Release version 1.0.5

Add an "is_supported()" function to the different methods so that each
method can include whatever logic they wish to indicate if they are
supported on a particular machine. Previously, methods/__init__.py
contained all of the logic for selecting individual methods. Now, it
iterates through a list of possible options and stops on the first
method that it finds that is_supported().

Currently, the decision is made based on the presence of programs in
the PATH. In the future, things such as the platform sshuttle is
running on could be considered.

.github/workflows/pythonpackage.yml

@@ -0,0 +1,37 @@
+# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Python package
+
+on:
+  push:
+    branches: [ master, tproxy_mark_param ]
+  pull_request:
+    branches: [ master, tproxy_mark_param ]
+  workflow_dispatch:
+    branches: [ tproxy_mark_param ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [3.6, 3.7, 3.8, 3.9]
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v2
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements-tests.txt
+    - name: Lint with flake8
+      run: |
+        flake8 sshuttle tests --count --show-source --statistics
+    - name: Test with pytest
+      run: |
+        PYTHONPATH=$PWD pytest

.gitignore

@@ -13,3 +13,6 @@
 /.do_built
 /.do_built.dir
 /.redo
+/.pytest_cache/
+/.python-version
+.vscode/

.prospector.yml

@@ -0,0 +1,24 @@
+strictness: medium
+
+pylint:
+  disable:
+    - too-many-statements
+    - too-many-locals
+    - too-many-function-args
+    - too-many-arguments
+    - too-many-branches
+    - bare-except
+    - protected-access
+    - no-else-return
+    - unused-argument
+    - method-hidden
+    - arguments-differ
+    - wrong-import-position
+    - raising-bad-type
+
+pep8:
+  options:
+    max-line-length: 79
+
+mccabe:
+  run: false

.travis.yml

@@ -1,13 +0,0 @@
-language: python
-python:
-- 2.6
-- 2.7
-- 3.4
-- 3.5
-- pypy
-
-install:
-    - travis_retry pip install -q pytest mock
-
-script:
-  - PYTHONPATH=. py.test

CHANGES.rst

@@ -9,6 +9,205 @@ adheres to `Semantic Versioning`_.
 .. _`Semantic Versioning`: http://semver.org/
 
 
+1.0.5 - 2020-12-29
+------------------
+
+Added
+~~~~~
+* IPv6 support in nft method.
+* Intercept DNS requests sent by systemd-resolved.
+* Set default tmark.
+* Fix python2 server compatibility.
+* Python 3.9 support.
+
+Fixed
+~~~~~
+* Change license text to LGPL-2.1
+* Fix #494 sshuttle caught in infinite select() loop.
+* Include sshuttle version in verbose output.
+* Add psutil as dependency in setup.py
+* When subnets and excludes are specified with hostnames, use all IPs.
+* Update/document client's handling of IPv4 and IPv6.
+* Update sdnotify.py documentation.
+* Allow no remote to work.
+* Make prefixes in verbose output more consistent.
+* Make nat and nft rules consistent; improve rule ordering.
+* Make server and client handle resolv.conf differently.
+* Fix handling OSError in FirewallClient#__init__
+* Refactor automatic method selection.
+
+Removed
+~~~~~~~
+* Drop testing of Python 3.5
+
+
+1.0.4 - 2020-08-24
+------------------
+
+Fixed
+~~~~~
+* Allow Mux() flush/fill to work with python < 3.5
+* Fix parse_hostport to always return string for host.
+* Require -r/--remote parameter.
+* Add missing package in OpenWRT documentation.
+* Fix doc about --listen option.
+* README: add Ubuntu.
+* Increase IP4 ttl to 63 hops instead of 42.
+* Fix formatting in installation.rst
+
+
+1.0.3 - 2020-07-12
+------------------
+
+Fixed
+~~~~~
+* Ask setuptools to require Python 3.5 and above.
+* Add missing import.
+* Fix formatting typos in usage docs
+
+
+1.0.2 - 2020-06-18
+------------------
+
+Fixed
+~~~~~
+* Leave use of default port to ssh command.
+* Remove unwanted references to Python 2.7 in docs.
+* Replace usage of deprecated imp.
+* Fix connection with @ sign in username.
+
+
+1.0.1 - 2020-06-05
+------------------
+
+Fixed
+~~~~~
+* Errors in python long_documentation.
+
+
+1.0.0 - 2020-06-05
+------------------
+
+Added
+~~~~~
+* Python 3.8 support.
+* sshpass support.
+* Auto sudoers file (#269).
+* option for latency control buffer size.
+* Docs: FreeBSD'.
+* Docs: Nix'.
+* Docs: openwrt'.
+* Docs: install instructions for Fedora'.
+* Docs: install instructions for Arch Linux'.
+* Docs: 'My VPN broke and need a solution fast'.
+
+Removed
+~~~~~~~
+* Python 2.6 support.
+* Python 2.7 support.
+
+Fixed
+~~~~~
+* Remove debug message for getpeername failure.
+* Fix crash triggered by port scans closing socket.
+* Added "Running as a service" to docs.
+* Systemd integration.
+* Trap UnicodeError to handle cases where hostnames returned by DNS are invalid.
+* Formatting error in CHANGES.rst
+* Various errors in documentation.
+* Nftables based method.
+* Make hostwatch locale-independent (#379).
+* Add tproxy udp port mark filter that was missed in #144, fixes #367.
+* Capturing of local DNS servers.
+* Crashing on ECONNABORTED.
+* Size of pf_rule, which grew in OpenBSD 6.4.
+* Use prompt for sudo, not needed for doas.
+* Arch linux installation instructions.
+* tests for existing PR-312 (#337).
+* Hyphen in hostname.
+* Assembler import (#319).
+
+
+0.78.5 - 2019-01-28
+-------------------
+
+Added
+~~~~~
+* doas support as replacmeent for sudo on OpenBSD.
+* Added ChromeOS section to documentation (#262)
+* Add --no-sudo-pythonpath option
+
+Fixed
+~~~~~
+* Fix forwarding to a single port.
+* Various updates to documentation.
+* Don't crash if we can't look up peername
+* Fix missing string formatting argument
+* Moved sshuttle/tests into tests.
+* Updated bandit config.
+* Replace path /dev/null by os.devnull.
+* Added coverage report to tests.
+* Fixes support for OpenBSD (6.1+) (#282).
+* Close stdin, stdout, and stderr when using syslog or forking to daemon (#283).
+* Changes pf exclusion rules precedence.
+* Fix deadlock with iptables with large ruleset.
+* docs: document --ns-hosts --to-ns and update --dns.
+* Use subprocess.check_output instead of run.
+* Fix potential deadlock condition in nft_get_handle.
+* auto-nets: retrieve routes only if using auto-nets.
+
+
+0.78.4 - 2018-04-02
+-------------------
+
+Added
+~~~~~
+* Add homebrew instructions.
+* Route traffic by linux user.
+* Add nat-like method using nftables instead of iptables.
+
+Changed
+~~~~~~~
+* Talk to custom DNS server on pod, instead of the ones in /etc/resolv.conf.
+* Add new option for overriding destination DNS server.
+* Changed subnet parsing. Previously 10/8 become 10.0.0.0/8.  Now it gets
+  parsed as 0.0.0.10/8.
+* Make hostwatch find both fqdn and hostname.
+* Use versions of python3 greater than 3.5 when available (e.g. 3.6).
+
+Removed
+~~~~~~~
+* Remove Python 2.6 from automatic tests.
+
+Fixed
+~~~~~
+* Fix case where there is no --dns.
+* [pf] Avoid port forwarding from loopback address.
+* Use getaddrinfo to obtain a correct sockaddr.
+* Skip empty lines on incoming routes data.
+* Just skip empty lines of routes data instead of stopping processing.
+* [pf] Load pf kernel module when enabling pf.
+* [pf] Test double restore (ipv4, ipv6) disables only once; test kldload.
+* Fixes UDP and DNS proxies binding to the same socket address.
+* Mock socket bind to avoid depending on local IPs being available in test box.
+* Fix no value passed for argument auto_hosts in hw_main call.
+* Fixed incorrect license information in setup.py.
+* Preserve peer and port properly.
+* Make --to-dns and --ns-host work well together.
+* Remove test that fails under OSX.
+* Specify pip requirements for tests.
+* Use flake8 to find Python syntax errors or undefined names.
+* Fix compatibility with the sudoers file.
+* Stop using SO_REUSEADDR on sockets.
+* Declare 'verbosity' as global variable to placate linters.
+* Adds 'cd sshuttle' after 'git' to README and docs.
+* Documentation for loading options from configuration file.
+* Load options from a file.
+* Fix firewall.py.
+* Move sdnotify after setting up firewall rules.
+* Fix tests on Macos.
+
+
 0.78.3 - 2017-07-09
 -------------------
 The "I should have done a git pull" first release.

LICENSE

@@ -1,13 +1,14 @@
-                  GNU LIBRARY GENERAL PUBLIC LICENSE
-                       Version 2, June 1991
+                  GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 2.1, February 1999
 
- Copyright (C) 1991 Free Software Foundation, Inc.
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
  51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
-[This is the first released version of the library GPL.  It is
- numbered 2 because it goes with version 2 of the ordinary GPL.]
+[This is the first released version of the Lesser GPL.  It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
 
                             Preamble
 
@@ -16,97 +17,109 @@ freedom to share and change it.  By contrast, the GNU General Public
 Licenses are intended to guarantee your freedom to share and change
 free software--to make sure the software is free for all its users.
 
-  This license, the Library General Public License, applies to some
-specially designated Free Software Foundation software, and to any
-other libraries whose authors decide to use it.  You can use it for
-your libraries, too.
+  This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it.  You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.
 
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
+  When we speak of free software, we are referring to freedom of use,
+not price.  Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
 
   To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if
-you distribute copies of the library, or if you modify it.
+distributors to deny you these rights or to ask you to surrender these
+rights.  These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
 
   For example, if you distribute copies of the library, whether gratis
 or for a fee, you must give the recipients all the rights that we gave
 you.  You must make sure that they, too, receive or can get the source
-code.  If you link a program with the library, you must provide
-complete object files to the recipients so that they can relink them
-with the library, after making changes to the library and recompiling
+code.  If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
 it.  And you must show them these terms so they know their rights.
 
-  Our method of protecting your rights has two steps: (1) copyright
-the library, and (2) offer you this license which gives you legal
+  We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
 permission to copy, distribute and/or modify the library.
 
-  Also, for each distributor's protection, we want to make certain
-that everyone understands that there is no warranty for this free
-library.  If the library is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original
-version, so that any problems introduced by others will not reflect on
-the original authors' reputations.
+  To protect each distributor, we want to make it very clear that
+there is no warranty for the free library.  Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
 
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that companies distributing free
-software will individually obtain patent licenses, thus in effect
-transforming the program into proprietary software.  To prevent this,
-we have made it clear that any patent must be licensed for everyone's
-free use or not licensed at all.
+  Finally, software patents pose a constant threat to the existence of
+any free program.  We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder.  Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
 
-  Most GNU software, including some libraries, is covered by the ordinary
-GNU General Public License, which was designed for utility programs.  This
-license, the GNU Library General Public License, applies to certain
-designated libraries.  This license is quite different from the ordinary
-one; be sure to read it in full, and don't assume that anything in it is
-the same as in the ordinary license.
+  Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License.  This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License.  We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
 
-  The reason we have a separate public license for some libraries is that
-they blur the distinction we usually make between modifying or adding to a
-program and simply using it.  Linking a program with a library, without
-changing the library, is in some sense simply using the library, and is
-analogous to running a utility program or application program.  However, in
-a textual and legal sense, the linked executable is a combined work, a
-derivative of the original library, and the ordinary General Public License
-treats it as such.
+  When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library.  The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom.  The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
 
-  Because of this blurred distinction, using the ordinary General
-Public License for libraries did not effectively promote software
-sharing, because most developers did not use the libraries.  We
-concluded that weaker conditions might promote sharing better.
+  We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License.  It also provides other free software developers Less
+of an advantage over competing non-free programs.  These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries.  However, the Lesser license provides advantages in certain
+special circumstances.
 
-  However, unrestricted linking of non-free programs would deprive the
-users of those programs of all benefit from the free status of the
-libraries themselves.  This Library General Public License is intended to
-permit developers of non-free programs to use free libraries, while
-preserving your freedom as a user of such programs to change the free
-libraries that are incorporated in them.  (We have not seen how to achieve
-this as regards changes in header files, but we have achieved it as regards
-changes in the actual functions of the Library.)  The hope is that this
-will lead to faster development of free libraries.
+  For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard.  To achieve this, non-free programs must be
+allowed to use the library.  A more frequent case is that a free
+library does the same job as widely used non-free libraries.  In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+  In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software.  For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+  Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
 
   The precise terms and conditions for copying, distribution and
 modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
-former contains code derived from the library, while the latter only
-works together with the library.
-
-  Note that it is possible for a library to be covered by the ordinary
-General Public License rather than by this special one.
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
 
-                  GNU LIBRARY GENERAL PUBLIC LICENSE
+                  GNU LESSER GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
-  0. This License Agreement applies to any software library which
-contains a notice placed by the copyright holder or other authorized
-party saying it may be distributed under the terms of this Library
-General Public License (also called "this License").  Each licensee is
-addressed as "you".
+  0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
 
   A "library" means a collection of software functions and/or data
 prepared so as to be conveniently linked with application programs
@@ -255,7 +268,7 @@ distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
 
-  6. As an exception to the Sections above, you may also compile or
+  6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
 under terms of your choice, provided that the terms permit
@@ -282,23 +295,31 @@ of these things:
     Library will not necessarily be able to recompile the application
     to use the modified definitions.)
 
-    b) Accompany the work with a written offer, valid for at
+    b) Use a suitable shared library mechanism for linking with the
+    Library.  A suitable mechanism is one that (1) uses at run time a
+    copy of the library already present on the user's computer system,
+    rather than copying library functions into the executable, and (2)
+    will operate properly with a modified version of the library, if
+    the user installs one, as long as the modified version is
+    interface-compatible with the version that the work was made with.
+
+    c) Accompany the work with a written offer, valid for at
     least three years, to give the same user the materials
     specified in Subsection 6a, above, for a charge no more
     than the cost of performing this distribution.
 
-    c) If distribution of the work is made by offering access to copy
+    d) If distribution of the work is made by offering access to copy
     from a designated place, offer equivalent access to copy the above
     specified materials from the same place.
 
-    d) Verify that the user has already received a copy of these
+    e) Verify that the user has already received a copy of these
     materials or that you have already sent this user a copy.
 
   For an executable, the required form of the "work that uses the
 Library" must include any data and utility programs needed for
 reproducing the executable from it.  However, as a special exception,
-the source code distributed need not include anything that is normally
-distributed (in either source or binary form) with the major
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
 components (compiler, kernel, and so on) of the operating system on
 which the executable runs, unless that component itself accompanies
 the executable.
@@ -347,7 +368,7 @@ Library), the recipient automatically receives a license from the
 original licensor to copy, distribute, link with or modify the Library
 subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
+You are not responsible for enforcing compliance by third parties with
 this License.
 
   11. If, as a consequence of a court judgment or allegation of patent
@@ -390,7 +411,7 @@ excluded.  In such case, this License incorporates the limitation as if
 written in the body of this License.
 
   13. The Free Software Foundation may publish revised and/or new
-versions of the Library General Public License from time to time.
+versions of the Lesser General Public License from time to time.
 Such new versions will be similar in spirit to the present version,
 but may differ in detail to address new problems or concerns.
 
