkt = b''
+
+    debug1('auto-nets:' + str(auto_nets) + '\n')
+    if auto_nets:
+        routes = list(list_routes())
+        debug1('available routes:\n')
+        for r in routes:
+            debug1('  %d/%s/%d\n' % r)
+    else:
+        routes = []
+
+    routepkt = ''
     for r in routes:
-        routepkt += b'%d,%s,%d\n' % (r[0], r[1].encode("ASCII"), r[2])
-    mux.send(0, ssnet.CMD_ROUTES, routepkt)
+        routepkt += '%d,%s,%d\n' % r
+    mux.send(0, ssnet.CMD_ROUTES, b(routepkt))
 
     hw = Hostwatch()
-    hw.leftover = b''
+    hw.leftover = b('')
 
     def hostwatch_ready(sock):
         assert(hw.pid)
         content = hw.sock.recv(4096)
         if content:
-            lines = (hw.leftover + content).split(b'\n')
+            lines = (hw.leftover + content).split(b('\n'))
             if lines[-1]:
                 # no terminating newline: entry isn't complete yet!
                 hw.leftover = lines.pop()
-                lines.append(b'')
+                lines.append(b(''))
             else:
-                hw.leftover = b''
-            mux.send(0, ssnet.CMD_HOST_LIST, b'\n'.join(lines))
+                hw.leftover = b('')
+            mux.send(0, ssnet.CMD_HOST_LIST, b('\n').join(lines))
         else:
             raise Fatal('hostwatch process died')
 
     def got_host_req(data):
         if not hw.pid:
-            (hw.pid, hw.sock) = start_hostwatch(data.strip().split())
+            (hw.pid, hw.sock) = start_hostwatch(
+                    data.decode("ASCII").strip().split(), auto_hosts)
             handlers.append(Handler(socks=[hw.sock],
                                     callback=hostwatch_ready))
     mux.got_host_req = got_host_req
 
     def new_channel(channel, data):
-        (family, dstip, dstport) = data.split(b',', 2)
+        (family, dstip, dstport) = data.decode("ASCII").split(',', 2)
         family = int(family)
+        # AF_INET is the same constant on Linux and BSD but AF_INET6
+        # is different. As the client and server can be running on
+        # different platforms we can not just set the socket family
+        # to what comes in the wire.
+        if family != socket.AF_INET:
+            family = socket.AF_INET6
         dstport = int(dstport)
         outwrap = ssnet.connect_dst(family, dstip, dstport)
         handlers.append(Proxy(MuxWrapper(mux, channel), outwrap))
@@ -283,7 +351,7 @@ def main(latency_control):
 
     def dns_req(channel, data):
         debug2('Incoming DNS request channel=%d.\n' % channel)
-        h = DnsProxy(mux, channel, data)
+        h = DnsProxy(mux, channel, data, to_nameserver)
         handlers.append(h)
         dnshandlers[channel] = h
     mux.got_dns_req = dns_req
@@ -293,7 +361,7 @@ def main(latency_control):
     def udp_req(channel, cmd, data):
         debug2('Incoming UDP request channel=%d, cmd=%d\n' % (channel, cmd))
         if cmd == ssnet.CMD_UDP_DATA:
-            (dstip, dstport, data) = data.split(",", 2)
+            (dstip, dstport, data) = data.split(b(','), 2)
             dstport = int(dstport)
             debug2('is incoming UDP data. %r %d.\n' % (dstip, dstport))
             h = udphandlers[channel]

sshuttle/ssh.py

@@ -3,81 +3,94 @@ import os
 import re
 import socket
 import zlib
-import imp
+import importlib
+import importlib.util
 import subprocess as ssubprocess
+import shlex
+from shlex import quote
+import ipaddress
+from urllib.parse import urlparse
+
 import sshuttle.helpers as helpers
 from sshuttle.helpers import debug2
 
 
-def readfile(name):
-    tokens = name.split(".")
-    f = None
-
-    token = tokens[0]
-    token_name = [token]
-    token_str = ".".join(token_name)
-
-    try:
-        f, pathname, description = imp.find_module(token_str)
-
-        for token in tokens[1:]:
-            module = imp.load_module(token_str, f, pathname, description)
-            if f is not None:
-                f.close()
-
-            token_name.append(token)
-            token_str = ".".join(token_name)
-
-            f, pathname, description = imp.find_module(
-                token, module.__path__)
-
-        if f is not None:
-            contents = f.read()
-        else:
-            contents = ""
-
-    finally:
-        if f is not None:
-            f.close()
-
-    return contents.encode("UTF8")
+def get_module_source(name):
+    spec = importlib.util.find_spec(name)
+    with open(spec.origin, "rt") as f:
+        return f.read().encode("utf-8")
 
 
 def empackage(z, name, data=None):
     if not data:
-        data = readfile(name)
+        data = get_module_source(name)
     content = z.compress(data)
     content += z.flush(zlib.Z_SYNC_FLUSH)
 
     return b'%s\n%d\n%s' % (name.encode("ASCII"), len(content), content)
 
 
+def parse_hostport(rhostport):
+    """
+    parses the given rhostport variable, looking like this:
+
+            [username[:password]@]host[:port]
+
+    if only host is given, can be a hostname, IPv4/v6 address or a ssh alias
+    from ~/.ssh/config
+
+    and returns a tuple (username, password, port, host)
+    """
+    # leave use of default port to ssh command to prevent overwriting
+    # ports configured in ~/.ssh/config when no port is given
+    port = None
+    username = None
+    password = None
+    host = rhostport
+
+    if "@" in host:
+        # split username (and possible password) from the host[:port]
+        username, host = host.rsplit("@", 1)
+        # Fix #410 bad username error detect
+        if ":" in username:
+            # this will even allow for the username to be empty
+            username, password = username.split(":")
+
+    if ":" in host:
+        # IPv6 address and/or got a port specified
+
+        # If it is an IPv6 adress with port specification,
+        # then it will look like: [::1]:22
+
+        try:
+            # try to parse host as an IP adress,
+            # if that works it is an IPv6 address
+            host = ipaddress.ip_address(host)
+        except ValueError:
+            # if that fails parse as URL to get the port
+            parsed = urlparse('//{}'.format(host))
+            try:
+                host = ipaddress.ip_address(parsed.hostname)
+            except ValueError:
+                # else if both fails, we have a hostname with port
+                host = parsed.hostname
+            port = parsed.port
+
+    if password is None or len(password) == 0:
+        password = None
+
+    return username, password, port, host
+
+
 def connect(ssh_cmd, rhostport, python, stderr, options):
-    portl = []
-
-    if (rhostport or '').count(':') > 1:
-        if rhostport.count(']') or rhostport.count('['):
-            result = rhostport.split(']')
-            rhost = result[0].strip('[')
-            if len(result) > 1:
-                result[1] = result[1].strip(':')
-                if result[1] is not '':
-                    portl = ['-p', str(int(result[1]))]
-        # can't disambiguate IPv6 colons and a port number. pass the hostname
-        # through.
-        else:
-            rhost = rhostport
-    else:  # IPv4
-        l = (rhostport or '').split(':', 1)
-        rhost = l[0]
-        if len(l) > 1:
-            portl = ['-p', str(int(l[1]))]
-
-    if rhost == '-':
-        rhost = None
+    username, password, port, host = parse_hostport(rhostport)
+    if username:
+        rhost = "{}@{}".format(username, host)
+    else:
+        rhost = host
 
     z = zlib.compressobj(1)
-    content = readfile('sshuttle.assembler')
+    content = get_module_source('sshuttle.assembler')
     optdata = ''.join("%s=%r\n" % (k, v) for (k, v) in list(options.items()))
     optdata = optdata.encode("UTF8")
     content2 = (empackage(z, 'sshuttle') +
@@ -89,30 +102,43 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
                 b"\n")
 
     pyscript = r"""
-                import sys;
+                import sys, os;
                 verbosity=%d;
-                stdin=getattr(sys.stdin,"buffer",sys.stdin);
-                exec(compile(stdin.read(%d), "assembler.py", "exec"))
+                sys.stdin = os.fdopen(0, "rb");
+                exec(compile(sys.stdin.read(%d), "assembler.py", "exec"))
                 """ % (helpers.verbose or 0, len(content))
     pyscript = re.sub(r'\s+', ' ', pyscript.strip())
 
     if not rhost:
         # ignore the --python argument when running locally; we already know
         # which python version works.
-        argv = [sys.argv[1], '-c', pyscript]
+        argv = [sys.executable, '-c', pyscript]
     else:
         if ssh_cmd:
-            sshl = ssh_cmd.split(' ')
+            sshl = shlex.split(ssh_cmd)
         else:
             sshl = ['ssh']
+        if port is not None:
+            portl = ["-p", str(port)]
+        else:
+            portl = []
         if python:
             pycmd = "'%s' -c '%s'" % (python, pyscript)
         else:
-            pycmd = ("P=python3.5; $P -V 2>/dev/null || P=python; "
-                     "exec \"$P\" -c '%s'") % pyscript
-        argv = (sshl +
-                portl +
-                [rhost, '--', pycmd])
+            pycmd = ("P=python3; $P -V 2>%s || P=python; "
+                     "exec \"$P\" -c %s") % (os.devnull, quote(pyscript))
+            pycmd = ("/bin/sh -c {}".format(quote(pycmd)))
+
+        if password is not None:
+            os.environ['SSHPASS'] = str(password)
+            argv = (["sshpass", "-e"] + sshl +
+                    portl +
+                    [rhost, '--', pycmd])
+
+        else:
+            argv = (sshl +
+                    portl +
+                    [rhost, '--', pycmd])
     (s1, s2) = socket.socketpair()
 
     def setup():

sshuttle/ssnet.py

@@ -1,21 +1,21 @@
+import sys
 import struct
 import socket
 import errno
 import select
 import os
-from sshuttle.helpers import log, debug1, debug2, debug3, Fatal
+
+from sshuttle.helpers import b, log, debug1, debug2, debug3, Fatal
 
 MAX_CHANNEL = 65535
+LATENCY_BUFFER_SIZE = 32768
 
-# these don't exist in the socket module in python 2.3!
 SHUT_RD = 0
 SHUT_WR = 1
 SHUT_RDWR = 2
 
-
 HDR_LEN = 8
 
-
 CMD_EXIT = 0x4200
 CMD_PING = 0x4201
 CMD_PONG = 0x4202
@@ -53,17 +53,19 @@ cmd_to_name = {
 
 NET_ERRS = [errno.ECONNREFUSED, errno.ETIMEDOUT,
             errno.EHOSTUNREACH, errno.ENETUNREACH,
-            errno.EHOSTDOWN, errno.ENETDOWN]
+            errno.EHOSTDOWN, errno.ENETDOWN,
+            errno.ENETUNREACH, errno.ECONNABORTED,
+            errno.ECONNRESET]
 
 
-def _add(l, elem):
-    if elem not in l:
-        l.append(elem)
+def _add(socks, elem):
+    if elem not in socks:
+        socks.append(elem)
 
 
-def _fds(l):
+def _fds(socks):
     out = []
-    for i in l:
+    for i in socks:
         try:
             out.append(i.fileno())
         except AttributeError:
@@ -75,7 +77,8 @@ def _fds(l):
 def _nb_clean(func, *args):
     try:
         return func(*args)
-    except OSError as e:
+    except OSError:
+        _, e = sys.exc_info()[:2]
         if e.errno not in (errno.EWOULDBLOCK, errno.EAGAIN):
             raise
         else:
@@ -88,9 +91,14 @@ def _try_peername(sock):
         pn = sock.getpeername()
         if pn:
             return '%s:%s' % (pn[0], pn[1])
-    except socket.error as e:
-        if e.args[0] not in (errno.ENOTCONN, errno.ENOTSOCK):
+    except socket.error:
+        _, e = sys.exc_info()[:2]
+        if e.args[0] == errno.EINVAL:
+            pass
+        elif e.args[0] not in (errno.ENOTCONN, errno.ENOTSOCK):
             raise
+    except AttributeError:
+        pass
     return 'unknown'
 
 
@@ -144,7 +152,8 @@ class SockWrapper:
             self.rsock.connect(self.connect_to)
             # connected successfully (Linux)
             self.connect_to = None
-        except socket.error as e:
+        except socket.error:
+            _, e = sys.exc_info()[:2]
             debug3('%r: connect result: %s\n' % (self, e))
             if e.args[0] == errno.EINVAL:
                 # this is what happens when you call connect() on a socket
@@ -191,10 +200,12 @@ class SockWrapper:
             self.shut_write = True
             try:
                 self.wsock.shutdown(SHUT_WR)
-            except socket.error as e:
+            except socket.error:
+                _, e = sys.exc_info()[:2]
                 self.seterr('nowrite: %s' % e)
 
-    def too_full(self):
+    @staticmethod
+    def too_full():
         return False  # fullness is determined by the socket's select() state
 
     def uwrite(self, buf):
@@ -203,7 +214,8 @@ class SockWrapper:
         self.wsock.setblocking(False)
         try:
             return _nb_clean(os.write, self.wsock.fileno(), buf)
-        except OSError as e:
+        except OSError:
+            _, e = sys.exc_info()[:2]
             if e.errno == errno.EPIPE:
                 debug1('%r: uwrite: got EPIPE\n' % self)
                 self.nowrite()
@@ -225,9 +237,10 @@ class SockWrapper:
         self.rsock.setblocking(False)
         try:
             return _nb_clean(os.read, self.rsock.fileno(), 65536)
-        except OSError as e:
+        except OSError:
+            _, e = sys.exc_info()[:2]
             self.seterr('uread: %s' % e)
-            return b''  # unexpected error... we'll call it EOF
+            return b('')  # unexpected error... we'll call it EOF
 
     def fill(self):
         if self.buf:
@@ -235,7 +248,7 @@ class SockWrapper:
         rb = self.uread()
         if rb:
             self.buf.append(rb)
-        if rb == b'':  # empty string means EOF; None means temporarily empty
+        if rb == b(''):  # empty string means EOF; None means temporarily empty
             self.noread()
 
     def copy_to(self, outwrap):
@@ -262,7 +275,7 @@ class Handler:
 
     def callback(self, sock):
         log('--no callback defined-- %r\n' % self)
-        (r, w, x) = select.select(self.socks, [], [], 0)
+        (r, _, _) = select.select(self.socks, [], [], 0)
         for s in r:
             v = s.recv(4096)
             if not v:
@@ -323,25 +336,25 @@ class Proxy(Handler):
 
 class Mux(Handler):
 
-    def __init__(self, rsock, wsock):
-        Handler.__init__(self, [rsock, wsock])
-        self.rsock = rsock
-        self.wsock = wsock
+    def __init__(self, rfile, wfile):
+        Handler.__init__(self, [rfile, wfile])
+        self.rfile = rfile
+        self.wfile = wfile
         self.new_channel = self.got_dns_req = self.got_routes = None
         self.got_udp_open = self.got_udp_data = self.got_udp_close = None
         self.got_host_req = self.got_host_list = None
         self.channels = {}
         self.chani = 0
         self.want = 0
-        self.inbuf = b''
+        self.inbuf = b('')
         self.outbuf = []
         self.fullness = 0
         self.too_full = False
-        self.send(0, CMD_PING, b'chicken')
+        self.send(0, CMD_PING, b('chicken'))
 
     def next_channel(self):
         # channel 0 is special, so we never allocate it
-        for timeout in range(1024):
+        for _ in range(1024):
             self.chani += 1
             if self.chani > MAX_CHANNEL:
                 self.chani = 1
@@ -350,14 +363,14 @@ class Mux(Handler):
 
     def amount_queued(self):
         total = 0
-        for b in self.outbuf:
-            total += len(b)
+        for byte in self.outbuf:
+            total += len(byte)
         return total
 
     def check_fullness(self):
-        if self.fullness > 32768:
+        if self.fullness > LATENCY_BUFFER_SIZE:
             if not self.too_full:
-                self.send(0, CMD_PING, b'rttest')
+                self.send(0, CMD_PING, b('rttest'))
             self.too_full = True
         # ob = []
         # for b in self.outbuf:
@@ -368,7 +381,8 @@ class Mux(Handler):
     def send(self, channel, cmd, data):
         assert isinstance(data, bytes)
         assert len(data) <= 65535
-        p = struct.pack('!ccHHH', b'S', b'S', channel, cmd, len(data)) + data
+        p = struct.pack('!ccHHH', b('S'), b('S'), channel, cmd, len(data)) \
+            + data
         self.outbuf.append(p)
         debug2(' > channel=%d cmd=%s len=%d (fullness=%d)\n'
                % (channel, cmd_to_name.get(cmd, hex(cmd)),
@@ -422,9 +436,9 @@ class Mux(Handler):
                 callback(cmd, data)
 
     def flush(self):
-        self.wsock.setblocking(False)
+        os.set_blocking(self.wfile.fileno(), False)
         if self.outbuf and self.outbuf[0]:
-            wrote = _nb_clean(os.write, self.wsock.fileno(), self.outbuf[0])
+            wrote = _nb_clean(os.write, self.wfile.fileno(), self.outbuf[0])
             debug2('mux wrote: %r/%d\n' % (wrote, len(self.outbuf[0])))
             if wrote:
                 self.outbuf[0] = self.outbuf[0][wrote:]
@@ -432,16 +446,17 @@ class Mux(Handler):
             self.outbuf[0:1] = []
 
     def fill(self):
-        self.rsock.setblocking(False)
+        os.set_blocking(self.rfile.fileno(), False)
         try:
-            b = _nb_clean(os.read, self.rsock.fileno(), 32768)
-        except OSError as e:
+            read = _nb_clean(os.read, self.rfile.fileno(), LATENCY_BUFFER_SIZE)
+        except OSError:
+            _, e = sys.exc_info()[:2]
             raise Fatal('other end: %r' % e)
         # log('<<< %r\n' % b)
-        if b == b'':  # EOF
+        if read == b(''):  # EOF
             self.ok = False
-        if b:
-            self.inbuf += b
+        if read:
+            self.inbuf += read
 
     def handle(self):
         self.fill()
@@ -451,8 +466,8 @@ class Mux(Handler):
             if len(self.inbuf) >= (self.want or HDR_LEN):
                 (s1, s2, channel, cmd, datalen) = \
                     struct.unpack('!ccHHH', self.inbuf[:HDR_LEN])
-                assert(s1 == b'S')
-                assert(s2 == b'S')
+                assert(s1 == b('S'))
+                assert(s2 == b('S'))
                 self.want = datalen + HDR_LEN
             if self.want and len(self.inbuf) >= self.want:
                 data = self.inbuf[HDR_LEN:self.want]
@@ -463,22 +478,22 @@ class Mux(Handler):
                 break
 
     def pre_select(self, r, w, x):
-        _add(r, self.rsock)
+        _add(r, self.rfile)
         if self.outbuf:
-            _add(w, self.wsock)
+            _add(w, self.wfile)
 
     def callback(self, sock):
-        (r, w, x) = select.select([self.rsock], [self.wsock], [], 0)
-        if self.rsock in r:
+        (r, w, _) = select.select([self.rfile], [self.wfile], [], 0)
+        if self.rfile in r:
             self.handle()
-        if self.outbuf and self.wsock in w:
+        if self.outbuf and self.wfile in w:
             self.flush()
 
 
 class MuxWrapper(SockWrapper):
 
     def __init__(self, mux, channel):
-        SockWrapper.__init__(self, mux.rsock, mux.wsock)
+        SockWrapper.__init__(self, mux.rfile, mux.wfile)
         self.mux = mux
         self.channel = channel
         self.mux.channels[channel] = self.got_packet
@@ -493,17 +508,25 @@ class MuxWrapper(SockWrapper):
         return 'SW%r:Mux#%d' % (self.peername, self.channel)
 
     def noread(self):
+        if not self.shut_read:
+            self.mux.send(self.channel, CMD_TCP_STOP_SENDING, b(''))
+            self.setnoread()
+
+    def setnoread(self):
         if not self.shut_read:
             debug2('%r: done reading\n' % self)
             self.shut_read = True
-            self.mux.send(self.channel, CMD_TCP_STOP_SENDING, b'')
             self.maybe_close()
 
     def nowrite(self):
+        if not self.shut_write:
+            self.mux.send(self.channel, CMD_TCP_EOF, b(''))
+            self.setnowrite()
+
+    def setnowrite(self):
         if not self.shut_write:
             debug2('%r: done writing\n' % self)
             self.shut_write = True
-            self.mux.send(self.channel, CMD_TCP_EOF, b'')
             self.maybe_close()
 