@@ -453,16 +474,16 @@ convey the exclusion of warranty; and each file should have at least the
     Copyright (C) <year>  <name of author>
 
     This library is free software; you can redistribute it and/or
-    modify it under the terms of the GNU Library General Public
+    modify it under the terms of the GNU Lesser General Public
     License as published by the Free Software Foundation; either
-    version 2 of the License, or (at your option) any later version.
+    version 2.1 of the License, or (at your option) any later version.
 
     This library is distributed in the hope that it will be useful,
     but WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-    Library General Public License for more details.
+    Lesser General Public License for more details.
 
-    You should have received a copy of the GNU Library General Public
+    You should have received a copy of the GNU Lesser General Public
     License along with this library; if not, write to the Free Software
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 

README.rst

@@ -23,16 +23,33 @@ common case:
 
 - You can't use openssh's PermitTunnel feature because
   it's disabled by default on openssh servers; plus it does
-  TCP-over-TCP, which has terrible performance (see below).
+  TCP-over-TCP, which has `terrible performance`_.
   
+.. _terrible performance: https://sshuttle.readthedocs.io/en/stable/how-it-works.html
 
 Obtaining sshuttle
 ------------------
 
+- Ubuntu 16.04 or later::
+
+      apt-get install sshuttle
+
 - Debian stretch or later::
 
       apt-get install sshuttle
       
+- Arch Linux::
+
+      pacman -S sshuttle
+
+- Fedora::
+
+      dnf install sshuttle
+
+- NixOS::
+
+      nix-env -iA nixos.sshuttle
+
 - From PyPI::
 
       sudo pip install sshuttle
@@ -40,8 +57,16 @@ Obtaining sshuttle
 - Clone::
 
       git clone https://github.com/sshuttle/sshuttle.git
+      cd sshuttle
       sudo ./setup.py install
 
+- FreeBSD::
+
+      # ports
+      cd /usr/ports/net/py-sshuttle && make install clean
+      # pkg
+      pkg install py36-sshuttle
+
 It is also possible to install into a virtualenv as a non-root user.
 
 - From PyPI::
@@ -55,12 +80,28 @@ It is also possible to install into a virtualenv as a non-root user.
       virtualenv -p python3 /tmp/sshuttle
       . /tmp/sshuttle/bin/activate
       git clone https://github.com/sshuttle/sshuttle.git
+      cd sshuttle
       ./setup.py install
 
+- Homebrew::
+
+      brew install sshuttle
+
+- Nix::
+
+      nix-env -iA nixpkgs.sshuttle
+
+
 Documentation
 -------------
 The documentation for the stable version is available at:
-http://sshuttle.readthedocs.org/
+https://sshuttle.readthedocs.org/
 
 The documentation for the latest development version is available at:
-http://sshuttle.readthedocs.org/en/latest/
+https://sshuttle.readthedocs.org/en/latest/
+
+
+Running as a service
+--------------------
+Sshuttle can also be run as a service and configured using a config management system: 
+https://medium.com/@mike.reider/using-sshuttle-as-a-service-bec2684a65fe

bandit.yml

@@ -0,0 +1,9 @@
+exclude_dirs:
+  - tests
+skips:
+  - B101
+  - B104
+  - B404
+  - B603
+  - B606
+  - B607

bin/sudoers-add

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# William Mantly <wmantly@gmail.com>
+# MIT License
+# https://github.com/wmantly/sudoers-add
+
+NEWLINE=$'\n'
+CONTENT=""
+ME="$(basename "$(test -L "$0" && readlink "$0" || echo "$0")")"
+
+if [ "$1" == "--help" ] || [ "$1" == "-h" ]; then
+	echo "Usage: $ME [file_path] [sudoers-file-name]"
+	echo "Usage: [content] | $ME sudoers-file-name"
+	echo "This will take a sudoers config validate it and add it to /etc/sudoers.d/{sudoers-file-name}"
+	echo "The config can come from a file, first usage example or piped in second example."
+
+	exit 0
+fi
+
+if [ "$1" == "" ]; then
+	(>&2 echo "This command take at lest one argument. See $ME --help")
+
+	exit 1	
+fi
+
+if [ "$2" == "" ]; then
+	FILE_NAME=$1
+	shift
+else
+	FILE_NAME=$2
+fi
+
+if [[ $EUID -ne 0 ]]; then
+	echo "This script must be run as root"
+
+	exit 1
+fi
+
+while read -r line
+do
+	CONTENT+="${line}${NEWLINE}"
+done < "${1:-/dev/stdin}"
+
+if [ "$CONTENT" == "" ]; then
+	(>&2 echo "No config content specified. See $ME --help")
+	exit 1
+fi
+
+if [ "$FILE_NAME" == "" ]; then
+	(>&2 echo "No sudoers file name specified. See $ME --help")
+	exit 1
+fi
+
+# Make a temp file to hold the sudoers config
+umask 077
+TEMP_FILE=$(mktemp)
+echo "$CONTENT" > "$TEMP_FILE"
+
+# Make sure the content is valid
+visudo_STDOUT=$(visudo -c -f "$TEMP_FILE" 2>&1)
+visudo_code=$?
+# The temp file is no longer needed
+rm "$TEMP_FILE"
+
+if [ $visudo_code -eq 0 ]; then
+	echo "$CONTENT" > "/etc/sudoers.d/$FILE_NAME"
+	chmod 0440 "/etc/sudoers.d/$FILE_NAME"
+	echo "The sudoers file /etc/sudoers.d/$FILE_NAME has been successfully created!"
+
+	exit 0
+else
+	echo "Invalid sudoers config!"
+	echo "$visudo_STDOUT"
+
+	exit 1
+fi
+

conftest.py

@@ -1,10 +0,0 @@
-import sys
-
-if sys.version_info >= (3, 0):
-    good_python = sys.version_info >= (3, 5)
-else:
-    good_python = sys.version_info >= (2, 7)
-
-collect_ignore = []
-if not good_python:
-    collect_ignore.append("sshuttle/tests/client")

docs/chromeos.rst

@@ -0,0 +1,12 @@
+Google ChromeOS
+===============
+
+Currently there is no built in support for running sshuttle directly on
+Google ChromeOS/Chromebooks.
+
+What we can really do is to create a Linux VM with Crostini.  In the default
+stretch/Debian 9 VM, you can then install sshuttle as on any Linux box and
+it just works, as do xterms and ssvncviewer etc.
+
+https://www.reddit.com/r/Crostini/wiki/getstarted/crostini-setup-guide
+

docs/installation.rst

@@ -5,7 +5,20 @@ Installation
 
       pip install sshuttle
 
+- Debain package manager::
+
+      sudo apt install sshuttle
+
 - Clone::
 
       git clone https://github.com/sshuttle/sshuttle.git
+      cd sshuttle
       ./setup.py install
+
+
+Optionally after installation
+-----------------------------
+
+- Add to sudoers file::
+
+      sshuttle --sudoers

docs/manpage.rst

@@ -11,7 +11,7 @@ Description
 -----------
 :program:`sshuttle` allows you to create a VPN connection from your
 machine to any remote server that you can connect to via
-ssh, as long as that server has python 2.3 or higher.
+ssh, as long as that server has python 3.6 or higher.
 
 To work, you must have root access on the local machine,
 but you can have a normal account on the server.
@@ -28,7 +28,7 @@ Options
 -------
 .. program:: sshuttle
 
-.. option:: subnets
+.. option:: <subnets>
 
     A list of subnets to route over the VPN, in the form
     ``a.b.c.d[/width][port[-port]]``.  Valid examples are 1.2.3.4 (a
@@ -40,17 +40,21 @@ Options
     that has as the destination port 8000 of 1.2.3.4 and
     1.2.3.0/24:8000-9000 will tunnel traffic going to any port between
     8000 and 9000 (inclusive) for all IPs in the 1.2.3.0/24 subnet.
-    It is also possible to use a name in which case the first IP it resolves
-    to during startup will be routed over the VPN. Valid examples are
-    example.com, example.com:8000 and example.com:8000-9000.
+    A hostname can be provided instead of an IP address. If the
+    hostname resolves to multiple IPs, all of the IPs are included.
+    If a width is provided with a hostname that the width is applied
+    to all of the hostnames IPs (if they are all either IPv4 or IPv6).
+    Widths cannot be supplied to hostnames that resolve to both IPv4
+    and IPv6. Valid examples are example.com, example.com:8000,
+    example.com/24, example.com/24:8000 and example.com:8000-9000.
 
-.. option:: --method [auto|nat|tproxy|pf]
+.. option:: --method <auto|nat|nft|tproxy|pf|ipfw>
 
    Which firewall method should sshuttle use? For auto, sshuttle attempts to
    guess the appropriate method depending on what it can find in PATH. The
    default value is auto.
 
-.. option:: -l, --listen=[ip:]port
+.. option:: -l <[ip:]port>, --listen=<[ip:]port>
 
     Use this ip address and port number as the transparent
     proxy port.  By default :program:`sshuttle` finds an available
@@ -64,8 +68,9 @@ Options
     You can use any name resolving to an IP address of the machine running
     :program:`sshuttle`, e.g. ``--listen localhost``.
 
-    For the tproxy and pf methods this can be an IPv6 address. Use this option 
-    twice if required, to provide both IPv4 and IPv6 addresses.
+    For the nft, tproxy and pf methods this can be an IPv6 address. Use 
+    this option with comma separated values if required, to provide both 
+    IPv4 and IPv6 addresses, e.g. ``--listen 127.0.0.1:0,[::1]:0``.
 
 .. option:: -H, --auto-hosts
 
@@ -91,25 +96,54 @@ Options
     are taken automatically from the server's routing
     table.
 
+    This feature does not detect IPv6 routes. Specify IPv6 subnets
+    manually. For example, specify the ``::/0`` subnet on the command
+    line to route all IPv6 traffic.
+
 .. option:: --dns
 
     Capture local DNS requests and forward to the remote DNS
-    server.
+    server. All queries to any of the local system's DNS
+    servers (/etc/resolv.conf and, if it exists, 
+    /run/systemd/resolve/resolv.conf) will be intercepted and
+    resolved on the remote side of the tunnel instead, there
+    using the DNS specified via the :option:`--to-ns` option,
+    if specified. Only plain DNS traffic sent to these servers
+    on port 53 are captured.
+
+.. option:: --ns-hosts=<server1[,server2[,server3[...]]]>
+
+    Capture local DNS requests to the specified server(s)
+    and forward to the remote DNS server. Contrary to the
+    :option:`--dns` option, this flag allows to specify the
+    DNS server(s) the queries to which to intercept,
+    instead of intercepting all DNS traffic on the local
+    machine. This can be useful when only certain DNS
+    requests should be resolved on the remote side of the
+    tunnel, e.g. in combination with dnsmasq.
+
+.. option:: --to-ns=<server>
+
+    The DNS to forward requests to when remote DNS
+    resolution is enabled. If not given, sshuttle will
+    simply resolve using the system configured resolver on
+    the remote side (via /etc/resolv.conf on the remote
+    side).
 
 .. option:: --python
 
-    Specify the name/path of the remote python interpreter.
-    The default is just ``python``, which means to use the
-    default python interpreter on the remote system's PATH.
+    Specify the name/path of the remote python interpreter. The
+    default is to use ``python3`` (or ``python``, if ``python3``
+    fails) in the remote system's PATH.
 
-.. option:: -r, --remote=[username@]sshserver[:port]
+.. option:: -r <[username@]sshserver[:port]>, --remote=<[username@]sshserver[:port]>
 
     The remote hostname and optional username and ssh
     port number to use for connecting to the remote server.
     For example, example.com, testuser@example.com,
     testuser@example.com:2222, or example.com:2244.
 
-.. option:: -x, --exclude=subnet
+.. option:: -x <subnet>, --exclude=<subnet>
 
     Explicitly exclude this subnet from forwarding.  The
     format of this option is the same as the ``<subnets>``
@@ -118,7 +152,7 @@ Options
     ``0/0 -x 1.2.3.0/24`` to forward everything except the
     local subnet over the VPN, for example.
 
-.. option:: -X, --exclude-from=file
+.. option:: -X <file>, --exclude-from=<file>
 
     Exclude the subnets specified in a file, one subnet per
     line. Useful when you have lots of subnets to exclude.
@@ -166,18 +200,30 @@ Options
     control feature, maximizing bandwidth usage.  Use at
     your own risk.
 
+.. option:: --latency-buffer-size
+
+    Set the size of the buffer used in latency control. The
+    default is ``32768``. Changing this option allows a compromise
+    to be made between latency and bandwidth without completely
+    disabling latency control (with :option:`--no-latency-control`).
+
 .. option:: -D, --daemon
 
     Automatically fork into the background after connecting
     to the remote server.  Implies :option:`--syslog`.
 
+.. option:: -s <file>, --subnets=<file>
+
+    Include the subnets specified in a file instead of on the
+    command line. One subnet per line.
+
 .. option:: --syslog
 
     after connecting, send all log messages to the
     :manpage:`syslog(3)` service instead of stderr.  This is
     implicit if you use :option:`--daemon`.
 
-.. option:: --pidfile=pidfilename
+.. option:: --pidfile=<pidfilename>
 
     when using :option:`--daemon`, save :program:`sshuttle`'s pid to
     *pidfilename*.  The default is ``sshuttle.pid`` in the
@@ -185,7 +231,8 @@ Options
 
 .. option:: --disable-ipv6
 
-    If using tproxy or pf methods, this will disable IPv6 support.
+    Disable IPv6 support for methods that support it (nft, tproxy, and
+    pf).
 
 .. option:: --firewall
 
@@ -204,6 +251,60 @@ Options
     makes it a lot easier to debug and test the :option:`--auto-hosts`
     feature.
 
+.. option:: --sudoers
+
+    sshuttle will auto generate the proper sudoers.d config file and add it.
+    Once this is completed, sshuttle will exit and tell the user if
+    it succeed or not. Do not call this options with sudo, it may generate a
+    incorrect config file.
+
+.. option:: --sudoers-no-modify
+
+    sshuttle will auto generate the proper sudoers.d config and print it to
+    stdout. The option will not modify the system at all.
+
+.. option:: --sudoers-user
+
+    Set the user name or group with %group_name for passwordless operation.
+    Default is the current user.set ALL for all users. Only works with
+    --sudoers or --sudoers-no-modify option.
+
+.. option:: --sudoers-filename
+
+    Set the file name for the sudoers.d file to be added. Default is
+    "sshuttle_auto". Only works with --sudoers.
+
+.. option:: -t, --tmark
+
+    Transproxy optional traffic mark with provided MARK value.
+
+.. option:: --version
+
+    Print program version.
+
+
+Configuration File
+------------------
+All the options described above can optionally be specified in a configuration
+file.
+
+To run :program:`sshuttle` with options defined in, e.g., `/etc/sshuttle.conf`
+just pass the path to the file preceded by the `@` character, e.g.
+`@/etc/sshuttle.conf`.
+
+When running :program:`sshuttle` with options defined in a configuration file,
+options can still be passed via the command line in addition to what is
+defined in the file. If a given option is defined both in the file and in
+the command line, the value in the command line will take precedence.
+
+Arguments read from a file must be one per line, as shown below::
+
+    value
+    --option1
+    value1
+    --option2
+    value2
+
 
 Examples
 --------
@@ -253,6 +354,24 @@ and subnet guessing::
     c : Keyboard interrupt: exiting.
     c : SW#6:192.168.42.121:60554: deleting
 
+Run :program:`sshuttle` with a `/etc/sshuttle.conf` configuration file::
+
+    $ sshuttle @/etc/sshuttle.conf
+
+Use the options defined in `/etc/sshuttle.conf` but be more verbose::
+
+    $ sshuttle @/etc/sshuttle.conf -vvv
+
+Override the remote server defined in `/etc/sshuttle.conf`::
+
+    $ sshuttle @/etc/sshuttle.conf -r otheruser@test.example.com
+
+Example configuration file::
+
+    192.168.0.0/16
+    --remote
+    user@example.com
+
 
 Discussion
 ----------

docs/openwrt.rst

@@ -0,0 +1,8 @@
+OpenWRT
+========
+
+Run::
+
+    opkg install python3 python3-pip iptables-mod-extra iptables-mod-nat-extra iptables-mod-ipopt
+    python3 /usr/bin/pip3 install sshuttle
+    sshuttle -l 0.0.0.0 -r <IP> -x 192.168.1.1 0/0

docs/platform.rst

@@ -6,5 +6,7 @@ Contents:
 .. toctree::
    :maxdepth: 2
 
+   chromeos
    tproxy
    windows
+   openwrt

docs/requirements.rst

@@ -6,7 +6,7 @@ Client side Requirements
 
 - sudo, or root access on your client machine.
   (The server doesn't need admin access.)
-- Python 2.7 or Python 3.5.
+- Python 3.6 or greater.
 