     def maybe_close(self):
@@ -526,15 +549,17 @@ class MuxWrapper(SockWrapper):
 
     def uread(self):
         if self.shut_read:
-            return b''  # EOF
+            return b('')  # EOF
         else:
             return None  # no data available right now
 
     def got_packet(self, cmd, data):
         if cmd == CMD_TCP_EOF:
-            self.noread()
+            # Remote side already knows the status - set flag but don't notify
+            self.setnoread()
         elif cmd == CMD_TCP_STOP_SENDING:
-            self.nowrite()
+            # Remote side already knows the status - set flag but don't notify
+            self.setnowrite()
         elif cmd == CMD_TCP_DATA:
             self.buf.append(data)
         else:
@@ -548,7 +573,7 @@ def connect_dst(family, ip, port):
     outsock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
     return SockWrapper(outsock, outsock,
                        connect_to=(ip, port),
-                       peername = '%s:%d' % (ip, port))
+                       peername='%s:%d' % (ip, port))
 
 
 def runonce(handlers, mux):

sshuttle/ssyslog.py

@@ -8,12 +8,24 @@ _p = None
 
 def start_syslog():
     global _p
-    _p = ssubprocess.Popen(['logger',
-                            '-p', 'daemon.notice',
-                            '-t', 'sshuttle'], stdin=ssubprocess.PIPE)
+    with open(os.devnull, 'w') as devnull:
+        _p = ssubprocess.Popen(
+            ['logger', '-p', 'daemon.notice', '-t', 'sshuttle'],
+            stdin=ssubprocess.PIPE,
+            stdout=devnull,
+            stderr=devnull
+        )
+
+
+def close_stdin():
+    sys.stdin.close()
+
+
+def stdout_to_syslog():
+    sys.stdout.flush()
+    os.dup2(_p.stdin.fileno(), sys.stdout.fileno())
 
 
 def stderr_to_syslog():
-    sys.stdout.flush()
     sys.stderr.flush()
-    os.dup2(_p.stdin.fileno(), 2)
+    os.dup2(_p.stdin.fileno(), sys.stderr.fileno())

sshuttle/sudoers.py

@@ -0,0 +1,64 @@
+import os
+import sys
+import getpass
+from uuid import uuid4
+from subprocess import Popen, PIPE
+from sshuttle.helpers import log, debug1
+from distutils import spawn
+
+path_to_sshuttle = sys.argv[0]
+path_to_dist_packages = os.path.dirname(os.path.abspath(__file__))[:-9]
+
+# randomize command alias to avoid collisions
+command_alias = 'SSHUTTLE%(num)s' % {'num': uuid4().hex[-3:].upper()}
+
+# Template for the sudoers file
+template = '''
+Cmnd_Alias %(ca)s = /usr/bin/env PYTHONPATH=%(dist_packages)s %(py)s %(path)s *
+
+%(user_name)s ALL=NOPASSWD: %(ca)s
+'''
+
+
+def build_config(user_name):
+    content = template % {
+        'ca': command_alias,
+        'dist_packages': path_to_dist_packages,
+        'py': sys.executable,
+        'path': path_to_sshuttle,
+        'user_name': user_name,
+    }
+
+    return content
+
+
+def save_config(content, file_name):
+    process = Popen([
+        '/usr/bin/sudo',
+        spawn.find_executable('sudoers-add'),
+        file_name,
+    ], stdout=PIPE, stdin=PIPE)
+
+    process.stdin.write(content.encode())
+
+    streamdata = process.communicate()[0]
+    returncode = process.returncode
+
+    if returncode:
+        log('Failed updating sudoers file.\n')
+        debug1(streamdata)
+        exit(returncode)
+    else:
+        log('Success, sudoers file update.\n')
+        exit(0)
+
+
+def sudoers(user_name=None, no_modify=None, file_name=None):
+    user_name = user_name or getpass.getuser()
+    content = build_config(user_name)
+
+    if no_modify:
+        sys.stdout.write(content)
+        exit(0)
+    else:
+        save_config(content, file_name)

sshuttle/tests/test_methods_tproxy.py

@@ -1,283 +0,0 @@
-from mock import Mock, patch, call
-
-from sshuttle.methods import get_method
-
-
-@patch("sshuttle.methods.tproxy.recvmsg")
-def test_get_supported_features_recvmsg(mock_recvmsg):
-    method = get_method('tproxy')
-    features = method.get_supported_features()
-    assert features.ipv6
-    assert features.udp
-    assert features.dns
-
-
-@patch("sshuttle.methods.tproxy.recvmsg", None)
-def test_get_supported_features_norecvmsg():
-    method = get_method('tproxy')
-    features = method.get_supported_features()
-    assert features.ipv6
-    assert not features.udp
-    assert not features.dns
-
-
-def test_get_tcp_dstip():
-    sock = Mock()
-    sock.getsockname.return_value = ('127.0.0.1', 1024)
-    method = get_method('tproxy')
-    assert method.get_tcp_dstip(sock) == ('127.0.0.1', 1024)
-    assert sock.mock_calls == [call.getsockname()]
-
-
-@patch("sshuttle.methods.tproxy.recv_udp")
-def test_recv_udp(mock_recv_udp):
-    mock_recv_udp.return_value = ("127.0.0.1", "127.0.0.2", "11111")
-
-    sock = Mock()
-    method = get_method('tproxy')
-    result = method.recv_udp(sock, 1024)
-    assert sock.mock_calls == []
-    assert mock_recv_udp.mock_calls == [call(sock, 1024)]
-    assert result == ("127.0.0.1", "127.0.0.2", "11111")
-
-
-@patch("sshuttle.methods.socket.socket")
-def test_send_udp(mock_socket):
-    sock = Mock()
-    method = get_method('tproxy')
-    method.send_udp(sock, "127.0.0.2", "127.0.0.1", "2222222")
-    assert sock.mock_calls == []
-    assert mock_socket.mock_calls == [
-        call(sock.family, 2),
-        call().setsockopt(1, 2, 1),
-        call().setsockopt(0, 19, 1),
-        call().bind('127.0.0.2'),
-        call().sendto("2222222", '127.0.0.1'),
-        call().close()
-    ]
-
-
-def test_setup_tcp_listener():
-    listener = Mock()
-    method = get_method('tproxy')
-    method.setup_tcp_listener(listener)
-    assert listener.mock_calls == [
-        call.setsockopt(0, 19, 1)
-    ]
-
-
-def test_setup_udp_listener():
-    listener = Mock()
-    method = get_method('tproxy')
-    method.setup_udp_listener(listener)
-    assert listener.mock_calls == [
-        call.setsockopt(0, 19, 1),
-        call.v4.setsockopt(0, 20, 1),
-        call.v6.setsockopt(41, 74, 1)
-    ]
-
-
-def test_assert_features():
-    method = get_method('tproxy')
-    features = method.get_supported_features()
-    method.assert_features(features)
-
-
-def test_firewall_command():
-    method = get_method('tproxy')
-    assert not method.firewall_command("somthing")
-
-
-@patch('sshuttle.methods.tproxy.ipt')
-@patch('sshuttle.methods.tproxy.ipt_ttl')
-@patch('sshuttle.methods.tproxy.ipt_chain_exists')
-def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
-    mock_ipt_chain_exists.return_value = True
-    method = get_method('tproxy')
-    assert method.name == 'tproxy'
-
-    # IPV6
-
-    method.setup_firewall(
-        1024, 1026,
-        [(10, u'2404:6800:4004:80c::33')],
-        10,
-        [(10, 64, False, u'2404:6800:4004:80c::'),
-            (10, 128, True, u'2404:6800:4004:80c::101f')],
-        True)
-    assert mock_ipt_chain_exists.mock_calls == [
-        call(10, 'mangle', 'sshuttle-m-1024'),
-        call(10, 'mangle', 'sshuttle-t-1024'),
-        call(10, 'mangle', 'sshuttle-d-1024')
-    ]
-    assert mock_ipt_ttl.mock_calls == []
-    assert mock_ipt.mock_calls == [
-        call(10, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-X', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-X', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-X', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-N', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-N', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-N', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-I', 'PREROUTING', '1', '-j', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
-             '--set-mark', '1'),
-        call(10, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
-             '-j', 'sshuttle-d-1024', '-m', 'tcp', '-p', 'tcp'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
-             '-j', 'sshuttle-d-1024', '-m', 'udp', '-p', 'udp'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::33/32',
-             '-m', 'udp', '-p', 'udp', '--dport', '53'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1',
-             '--dest', u'2404:6800:4004:80c::33/32',
-             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1026'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
-             '--dest', u'2404:6800:4004:80c::101f/128',
-             '-m', 'tcp', '-p', 'tcp'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
-             '--dest', u'2404:6800:4004:80c::101f/128',
-             '-m', 'tcp', '-p', 'tcp'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
-             '--dest', u'2404:6800:4004:80c::101f/128',
-             '-m', 'udp', '-p', 'udp'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
-             '--dest', u'2404:6800:4004:80c::101f/128',
-             '-m', 'udp', '-p', 'udp'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
-             '-m', 'tcp', '-p', 'tcp'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
-             '-m', 'tcp', '-p', 'tcp', '--on-port', '1024'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
-             '-m', 'udp', '-p', 'udp'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
-             '-m', 'udp', '-p', 'udp', '--on-port', '1024')
-    ]
-    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
-    mock_ipt.reset_mock()
-
-    method.restore_firewall(1025, 10, True)
-    assert mock_ipt_chain_exists.mock_calls == [
-        call(10, 'mangle', 'sshuttle-m-1025'),
-        call(10, 'mangle', 'sshuttle-t-1025'),
-        call(10, 'mangle', 'sshuttle-d-1025')
-    ]
-    assert mock_ipt_ttl.mock_calls == []
-    assert mock_ipt.mock_calls == [
-        call(10, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
-        call(10, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(10, 'mangle', '-X', 'sshuttle-m-1025'),
-        call(10, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
-        call(10, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(10, 'mangle', '-X', 'sshuttle-t-1025'),
-        call(10, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(10, 'mangle', '-X', 'sshuttle-d-1025')
-    ]
-    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
-    mock_ipt.reset_mock()
-
-    # IPV4
-
-    method.setup_firewall(
-        1025, 1027,
-        [(2, u'1.2.3.33')],
-        2,
-        [(2, 24, False, u'1.2.3.0'), (2, 32, True, u'1.2.3.66')],
-        True)
-    assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'mangle', 'sshuttle-m-1025'),
-        call(2, 'mangle', 'sshuttle-t-1025'),
-        call(2, 'mangle', 'sshuttle-d-1025')
-    ]
-    assert mock_ipt_ttl.mock_calls == []
-    assert mock_ipt.mock_calls == [
-        call(2, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-N', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-N', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-N', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-I', 'PREROUTING', '1', '-j', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-A', 'sshuttle-d-1025',
-             '-j', 'MARK', '--set-mark', '1'),
-        call(2, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
-             '-j', 'sshuttle-d-1025', '-m', 'tcp', '-p', 'tcp'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
-             '-j', 'sshuttle-d-1025', '-m', 'udp', '-p', 'udp'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'1.2.3.33/32',
-             '-m', 'udp', '-p', 'udp', '--dport', '53'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.33/32',
-             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1027'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
-             '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
-             '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
-             '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
-             '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'1.2.3.0/24',
-             '-m', 'tcp', '-p', 'tcp'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
-             '-m', 'tcp', '-p', 'tcp', '--on-port', '1025'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'1.2.3.0/24',
-             '-m', 'udp', '-p', 'udp'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
-             '-m', 'udp', '-p', 'udp', '--on-port', '1025')
-    ]
-    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
-    mock_ipt.reset_mock()
-
-    method.restore_firewall(1025, 2, True)
-    assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'mangle', 'sshuttle-m-1025'),
-        call(2, 'mangle', 'sshuttle-t-1025'),
-        call(2, 'mangle', 'sshuttle-d-1025')
-    ]
-    assert mock_ipt_ttl.mock_calls == []
-    assert mock_ipt.mock_calls == [
-        call(2, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-d-1025')
-    ]
-    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
-    mock_ipt.reset_mock()

tests/client/test_firewall.py

@@ -1,22 +1,23 @@
-from mock import Mock, patch, call
 import io
+from socket import AF_INET, AF_INET6
 
+from mock import Mock, patch, call
 import sshuttle.firewall
 
 
 def setup_daemon():
     stdin = io.StringIO(u"""ROUTES
-2,24,0,1.2.3.0
-2,32,1,1.2.3.66
-10,64,0,2404:6800:4004:80c::
-10,128,1,2404:6800:4004:80c::101f
+{inet},24,0,1.2.3.0,8000,9000
+{inet},32,1,1.2.3.66,8080,8080
+{inet6},64,0,2404:6800:4004:80c::,0,0
+{inet6},128,1,2404:6800:4004:80c::101f,80,80
 NSLIST
-2,1.2.3.33
-10,2404:6800:4004:80c::33
+{inet},1.2.3.33
+{inet6},2404:6800:4004:80c::33
 PORTS 1024,1025,1026,1027
-GO 1
+GO 1 -
 HOST 1.2.3.3,existing
-""")
+""".format(inet=AF_INET, inet6=AF_INET6))
     stdout = Mock()
     return stdin, stdout
 
@@ -58,6 +59,37 @@ def test_rewrite_etc_hosts(tmpdir):
     assert orig_hosts.computehash() == new_hosts.computehash()
 
 
+def test_subnet_weight():
+    subnets = [
+        (AF_INET, 16, 0, '192.168.0.0', 0, 0),
+        (AF_INET, 24, 0, '192.168.69.0', 0, 0),
+        (AF_INET, 32, 0, '192.168.69.70', 0, 0),
+        (AF_INET, 32, 1, '192.168.69.70', 0, 0),
+        (AF_INET, 32, 1, '192.168.69.70', 80, 80),
+        (AF_INET, 0, 1, '0.0.0.0', 0, 0),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
+        (AF_INET, 0, 1, '0.0.0.0', 400, 450)
+    ]
+    subnets_sorted = [
+        (AF_INET, 32, 1, '192.168.69.70', 80, 80),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
+        (AF_INET, 0, 1, '0.0.0.0', 400, 450),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
+        (AF_INET, 32, 1, '192.168.69.70', 0, 0),
+        (AF_INET, 32, 0, '192.168.69.70', 0, 0),
+        (AF_INET, 24, 0, '192.168.69.0', 0, 0),
+        (AF_INET, 16, 0, '192.168.0.0', 0, 0),
+        (AF_INET, 0, 1, '0.0.0.0', 0, 0)
+    ]
+
+    assert subnets_sorted == sorted(subnets,
+                                    key=sshuttle.firewall.subnet_weight,
+                                    reverse=True)
+
+
 @patch('sshuttle.firewall.rewrite_etc_hosts')
 @patch('sshuttle.firewall.setup_daemon')
 @patch('sshuttle.firewall.get_method')
@@ -86,17 +118,20 @@ def test_main(mock_get_method, mock_setup_daemon, mock_rewrite_etc_hosts):
         call('not_auto'),
         call().setup_firewall(
             1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
-            10,
-            [(10, 64, False, u'2404:6800:4004:80c::'),
-                (10, 128, True, u'2404:6800:4004:80c::101f')],
-            True),
+            [(AF_INET6, u'2404:6800:4004:80c::33')],
+            AF_INET6,
+            [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 0, 0),
+                (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
+            True,
+            None),
         call().setup_firewall(
             1025, 1027,
-            [(2, u'1.2.3.33')],
-            2,
-            [(2, 24, False, u'1.2.3.0'), (2, 32, True, u'1.2.3.66')],
-            True),
-        call().restore_firewall(1024, 10, True),
-        call().restore_firewall(1025, 2, True),
+            [(AF_INET, u'1.2.3.33')],
+            AF_INET,
+            [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
+                (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
+            True,
+            None),
+        call().restore_firewall(1024, AF_INET6, True, None),
+        call().restore_firewall(1025, AF_INET, True, None),
     ]

tests/client/test_helpers.py

@@ -1,8 +1,9 @@
-from mock import patch, call
-import sys
 import io
 import socket
+from socket import AF_INET, AF_INET6
+import errno
 
+from mock import patch, call
 import sshuttle.helpers
 
 
@@ -132,10 +133,12 @@ nameserver 2404:6800:4004:80c::4
 
     ns = sshuttle.helpers.resolvconf_nameservers()
     assert ns == [
-        (2, u'192.168.1.1'), (2, u'192.168.2.1'),
-        (2, u'192.168.3.1'), (2, u'192.168.4.1'),
-        (10, u'2404:6800:4004:80c::1'), (10, u'2404:6800:4004:80c::2'),
-        (10, u'2404:6800:4004:80c::3'), (10, u'2404:6800:4004:80c::4')
+        (AF_INET, u'192.168.1.1'), (AF_INET, u'192.168.2.1'),
+        (AF_INET, u'192.168.3.1'), (AF_INET, u'192.168.4.1'),
+        (AF_INET6, u'2404:6800:4004:80c::1'),
+        (AF_INET6, u'2404:6800:4004:80c::2'),
+        (AF_INET6, u'2404:6800:4004:80c::3'),
+        (AF_INET6, u'2404:6800:4004:80c::4')
     ]
 
 
@@ -155,37 +158,39 @@ nameserver 2404:6800:4004:80c::4
 """)
     ns = sshuttle.helpers.resolvconf_random_nameserver()
     assert ns in [
-        (2, u'192.168.1.1'), (2, u'192.168.2.1'),
-        (2, u'192.168.3.1'), (2, u'192.168.4.1'),
-        (10, u'2404:6800:4004:80c::1'), (10, u'2404:6800:4004:80c::2'),
-        (10, u'2404:6800:4004:80c::3'), (10, u'2404:6800:4004:80c::4')
+        (AF_INET, u'192.168.1.1'), (AF_INET, u'192.168.2.1'),
+        (AF_INET, u'192.168.3.1'), (AF_INET, u'192.168.4.1'),
+        (AF_INET6, u'2404:6800:4004:80c::1'),
+        (AF_INET6, u'2404:6800:4004:80c::2'),
+        (AF_INET6, u'2404:6800:4004:80c::3'),
+        (AF_INET6, u'2404:6800:4004:80c::4')
     ]
 
 
-def test_islocal():
-    assert sshuttle.helpers.islocal("127.0.0.1", socket.AF_INET)
-    assert not sshuttle.helpers.islocal("192.0.2.1", socket.AF_INET)
-    assert sshuttle.helpers.islocal("::1", socket.AF_INET6)
-    assert not sshuttle.helpers.islocal("2001:db8::1", socket.AF_INET6)
+@patch('sshuttle.helpers.socket.socket.bind')
+def test_islocal(mock_bind):
+    bind_error = socket.error(errno.EADDRNOTAVAIL)
+    mock_bind.side_effect = [None, bind_error, None, bind_error]
+
+    assert sshuttle.helpers.islocal("127.0.0.1", AF_INET)
+    assert not sshuttle.helpers.islocal("192.0.2.1", AF_INET)
+    assert sshuttle.helpers.islocal("::1", AF_INET6)
+    assert not sshuttle.helpers.islocal("2001:db8::1", AF_INET6)
 
 
 def test_family_ip_tuple():
     assert sshuttle.helpers.family_ip_tuple("127.0.0.1") \
-        == (socket.AF_INET, "127.0.0.1")
+        == (AF_INET, "127.0.0.1")
     assert sshuttle.helpers.family_ip_tuple("192.168.2.6") \
-        == (socket.AF_INET, "192.168.2.6")
+        == (AF_INET, "192.168.2.6")
     assert sshuttle.helpers.family_ip_tuple("::1") \
-        == (socket.AF_INET6, "::1")
+        == (AF_INET6, "::1")
     assert sshuttle.helpers.family_ip_tuple("2404:6800:4004:80c::1") \
-        == (socket.AF_INET6, "2404:6800:4004:80c::1")
+        == (AF_INET6, "2404:6800:4004:80c::1")
 
 
 def test_family_to_string():
-    assert sshuttle.helpers.family_to_string(socket.AF_INET) == "AF_INET"
-    assert sshuttle.helpers.family_to_string(socket.AF_INET6) == "AF_INET6"
-    if sys.version_info < (3, 0):
-        expected = "1"
-        assert sshuttle.helpers.family_to_string(socket.AF_UNIX) == "1"
-    else:
-        expected = 'AddressFamily.AF_UNIX'
+    assert sshuttle.helpers.family_to_string(AF_INET) == "AF_INET"
+    assert sshuttle.helpers.family_to_string(AF_INET6) == "AF_INET6"
+    expected = 'AddressFamily.AF_UNIX'
     assert sshuttle.helpers.family_to_string(socket.AF_UNIX) == expected

tests/client/test_methods_nat.py

@@ -1,8 +1,9 @@
-import pytest
-from mock import Mock, patch, call
 import socket
+from socket import AF_INET, AF_INET6
 import struct
 