 
 Linux with NAT method
@@ -20,6 +20,18 @@ Requires:
 
 * iptables DNAT, REDIRECT, and ttl modules.
 
+Linux with nft method
+~~~~~~~~~~~~~~~~~~~~~
+Supports
+
+* IPv4 TCP
+* IPv4 DNS
+* IPv6 TCP
+* IPv6 DNS
+
+Requires:
+
+* nftables
 
 Linux with TPROXY method
 ~~~~~~~~~~~~~~~~~~~~~~~~
@@ -32,14 +44,6 @@ Supports:
 * IPv6 UDP (requires ``recvmsg`` - see below)
 * IPv6 DNS (requires ``recvmsg`` - see below)
 
-.. _PyXAPI: http://www.pps.univ-paris-diderot.fr/~ylg/PyXAPI/
-
-Full UDP or DNS support with the TPROXY method requires the ``recvmsg()``
-syscall. This is not available in Python 2, however it is in Python 3.5 and
-later. Under Python 2 you might find it sufficient to install PyXAPI_ in
-order to get the ``recvmsg()`` function. See :doc:`tproxy` for more
-information.
-
 
 MacOS / FreeBSD / OpenBSD / pfSense
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -65,16 +69,13 @@ cmd.exe with Administrator access. See :doc:`windows` for more information.
 
 Server side Requirements
 ------------------------
-The server can run in any version of Python between 2.4 and 3.6.
-However it is recommended that you use Python 2.7, Python 3.5 or later whenever
-possible as support for older versions might be dropped in the future.
+
+- Python 3.6 or greater.
 
 
 Additional Suggested Software
 -----------------------------
 
-- You may want to use autossh, available in various package management
-  systems.
 - If you are using systemd, sshuttle can notify it when the connection to
   the remote end is established and the firewall rules are installed. For
   this feature to work you must configure the process start-up type for the

docs/tproxy.rst

@@ -8,9 +8,11 @@ There are some things you need to consider for TPROXY to work:
   done once after booting up::
 
       ip route add local default dev lo table 100
-      ip rule add fwmark 1 lookup 100
+      ip rule add fwmark {TMARK} lookup 100
       ip -6 route add local default dev lo table 100
-      ip -6 rule add fwmark 1 lookup 100
+      ip -6 rule add fwmark {TMARK} lookup 100
+  
+  where {TMARK} is the identifier mark passed with -t or --tmark flag (default value is 1).
 
 - The ``--auto-nets`` feature does not detect IPv6 routes automatically. Add IPv6
   routes manually. e.g. by adding ``'::/0'`` to the end of the command line.

docs/usage.rst

@@ -20,6 +20,11 @@ Forward all traffic::
 
       sshuttle -r username@sshserver 0/0
 
+
+- For 'My VPN broke and need a temporary solution FAST to access local IPv4 addresses'::
+
+      sshuttle --dns -NHr username@sshserver 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+
 If you would also like your DNS queries to be proxied
 through the DNS server of the server you are connect to::
 
@@ -60,3 +65,46 @@ the data back and forth through ssh.
 Fun, right?  A poor man's instant VPN, and you don't even have to have
 admin access on the server.
 
+Sudoers File
+------------
+sshuttle can auto-generate the proper sudoers.d file using the current user 
+for Linux and OSX. Doing this will allow sshuttle to run without asking for
+the local sudo password and to give users who do not have sudo access
+ability to run sshuttle::
+
+  sshuttle --sudoers
+
+DO NOT run this command with sudo, it will ask for your sudo password when
+it is needed.
+
+A costume user or group can be set with the :
+option:`sshuttle --sudoers --sudoers-username {user_descriptor}` option. Valid
+values for this vary based on how your system is configured. Values such as 
+usernames, groups pre-pended with `%` and sudoers user aliases will work. See
+the sudoers manual for more information on valid user specif actions.
+The options must be used with `--sudoers`::
+
+  sshuttle --sudoers --sudoers-user mike
+  sshuttle --sudoers --sudoers-user %sudo
+
+The name of the file to be added to sudoers.d can be configured as well. This
+is mostly not necessary but can be useful for giving more than one user
+access to sshuttle. The default is `sshuttle_auto`::
+
+  sshuttle --sudoer --sudoers-filename sshuttle_auto_mike
+  sshuttle --sudoer --sudoers-filename sshuttle_auto_tommy
+
+You can also see what configuration will be added to your system without
+modifying anything. This can be helpfull is the auto feature does not work, or
+you want more control. This option also works with `--sudoers-username`.
+`--sudoers-filename` has no effect with this option::
+
+  sshuttle --sudoers-no-modify
+
+This will simply sprint the generated configuration to STDOUT. Example::
+
+  08:40 PM william$ sshuttle --sudoers-no-modify
+
+  Cmnd_Alias SSHUTTLE304 = /usr/bin/env PYTHONPATH=/usr/local/lib/python2.7/dist-packages/sshuttle-0.78.5.dev30+gba5e6b5.d20180909-py2.7.egg /usr/bin/python /usr/local/bin/sshuttle --method auto --firewall
+
+  william ALL=NOPASSWD: SSHUTTLE304

requirements-tests.txt

@@ -0,0 +1,7 @@
+-r requirements.txt
+attrs==20.3.0
+pytest==6.2.1
+pytest-cov==2.10.1
+mock==4.0.3
+flake8==3.8.4
+pyflakes==2.2.0

requirements.txt

@@ -1 +1,2 @@
-setuptools-scm==1.15.6
+setuptools-scm==5.0.1
+psutil

run

@@ -1,11 +1,15 @@
-#!/bin/sh
-source_dir="$(dirname $0)"
-(cd "$source_dir" && "$source_dir/setup.py" --version > /dev/null)
-export PYTHONPATH="$source_dir:$PYTHONPATH"
-if python3.5 -V >/dev/null 2>&1; then
-	exec python3.5 -m "sshuttle" "$@"
-elif python2.7 -V >/dev/null 2>&1; then
-	exec python2.7 -m "sshuttle" "$@"
-else
-	exec python -m "sshuttle" "$@"
-fi
+#!/usr/bin/env sh
+set -e
+export PYTHONPATH="$(dirname $0):$PYTHONPATH"
+export PATH="$(dirname $0)/bin:$PATH"
+
+python_best_version() {
+  if [ -x "$(command -v python3)" ] &&
+      python3 -c "import sys; sys.exit(not sys.version_info > (3, 5))"; then
+    exec python3 "$@"
+  else
+    exec python "$@"
+  fi
+}
+
+python_best_version -m "sshuttle" "$@"

setup.cfg

@@ -7,3 +7,11 @@ universal = 1
 [upload]
 sign=true
 identity=0x1784577F811F6EAC
+
+[flake8]
+count=true
+show-source=true
+statistics=true
+
+[tool:pytest]
+addopts = --cov=sshuttle --cov-branch --cov-report=term-missing

setup.py

@@ -2,20 +2,20 @@
 
 # Copyright 2012-2014 Brian May
 #
-# This file is part of python-tldap.
+# This file is part of sshuttle.
 #
-# python-tldap is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
+# sshuttle is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2.1 of
+# the License, or (at your option) any later version.
 #
-# python-tldap is distributed in the hope that it will be useful,
+# sshuttle is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with python-tldap  If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with sshuttle; If not, see <http://www.gnu.org/licenses/>.
 
 from setuptools import setup, find_packages
 
@@ -39,24 +39,38 @@ setup(
     author_email='brian@linuxpenguins.xyz',
     description='Full-featured" VPN over an SSH tunnel',
     packages=find_packages(),
-    license="GPL2+",
+    license="LGPL2.1+",
     long_description=open('README.rst').read(),
+    long_description_content_type="text/x-rst",
     classifiers=[
         "Development Status :: 5 - Production/Stable",
         "Intended Audience :: Developers",
         "Intended Audience :: End Users/Desktop",
         "License :: OSI Approved :: "
-            "GNU General Public License v2 or later (GPLv2+)",
+            "GNU Lesser General Public License v2 or later (LGPLv2+)",
         "Operating System :: OS Independent",
-        "Programming Language :: Python :: 2.7",
-        "Programming Language :: Python :: 3.5",
+        "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
+        "Programming Language :: Python :: 3.9",
         "Topic :: System :: Networking",
     ],
+    scripts=['bin/sudoers-add'],
     entry_points={
         'console_scripts': [
             'sshuttle = sshuttle.cmdline:main',
         ],
     },
-    tests_require=['pytest', 'pytest-runner', 'mock'],
+    python_requires='>=3.6',
+    install_requires=[
+        'psutil',
+    ],
+    tests_require=[
+        'pytest',
+        'pytest-cov',
+        'pytest-runner',
+        'mock',
+        'flake8',
+    ],
     keywords="ssh vpn",
 )

sshuttle/assembler.py

@@ -1,27 +1,31 @@
 import sys
 import zlib
-import imp
+import types
 
+verbosity = verbosity  # noqa: F821 must be a previously defined global
 z = zlib.decompressobj()
 while 1:
     name = sys.stdin.readline().strip()
     if name:
-        name = name.decode("ASCII")
-
+        # python2 compat: in python2 sys.stdin.readline().strip() -> str
+        #                 in python3 sys.stdin.readline().strip() -> bytes
+        # (see #481)
+        if sys.version_info >= (3, 0):
+            name = name.decode("ASCII")
         nbytes = int(sys.stdin.readline())
         if verbosity >= 2:
-            sys.stderr.write('server: assembling %r (%d bytes)\n'
+            sys.stderr.write(' s: assembling %r (%d bytes)\n'
                              % (name, nbytes))
         content = z.decompress(sys.stdin.read(nbytes))
 
-        module = imp.new_module(name)
+        module = types.ModuleType(name)
         parents = name.rsplit(".", 1)
         if len(parents) == 2:
             parent, parent_name = parents
             setattr(sys.modules[parent], parent_name, module)
 
         code = compile(content, name, "exec")
-        exec(code, module.__dict__)
+        exec(code, module.__dict__)  # nosec
         sys.modules[name] = module
     else:
         break
@@ -29,9 +33,12 @@ while 1:
 sys.stderr.flush()
 sys.stdout.flush()
 
-import sshuttle.helpers
+# import can only happen once the code has been transferred to
+# the server. 'noqa: E402' excludes these lines from QA checks.
+import sshuttle.helpers  # noqa: E402
 sshuttle.helpers.verbose = verbosity
 
-import sshuttle.cmdline_options as options
-from sshuttle.server import main
-main(options.latency_control, options.auto_hosts)
+import sshuttle.cmdline_options as options  # noqa: E402
+from sshuttle.server import main  # noqa: E402
+main(options.latency_control, options.auto_hosts, options.to_nameserver,
+     options.auto_nets)

sshuttle/client.py

@@ -3,18 +3,25 @@ import re
 import signal
 import time
 import subprocess as ssubprocess
-import sshuttle.helpers as helpers
 import os
+import sys
+import platform
+import psutil
+
+import sshuttle.helpers as helpers
 import sshuttle.ssnet as ssnet
 import sshuttle.ssh as ssh
 import sshuttle.ssyslog as ssyslog
 import sshuttle.sdnotify as sdnotify
-import sys
-import platform
 from sshuttle.ssnet import SockWrapper, Handler, Proxy, Mux, MuxWrapper
 from sshuttle.helpers import log, debug1, debug2, debug3, Fatal, islocal, \
-    resolvconf_nameservers
+    resolvconf_nameservers, which
 from sshuttle.methods import get_method, Features
+from sshuttle import __version__
+try:
+    from pwd import getpwnam
+except ImportError:
+    getpwnam = None
 
 try:
     # try getting recvmsg from python
@@ -30,7 +37,7 @@ except AttributeError:
     except ImportError:
         import socket
 
-_extra_fd = os.open('/dev/null', os.O_RDONLY)
+_extra_fd = os.open(os.devnull, os.O_RDONLY)
 
 
 def got_signal(signum, frame):
@@ -50,7 +57,7 @@ def check_daemon(pidfile):
         if e.errno == errno.ENOENT:
             return  # no pidfile, ok
         else:
-            raise Fatal("can't read %s: %s" % (_pidname, e))
+            raise Fatal("c : can't read %s: %s" % (_pidname, e))
     if not oldpid:
         os.unlink(_pidname)
         return  # invalid pidfile, ok
@@ -90,7 +97,7 @@ def daemonize():
     # be deleted.
     signal.signal(signal.SIGTERM, got_signal)
 
-    si = open('/dev/null', 'r+')
+    si = open(os.devnull, 'r+')
     os.dup2(si.fileno(), 0)
     os.dup2(si.fileno(), 1)
     si.close()
@@ -108,8 +115,8 @@ def daemon_cleanup():
 
 class MultiListener:
 
-    def __init__(self, type=socket.SOCK_STREAM, proto=0):
-        self.type = type
+    def __init__(self, kind=socket.SOCK_STREAM, proto=0):
+        self.type = kind
         self.proto = proto
         self.v6 = None
         self.v4 = None
@@ -157,13 +164,11 @@ class MultiListener:
         self.bind_called = True
         if address_v6 is not None:
             self.v6 = socket.socket(socket.AF_INET6, self.type, self.proto)
-            self.v6.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
             self.v6.bind(address_v6)
         else:
             self.v6 = None
         if address_v4 is not None:
             self.v4 = socket.socket(socket.AF_INET, self.type, self.proto)
-            self.v4.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
             self.v4.bind(address_v4)
         else:
             self.v4 = None
@@ -182,7 +187,7 @@ class MultiListener:
 
 class FirewallClient:
 
-    def __init__(self, method_name):
+    def __init__(self, method_name, sudo_pythonpath):
         self.auto_nets = []
         python_path = os.path.dirname(os.path.dirname(__file__))
         argvbase = ([sys.executable, sys.argv[0]] +
@@ -191,11 +196,23 @@ class FirewallClient:
                     ['--firewall'])
         if ssyslog._p:
             argvbase += ['--syslog']
-        argv_tries = [
-            ['sudo', '-p', '[local sudo] Password: ',
-                ('PYTHONPATH=%s' % python_path), '--'] + argvbase,
-            argvbase
-        ]
+
+        # Determine how to prefix the command in order to elevate privileges.
+        if platform.platform().startswith('OpenBSD'):
+            elev_prefix = ['doas']  # OpenBSD uses built in `doas`
+        else:
+            elev_prefix = ['sudo', '-p', '[local sudo] Password: ']
+
+        # Look for binary and switch to absolute path if we can find
+        # it.
+        path = which(elev_prefix[0])
+        if path:
+            elev_prefix[0] = path
+
+        if sudo_pythonpath:
+            elev_prefix += ['/usr/bin/env',
+                            'PYTHONPATH=%s' % python_path]
+        argv_tries = [elev_prefix + argvbase, argvbase]
 
         # we can't use stdin/stdout=subprocess.PIPE here, as we normally would,
         # because stupid Linux 'su' requires that stdin be attached to a tty.
@@ -206,7 +223,6 @@ class FirewallClient:
         def setup():
             # run in the child process
             s2.close()
-        e = None
         if os.getuid() == 0:
             argv_tries = argv_tries[-1:]  # last entry only
         for argv in argv_tries:
@@ -214,21 +230,14 @@ class FirewallClient:
                 if argv[0] == 'su':
                     sys.stderr.write('[local su] ')
                 self.p = ssubprocess.Popen(argv, stdout=s1, preexec_fn=setup)
-                e = None
+                # No env: Talking to `FirewallClient.start`, which has no i18n.
                 break
             except OSError as e:
-                pass
+                log('Spawning firewall manager: %r\n' % argv)
+                raise Fatal(e)
         self.argv = argv
         s1.close()
-        if sys.version_info < (3, 0):
-            # python 2.7
-            self.pfile = s2.makefile('wb+')
-        else:
-            # python 3.5
-            self.pfile = s2.makefile('rwb')
-        if e:
-            log('Spawning firewall manager: %r\n' % self.argv)
-            raise Fatal(e)
+        self.pfile = s2.makefile('rwb')
         line = self.pfile.readline()
         self.check()
         if line[0:5] != b'READY':
@@ -238,7 +247,8 @@ class FirewallClient:
         self.method.set_firewall(self)
 
     def setup(self, subnets_include, subnets_exclude, nslist,
-              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4, udp):
+              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4, udp,
+              user, tmark):
         self.subnets_include = subnets_include
         self.subnets_exclude = subnets_exclude
         self.nslist = nslist
@@ -247,6 +257,8 @@ class FirewallClient:
         self.dnsport_v6 = dnsport_v6
         self.dnsport_v4 = dnsport_v4
         self.udp = udp
+        self.user = user
+        self.tmark = tmark
 
     def check(self):
         rv = self.p.poll()
@@ -257,11 +269,13 @@ class FirewallClient:
         self.pfile.write(b'ROUTES\n')
         for (family, ip, width, fport, lport) \
                 in self.subnets_include + self.auto_nets:
-            self.pfile.write(b'%d,%d,0,%s,%d,%d\n'
-                    % (family, width, ip.encode("ASCII"), fport, lport))
+            self.pfile.write(b'%d,%d,0,%s,%d,%d\n' % (family, width,
+                                                      ip.encode("ASCII"),
+                                                      fport, lport))
         for (family, ip, width, fport, lport) in self.subnets_exclude:
-            self.pfile.write(b'%d,%d,1,%s,%d,%d\n'
-                    % (family, width, ip.encode("ASCII"), fport, lport))
+            self.pfile.write(b'%d,%d,1,%s,%d,%d\n' % (family, width,
+                                                      ip.encode("ASCII"),
+                                                      fport, lport))
 
         self.pfile.write(b'NSLIST\n')
         for (family, ip) in self.nslist:
@@ -276,8 +290,14 @@ class FirewallClient:
         udp = 0
         if self.udp:
             udp = 1
+        if self.user is None:
+            user = b'-'
+        elif isinstance(self.user, str):
+            user = bytes(self.user, 'utf-8')
+        else:
+            user = b'%d' % self.user
 
-        self.pfile.write(b'GO %d\n' % udp)
+        self.pfile.write(b'GO %d %s\n' % (udp, user))
         self.pfile.flush()
 
         line = self.pfile.readline()
@@ -286,8 +306,8 @@ class FirewallClient:
             raise Fatal('%r expected STARTED, got %r' % (self.argv, line))
 
     def sethostip(self, hostname, ip):
-        assert(not re.search(b'[^-\w]', hostname))
-        assert(not re.search(b'[^0-9.]', ip))
+        assert(not re.search(br'[^-\w\.]', hostname))
+        assert(not re.search(br'[^0-9.]', ip))
         self.pfile.write(b'HOST %s,%s\n' % (hostname, ip))
         self.pfile.flush()
 
@@ -338,7 +358,7 @@ def onaccept_tcp(listener, method, mux, handlers):
                 sock, srcip = listener.accept()
                 sock.close()
             finally:
-                _extra_fd = os.open('/dev/null', os.O_RDONLY)
+                _extra_fd = os.open(os.devnull, os.O_RDONLY)
             return
         else:
             raise
@@ -377,7 +397,7 @@ def onaccept_udp(listener, method, mux, handlers):
     srcip, dstip, data = t
     debug1('Accept UDP: %r -> %r.\n' % (srcip, dstip,))
     if srcip in udp_by_src:
-        chan, timeout = udp_by_src[srcip]
+        chan, _ = udp_by_src[srcip]
     else:
         chan = mux.next_channel()
         mux.channels[chan] = lambda cmd, data: udp_done(
@@ -404,7 +424,13 @@ def ondns(listener, method, mux, handlers):
     if t is None:
         return
     srcip, dstip, data = t
-    debug1('DNS request from %r to %r: %d bytes\n' % (srcip, dstip, len(data)))
+    # dstip is None if we are using a method where we can't determine
+    # the destination IP of the DNS request that we captured from the client.
+    if dstip is None:
+        debug1('DNS request from %r: %d bytes\n' % (srcip, len(data)))
+    else:
+        debug1('DNS request from %r to %r: %d bytes\n' %
+               (srcip, dstip, len(data)))
     chan = mux.next_channel()
     dnsreqs[chan] = now + 30
     mux.send(chan, ssnet.CMD_DNS_REQ, data)
@@ -415,32 +441,32 @@ def ondns(listener, method, mux, handlers):
 
 def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
           python, latency_control,
-          dns_listener, seed_hosts, auto_hosts, auto_nets, daemon):
+          dns_listener, seed_hosts, auto_hosts, auto_nets, daemon,
+          to_nameserver):
 
+    helpers.logprefix = 'c : '
     debug1('Starting client with Python version %s\n'
            % platform.python_version())
 
     method = fw.method
 
     handlers = []
-    if helpers.verbose >= 1:
-        helpers.logprefix = 'c : '
-    else:
-        helpers.logprefix = 'client: '
-    debug1('connecting to server...\n')
+    debug1('Connecting to server...\n')
 
     try:
         (serverproc, serversock) = ssh.connect(
             ssh_cmd, remotename, python,
             stderr=ssyslog._p and ssyslog._p.stdin,
             options=dict(latency_control=latency_control,
-                auto_hosts=auto_hosts))
+                         auto_hosts=auto_hosts,
+                         to_nameserver=to_nameserver,
+                         auto_nets=auto_nets))
     except socket.error as e:
         if e.args[0] == errno.EPIPE:
-            raise Fatal("failed to establish ssh session (1)")
+            raise Fatal("c : failed to establish ssh session (1)")
         else:
             raise
-    mux = Mux(serversock, serversock)
+    mux = Mux(serversock.makefile("rb"), serversock.makefile("wb"))
     handlers.append(mux)
 
     expected = b'SSHUTTLE0001'
@@ -455,18 +481,18 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
         initstring = serversock.recv(len(expected))
     except socket.error as e:
         if e.args[0] == errno.ECONNRESET:
-            raise Fatal("failed to establish ssh session (2)")
+            raise Fatal("c : failed to establish ssh session (2)")
         else:
             raise
 
     rv = serverproc.poll()
     if rv:
-        raise Fatal('server died with error code %d' % rv)
+        raise Fatal('c : server died with error code %d' % rv)
 
     if initstring != expected:
-        raise Fatal('expected server init string %r; got %r'
+        raise Fatal('c : expected server init string %r; got %r'
                     % (expected, initstring))
-    log('Connected.\n')
+    log('Connected to server.\n')
     sys.stdout.flush()
     if daemon:
         daemonize()
@@ -475,6 +501,8 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
     def onroutes(routestr):
         if auto_nets:
             for line in routestr.strip().split(b'\n'):
+                if not line:
+                    continue
                 (family, ip, width) = line.split(b',', 2)
                 family = int(family)
                 width = int(width)
@@ -495,9 +523,14 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
         # set --auto-nets, we might as well wait for the message first, then
         # ignore its contents.
         mux.got_routes = None
-        fw.start()
+        serverready()
+
     mux.got_routes = onroutes
 
+    def serverready():
+        fw.start()
+        sdnotify.send(sdnotify.ready(), sdnotify.status('Connected'))
+
     def onhostlist(hostlist):
         debug2('got host list: %r\n' % hostlist)
         for line in hostlist.strip().split():
@@ -518,14 +551,23 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
         debug1('seed_hosts: %r\n' % seed_hosts)
         mux.send(0, ssnet.CMD_HOST_REQ, str.encode('\n'.join(seed_hosts)))
 
-    sdnotify.send(sdnotify.ready(),
-                  sdnotify.status('Connected to %s.' % remotename))
+    def check_ssh_alive():
+        if daemon:
+            # poll() won't tell us when process exited since the
+            # process is no longer our child (it returns 0 all the
+            # time).
+            if not psutil.pid_exists(serverproc.pid):
+                raise Fatal('ssh connection to server (pid %d) exited.' %
+                            serverproc.pid)
+        else:
+            rv = serverproc.poll()
+            # poll returns None if process hasn't exited.
+            if rv is not None:
+                raise Fatal('ssh connection to server (pid %d) exited '
+                            'with returncode %d' % (serverproc.pid, rv))
 
     while 1:
-        rv = serverproc.poll()
-        if rv:
-            raise Fatal('server died with error code %d' % rv)
-
+        check_ssh_alive()
         ssnet.runonce(handlers, mux)
         if latency_control:
             mux.check_fullness()
@@ -534,7 +576,13 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
 def main(listenip_v6, listenip_v4,
          ssh_cmd, remotename, python, latency_control, dns, nslist,
          method_name, seed_hosts, auto_hosts, auto_nets,
-         subnets_include, subnets_exclude, daemon, pidfile):
+         subnets_include, subnets_exclude, daemon, to_nameserver, pidfile,
+         user, sudo_pythonpath, tmark):
+
+    if not remotename:
+        print("WARNING: You must specify -r/--remote to securely route "
+              "traffic to a remote machine. Running without -r/--remote "
+              "is only recommended for testing.")
 
     if daemon:
         try:
@@ -542,54 +590,148 @@ def main(listenip_v6, listenip_v4,
         except Fatal as e:
             log("%s\n" % e)
             return 5
-    debug1('Starting sshuttle proxy.\n')
+    debug1('Starting sshuttle proxy (version %s).\n' % __version__)
+    helpers.logprefix = 'c : '
 
-    fw = FirewallClient(method_name)
+    fw = FirewallClient(method_name, sudo_pythonpath)
 
-    # Get family specific subnet lists
+    # If --dns is used, store the IP addresses that the client
+    # normally uses for DNS lookups in nslist. The firewall needs to
+    # redirect packets outgoing to this server to the remote host
+    # instead.
     if dns:
-        nslist += resolvconf_nameservers()
+        nslist += resolvconf_nameservers(True)
+        if to_nameserver is not None:
+            to_nameserver = "%s@%s" % tuple(to_nameserver[1:])
+    else:
+        # option doesn't make sense if we aren't proxying dns
+        if to_nameserver and len(to_nameserver) > 0:
+            print("WARNING: --to-ns option is ignored because --dns was not "
+                  "used.")
+        to_nameserver = None
 
-    subnets = subnets_include + subnets_exclude  # we don't care here
-    subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
-    nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
-    subnets_v4 = [i for i in subnets if i[0] == socket.AF_INET]
+    # Get family specific subnet lists. Also, the user may not specify
+    # any subnets if they use --auto-nets. In this case, our subnets
+    # list will be empty and the forwarded subnets will be determined
+    # later by the server.
+    subnets_v4 = [i for i in subnets_include if i[0] == socket.AF_INET]
+    subnets_v6 = [i for i in subnets_include if i[0] == socket.AF_INET6]
     nslist_v4 = [i for i in nslist if i[0] == socket.AF_INET]
+    nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
 
-    # Check features available
+    # Get available features from the firewall method
     avail = fw.method.get_supported_features()
+
+    # A feature is "required" if the user supplies us parameters which
+    # implies that the feature is needed.
     required = Features()
 
-    if listenip_v6 == "auto":
-        if avail.ipv6:
-            listenip_v6 = ('::1', 0)
-        else:
-            listenip_v6 = None
+    # Select the default addresses to bind to / listen to.
 
-    required.ipv6 = len(subnets_v6) > 0 or listenip_v6 is not None
-    required.ipv4 = len(subnets_v4) > 0 or listenip_v4 is not None
-    required.udp = avail.udp
-    required.dns = len(nslist) > 0
+    # Assume IPv4 is always available and should always be enabled. If
+    # a method doesn't provide IPv4 support or if we wish to run
+    # ipv6-only, changes to this code are required.
+    assert avail.ipv4
+    required.ipv4 = True
 
-    # if IPv6 not supported, ignore IPv6 DNS servers
-    if not required.ipv6:
-        nslist_v6 = []
-        nslist = nslist_v4
-
-    fw.method.assert_features(required)
-
-    if required.ipv6 and listenip_v6 is None:
-        raise Fatal("IPv6 required but not listening.")
-
-    # display features enabled
-    debug1("IPv6 enabled: %r\n" % required.ipv6)
-    debug1("UDP enabled: %r\n" % required.udp)
-    debug1("DNS enabled: %r\n" % required.dns)
-
-    # bind to required ports
+    # listenip_v4 contains user specified value or it is set to "auto".
     if listenip_v4 == "auto":
         listenip_v4 = ('127.0.0.1', 0)
 
+    # listenip_v6 is...
+    #    None when IPv6 is disabled.
+    #    "auto" when listen address is unspecified.
+    #    The user specified address if provided by user
+    if listenip_v6 is None:
+        debug1("IPv6 disabled by --disable-ipv6\n")
+    if listenip_v6 == "auto":
+        if avail.ipv6:
+            debug1("IPv6 enabled: Using default IPv6 listen address ::1\n")
+            listenip_v6 = ('::1', 0)
+        else:
+            debug1("IPv6 disabled since it isn't supported by method "
+                   "%s.\n" % fw.method.name)
+            listenip_v6 = None
+
+    # Make final decision about enabling IPv6:
+    required.ipv6 = False
+    if listenip_v6:
+        required.ipv6 = True
+
+    # If we get here, it is possible that listenip_v6 was user
+    # specified but not supported by the current method.
+    if required.ipv6 and not avail.ipv6:
+        raise Fatal("An IPv6 listen address was supplied, but IPv6 is "
+                    "disabled at your request or is unsupported by the %s "
+                    "method." % fw.method.name)
+
+    if user is not None:
+        if getpwnam is None:
+            raise Fatal("Routing by user not available on this system.")
+        try:
+            user = getpwnam(user).pw_uid
+        except KeyError:
+            raise Fatal("User %s does not exist." % user)
+    required.user = False if user is None else True
+
+    if not required.ipv6 and len(subnets_v6) > 0:
+        print("WARNING: IPv6 subnets were ignored because IPv6 is disabled "
+              "in sshuttle.")
+        subnets_v6 = []
+        subnets_include = subnets_v4
+
+    required.udp = avail.udp  # automatically enable UDP if it is available
+    required.dns = len(nslist) > 0
+
+    # Remove DNS servers using IPv6.
+    if required.dns:
+        if not required.ipv6 and len(nslist_v6) > 0:
+            print("WARNING: Your system is configured to use an IPv6 DNS "
+                  "server but sshuttle is not using IPv6. Therefore DNS "
+                  "traffic your system sends to the IPv6 DNS server won't "
+                  "be redirected via sshuttle to the remote machine.")
+            nslist_v6 = []
+            nslist = nslist_v4
+
+        if len(nslist) == 0:
+            raise Fatal("Can't redirect DNS traffic since IPv6 is not "
+                        "enabled in sshuttle and all of the system DNS "
+                        "servers are IPv6.")
+
+    # If we aren't using IPv6, we can safely ignore excluded IPv6 subnets.
+    if not required.ipv6:
+        orig_len = len(subnets_exclude)
+        subnets_exclude = [i for i in subnets_exclude
+                           if i[0] == socket.AF_INET]
+        if len(subnets_exclude) < orig_len:
+            print("WARNING: Ignoring one or more excluded IPv6 subnets "
+                  "because IPv6 is not enabled.")
+
+    # This will print error messages if we required a feature that
+    # isn't available by the current method.
+    fw.method.assert_features(required)
+
+    # display features enabled
+    def feature_status(label, enabled, available):
+        msg = label + ": "
+        if enabled:
+            msg += "on"
+        else:
+            msg += "off "
+            if available:
+                msg += "(available)"
+            else:
+                msg += "(not available with %s method)" % fw.method.name
+        debug1(msg + "\n")
+
+    debug1("Method: %s\n" % fw.method.name)
+    feature_status("IPv4", required.ipv4, avail.ipv4)
+    feature_status("IPv6", required.ipv6, avail.ipv6)
+    feature_status("UDP ", required.udp, avail.udp)
+    feature_status("DNS ", required.dns, avail.dns)
+    feature_status("User", required.user, avail.user)
+
+    # Exclude traffic destined to our listen addresses.
     if required.ipv4 and \
             not any(listenip_v4[0] == sex[1] for sex in subnets_v4):
         subnets_exclude.append((socket.AF_INET, listenip_v4[0], 32, 0, 0))
@@ -598,21 +740,42 @@ def main(listenip_v6, listenip_v4,
             not any(listenip_v6[0] == sex[1] for sex in subnets_v6):
         subnets_exclude.append((socket.AF_INET6, listenip_v6[0], 128, 0, 0))
 
+    # We don't print the IP+port of where we are listening here
+    # because we do that below when we have identified the ports to
+    # listen on.
+    debug1("Subnets to forward through remote host (type, IP, cidr mask "
+           "width, startPort, endPort):\n")
+    for i in subnets_include:
+        debug1("  "+str(i)+"\n")
+    if auto_nets:
+        debug1("NOTE: Additional subnets to forward may be added below by "
+               "--auto-nets.\n")
+    debug1("Subnets to exclude from forwarding:\n")
+    for i in subnets_exclude:
+        debug1("  "+str(i)+"\n")
+    if required.dns:
+        debug1("DNS requests normally directed at these servers will be "
+               "redirected to remote:\n")
+        for i in nslist:
+            debug1("  "+str(i)+"\n")
+
     if listenip_v6 and listenip_v6[1] and listenip_v4 and listenip_v4[1]:
         # if both ports given, no need to search for a spare port
         ports = [0, ]
     else:
         # if at least one port missing, we have to search
         ports = range(12300, 9000, -1)
+        # keep track of failed bindings and used ports to avoid trying to
+        # bind to the same socket address twice in different listeners
+        used_ports = []
 
     # search for free ports and try to bind
     last_e = None
     redirectport_v6 = 0
     redirectport_v4 = 0
     bound = False
-    debug2('Binding redirector:')
     for port in ports:
-        debug2(' %d' % port)
+        debug2('Trying to bind redirector on port %d\n' % port)
         tcp_listener = MultiListener()
 
         if required.udp:
@@ -645,14 +808,15 @@ def main(listenip_v6, listenip_v4,
             if udp_listener:
                 udp_listener.bind(lv6, lv4)
             bound = True
+            used_ports.append(port)
             break
         except socket.error as e:
             if e.errno == errno.EADDRINUSE:
                 last_e = e
+                used_ports.append(port)
             else:
                 raise e
 
-    debug2('\n')
     if not bound:
         assert(last_e)
         raise last_e
@@ -664,10 +828,12 @@ def main(listenip_v6, listenip_v4,
     bound = False
     if required.dns:
         # search for spare port for DNS
-        debug2('Binding DNS:')
         ports = range(12300, 9000, -1)
         for port in ports:
-            debug2(' %d' % port)
+            debug2('Trying to bind DNS redirector on port %d\n' % port)
+            if port in used_ports:
+                continue
+
             dns_listener = MultiListener(socket.SOCK_DGRAM)
 
             if listenip_v6:
@@ -687,13 +853,15 @@ def main(listenip_v6, listenip_v4,
             try:
                 dns_listener.bind(lv6, lv4)
                 bound = True
+                used_ports.append(port)
                 break
             except socket.error as e:
                 if e.errno == errno.EADDRINUSE:
                     last_e = e
+                    used_ports.append(port)
                 else:
                     raise e
-        debug2('\n')
+
         dns_listener.print_listening("DNS")
         if not bound:
             assert(last_e)
@@ -706,22 +874,22 @@ def main(listenip_v6, listenip_v4,
     # Last minute sanity checks.
     # These should never fail.
     # If these do fail, something is broken above.
-    if len(subnets_v6) > 0:
+    if subnets_v6:
         assert required.ipv6
         if redirectport_v6 == 0:
             raise Fatal("IPv6 subnets defined but not listening")
 
-    if len(nslist_v6) > 0:
+    if nslist_v6:
         assert required.dns
         assert required.ipv6
         if dnsport_v6 == 0:
             raise Fatal("IPv6 ns servers defined but not listening")
 
-    if len(subnets_v4) > 0:
+    if subnets_v4:
         if redirectport_v4 == 0:
             raise Fatal("IPv4 subnets defined but not listening")
 
-    if len(nslist_v4) > 0:
+    if nslist_v4:
         if dnsport_v4 == 0:
             raise Fatal("IPv4 ns servers defined but not listening")
 
@@ -735,19 +903,21 @@ def main(listenip_v6, listenip_v4,
     # start the firewall
     fw.setup(subnets_include, subnets_exclude, nslist,
              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4,
-             required.udp)
+             required.udp, user, tmark)
 
     # start the client process
     try:
         return _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                      python, latency_control, dns_listener,
-                     seed_hosts, auto_hosts, auto_nets, daemon)
+                     seed_hosts, auto_hosts, auto_nets, daemon, to_nameserver)
     finally:
         try:
             if daemon:
                 # it's not our child anymore; can't waitpid
                 fw.p.returncode = 0
             fw.done()
+            sdnotify.send(sdnotify.stop())
+
         finally:
             if daemon:
                 daemon_cleanup()

sshuttle/cmdline.py

@@ -1,5 +1,6 @@
 import re
 import socket
+import platform
 import sshuttle.helpers as helpers
 import sshuttle.client as client
 import sshuttle.firewall as firewall
@@ -7,16 +8,35 @@ import sshuttle.hostwatch as hostwatch
 import sshuttle.ssyslog as ssyslog
 from sshuttle.options import parser, parse_ipport
 from sshuttle.helpers import family_ip_tuple, log, Fatal
+from sshuttle.sudoers import sudoers
 
 
 def main():
     opt = parser.parse_args()
 
+    if opt.sudoers or opt.sudoers_no_modify:
+        if platform.platform().startswith('OpenBSD'):
+            log('Automatic sudoers does not work on BSD')
+            exit(1)
+
+        if not opt.sudoers_filename:
+            log('--sudoers-file must be set or omited.')
+            exit(1)
+
+        sudoers(
+            user_name=opt.sudoers_user,
+            no_modify=opt.sudoers_no_modify,
+            file_name=opt.sudoers_filename
+        )
+
     if opt.daemon:
         opt.syslog = 1
     if opt.wrap:
         import sshuttle.ssnet as ssnet
         ssnet.MAX_CHANNEL = opt.wrap
+    if opt.latency_buffer_size:
+        import sshuttle.ssnet as ssnet
+        ssnet.LATENCY_BUFFER_SIZE = opt.latency_buffer_size
     helpers.verbose = opt.verbose
 
     try:
@@ -25,10 +45,18 @@ def main():
                 parser.error('exactly zero arguments expected')
             return firewall.main(opt.method, opt.syslog)
         elif opt.hostwatch:
-            return hostwatch.hw_main(opt.subnets)
+            return hostwatch.hw_main(opt.subnets, opt.auto_hosts)
         else:
-            includes = opt.subnets + opt.subnets_file
-            excludes = opt.exclude
+            # parse_subnetports() is used to create a list of includes
+            # and excludes. It is called once for each parameter and
+            # returns a list of one or more items for each subnet (it
+            # can return more than one item when a hostname in the
+            # parameter resolves to multiple IP addresses. Here, we
+            # flatten these lists.
+            includes = [item for sublist in opt.subnets+opt.subnets_file
+                        for item in sublist]
+            excludes = [item for sublist in opt.exclude for item in sublist]
+
             if not includes and not opt.auto_nets:
                 parser.error('at least one subnet, subnet file, '
                              'or -N expected')
@@ -45,8 +73,8 @@ def main():
             if opt.listen:
                 ipport_v6 = None
                 ipport_v4 = None
-                list = opt.listen.split(",")
-                for ip in list:
+                lst = opt.listen.split(",")
+                for ip in lst:
                     family, ip, port = parse_ipport(ip)
                     if family == socket.AF_INET6:
                         ipport_v6 = (ip, port)
@@ -59,6 +87,8 @@ def main():
                 ipport_v6 = "auto" if not opt.disable_ipv6 else None
             if opt.syslog:
                 ssyslog.start_syslog()
+                ssyslog.close_stdin()
+                ssyslog.stdout_to_syslog()
                 ssyslog.stderr_to_syslog()
             return_code = client.main(ipport_v6, ipport_v4,
                                       opt.ssh_cmd,
@@ -73,12 +103,17 @@ def main():
                                       opt.auto_nets,
                                       includes,
                                       excludes,
-                                      opt.daemon, opt.pidfile)
+                                      opt.daemon,
+                                      opt.to_ns,
+                                      opt.pidfile,
+                                      opt.user,
+                                      opt.sudo_pythonpath,
+                                      opt.tmark)
 
             if return_code == 0:
                 log('Normal exit code, exiting...')
             else:
-                log('Abnormal exit code detected, failing...' % return_code)
+                log('Abnormal exit code %d detected, failing...' % return_code)
             return return_code
 
     except Fatal as e:

sshuttle/firewall.py

@@ -1,11 +1,13 @@
 import errno
 import socket
 import signal
-import sshuttle.ssyslog as ssyslog
 import sys
 import os
 import platform
 import traceback
+
+import sshuttle.ssyslog as ssyslog
+import sshuttle.helpers as helpers
 from sshuttle.helpers import debug1, debug2, Fatal
 from sshuttle.methods import get_auto_method, get_method
 
@@ -46,14 +48,18 @@ def rewrite_etc_hosts(hostmap, port):
     os.rename(tmpname, HOSTSFILE)
 
 
-def restore_etc_hosts(port):
-    rewrite_etc_hosts({}, port)
+def restore_etc_hosts(hostmap, port):
+    # Only restore if we added hosts to /etc/hosts previously.
+    if len(hostmap) > 0:
+        debug2('undoing /etc/hosts changes.\n')
+        rewrite_etc_hosts({}, port)
 
 
 # Isolate function that needs to be replaced for tests
 def setup_daemon():
     if os.getuid() != 0:
-        raise Fatal('you must be root (or enable su/sudo) to set the firewall')
+        raise Fatal('fw: '
+                    'You must be root (or enable su/sudo) to set the firewall')
 
     # don't disappear if our controlling terminal or stdout/stderr
     # disappears; we still have to clean up.
@@ -95,8 +101,8 @@ def subnet_weight(s):
 def main(method_name, syslog):
     stdin, stdout = setup_daemon()
     hostmap = {}
-
-    debug1('firewall manager: Starting firewall with Python version %s\n'
+    helpers.logprefix = 'fw: '
+    debug1('Starting firewall with Python version %s\n'
            % platform.python_version())
 
     if method_name == "auto":
@@ -108,7 +114,12 @@ def main(method_name, syslog):
         ssyslog.start_syslog()
         ssyslog.stderr_to_syslog()
 
-    debug1('firewall manager: ready method name %s.\n' % method.name)
+    if not method.is_supported():
+        raise Fatal("The %s method is not supported on this machine. "
+                    "Check that the appropriate programs are in your "
+                    "PATH." % method_name)
+
+    debug1('ready method name %s.\n' % method.name)
     stdout.write('READY %s\n' % method.name)
     stdout.flush()
 
@@ -121,18 +132,18 @@ def main(method_name, syslog):
 
     subnets = []
     if line != 'ROUTES\n':
-        raise Fatal('firewall: expected ROUTES but got %r' % line)
+        raise Fatal('expected ROUTES but got %r' % line)
     while 1:
         line = stdin.readline(128)
         if not line:
-            raise Fatal('firewall: expected route but got %r' % line)
+            raise Fatal('fw: expected route but got %r' % line)
         elif line.startswith("NSLIST\n"):
             break
         try:
             (family, width, exclude, ip, fport, lport) = \
                     line.strip().split(',', 5)
-        except:
-            raise Fatal('firewall: expected route or NSLIST but got %r' % line)
+        except BaseException:
+            raise Fatal('fw: expected route or NSLIST but got %r' % line)
         subnets.append((
             int(family),
             int(width),
@@ -140,31 +151,31 @@ def main(method_name, syslog):
             ip,
             int(fport),
             int(lport)))
-    debug2('firewall manager: Got subnets: %r\n' % subnets)
+    debug2('Got subnets: %r\n' % subnets)
 
     nslist = []
     if line != 'NSLIST\n':
-        raise Fatal('firewall: expected NSLIST but got %r' % line)
+        raise Fatal('fw: expected NSLIST but got %r' % line)
     while 1:
         line = stdin.readline(128)
         if not line:
-            raise Fatal('firewall: expected nslist but got %r' % line)
+            raise Fatal('fw: expected nslist but got %r' % line)
         elif line.startswith("PORTS "):
             break
         try:
             (family, ip) = line.strip().split(',', 1)
-        except:
-            raise Fatal('firewall: expected nslist or PORTS but got %r' % line)
+        except BaseException:
+            raise Fatal('fw: expected nslist or PORTS but got %r' % line)
         nslist.append((int(family), ip))
-        debug2('firewall manager: Got partial nslist: %r\n' % nslist)
-    debug2('firewall manager: Got nslist: %r\n' % nslist)
+        debug2('Got partial nslist: %r\n' % nslist)
+    debug2('Got nslist: %r\n' % nslist)
 
     if not line.startswith('PORTS '):
-        raise Fatal('firewall: expected PORTS but got %r' % line)
+        raise Fatal('fw: expected PORTS but got %r' % line)
     _, _, ports = line.partition(" ")
     ports = ports.split(",")
     if len(ports) != 4:
-        raise Fatal('firewall: expected 4 ports but got %n' % len(ports))
+        raise Fatal('fw: expected 4 ports but got %d' % len(ports))
     port_v6 = int(ports[0])
     port_v4 = int(ports[1])
     dnsport_v6 = int(ports[2])
@@ -179,18 +190,21 @@ def main(method_name, syslog):
     assert(dnsport_v4 >= 0)
     assert(dnsport_v4 <= 65535)
 
-    debug2('firewall manager: Got ports: %d,%d,%d,%d\n'
+    debug2('Got ports: %d,%d,%d,%d\n'