+import pytest
+from mock import Mock, patch, call
 from sshuttle.helpers import Fatal
 from sshuttle.methods import get_method
 
@@ -18,7 +19,7 @@ def test_get_supported_features():
 def test_get_tcp_dstip():
     sock = Mock()
     sock.getsockopt.return_value = struct.pack(
-        '!HHBBBB', socket.ntohs(socket.AF_INET), 1024, 127, 0, 0, 1)
+        '!HHBBBB', socket.ntohs(AF_INET), 1024, 127, 0, 0, 1)
     method = get_method('nat')
     assert method.get_tcp_dstip(sock) == ('127.0.0.1', 1024)
     assert sock.mock_calls == [call.getsockopt(0, 80, 16)]
@@ -84,11 +85,12 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
     with pytest.raises(Exception) as excinfo:
         method.setup_firewall(
             1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
-            10,
-            [(10, 64, False, u'2404:6800:4004:80c::'),
-                (10, 128, True, u'2404:6800:4004:80c::101f')],
-            True)
+            [(AF_INET6, u'2404:6800:4004:80c::33')],
+            AF_INET6,
+            [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 0, 0),
+                (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
+            True,
+            None)
     assert str(excinfo.value) \
         == 'Address family "AF_INET6" unsupported by nat method_name'
     assert mock_ipt_chain_exists.mock_calls == []
@@ -98,10 +100,12 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
     with pytest.raises(Exception) as excinfo:
         method.setup_firewall(
             1025, 1027,
-            [(2, u'1.2.3.33')],
-            2,
-            [(2, 24, False, u'1.2.3.0'), (2, 32, True, u'1.2.3.66')],
-            True)
+            [(AF_INET, u'1.2.3.33')],
+            AF_INET,
+            [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
+                (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
+            True,
+            None)
     assert str(excinfo.value) == 'UDP not supported by nat method_name'
     assert mock_ipt_chain_exists.mock_calls == []
     assert mock_ipt_ttl.mock_calls == []
@@ -109,46 +113,55 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
 
     method.setup_firewall(
         1025, 1027,
-        [(2, u'1.2.3.33')],
-        2,
-        [(2, 24, False, u'1.2.3.0'), (2, 32, True, u'1.2.3.66')],
-        False)
+        [(AF_INET, u'1.2.3.33')],
+        AF_INET,
+        [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
+            (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
+        False,
+        None)
     assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'nat', 'sshuttle-1025')
+        call(AF_INET, 'nat', 'sshuttle-1025')
     ]
     assert mock_ipt_ttl.mock_calls == [
-        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
-             '--dest', u'1.2.3.0/24', '-p', 'tcp', '--to-ports', '1025'),
-        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
+             '--dest', u'1.2.3.0/24', '-p', 'tcp', '--dport', '8000:9000',
+             '--to-ports', '1025'),
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
              '--dest', u'1.2.3.33/32', '-p', 'udp',
              '--dport', '53', '--to-ports', '1027')
     ]
     assert mock_ipt.mock_calls == [
-        call(2, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-F', 'sshuttle-1025'),
-        call(2, 'nat', '-X', 'sshuttle-1025'),
-        call(2, 'nat', '-N', 'sshuttle-1025'),
-        call(2, 'nat', '-F', 'sshuttle-1025'),
-        call(2, 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-I', 'PREROUTING', '1', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
-             '--dest', u'1.2.3.66/32', '-p', 'tcp')
+        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-X', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-N', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-I', 'PREROUTING', '1', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL',
+             '!', '-p', 'udp'),
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL',
+             '-p', 'udp', '!', '--dport', '53'),
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
+             '--dest', u'1.2.3.66/32', '-p', 'tcp', '--dport', '8080:8080')
     ]
     mock_ipt_chain_exists.reset_mock()
     mock_ipt_ttl.reset_mock()
     mock_ipt.reset_mock()
 
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
     assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'nat', 'sshuttle-1025')
+        call(AF_INET, 'nat', 'sshuttle-1025')
     ]
     assert mock_ipt_ttl.mock_calls == []
     assert mock_ipt.mock_calls == [
-        call(2, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-F', 'sshuttle-1025'),
-        call(2, 'nat', '-X', 'sshuttle-1025')
+        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-X', 'sshuttle-1025')
     ]
     mock_ipt_chain_exists.reset_mock()
     mock_ipt_ttl.reset_mock()

tests/client/test_methods_pf.py

@@ -1,7 +1,8 @@
+import socket
+from socket import AF_INET, AF_INET6
+
 import pytest
 from mock import Mock, patch, call, ANY
-import socket
-
 from sshuttle.methods import get_method
 from sshuttle.helpers import Fatal
 from sshuttle.methods.pf import FreeBsd, Darwin, OpenBsd
@@ -10,7 +11,7 @@ from sshuttle.methods.pf import FreeBsd, Darwin, OpenBsd
 def test_get_supported_features():
     method = get_method('pf')
     features = method.get_supported_features()
-    assert not features.ipv6
+    assert features.ipv6
     assert not features.udp
     assert features.dns
 
@@ -20,7 +21,7 @@ def test_get_tcp_dstip():
     sock = Mock()
     sock.getpeername.return_value = ("127.0.0.1", 1024)
     sock.getsockname.return_value = ("127.0.0.2", 1025)
-    sock.family = socket.AF_INET
+    sock.family = AF_INET
 
     firewall = Mock()
     firewall.pfile.readline.return_value = \
@@ -94,7 +95,7 @@ def test_firewall_command_darwin(mock_pf_get_dev, mock_ioctl, mock_stdout):
     assert not method.firewall_command("somthing")
 
     command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
-        socket.AF_INET, socket.IPPROTO_TCP,
+        AF_INET, socket.IPPROTO_TCP,
         "127.0.0.1", 1025, "127.0.0.2", 1024)
     assert method.firewall_command(command)
 
@@ -117,7 +118,7 @@ def test_firewall_command_freebsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
     assert not method.firewall_command("somthing")
 
     command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
-        socket.AF_INET, socket.IPPROTO_TCP,
+        AF_INET, socket.IPPROTO_TCP,
         "127.0.0.1", 1025, "127.0.0.2", 1024)
     assert method.firewall_command(command)
 
@@ -140,7 +141,7 @@ def test_firewall_command_openbsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
     assert not method.firewall_command("somthing")
 
     command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
-        socket.AF_INET, socket.IPPROTO_TCP,
+        AF_INET, socket.IPPROTO_TCP,
         "127.0.0.1", 1025, "127.0.0.2", 1024)
     assert method.firewall_command(command)
 
@@ -155,6 +156,8 @@ def test_firewall_command_openbsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
 
 
 def pfctl(args, stdin=None):
+    if args == '-s Interfaces -i lo -v':
+        return (b'lo0 (skip)',)
     if args == '-s all':
         return (b'INFO:\nStatus: Disabled\nanother mary had a little lamb\n',
                 b'little lamb\n')
@@ -174,38 +177,16 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     method = get_method('pf')
     assert method.name == 'pf'
 
-    with pytest.raises(Exception) as excinfo:
-        method.setup_firewall(
-            1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
-            10,
-            [(10, 64, False, u'2404:6800:4004:80c::'),
-                (10, 128, True, u'2404:6800:4004:80c::101f')],
-            True)
-    assert str(excinfo.value) \
-        == 'Address family "AF_INET6" unsupported by pf method_name'
-    assert mock_pf_get_dev.mock_calls == []
-    assert mock_ioctl.mock_calls == []
-    assert mock_pfctl.mock_calls == []
-
-    with pytest.raises(Exception) as excinfo:
-        method.setup_firewall(
-            1025, 1027,
-            [(2, u'1.2.3.33')],
-            2,
-            [(2, 24, False, u'1.2.3.0'), (2, 32, True, u'1.2.3.66')],
-            True)
-    assert str(excinfo.value) == 'UDP not supported by pf method_name'
-    assert mock_pf_get_dev.mock_calls == []
-    assert mock_ioctl.mock_calls == []
-    assert mock_pfctl.mock_calls == []
+    # IPV6
 
     method.setup_firewall(
-        1025, 1027,
-        [(2, u'1.2.3.33')],
-        2,
-        [(2, 24, False, u'1.2.3.0'), (2, 32, True, u'1.2.3.66')],
-        False)
+        1024, 1026,
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
+        AF_INET6,
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+        False,
+        None)
     assert mock_ioctl.mock_calls == [
         call(mock_pf_get_dev(), 0xC4704433, ANY),
         call(mock_pf_get_dev(), 0xCC20441A, ANY),
@@ -215,17 +196,69 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
         call(mock_pf_get_dev(), 0xCC20441A, ANY),
     ]
     assert mock_pfctl.mock_calls == [
+        call('-s Interfaces -i lo -v'),
         call('-f /dev/stdin', b'pass on lo\n'),
         call('-s all'),
-        call('-a sshuttle -f /dev/stdin',
-             b'table <forward_subnets> {!1.2.3.66/32,1.2.3.0/24}\n'
+        call('-a sshuttle6-1024 -f /dev/stdin',
+             b'table <dns_servers> {2404:6800:4004:80c::33}\n'
+             b'rdr pass on lo0 inet6 proto tcp from ! ::1 to '
+             b'2404:6800:4004:80c::/64 port 8000:9000 -> ::1 port 1024\n'
+             b'rdr pass on lo0 inet6 proto udp '
+             b'to <dns_servers> port 53 -> ::1 port 1026\n'
+             b'pass out route-to lo0 inet6 proto tcp to '
+             b'2404:6800:4004:80c::/64 port 8000:9000 keep state\n'
+             b'pass out inet6 proto tcp to '
+             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
+             b'pass out route-to lo0 inet6 proto udp '
+             b'to <dns_servers> port 53 keep state\n'),
+        call('-E'),
+    ]
+    mock_pf_get_dev.reset_mock()
+    mock_ioctl.reset_mock()
+    mock_pfctl.reset_mock()
+
+    with pytest.raises(Exception) as excinfo:
+        method.setup_firewall(
+            1025, 1027,
+            [(AF_INET, u'1.2.3.33')],
+            AF_INET,
+            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+            True,
+            None)
+    assert str(excinfo.value) == 'UDP not supported by pf method_name'
+    assert mock_pf_get_dev.mock_calls == []
+    assert mock_ioctl.mock_calls == []
+    assert mock_pfctl.mock_calls == []
+
+    method.setup_firewall(
+        1025, 1027,
+        [(AF_INET, u'1.2.3.33')],
+        AF_INET,
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+        False,
+        None)
+    assert mock_ioctl.mock_calls == [
+        call(mock_pf_get_dev(), 0xC4704433, ANY),
+        call(mock_pf_get_dev(), 0xCC20441A, ANY),
+        call(mock_pf_get_dev(), 0xCC20441A, ANY),
+        call(mock_pf_get_dev(), 0xC4704433, ANY),
+        call(mock_pf_get_dev(), 0xCC20441A, ANY),
+        call(mock_pf_get_dev(), 0xCC20441A, ANY),
+    ]
+    assert mock_pfctl.mock_calls == [
+        call('-s Interfaces -i lo -v'),
+        call('-f /dev/stdin', b'pass on lo\n'),
+        call('-s all'),
+        call('-a sshuttle-1025 -f /dev/stdin',
              b'table <dns_servers> {1.2.3.33}\n'
-             b'rdr pass on lo0 proto tcp '
-             b'to <forward_subnets> -> 127.0.0.1 port 1025\n'
-             b'rdr pass on lo0 proto udp '
+             b'rdr pass on lo0 inet proto tcp from ! 127.0.0.1 to 1.2.3.0/24 '
+             b'-> 127.0.0.1 port 1025\n'
+             b'rdr pass on lo0 inet proto udp '
              b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
-             b'pass out route-to lo0 inet proto tcp '
-             b'to <forward_subnets> keep state\n'
+             b'pass out route-to lo0 inet proto tcp to 1.2.3.0/24 keep state\n'
+             b'pass out inet proto tcp to 1.2.3.66/32 port 80:80\n'
              b'pass out route-to lo0 inet proto udp '
              b'to <dns_servers> port 53 keep state\n'),
         call('-E'),
@@ -234,10 +267,10 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     mock_ioctl.reset_mock()
     mock_pfctl.reset_mock()
 
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
     assert mock_ioctl.mock_calls == []
     assert mock_pfctl.mock_calls == [
-        call('-a sshuttle -F all'),
+        call('-a sshuttle-1025 -F all'),
         call("-X abcdefg"),
     ]
     mock_pf_get_dev.reset_mock()
@@ -247,36 +280,56 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 
 @patch('sshuttle.helpers.verbose', new=3)
 @patch('sshuttle.methods.pf.pf', FreeBsd())
+@patch('subprocess.call')
 @patch('sshuttle.methods.pf.pfctl')
 @patch('sshuttle.methods.pf.ioctl')
 @patch('sshuttle.methods.pf.pf_get_dev')
-def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
+def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl,
+                                mock_subprocess_call):
     mock_pfctl.side_effect = pfctl
 
     method = get_method('pf')
     assert method.name == 'pf'
 
-    with pytest.raises(Exception) as excinfo:
-        method.setup_firewall(
-            1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
-            10,
-            [(10, 64, False, u'2404:6800:4004:80c::'),
-                (10, 128, True, u'2404:6800:4004:80c::101f')],
-            True)
-    assert str(excinfo.value) \
-        == 'Address family "AF_INET6" unsupported by pf method_name'
-    assert mock_pf_get_dev.mock_calls == []
-    assert mock_ioctl.mock_calls == []
-    assert mock_pfctl.mock_calls == []
+    method.setup_firewall(
+        1024, 1026,
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
+        AF_INET6,
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+        False,
+        None)
+
+    assert mock_pfctl.mock_calls == [
+        call('-s all'),
+        call('-a sshuttle6-1024 -f /dev/stdin',
+             b'table <dns_servers> {2404:6800:4004:80c::33}\n'
+             b'rdr pass on lo0 inet6 proto tcp from ! ::1 to '
+             b'2404:6800:4004:80c::/64 port 8000:9000 -> ::1 port 1024\n'
+             b'rdr pass on lo0 inet6 proto udp '
+             b'to <dns_servers> port 53 -> ::1 port 1026\n'
+             b'pass out route-to lo0 inet6 proto tcp to '
+             b'2404:6800:4004:80c::/64 port 8000:9000 keep state\n'
+             b'pass out inet6 proto tcp to '
+             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
+             b'pass out route-to lo0 inet6 proto udp '
+             b'to <dns_servers> port 53 keep state\n'),
+        call('-e'),
+    ]
+    assert call(['kldload', 'pf']) in mock_subprocess_call.mock_calls
+    mock_pf_get_dev.reset_mock()
+    mock_ioctl.reset_mock()
+    mock_pfctl.reset_mock()
 
     with pytest.raises(Exception) as excinfo:
         method.setup_firewall(
             1025, 1027,
-            [(2, u'1.2.3.33')],
-            2,
-            [(2, 24, False, u'1.2.3.0'), (2, 32, True, u'1.2.3.66')],
-            True)
+            [(AF_INET, u'1.2.3.33')],
+            AF_INET,
+            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+            True,
+            None)
     assert str(excinfo.value) == 'UDP not supported by pf method_name'
     assert mock_pf_get_dev.mock_calls == []
     assert mock_ioctl.mock_calls == []
@@ -284,10 +337,12 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 
     method.setup_firewall(
         1025, 1027,
-        [(2, u'1.2.3.33')],
-        2,
-        [(2, 24, False, u'1.2.3.0'), (2, 32, True, u'1.2.3.66')],
-        False)
+        [(AF_INET, u'1.2.3.33')],
+        AF_INET,
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+        False,
+        None)
     assert mock_ioctl.mock_calls == [
         call(mock_pf_get_dev(), 0xC4704433, ANY),
         call(mock_pf_get_dev(), 0xCBE0441A, ANY),
@@ -298,15 +353,14 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     ]
     assert mock_pfctl.mock_calls == [
         call('-s all'),
-        call('-a sshuttle -f /dev/stdin',
-             b'table <forward_subnets> {!1.2.3.66/32,1.2.3.0/24}\n'
+        call('-a sshuttle-1025 -f /dev/stdin',
              b'table <dns_servers> {1.2.3.33}\n'
-             b'rdr pass on lo0 proto tcp '
-             b'to <forward_subnets> -> 127.0.0.1 port 1025\n'
-             b'rdr pass on lo0 proto udp '
+             b'rdr pass on lo0 inet proto tcp from ! 127.0.0.1 '
+             b'to 1.2.3.0/24 -> 127.0.0.1 port 1025\n'
+             b'rdr pass on lo0 inet proto udp '
              b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
-             b'pass out route-to lo0 inet proto tcp '
-             b'to <forward_subnets> keep state\n'
+             b'pass out route-to lo0 inet proto tcp to 1.2.3.0/24 keep state\n'
+             b'pass out inet proto tcp to 1.2.3.66/32 port 80:80\n'
              b'pass out route-to lo0 inet proto udp '
              b'to <dns_servers> port 53 keep state\n'),
         call('-e'),
@@ -315,10 +369,12 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     mock_ioctl.reset_mock()
     mock_pfctl.reset_mock()
 
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
+    method.restore_firewall(1024, AF_INET6, False, None)
     assert mock_ioctl.mock_calls == []
     assert mock_pfctl.mock_calls == [
-        call('-a sshuttle -F all'),
+        call('-a sshuttle-1025 -F all'),
+        call('-a sshuttle6-1024 -F all'),
         call("-d"),
     ]
     mock_pf_get_dev.reset_mock()
@@ -337,27 +393,50 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     method = get_method('pf')
     assert method.name == 'pf'
 
-    with pytest.raises(Exception) as excinfo:
-        method.setup_firewall(
-            1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
-            10,
-            [(10, 64, False, u'2404:6800:4004:80c::'),
-                (10, 128, True, u'2404:6800:4004:80c::101f')],
-            True)
-    assert str(excinfo.value) \
-        == 'Address family "AF_INET6" unsupported by pf method_name'
-    assert mock_pf_get_dev.mock_calls == []
-    assert mock_ioctl.mock_calls == []
-    assert mock_pfctl.mock_calls == []
+    method.setup_firewall(
+        1024, 1026,
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
+        AF_INET6,
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+        False,
+        None)
+
+    assert mock_ioctl.mock_calls == [
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
+    ]
+    assert mock_pfctl.mock_calls == [
+        call('-s Interfaces -i lo -v'),
+        call('-f /dev/stdin', b'match on lo\n'),
+        call('-s all'),
+        call('-a sshuttle6-1024 -f /dev/stdin',
+             b'table <dns_servers> {2404:6800:4004:80c::33}\n'
+             b'pass in on lo0 inet6 proto tcp to 2404:6800:4004:80c::/64 '
+             b'port 8000:9000 divert-to ::1 port 1024\n'
+             b'pass in on lo0 inet6 proto udp '
+             b'to <dns_servers> port 53 rdr-to ::1 port 1026\n'
+             b'pass out inet6 proto tcp to 2404:6800:4004:80c::/64 '
+             b'port 8000:9000 route-to lo0 keep state\n'
+             b'pass out inet6 proto tcp to '
+             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
+             b'pass out inet6 proto udp to '
+             b'<dns_servers> port 53 route-to lo0 keep state\n'),
+        call('-e'),
+    ]
+    mock_pf_get_dev.reset_mock()
+    mock_ioctl.reset_mock()
+    mock_pfctl.reset_mock()
 