            % (port_v6, port_v4, dnsport_v6, dnsport_v4))
 
     line = stdin.readline(128)
     if not line:
-        raise Fatal('firewall: expected GO but got %r' % line)
+        raise Fatal('fw: expected GO but got %r' % line)
     elif not line.startswith("GO "):
-        raise Fatal('firewall: expected GO but got %r' % line)
+        raise Fatal('fw: expected GO but got %r' % line)
 
-    _, _, udp = line.partition(" ")
+    _, _, args = line.partition(" ")
+    udp, user = args.strip().split(" ", 1)
     udp = bool(int(udp))
-    debug2('firewall manager: Got udp: %r\n' % udp)
+    if user == '-':
+        user = None
+    debug2('Got udp: %r, user: %r\n' % (udp, user))
 
     subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
     nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
@@ -198,19 +212,21 @@ def main(method_name, syslog):
     nslist_v4 = [i for i in nslist if i[0] == socket.AF_INET]
 
     try:
-        debug1('firewall manager: setting up.\n')
+        debug1('setting up.\n')
 
-        if len(subnets_v6) > 0 or len(nslist_v6) > 0:
-            debug2('firewall manager: setting up IPv6.\n')
+        if subnets_v6 or nslist_v6:
+            debug2('setting up IPv6.\n')
             method.setup_firewall(
                 port_v6, dnsport_v6, nslist_v6,
-                socket.AF_INET6, subnets_v6, udp)
+                socket.AF_INET6, subnets_v6, udp,
+                user)
 
-        if len(subnets_v4) > 0 or len(nslist_v4) > 0:
-            debug2('firewall manager: setting up IPv4.\n')
+        if subnets_v4 or nslist_v4:
+            debug2('setting up IPv4.\n')
             method.setup_firewall(
                 port_v4, dnsport_v4, nslist_v4,
-                socket.AF_INET, subnets_v4, udp)
+                socket.AF_INET, subnets_v4, udp,
+                user)
 
         stdout.write('STARTED\n')
 
@@ -229,54 +245,50 @@ def main(method_name, syslog):
             if line.startswith('HOST '):
                 (name, ip) = line[5:].strip().split(',', 1)
                 hostmap[name] = ip
-                debug2('firewall manager: setting up /etc/hosts.\n')
+                debug2('setting up /etc/hosts.\n')
                 rewrite_etc_hosts(hostmap, port_v6 or port_v4)
             elif line:
                 if not method.firewall_command(line):
-                    raise Fatal('firewall: expected command, got %r' % line)
+                    raise Fatal('fw: expected command, got %r' % line)
             else:
                 break
     finally:
         try:
-            sdnotify.send(sdnotify.stop())
-            debug1('firewall manager: undoing changes.\n')
-        except:
-            pass
+            debug1('undoing changes.\n')
+        except BaseException:
+            debug2('An error occurred, ignoring it.')
 
         try:
-            if len(subnets_v6) > 0 or len(nslist_v6) > 0:
-                debug2('firewall manager: undoing IPv6 changes.\n')
-                method.restore_firewall(port_v6, socket.AF_INET6, udp)
-        except:
+            if subnets_v6 or nslist_v6:
+                debug2('undoing IPv6 changes.\n')
+                method.restore_firewall(port_v6, socket.AF_INET6, udp, user)
+        except BaseException:
             try:
-                debug1("firewall manager: "
-                       "Error trying to undo IPv6 firewall.\n")
+                debug1("Error trying to undo IPv6 firewall.\n")
                 for line in traceback.format_exc().splitlines():
                     debug1("---> %s\n" % line)
-            except:
-                pass
+            except BaseException:
+                debug2('An error occurred, ignoring it.')
 
         try:
-            if len(subnets_v4) > 0 or len(nslist_v4) > 0:
-                debug2('firewall manager: undoing IPv4 changes.\n')
-                method.restore_firewall(port_v4, socket.AF_INET, udp)
-        except:
+            if subnets_v4 or nslist_v4:
+                debug2('undoing IPv4 changes.\n')
+                method.restore_firewall(port_v4, socket.AF_INET, udp, user)
+        except BaseException:
             try:
-                debug1("firewall manager: "
-                       "Error trying to undo IPv4 firewall.\n")
+                debug1("Error trying to undo IPv4 firewall.\n")
                 for line in traceback.format_exc().splitlines():
-                    debug1("firewall manager: ---> %s\n" % line)
-            except:
-                pass
+                    debug1("---> %s\n" % line)
+            except BaseException:
+                debug2('An error occurred, ignoring it.')
 
         try:
-            debug2('firewall manager: undoing /etc/hosts changes.\n')
-            restore_etc_hosts(port_v6 or port_v4)
-        except:
+            # debug2() message printed in restore_etc_hosts() function.
+            restore_etc_hosts(hostmap, port_v6 or port_v4)
+        except BaseException:
             try:
-                debug1("firewall manager: "
-                       "Error trying to undo /etc/hosts changes.\n")
+                debug1("Error trying to undo /etc/hosts changes.\n")
                 for line in traceback.format_exc().splitlines():
-                    debug1("firewall manager: ---> %s\n" % line)
-            except:
-                pass
+                    debug1("---> %s\n" % line)
+            except BaseException:
+                debug2('An error occurred, ignoring it.')

sshuttle/helpers.py

@@ -1,20 +1,14 @@
 import sys
 import socket
 import errno
+import os
 
 logprefix = ''
 verbose = 0
 
-if sys.version_info[0] == 3:
-    binary_type = bytes
 
-    def b(s):
-        return s.encode("ASCII")
-else:
-    binary_type = str
-
-    def b(s):
-        return s
+def b(s):
+    return s.encode("ASCII")
 
 
 def log(s):
@@ -55,23 +49,70 @@ class Fatal(Exception):
     pass
 
 
-def resolvconf_nameservers():
-    l = []
-    for line in open('/etc/resolv.conf'):
-        words = line.lower().split()
-        if len(words) >= 2 and words[0] == 'nameserver':
-            l.append(family_ip_tuple(words[1]))
-    return l
+def resolvconf_nameservers(systemd_resolved):
+    """Retrieves a list of tuples (address type, address as a string) of
+    the DNS servers used by the system to resolve hostnames.
+
+    If parameter is False, DNS servers are retrieved from only
+    /etc/resolv.conf. This behavior makes sense for the sshuttle
+    server.
+
+    If parameter is True, we retrieve information from both
+    /etc/resolv.conf and /run/systemd/resolve/resolv.conf (if it
+    exists). This behavior makes sense for the sshuttle client.
+
+    """
+
+    # Historically, we just needed to read /etc/resolv.conf.
+    #
+    # If systemd-resolved is active, /etc/resolv.conf will point to
+    # localhost and the actual DNS servers that systemd-resolved uses
+    # are stored in /run/systemd/resolve/resolv.conf. For programs
+    # that use the localhost DNS server, having sshuttle read
+    # /etc/resolv.conf is sufficient. However, resolved provides other
+    # ways of resolving hostnames (such as via dbus) that may not
+    # route requests through localhost. So, we retrieve a list of DNS
+    # servers that resolved uses so we can intercept those as well.
+    #
+    # For more information about systemd-resolved, see:
+    # https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
+    #
+    # On machines without systemd-resolved, we expect opening the
+    # second file will fail.
+    files = ['/etc/resolv.conf']
+    if systemd_resolved:
+        files += ['/run/systemd/resolve/resolv.conf']
+
+    nsservers = []
+    for f in files:
+        this_file_nsservers = []
+        try:
+            for line in open(f):
+                words = line.lower().split()
+                if len(words) >= 2 and words[0] == 'nameserver':
+                    this_file_nsservers.append(family_ip_tuple(words[1]))
+            debug2("Found DNS servers in %s: %s\n" %
+                   (f, [n[1] for n in this_file_nsservers]))
+            nsservers += this_file_nsservers
+        except OSError as e:
+            debug3("Failed to read %s when looking for DNS servers: %s\n" %
+                   (f, e.strerror))
+
+    return nsservers
 
 
-def resolvconf_random_nameserver():
-    l = resolvconf_nameservers()
-    if l:
-        if len(l) > 1:
+def resolvconf_random_nameserver(systemd_resolved):
+    """Return a random nameserver selected from servers produced by
+    resolvconf_nameservers(). See documentation for
+    resolvconf_nameservers() for a description of the parameter.
+    """
+    lines = resolvconf_nameservers(systemd_resolved)
+    if lines:
+        if len(lines) > 1:
             # don't import this unless we really need it
             import random
-            random.shuffle(l)
-        return l[0]
+            random.shuffle(lines)
+        return lines[0]
     else:
         return (socket.AF_INET, '127.0.0.1')
 
@@ -106,3 +147,75 @@ def family_to_string(family):
         return "AF_INET"
     else:
         return str(family)
+
+
+def get_env():
+    """An environment for sshuttle subprocesses. See get_path()."""
+    env = {
+        'PATH': get_path(),
+        'LC_ALL': "C",
+    }
+    return env
+
+
+def get_path():
+    """Returns a string of paths separated by os.pathsep.
+
+    Users might not have all of the programs sshuttle needs in their
+    PATH variable (i.e., some programs might be in /sbin). Use PATH
+    and a hardcoded set of paths to search through. This function is
+    used by our which() and get_env() functions. If which() and the
+    subprocess environments differ, programs that which() finds might
+    not be found at run time (or vice versa).
+    """
+    path = []
+    if "PATH" in os.environ:
+        path += os.environ["PATH"].split(os.pathsep)
+    # Python default paths.
+    path += os.defpath.split(os.pathsep)
+    # /sbin, etc are not in os.defpath and may not be in PATH either.
+    # /bin/ and /usr/bin below are probably redundant.
+    path += ['/bin', '/usr/bin', '/sbin', '/usr/sbin']
+
+    # Remove duplicates. Not strictly necessary.
+    path_dedup = []
+    for i in path:
+        if i not in path_dedup:
+            path_dedup.append(i)
+
+    return os.pathsep.join(path_dedup)
+
+
+if sys.version_info >= (3, 3):
+    from shutil import which as _which
+else:
+    # Although sshuttle does not officially support older versions of
+    # Python, some still run the sshuttle server on remote machines
+    # with old versions of python.
+    def _which(file, mode=os.F_OK | os.X_OK, path=None):
+        if path is not None:
+            search_paths = path.split(os.pathsep)
+        elif "PATH" in os.environ:
+            search_paths = os.environ["PATH"].split(os.pathsep)
+        else:
+            search_paths = os.defpath.split(os.pathsep)
+
+        for p in search_paths:
+            filepath = os.path.join(p, file)
+            if os.path.exists(filepath) and os.access(filepath, mode):
+                return filepath
+        return None
+
+
+def which(file, mode=os.F_OK | os.X_OK):
+    """A wrapper around shutil.which() that searches a predictable set of
+    paths and is more verbose about what is happening. See get_path()
+    for more information.
+    """
+    path = get_path()
+    rv = _which(file, mode, path)
+    if rv:
+        debug2("which() found '%s' at %s\n" % (file, rv))
+    else:
+        debug2("which() could not find '%s' in %s\n" % (file, path))
+    return rv

sshuttle/hostwatch.py

@@ -9,7 +9,7 @@ import platform
 
 import subprocess as ssubprocess
 import sshuttle.helpers as helpers
-from sshuttle.helpers import log, debug1, debug2, debug3
+from sshuttle.helpers import log, debug1, debug2, debug3, get_env
 
 POLL_TIME = 60 * 15
 NETSTAT_POLL_TIME = 30
@@ -21,7 +21,7 @@ _smb_ok = True
 hostnames = {}
 queue = {}
 try:
-    null = open('/dev/null', 'wb')
+    null = open(os.devnull, 'wb')
 except IOError:
     _, e = sys.exc_info()[:2]
     log('warning: %s\n' % e)
@@ -44,7 +44,7 @@ def write_host_cache():
     finally:
         try:
             os.unlink(tmpname)
-        except:
+        except BaseException:
             pass
 
 
@@ -61,23 +61,27 @@ def read_host_cache():
         words = line.strip().split(',')
         if len(words) == 2:
             (name, ip) = words
-            name = re.sub(r'[^-\w]', '-', name).strip()
+            name = re.sub(r'[^-\w\.]', '-', name).strip()
             ip = re.sub(r'[^0-9.]', '', ip).strip()
             if name and ip:
                 found_host(name, ip)
 
 
-def found_host(hostname, ip):
-    hostname = re.sub(r'\..*', '', hostname)
-    hostname = re.sub(r'[^-\w]', '_', hostname)
+def found_host(name, ip):
+    hostname = re.sub(r'\..*', '', name)
+    hostname = re.sub(r'[^-\w\.]', '_', hostname)
     if (ip.startswith('127.') or ip.startswith('255.') or
             hostname == 'localhost'):
         return
-    oldip = hostnames.get(hostname)
+
+    if hostname != name:
+        found_host(hostname, ip)
+
+    oldip = hostnames.get(name)
     if oldip != ip:
-        hostnames[hostname] = ip
-        debug1('Found: %s: %s\n' % (hostname, ip))
-        sys.stdout.write('%s,%s\n' % (hostname, ip))
+        hostnames[name] = ip
+        debug1('Found: %s: %s\n' % (name, ip))
+        sys.stdout.write('%s,%s\n' % (name, ip))
         write_host_cache()
 
 
@@ -104,7 +108,7 @@ def _check_revdns(ip):
         debug3('<    %s\n' % r[0])
         check_host(r[0])
         found_host(r[0], ip)
-    except socket.herror:
+    except (socket.herror, UnicodeError):
         pass
 
 
@@ -115,7 +119,7 @@ def _check_dns(hostname):
         debug3('<    %s\n' % ip)
         check_host(ip)
         found_host(hostname, ip)
-    except socket.gaierror:
+    except (socket.gaierror, UnicodeError):
         pass
 
 
@@ -123,7 +127,8 @@ def _check_netstat():
     debug2(' > netstat\n')
     argv = ['netstat', '-n']
     try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
+        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
+                              env=get_env())
         content = p.stdout.read().decode("ASCII")
         p.wait()
     except OSError:
@@ -141,10 +146,11 @@ def _check_smb(hostname):
     global _smb_ok
     if not _smb_ok:
         return
-    argv = ['smbclient', '-U', '%', '-L', hostname]
     debug2(' > smb: %s\n' % hostname)
+    argv = ['smbclient', '-U', '%', '-L', hostname]
     try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
+        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
+                              env=get_env())
         lines = p.stdout.readlines()
         p.wait()
     except OSError:
@@ -199,10 +205,11 @@ def _check_nmb(hostname, is_workgroup, is_master):
     global _nmb_ok
     if not _nmb_ok:
         return
-    argv = ['nmblookup'] + ['-M'] * is_master + ['--', hostname]
     debug2(' > n%d%d: %s\n' % (is_workgroup, is_master, hostname))
+    argv = ['nmblookup'] + ['-M'] * is_master + ['--', hostname]
     try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
+        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
+                              env=get_env)
         lines = p.stdout.readlines()
         rv = p.wait()
     except OSError:
@@ -247,7 +254,7 @@ def _enqueue(op, *args):
 
 
 def _stdin_still_ok(timeout):
-    r, w, x = select.select([sys.stdin.fileno()], [], [], timeout)
+    r, _, _ = select.select([sys.stdin.fileno()], [], [], timeout)
     if r:
         b = os.read(sys.stdin.fileno(), 4096)
         if not b:

sshuttle/linux.py

@@ -1,14 +1,13 @@
-import os
 import socket
 import subprocess as ssubprocess
-from sshuttle.helpers import log, debug1, Fatal, family_to_string
+from sshuttle.helpers import log, debug1, Fatal, family_to_string, get_env
 
 
 def nonfatal(func, *args):
     try:
         func(*args)
     except Fatal as e:
-        log('error: %s\n' % e)
+        log('fw: error: %s\n' % e)
 
 
 def ipt_chain_exists(family, table, name):
@@ -19,17 +18,13 @@ def ipt_chain_exists(family, table, name):
     else:
         raise Exception('Unsupported family "%s"' % family_to_string(family))
     argv = [cmd, '-t', table, '-nL']
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
-    for line in p.stdout:
-        if line.startswith(b'Chain %s ' % name.encode("ASCII")):
-            return True
-    rv = p.wait()
-    if rv:
-        raise Fatal('%r returned %d' % (argv, rv))
+    try:
+        output = ssubprocess.check_output(argv, env=get_env())
+        for line in output.decode('ASCII').split('\n'):
+            if line.startswith('Chain %s ' % name):
+                return True
+    except ssubprocess.CalledProcessError as e:
+        raise Fatal('fw: %r returned %d' % (argv, e.returncode))
 
 
 def ipt(family, table, *args):
@@ -39,14 +34,21 @@ def ipt(family, table, *args):
         argv = ['iptables', '-t', table] + list(args)
     else:
         raise Exception('Unsupported family "%s"' % family_to_string(family))
-    debug1('>> %s\n' % ' '.join(argv))
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    rv = ssubprocess.call(argv, env=env)
+    debug1('%s\n' % ' '.join(argv))
+    rv = ssubprocess.call(argv, env=get_env())
     if rv:
-        raise Fatal('%r returned %d' % (argv, rv))
+        raise Fatal('fw: %r returned %d' % (argv, rv))
+
+
+def nft(family, table, action, *args):
+    if family in (socket.AF_INET, socket.AF_INET6):
+        argv = ['nft', action, 'inet', table] + list(args)
+    else:
+        raise Exception('Unsupported family "%s"' % family_to_string(family))
+    debug1('%s\n' % ' '.join(argv))
+    rv = ssubprocess.call(argv, env=get_env())
+    if rv:
+        raise Fatal('fw: %r returned %d' % (argv, rv))
 
 
 _no_ttl_module = False
@@ -56,15 +58,15 @@ def ipt_ttl(family, *args):
     global _no_ttl_module
     if not _no_ttl_module:
         # we avoid infinite loops by generating server-side connections
-        # with ttl 42.  This makes the client side not recapture those
+        # with ttl 63.  This makes the client side not recapture those
         # connections, in case client == server.
         try:
-            argsplus = list(args) + ['-m', 'ttl', '!', '--ttl', '42']
+            argsplus = list(args)
             ipt(family, *argsplus)
         except Fatal:
             ipt(family, *args)
             # we only get here if the non-ttl attempt succeeds
-            log('sshuttle: warning: your iptables is missing '
+            log('fw: WARNING: your iptables is missing '
                 'the ttl module.\n')
             _no_ttl_module = True
     else:

sshuttle/methods/__init__.py

@@ -1,26 +1,35 @@
-import os
 import importlib
 import socket
 import struct
 import errno
+import ipaddress
 from sshuttle.helpers import Fatal, debug3
 
 
 def original_dst(sock):
+    ip = "0.0.0.0"
+    port = -1
     try:
+        family = sock.family
         SO_ORIGINAL_DST = 80
-        SOCKADDR_MIN = 16
-        sockaddr_in = sock.getsockopt(socket.SOL_IP,
-                                      SO_ORIGINAL_DST, SOCKADDR_MIN)
-        (proto, port, a, b, c, d) = struct.unpack('!HHBBBB', sockaddr_in[:8])
-        # FIXME: decoding is IPv4 only.
-        assert(socket.htons(proto) == socket.AF_INET)
-        ip = '%d.%d.%d.%d' % (a, b, c, d)
-        return (ip, port)
+
+        if family == socket.AF_INET:
+            SOCKADDR_MIN = 16
+            sockaddr_in = sock.getsockopt(socket.SOL_IP,
+                                          SO_ORIGINAL_DST, SOCKADDR_MIN)
+            port, raw_ip = struct.unpack_from('!2xH4s', sockaddr_in[:8])
+            ip = str(ipaddress.IPv4Address(raw_ip))
+        elif family == socket.AF_INET6:
+            sockaddr_in = sock.getsockopt(41, SO_ORIGINAL_DST, 64)
+            port, raw_ip = struct.unpack_from("!2xH4x16s", sockaddr_in)
+            ip = str(ipaddress.IPv6Address(raw_ip))
+        else:
+            raise Fatal("fw: Unknown family type.")
     except socket.error as e:
         if e.args[0] == errno.ENOPROTOOPT:
             return sock.getsockname()
         raise
+    return (ip, port)
 
 
 class Features(object):
@@ -35,17 +44,28 @@ class BaseMethod(object):
     def set_firewall(self, firewall):
         self.firewall = firewall
 
-    def get_supported_features(self):
+    @staticmethod
+    def get_supported_features():
         result = Features()
+        result.ipv4 = True
         result.ipv6 = False
         result.udp = False
         result.dns = True
+        result.user = False
         return result
 
-    def get_tcp_dstip(self, sock):
+    @staticmethod
+    def is_supported():
+        """Returns true if it appears that this method will work on this
+        machine."""
+        return False
+
+    @staticmethod
+    def get_tcp_dstip(sock):
         return original_dst(sock)
 
-    def recv_udp(self, udp_listener, bufsize):
+    @staticmethod
+    def recv_udp(udp_listener, bufsize):
         debug3('Accept UDP using recvfrom.\n')
         data, srcip = udp_listener.recvfrom(bufsize)
         return (srcip, None, data)
@@ -64,44 +84,39 @@ class BaseMethod(object):
 
     def assert_features(self, features):
         avail = self.get_supported_features()
-        for key in ["udp", "dns", "ipv6"]:
+        for key in ["udp", "dns", "ipv6", "ipv4", "user"]:
             if getattr(features, key) and not getattr(avail, key):
                 raise Fatal(
                     "Feature %s not supported with method %s.\n" %
                     (key, self.name))
 
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
         raise NotImplementedError()
 
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
         raise NotImplementedError()
 
-    def firewall_command(self, line):
+    @staticmethod
+    def firewall_command(line):
         return False
 
 
-def _program_exists(name):
-    paths = (os.getenv('PATH') or os.defpath).split(os.pathsep)
-    for p in paths:
-        fn = '%s/%s' % (p, name)
-        if os.path.exists(fn):
-            return not os.path.isdir(fn) and os.access(fn, os.X_OK)
-
-
 def get_method(method_name):
     module = importlib.import_module("sshuttle.methods.%s" % method_name)
     return module.Method(method_name)
 
 
 def get_auto_method():
-    if _program_exists('iptables'):
-        method_name = "nat"
-    elif _program_exists('pfctl'):
-        method_name = "pf"
-    elif _program_exists('ipfw'):
-        method_name = "ipfw"
-    else:
-        raise Fatal(
-            "can't find either iptables or pfctl; check your PATH")
+    debug3("Selecting a method automatically...\n")
+    # Try these methods, in order:
+    methods_to_try = ["nat", "nft", "pf", "ipfw"]
+    for m in methods_to_try:
+        method = get_method(m)
+        if method.is_supported():
+            debug3("Method '%s' was automatically selected.\n" % m)
+            return method
 
-    return get_method(method_name)
+    raise Fatal("Unable to automatically find a supported method. Check that "
+                "the appropriate programs are in your PATH. We tried "
+                "methods: %s" % str(methods_to_try))

sshuttle/methods/ipfw.py

@@ -1,10 +1,8 @@
 import os
-import sys
-import struct
 import subprocess as ssubprocess
 from sshuttle.methods import BaseMethod
-from sshuttle.helpers import log, debug1, debug3, \
-    Fatal, family_to_string
+from sshuttle.helpers import log, debug1, debug2, debug3, \
+    Fatal, family_to_string, get_env, which
 
 recvmsg = None
 try:
@@ -31,9 +29,9 @@ IPV6_RECVDSTADDR = 74
 if recvmsg == "python":
     def recv_udp(listener, bufsize):
         debug3('Accept UDP python using recvmsg.\n')
-        data, ancdata, msg_flags, srcip = listener.recvmsg(4096, socket.CMSG_SPACE(4))
+        data, ancdata, _, srcip = listener.recvmsg(4096,
+                                                   socket.CMSG_SPACE(4))
         dstip = None
-        family = None
         for cmsg_level, cmsg_type, cmsg_data in ancdata:
             if cmsg_level == socket.SOL_IP and cmsg_type == IP_RECVDSTADDR:
                 port = 53
@@ -44,13 +42,13 @@ if recvmsg == "python":
 elif recvmsg == "socket_ext":
     def recv_udp(listener, bufsize):
         debug3('Accept UDP using socket_ext recvmsg.\n')
-        srcip, data, adata, flags = listener.recvmsg((bufsize,), socket.CMSG_SPACE(4))
+        srcip, data, adata, _ = listener.recvmsg((bufsize,),
+                                                 socket.CMSG_SPACE(4))
         dstip = None
-        family = None
         for a in adata:
             if a.cmsg_level == socket.SOL_IP and a.cmsg_type == IP_RECVDSTADDR:
                 port = 53
-                ip = socket.inet_ntop(socket.AF_INET, cmsg_data[0:4])
+                ip = socket.inet_ntop(socket.AF_INET, a.cmsg_data[0:4])
                 dstip = (ip, port)
                 break
         return (srcip, dstip, data[0])
@@ -63,19 +61,15 @@ else:
 
 def ipfw_rule_exists(n):
     argv = ['ipfw', 'list']
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
+    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())
 
     found = False
     for line in p.stdout:
         if line.startswith(b'%05d ' % n):
-            if not ('ipttl 42' in line or 'check-state' in line):
+            if not ('ipttl 63' in line or 'check-state' in line):
                 log('non-sshuttle ipfw rule: %r\n' % line.strip())
                 raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
-                found = True
+            found = True
     rv = p.wait()
     if rv:
         raise Fatal('%r returned %d' % (argv, rv))
@@ -87,11 +81,7 @@ _oldctls = {}
 
 def _fill_oldctls(prefix):
     argv = ['sysctl', prefix]
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
+    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())
     for line in p.stdout:
         line = line.decode()
         assert(line[-1] == '\n')
@@ -107,7 +97,8 @@ def _fill_oldctls(prefix):
 def _sysctl_set(name, val):
     argv = ['sysctl', '-w', '%s=%s' % (name, val)]
     debug1('>> %s\n' % ' '.join(argv))
-    return ssubprocess.call(argv, stdout=open('/dev/null', 'w'))
+    return ssubprocess.call(argv, stdout=open(os.devnull, 'w'), env=get_env())
+    # No env: No output. (Or error that won't be parsed.)
 
 
 _changedctls = []
@@ -136,10 +127,12 @@ def sysctl_set(name, val, permanent=False):
             _changedctls.append(name)
         return True
 
+
 def ipfw(*args):
     argv = ['ipfw', '-q'] + list(args)
     debug1('>> %s\n' % ' '.join(argv))
-    rv = ssubprocess.call(argv)
+    rv = ssubprocess.call(argv, env=get_env())
+    # No env: No output. (Or error that won't be parsed.)
     if rv:
         raise Fatal('%r returned %d' % (argv, rv))
 
@@ -147,14 +140,16 @@ def ipfw(*args):
 def ipfw_noexit(*args):
     argv = ['ipfw', '-q'] + list(args)
     debug1('>> %s\n' % ' '.join(argv))
-    ssubprocess.call(argv)
+    ssubprocess.call(argv, env=get_env())
+    # No env: No output. (Or error that won't be parsed.)
+
 
 class Method(BaseMethod):
 
     def get_supported_features(self):
         result = super(Method, self).get_supported_features()
         result.ipv6 = False
-        result.udp = False #NOTE: Almost there, kernel patch needed
+        result.udp = False  # NOTE: Almost there, kernel patch needed
         result.dns = True
         return result
 
@@ -177,30 +172,31 @@ class Method(BaseMethod):
                "couldn't determine source IP address\n" % (dstip,))
             return
 
-        #debug3('Sending SRC: %r DST: %r\n' % (srcip, dstip))
+        # debug3('Sending SRC: %r DST: %r\n' % (srcip, dstip))
         sender = socket.socket(sock.family, socket.SOCK_DGRAM)
         sender.setsockopt(socket.SOL_IP, IP_BINDANY, 1)
         sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
         sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
-        sender.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
+        sender.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
         sender.bind(srcip)
-        sender.sendto(data,dstip)
+        sender.sendto(data, dstip)
         sender.close()
 
     def setup_udp_listener(self, udp_listener):
         if udp_listener.v4 is not None:
             udp_listener.v4.setsockopt(socket.SOL_IP, IP_RECVDSTADDR, 1)
-        #if udp_listener.v6 is not None:
-        #    udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)
+        # if udp_listener.v6 is not None:
+        #     udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)
 
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
         # IPv6 not supported
-        if family not in [socket.AF_INET ]:
+        if family not in [socket.AF_INET]:
             raise Exception(
                 'Address family "%s" unsupported by ipfw method_name'
                 % family_to_string(family))
 
-        #XXX: Any risk from this?
+        # XXX: Any risk from this?
         ipfw_noexit('delete', '1')
 
         while _changedctls:
@@ -220,42 +216,34 @@ class Method(BaseMethod):
         ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
              'tcp',
              'from', 'any', 'to', 'table(126)',
-             'not', 'ipttl', '42', 'keep-state', 'setup')
+             'not', 'ipttl', '63', 'keep-state', 'setup')
 
         ipfw_noexit('table', '124', 'flush')
         dnscount = 0
-        for f, ip in [i for i in nslist if i[0] == family]:
+        for _, ip in [i for i in nslist if i[0] == family]:
             ipfw('table', '124', 'add', '%s' % (ip))
             dnscount += 1
         if dnscount > 0:
             ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
                  'udp',
                  'from', 'any', 'to', 'table(124)',
-                 'not', 'ipttl', '42')
-        """if udp:
-            ipfw('add', '1', 'skipto', '2',
-                 'udp',
-                 'from', 'any', 'to', 'table(125)')
-            ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
-                 'udp',
-                 'from', 'any', 'to', 'table(126)',
-                 'not', 'ipttl', '42')
-        """
+                 'not', 'ipttl', '63')
         ipfw('add', '1', 'allow',
              'udp',
              'from', 'any', 'to', 'any',
-             'ipttl', '42')
+             'ipttl', '63')
 
         if subnets:
             # create new subnet entries
-            for f, swidth, sexclude, snet \
-                in sorted(subnets, key=lambda s: s[1], reverse=True):
+            for _, swidth, sexclude, snet in sorted(subnets,
+                                                    key=lambda s: s[1],