     with pytest.raises(Exception) as excinfo:
         method.setup_firewall(
             1025, 1027,
-            [(2, u'1.2.3.33')],
-            2,
-            [(2, 24, False, u'1.2.3.0'), (2, 32, True, u'1.2.3.66')],
-            True)
+            [(AF_INET, u'1.2.3.33')],
+            AF_INET,
+            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+            True,
+            None)
     assert str(excinfo.value) == 'UDP not supported by pf method_name'
     assert mock_pf_get_dev.mock_calls == []
     assert mock_ioctl.mock_calls == []
@@ -365,25 +444,28 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 
     method.setup_firewall(
         1025, 1027,
-        [(2, u'1.2.3.33')],
-        2,
-        [(2, 24, False, u'1.2.3.0'), (2, 32, True, u'1.2.3.66')],
-        False)
+        [(AF_INET, u'1.2.3.33')],
+        AF_INET,
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+        False,
+        None)
     assert mock_ioctl.mock_calls == [
-        call(mock_pf_get_dev(), 0xcd48441a, ANY),
-        call(mock_pf_get_dev(), 0xcd48441a, ANY),
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
     ]
     assert mock_pfctl.mock_calls == [
+        call('-s Interfaces -i lo -v'),
         call('-f /dev/stdin', b'match on lo\n'),
         call('-s all'),
-        call('-a sshuttle -f /dev/stdin',
-             b'table <forward_subnets> {!1.2.3.66/32,1.2.3.0/24}\n'
+        call('-a sshuttle-1025 -f /dev/stdin',
              b'table <dns_servers> {1.2.3.33}\n'
-             b'pass in on lo0 inet proto tcp divert-to 127.0.0.1 port 1025\n'
+             b'pass in on lo0 inet proto tcp to 1.2.3.0/24 divert-to '
+             b'127.0.0.1 port 1025\n'
              b'pass in on lo0 inet proto udp to '
-             b'<dns_servers>port 53 rdr-to 127.0.0.1 port 1027\n'
-             b'pass out inet proto tcp to '
-             b'<forward_subnets> route-to lo0 keep state\n'
+             b'<dns_servers> port 53 rdr-to 127.0.0.1 port 1027\n'
+             b'pass out inet proto tcp to 1.2.3.0/24 route-to lo0 keep state\n'
+             b'pass out inet proto tcp to 1.2.3.66/32 port 80:80\n'
              b'pass out inet proto udp to '
              b'<dns_servers> port 53 route-to lo0 keep state\n'),
         call('-e'),
@@ -392,11 +474,13 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     mock_ioctl.reset_mock()
     mock_pfctl.reset_mock()
 
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
+    method.restore_firewall(1024, AF_INET6, False, None)
     assert mock_ioctl.mock_calls == []
     assert mock_pfctl.mock_calls == [
-        call('-a sshuttle -F all'),
-        call("-d"),
+        call('-a sshuttle-1025 -F all'),
+        call('-a sshuttle6-1024 -F all'),
+        call('-d'),
     ]
     mock_pf_get_dev.reset_mock()
     mock_pfctl.reset_mock()

tests/client/test_methods_tproxy.py

@@ -0,0 +1,297 @@
+import socket
+from socket import AF_INET, AF_INET6
+
+from mock import Mock, patch, call
+
+from sshuttle.methods import get_method
+
+
+@patch("sshuttle.methods.tproxy.recvmsg")
+def test_get_supported_features_recvmsg(mock_recvmsg):
+    method = get_method('tproxy')
+    features = method.get_supported_features()
+    assert features.ipv6
+    assert features.udp
+    assert features.dns
+
+
+@patch("sshuttle.methods.tproxy.recvmsg", None)
+def test_get_supported_features_norecvmsg():
+    method = get_method('tproxy')
+    features = method.get_supported_features()
+    assert features.ipv6
+    assert not features.udp
+    assert not features.dns
+
+
+def test_get_tcp_dstip():
+    sock = Mock()
+    sock.getsockname.return_value = ('127.0.0.1', 1024)
+    method = get_method('tproxy')
+    assert method.get_tcp_dstip(sock) == ('127.0.0.1', 1024)
+    assert sock.mock_calls == [call.getsockname()]
+
+
+@patch("sshuttle.methods.tproxy.recv_udp")
+def test_recv_udp(mock_recv_udp):
+    mock_recv_udp.return_value = ("127.0.0.1", "127.0.0.2", "11111")
+
+    sock = Mock()
+    method = get_method('tproxy')
+    result = method.recv_udp(sock, 1024)
+    assert sock.mock_calls == []
+    assert mock_recv_udp.mock_calls == [call(sock, 1024)]
+    assert result == ("127.0.0.1", "127.0.0.2", "11111")
+
+
+@patch("sshuttle.methods.socket.socket")
+def test_send_udp(mock_socket):
+    sock = Mock()
+    method = get_method('tproxy')
+    method.send_udp(sock, "127.0.0.2", "127.0.0.1", "2222222")
+    assert sock.mock_calls == []
+    assert mock_socket.mock_calls == [
+        call(sock.family, 2),
+        call().setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1),
+        call().setsockopt(0, 19, 1),
+        call().bind('127.0.0.2'),
+        call().sendto("2222222", '127.0.0.1'),
+        call().close()
+    ]
+
+
+def test_setup_tcp_listener():
+    listener = Mock()
+    method = get_method('tproxy')
+    method.setup_tcp_listener(listener)
+    assert listener.mock_calls == [
+        call.setsockopt(0, 19, 1)
+    ]
+
+
+def test_setup_udp_listener():
+    listener = Mock()
+    method = get_method('tproxy')
+    method.setup_udp_listener(listener)
+    assert listener.mock_calls == [
+        call.setsockopt(0, 19, 1),
+        call.v4.setsockopt(0, 20, 1),
+        call.v6.setsockopt(41, 74, 1)
+    ]
+
+
+def test_assert_features():
+    method = get_method('tproxy')
+    features = method.get_supported_features()
+    method.assert_features(features)
+
+
+def test_firewall_command():
+    method = get_method('tproxy')
+    assert not method.firewall_command("somthing")
+
+
+@patch('sshuttle.methods.tproxy.ipt')
+@patch('sshuttle.methods.tproxy.ipt_ttl')
+@patch('sshuttle.methods.tproxy.ipt_chain_exists')
+def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
+    mock_ipt_chain_exists.return_value = True
+    method = get_method('tproxy')
+    assert method.name == 'tproxy'
+
+    # IPV6
+
+    method.setup_firewall(
+        1024, 1026,
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
+        AF_INET6,
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+        True,
+        None)
+    assert mock_ipt_chain_exists.mock_calls == [
+        call(AF_INET6, 'mangle', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', 'sshuttle-d-1024')
+    ]
+    assert mock_ipt_ttl.mock_calls == []
+    assert mock_ipt.mock_calls == [
+        call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-N', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-N', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-N', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-I', 'PREROUTING', '1', '-j',
+             'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
+             '--set-mark', '1'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
+             '-j', 'sshuttle-d-1024', '-m', 'tcp', '-p', 'tcp'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
+             '-j', 'sshuttle-d-1024', '-m', 'udp', '-p', 'udp'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
+             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::33/32',
+             '-m', 'udp', '-p', 'udp', '--dport', '53'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
+             '--tproxy-mark', '0x1/0x1',
+             '--dest', u'2404:6800:4004:80c::33/32',
+             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1026'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
+             '--dest', u'2404:6800:4004:80c::101f/128',
+             '-m', 'tcp', '-p', 'tcp', '--dport', '8080:8080'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
+             '--dest', u'2404:6800:4004:80c::101f/128',
+             '-m', 'tcp', '-p', 'tcp', '--dport', '8080:8080'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
+             '--dest', u'2404:6800:4004:80c::101f/128',
+             '-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
+             '--dest', u'2404:6800:4004:80c::101f/128',
+             '-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
+             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
+             '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
+             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
+             '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000',
+             '--on-port', '1024'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
+             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
+             '-m', 'udp', '-p', 'udp', '--dport', '8000:9000'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
+             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
+             '-m', 'udp', '-p', 'udp', '--dport', '8000:9000',
+             '--on-port', '1024')
+    ]
+    mock_ipt_chain_exists.reset_mock()
+    mock_ipt_ttl.reset_mock()
+    mock_ipt.reset_mock()
+
+    method.restore_firewall(1025, AF_INET6, True, None)
+    assert mock_ipt_chain_exists.mock_calls == [
+        call(AF_INET6, 'mangle', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', 'sshuttle-d-1025')
+    ]
+    assert mock_ipt_ttl.mock_calls == []
+    assert mock_ipt.mock_calls == [
+        call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-d-1025')
+    ]
+    mock_ipt_chain_exists.reset_mock()
+    mock_ipt_ttl.reset_mock()
+    mock_ipt.reset_mock()
+
+    # IPV4
+
+    method.setup_firewall(
+        1025, 1027,
+        [(AF_INET, u'1.2.3.33')],
+        AF_INET,
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+        True,
+        None)
+    assert mock_ipt_chain_exists.mock_calls == [
+        call(AF_INET, 'mangle', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-d-1025')
+    ]
+    assert mock_ipt_ttl.mock_calls == []
+    assert mock_ipt.mock_calls == [
+        call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-N', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-N', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-N', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-I', 'PREROUTING', '1', '-j',
+             'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025',
+             '-j', 'MARK', '--set-mark', '1'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
+             '-j', 'sshuttle-d-1025', '-m', 'tcp', '-p', 'tcp'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
+             '-j', 'sshuttle-d-1025', '-m', 'udp', '-p', 'udp'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
+             '--set-mark', '1', '--dest', u'1.2.3.33/32',
+             '-m', 'udp', '-p', 'udp', '--dport', '53'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
+             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.33/32',
+             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1027'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
+             '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp',
+             '--dport', '80:80'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
+             '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp',
+             '--dport', '80:80'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
+             '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
+             '--dport', '80:80'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
+             '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
+             '--dport', '80:80'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
+             '--set-mark', '1', '--dest', u'1.2.3.0/24',
+             '-m', 'tcp', '-p', 'tcp'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
+             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
+             '-m', 'tcp', '-p', 'tcp', '--on-port', '1025'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
+             '--set-mark', '1', '--dest', u'1.2.3.0/24',
+             '-m', 'udp', '-p', 'udp'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
+             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
+             '-m', 'udp', '-p', 'udp', '--on-port', '1025')
+    ]
+    mock_ipt_chain_exists.reset_mock()
+    mock_ipt_ttl.reset_mock()
+    mock_ipt.reset_mock()
+
+    method.restore_firewall(1025, AF_INET, True, None)
+    assert mock_ipt_chain_exists.mock_calls == [
+        call(AF_INET, 'mangle', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-d-1025')
+    ]
+    assert mock_ipt_ttl.mock_calls == []
+    assert mock_ipt.mock_calls == [
+        call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-d-1025')
+    ]
+    mock_ipt_chain_exists.reset_mock()
+    mock_ipt_ttl.reset_mock()
+    mock_ipt.reset_mock()

tests/client/test_options.py

@@ -0,0 +1,101 @@
+import socket
+from argparse import ArgumentTypeError as Fatal
+
+import pytest
+
+import sshuttle.options
+
+_ip4_reprs = {
+        '0.0.0.0': '0.0.0.0',
+        '255.255.255.255': '255.255.255.255',
+        '10.0': '10.0.0.0',
+        '184.172.10.74': '184.172.10.74',
+        '3098282570': '184.172.10.74',
+        '0xb8.0xac.0x0a.0x4a': '184.172.10.74',
+        '0270.0254.0012.0112': '184.172.10.74',
+        'localhost': '127.0.0.1'
+}
+
+_ip4_swidths = (1, 8, 22, 27, 32)
+
+_ip6_reprs = {
+        '::': '::',
+        '::1': '::1',
+        'fc00::': 'fc00::',
+        '2a01:7e00:e000:188::1': '2a01:7e00:e000:188::1'
+}
+
+_ip6_swidths = (48, 64, 96, 115, 128)
+
+
+def test_parse_subnetport_ip4():
+    for ip_repr, ip in _ip4_reprs.items():
+        assert sshuttle.options.parse_subnetport(ip_repr) \
+                == (socket.AF_INET, ip, 32, 0, 0)
+    with pytest.raises(Fatal) as excinfo:
+        sshuttle.options.parse_subnetport('10.256.0.0')
+    assert str(excinfo.value) == 'Unable to resolve address: 10.256.0.0'
+
+
+def test_parse_subnetport_ip4_with_mask():
+    for ip_repr, ip in _ip4_reprs.items():
+        for swidth in _ip4_swidths:
+            assert sshuttle.options.parse_subnetport(
+                    '/'.join((ip_repr, str(swidth)))
+                    ) == (socket.AF_INET, ip, swidth, 0, 0)
+    assert sshuttle.options.parse_subnetport('0/0') \
+        == (socket.AF_INET, '0.0.0.0', 0, 0, 0)
+    with pytest.raises(Fatal) as excinfo:
+        sshuttle.options.parse_subnetport('10.0.0.0/33')
+    assert str(excinfo.value) == 'width 33 is not between 0 and 32'
+
+
+def test_parse_subnetport_ip4_with_port():
+    for ip_repr, ip in _ip4_reprs.items():
+        assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80'))) \
+            == (socket.AF_INET, ip, 32, 80, 80)
+        assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80-90')))\
+            == (socket.AF_INET, ip, 32, 80, 90)
+
+
+def test_parse_subnetport_ip4_with_mask_and_port():
+    for ip_repr, ip in _ip4_reprs.items():
+        assert sshuttle.options.parse_subnetport(ip_repr + '/32:80') \
+            == (socket.AF_INET, ip, 32, 80, 80)
+        assert sshuttle.options.parse_subnetport(ip_repr + '/16:80-90') \
+            == (socket.AF_INET, ip, 16, 80, 90)
+
+
+def test_parse_subnetport_ip6():
+    for ip_repr, ip in _ip6_reprs.items():
+        assert sshuttle.options.parse_subnetport(ip_repr) \
+                == (socket.AF_INET6, ip, 128, 0, 0)
+
+
+def test_parse_subnetport_ip6_with_mask():
+    for ip_repr, ip in _ip6_reprs.items():
+        for swidth in _ip4_swidths + _ip6_swidths:
+            assert sshuttle.options.parse_subnetport(
+                    '/'.join((ip_repr, str(swidth)))
+                    ) == (socket.AF_INET6, ip, swidth, 0, 0)
+    assert sshuttle.options.parse_subnetport('::/0') \
+        == (socket.AF_INET6, '::', 0, 0, 0)
+    with pytest.raises(Fatal) as excinfo:
+        sshuttle.options.parse_subnetport('fc00::/129')
+    assert str(excinfo.value) == 'width 129 is not between 0 and 128'
+
+
+def test_parse_subnetport_ip6_with_port():
+    for ip_repr, ip in _ip6_reprs.items():
+        assert sshuttle.options.parse_subnetport('[' + ip_repr + ']:80') \
+            == (socket.AF_INET6, ip, 128, 80, 80)
+        assert sshuttle.options.parse_subnetport('[' + ip_repr + ']:80-90') \
+            == (socket.AF_INET6, ip, 128, 80, 90)
+
+
+def test_parse_subnetport_ip6_with_mask_and_port():
+    for ip_repr, ip in _ip6_reprs.items():
+        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/128]:80') \
+            == (socket.AF_INET6, ip, 128, 80, 80)
+        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/16]:80-90')\
+            == (socket.AF_INET6, ip, 16, 80, 90)

tests/client/test_sdnotify.py

@@ -0,0 +1,65 @@
+import socket
+
+from mock import Mock, patch, call
+
+import sshuttle.sdnotify
+
+
+@patch('sshuttle.sdnotify.os.environ.get')
+def test_notify_invalid_socket_path(mock_get):
+    mock_get.return_value = 'invalid_path'
+    assert not sshuttle.sdnotify.send(sshuttle.sdnotify.ready())
+
+
+@patch('sshuttle.sdnotify.os.environ.get')
+def test_notify_socket_not_there(mock_get):
+    mock_get.return_value = '/run/valid_nonexistent_path'
+    assert not sshuttle.sdnotify.send(sshuttle.sdnotify.ready())
+
+
+@patch('sshuttle.sdnotify.os.environ.get')
+def test_notify_no_message(mock_get):
+    mock_get.return_value = '/run/valid_path'
+    assert not sshuttle.sdnotify.send()
+
+
+@patch('sshuttle.sdnotify.socket.socket')
+@patch('sshuttle.sdnotify.os.environ.get')
+def test_notify_socket_error(mock_get, mock_socket):
+    mock_get.return_value = '/run/valid_path'
+    mock_socket.side_effect = socket.error('test error')
+    assert not sshuttle.sdnotify.send(sshuttle.sdnotify.ready())
+
+
+@patch('sshuttle.sdnotify.socket.socket')
+@patch('sshuttle.sdnotify.os.environ.get')
+def test_notify_sendto_error(mock_get, mock_socket):
+    message = sshuttle.sdnotify.ready()
+    socket_path = '/run/valid_path'
+
+    sock = Mock()
+    sock.sendto.side_effect = socket.error('test error')
+    mock_get.return_value = '/run/valid_path'
+    mock_socket.return_value = sock
+
+    assert not sshuttle.sdnotify.send(message)
+    assert sock.sendto.mock_calls == [
+        call(message, socket_path),
+    ]
+
+
+@patch('sshuttle.sdnotify.socket.socket')
+@patch('sshuttle.sdnotify.os.environ.get')
+def test_notify(mock_get, mock_socket):
+    messages = [sshuttle.sdnotify.ready(), sshuttle.sdnotify.status('Running')]
+    socket_path = '/run/valid_path'
+
+    sock = Mock()
+    sock.sendto.return_value = 1
+    mock_get.return_value = '/run/valid_path'
+    mock_socket.return_value = sock
+
+    assert sshuttle.sdnotify.send(*messages)
+    assert sock.sendto.mock_calls == [
+        call(b'\n'.join(messages), socket_path),
+    ]

tests/server/test_server.py

@@ -0,0 +1,60 @@
+import io
+import socket
+
+from mock import patch, Mock
+
+import sshuttle.server
+
+
+def test__ipmatch():
+    assert sshuttle.server._ipmatch("1.2.3.4") is not None
+    assert sshuttle.server._ipmatch("::1") is None   # ipv6 not supported
+    assert sshuttle.server._ipmatch("42 Example Street, Melbourne") is None
+
+
+def test__ipstr():
+    assert sshuttle.server._ipstr("1.2.3.4", 24) == "1.2.3.4/24"
+    assert sshuttle.server._ipstr("1.2.3.4", 32) == "1.2.3.4"
+
+
+def test__maskbits():
+    netmask = sshuttle.server._ipmatch("255.255.255.0")
+    sshuttle.server._maskbits(netmask)
+
+
+@patch('sshuttle.server.which', side_effect=lambda x: x == 'netstat')
+@patch('sshuttle.server.ssubprocess.Popen')
+def test_listroutes_netstat(mock_popen, mock_which):
+    mock_pobj = Mock()
+    mock_pobj.stdout = io.BytesIO(b"""
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
+0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
+192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
+""")
+    mock_pobj.wait.return_value = 0
+    mock_popen.return_value = mock_pobj
+
+    routes = sshuttle.server.list_routes()
+
+    assert list(routes) == [
+        (socket.AF_INET, '192.168.1.0', 24)
+    ]
+
+
+@patch('sshuttle.server.which', side_effect=lambda x: x == 'ip')
+@patch('sshuttle.server.ssubprocess.Popen')
+def test_listroutes_iproute(mock_popen, mock_which):
+    mock_pobj = Mock()
+    mock_pobj.stdout = io.BytesIO(b"""
+default via 192.168.1.1 dev wlan0  proto static
+192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.1
+""")
+    mock_pobj.wait.return_value = 0
+    mock_popen.return_value = mock_pobj
+
+    routes = sshuttle.server.list_routes()
+
+    assert list(routes) == [
+        (socket.AF_INET, '192.168.1.0', 24)
+    ]

tox.ini

@@ -1,16 +1,22 @@
 [tox]
 downloadcache = {toxworkdir}/cache/
 envlist =
-    py27,
     py35,
+    py36,
+    py37,
+    py38,
 
 [testenv]
 basepython =
-    py27: python2.7
-    py35: python3.5
+    py36: python3.6
+    py37: python3.7
+    py38: python3.8
 commands =
-    py.test
-deps =
+    pip install -e .
+    # actual flake8 test
+    flake8 sshuttle tests
+    # flake8 complexity warnings
+    flake8 sshuttle tests --exit-zero --max-complexity=10
     pytest
-    mock
-    setuptools>=17.1
+deps =
+    -rrequirements-tests.txt