+                                                    reverse=True):
                 if sexclude:
                     ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
             else:
                 ipfw('table', '126', 'add', '%s/%s' % (snet, swidth))
 
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
         if family not in [socket.AF_INET]:
             raise Exception(
                 'Address family "%s" unsupported by tproxy method'
@@ -266,3 +254,9 @@ class Method(BaseMethod):
         ipfw_noexit('table', '125', 'flush')
         ipfw_noexit('table', '126', 'flush')
 
+    def is_supported(self):
+        if which("ipfw"):
+            return True
+        debug2("ipfw method not supported because 'ipfw' command is "
+               "missing.\n")
+        return False

sshuttle/methods/nat.py

@@ -1,6 +1,6 @@
 import socket
 from sshuttle.firewall import subnet_weight
-from sshuttle.helpers import family_to_string
+from sshuttle.helpers import family_to_string, which, debug2
 from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists, nonfatal
 from sshuttle.methods import BaseMethod
 
@@ -12,7 +12,8 @@ class Method(BaseMethod):
     # the multiple copies shouldn't have overlapping subnets, or only the most-
     # recently-started one will win (because we use "-I OUTPUT 1" instead of
     # "-A OUTPUT").
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
         # only ipv4 supported with NAT
         if family != socket.AF_INET:
             raise Exception(
@@ -29,18 +30,47 @@ class Method(BaseMethod):
         def _ipt_ttl(*args):
             return ipt_ttl(family, table, *args)
 
+        def _ipm(*args):
+            return ipt(family, "mangle", *args)
+
         chain = 'sshuttle-%s' % port
 
         # basic cleanup/setup of chains
-        self.restore_firewall(port, family, udp)
+        self.restore_firewall(port, family, udp, user)
 
         _ipt('-N', chain)
         _ipt('-F', chain)
-        _ipt('-I', 'OUTPUT', '1', '-j', chain)
-        _ipt('-I', 'PREROUTING', '1', '-j', chain)
+        if user is not None:
+            _ipm('-I', 'OUTPUT', '1', '-m', 'owner', '--uid-owner', str(user),
+                 '-j', 'MARK', '--set-mark', str(port))
+            args = '-m', 'mark', '--mark', str(port), '-j', chain
+        else:
+            args = '-j', chain
+
+        _ipt('-I', 'OUTPUT', '1', *args)
+        _ipt('-I', 'PREROUTING', '1', *args)
+
+        # This TTL hack allows the client and server to run on the
+        # same host. The connections the sshuttle server makes will
+        # have TTL set to 63.
+        _ipt_ttl('-A', chain, '-j', 'RETURN',  '-m', 'ttl', '--ttl', '63')
+
+        # Redirect DNS traffic as requested. This includes routing traffic
+        # to localhost DNS servers through sshuttle.
+        for _, ip in [i for i in nslist if i[0] == family]:
+            _ipt('-A', chain, '-j', 'REDIRECT',
+                 '--dest', '%s/32' % ip,
+                 '-p', 'udp',
+                 '--dport', '53',
+                 '--to-ports', str(dnsport))
+
+        # Don't route any remaining local traffic through sshuttle.
+        _ipt('-A', chain, '-j', 'RETURN',
+             '-m', 'addrtype',
+             '--dst-type', 'LOCAL')
 
         # create new subnet entries.
-        for f, swidth, sexclude, snet, fport, lport \
+        for _, swidth, sexclude, snet, fport, lport \
                 in sorted(subnets, key=subnet_weight, reverse=True):
             tcp_ports = ('-p', 'tcp')
             if fport:
@@ -51,18 +81,11 @@ class Method(BaseMethod):
                      '--dest', '%s/%s' % (snet, swidth),
                      *tcp_ports)
             else:
-                _ipt_ttl('-A', chain, '-j', 'REDIRECT',
-                         '--dest', '%s/%s' % (snet, swidth),
-                         *(tcp_ports + ('--to-ports', str(port))))
+                _ipt('-A', chain, '-j', 'REDIRECT',
+                     '--dest', '%s/%s' % (snet, swidth),
+                     *(tcp_ports + ('--to-ports', str(port))))
 
-        for f, ip in [i for i in nslist if i[0] == family]:
-            _ipt_ttl('-A', chain, '-j', 'REDIRECT',
-                     '--dest', '%s/32' % ip,
-                     '-p', 'udp',
-                     '--dport', '53',
-                     '--to-ports', str(dnsport))
-
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
         # only ipv4 supported with NAT
         if family != socket.AF_INET:
             raise Exception(
@@ -79,11 +102,32 @@ class Method(BaseMethod):
         def _ipt_ttl(*args):
             return ipt_ttl(family, table, *args)
 
+        def _ipm(*args):
+            return ipt(family, "mangle", *args)
+
         chain = 'sshuttle-%s' % port
 
         # basic cleanup/setup of chains
         if ipt_chain_exists(family, table, chain):
-            nonfatal(_ipt, '-D', 'OUTPUT', '-j', chain)
-            nonfatal(_ipt, '-D', 'PREROUTING', '-j', chain)
+            if user is not None:
+                nonfatal(_ipm, '-D', 'OUTPUT', '-m', 'owner', '--uid-owner',
+                         str(user), '-j', 'MARK', '--set-mark', str(port))
+                args = '-m', 'mark', '--mark', str(port), '-j', chain
+            else:
+                args = '-j', chain
+            nonfatal(_ipt, '-D', 'OUTPUT', *args)
+            nonfatal(_ipt, '-D', 'PREROUTING', *args)
             nonfatal(_ipt, '-F', chain)
             _ipt('-X', chain)
+
+    def get_supported_features(self):
+        result = super(Method, self).get_supported_features()
+        result.user = True
+        return result
+
+    def is_supported(self):
+        if which("iptables"):
+            return True
+        debug2("nat method not supported because 'iptables' command "
+               "is missing.\n")
+        return False

sshuttle/methods/nft.py

@@ -0,0 +1,122 @@
+import socket
+from sshuttle.firewall import subnet_weight
+from sshuttle.linux import nft, nonfatal
+from sshuttle.methods import BaseMethod
+from sshuttle.helpers import debug2, which
+
+
+class Method(BaseMethod):
+
+    # We name the chain based on the transproxy port number so that it's
+    # possible to run multiple copies of sshuttle at the same time.  Of course,
+    # the multiple copies shouldn't have overlapping subnets, or only the most-
+    # recently-started one will win (because we use "-I OUTPUT 1" instead of
+    # "-A OUTPUT").
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
+        if udp:
+            raise Exception("UDP not supported by nft")
+
+        if family == socket.AF_INET:
+            table = 'sshuttle-ipv4-%s' % port
+        if family == socket.AF_INET6:
+            table = 'sshuttle-ipv6-%s' % port
+
+        def _nft(action, *args):
+            return nft(family, table, action, *args)
+
+        chain = table
+
+        # basic cleanup/setup of chains
+        _nft('add table', '')
+        _nft('add chain', 'prerouting',
+             '{ type nat hook prerouting priority -100; policy accept; }')
+        _nft('add chain', 'output',
+             '{ type nat hook output priority -100; policy accept; }')
+        _nft('add chain', chain)
+        _nft('flush chain', chain)
+        _nft('add rule', 'output jump %s' % chain)
+        _nft('add rule', 'prerouting jump %s' % chain)
+
+        # setup_firewall() gets called separately for ipv4 and ipv6. Make sure
+        # we only handle the version that we expect to.
+        if family == socket.AF_INET:
+            _nft('add rule', chain, 'meta', 'nfproto', '!=', 'ipv4', 'return')
+        else:
+            _nft('add rule', chain, 'meta', 'nfproto', '!=', 'ipv6', 'return')
+
+        # This TTL hack allows the client and server to run on the
+        # same host. The connections the sshuttle server makes will
+        # have TTL set to 63.
+        if family == socket.AF_INET:
+            _nft('add rule', chain, 'ip ttl == 63 return')
+        elif family == socket.AF_INET6:
+            _nft('add rule', chain, 'ip6 hoplimit == 63 return')
+
+        # Strings to use below to simplify our code
+        if family == socket.AF_INET:
+            ip_version_l = 'ipv4'
+            ip_version = 'ip'
+        elif family == socket.AF_INET6:
+            ip_version_l = 'ipv6'
+            ip_version = 'ip6'
+
+        # Redirect DNS traffic as requested. This includes routing traffic
+        # to localhost DNS servers through sshuttle.
+        for _, ip in [i for i in nslist if i[0] == family]:
+            _nft('add rule', chain, ip_version,
+                 'daddr %s' % ip, 'udp dport 53',
+                 ('redirect to :' + str(dnsport)))
+
+        # Don't route any remaining local traffic through sshuttle
+        _nft('add rule', chain, 'fib daddr type local return')
+
+        # create new subnet entries.
+        for _, swidth, sexclude, snet, fport, lport \
+                in sorted(subnets, key=subnet_weight, reverse=True):
+
+            # match using nfproto as described at
+            # https://superuser.com/questions/1560376/match-ipv6-protocol-using-nftables
+            if fport and fport != lport:
+                tcp_ports = ('meta', 'nfproto', ip_version_l, 'tcp',
+                             'dport', '{ %d-%d }' % (fport, lport))
+            elif fport and fport == lport:
+                tcp_ports = ('meta', 'nfproto', ip_version_l, 'tcp',
+                             'dport', '%d' % (fport))
+            else:
+                tcp_ports = ('meta', 'nfproto', ip_version_l,
+                             'meta', 'l4proto', 'tcp')
+
+            if sexclude:
+                _nft('add rule', chain, *(tcp_ports + (
+                     ip_version, 'daddr %s/%s' % (snet, swidth), 'return')))
+            else:
+                _nft('add rule', chain, *(tcp_ports + (
+                    ip_version, 'daddr %s/%s' % (snet, swidth),
+                    ('redirect to :' + str(port)))))
+
+    def restore_firewall(self, port, family, udp, user):
+        if udp:
+            raise Exception("UDP not supported by nft method_name")
+
+        if family == socket.AF_INET:
+            table = 'sshuttle-ipv4-%s' % port
+        if family == socket.AF_INET6:
+            table = 'sshuttle-ipv6-%s' % port
+
+        def _nft(action, *args):
+            return nft(family, table, action, *args)
+
+        # basic cleanup/setup of chains
+        nonfatal(_nft, 'delete table', '')
+
+    def get_supported_features(self):
+        result = super(Method, self).get_supported_features()
+        result.ipv6 = True
+        return result
+
+    def is_supported(self):
+        if which("nft"):
+            return True
+        debug2("nft method not supported because 'nft' command is missing.\n")
+        return False

sshuttle/methods/pf.py

@@ -3,6 +3,7 @@ import sys
 import platform
 import re
 import socket
+import errno
 import struct
 import subprocess as ssubprocess
 import shlex
@@ -10,11 +11,16 @@ from fcntl import ioctl
 from ctypes import c_char, c_uint8, c_uint16, c_uint32, Union, Structure, \
     sizeof, addressof, memmove
 from sshuttle.firewall import subnet_weight
-from sshuttle.helpers import debug1, debug2, debug3, Fatal, family_to_string
+from sshuttle.helpers import debug1, debug2, debug3, Fatal, family_to_string, \
+    get_env, which
 from sshuttle.methods import BaseMethod
 
 
-_pf_context = {'started_by_sshuttle': False, 'Xtoken': []}
+_pf_context = {
+    'started_by_sshuttle': 0,
+    'loaded_by_sshuttle': True,
+    'Xtoken': []
+}
 _pf_fd = None
 
 
@@ -31,7 +37,7 @@ class Generic(object):
 
     class pf_addr(Structure):
         class _pfa(Union):
-             _fields_ = [("v4", c_uint32),     # struct in_addr
+            _fields_ = [("v4", c_uint32),      # struct in_addr
                         ("v6", c_uint32 * 4),  # struct in6_addr
                         ("addr8", c_uint8 * 16),
                         ("addr16", c_uint16 * 8),
@@ -60,13 +66,14 @@ class Generic(object):
     def enable(self):
         if b'INFO:\nStatus: Disabled' in self.status:
             pfctl('-e')
-            _pf_context['started_by_sshuttle'] = True
+            _pf_context['started_by_sshuttle'] += 1
 
-    def disable(self, anchor):
+    @staticmethod
+    def disable(anchor):
         pfctl('-a %s -F all' % anchor)
-        if _pf_context['started_by_sshuttle']:
+        if _pf_context['started_by_sshuttle'] == 1:
             pfctl('-d')
-            _pf_context['started_by_sshuttle'] = False
+        _pf_context['started_by_sshuttle'] -= 1
 
     def query_nat(self, family, proto, src_ip, src_port, dst_ip, dst_port):
         [proto, family, src_port, dst_port] = [
@@ -94,11 +101,13 @@ class Generic(object):
         port = socket.ntohs(self._get_natlook_port(pnl.rdxport))
         return (ip, port)
 
-    def _add_natlook_ports(self, pnl, src_port, dst_port):
+    @staticmethod
+    def _add_natlook_ports(pnl, src_port, dst_port):
         pnl.sxport = socket.htons(src_port)
         pnl.dxport = socket.htons(dst_port)
 
-    def _get_natlook_port(self, xport):
+    @staticmethod
+    def _get_natlook_port(xport):
         return xport
 
     def add_anchors(self, anchor, status=None):
@@ -108,39 +117,44 @@ class Generic(object):
         if ('\nanchor "%s"' % anchor).encode('ASCII') not in status:
             self._add_anchor_rule(self.PF_PASS, anchor.encode('ASCII'))
 
-    def _add_anchor_rule(self, type, name, pr=None):
+    def _add_anchor_rule(self, kind, name, pr=None):
         if pr is None:
             pr = self.pfioc_rule()
 
         memmove(addressof(pr) + self.ANCHOR_CALL_OFFSET, name,
                 min(self.MAXPATHLEN, len(name)))  # anchor_call = name
         memmove(addressof(pr) + self.RULE_ACTION_OFFSET,
-                struct.pack('I', type), 4)  # rule.action = type
+                struct.pack('I', kind), 4)  # rule.action = kind
 
-        memmove(addressof(pr) + self.ACTION_OFFSET, struct.pack(
-            'I', self.PF_CHANGE_GET_TICKET), 4)  # action = PF_CHANGE_GET_TICKET
+        memmove(addressof(pr) + self.ACTION_OFFSET,
+                struct.pack('I', self.PF_CHANGE_GET_TICKET),
+                4)  # action = PF_CHANGE_GET_TICKET
         ioctl(pf_get_dev(), pf.DIOCCHANGERULE, pr)
 
-        memmove(addressof(pr) + self.ACTION_OFFSET, struct.pack(
-            'I', self.PF_CHANGE_ADD_TAIL), 4)  # action = PF_CHANGE_ADD_TAIL
+        memmove(addressof(pr) + self.ACTION_OFFSET,
+                struct.pack('I', self.PF_CHANGE_ADD_TAIL),
+                4)  # action = PF_CHANGE_ADD_TAIL
         ioctl(pf_get_dev(), pf.DIOCCHANGERULE, pr)
 
-    def _inet_version(self, family):
+    @staticmethod
+    def _inet_version(family):
         return b'inet' if family == socket.AF_INET else b'inet6'
 
-    def _lo_addr(self, family):
+    @staticmethod
+    def _lo_addr(family):
         return b'127.0.0.1' if family == socket.AF_INET else b'::1'
 
-    def add_rules(self, anchor, rules):
+    @staticmethod
+    def add_rules(anchor, rules):
         assert isinstance(rules, bytes)
         debug3("rules:\n" + rules.decode("ASCII"))
         pfctl('-a %s -f /dev/stdin' % anchor, rules)
 
-    def has_skip_loopback(self):
+    @staticmethod
+    def has_skip_loopback():
         return b'skip' in pfctl('-s Interfaces -i lo -v')[0]
 
 
-
 class FreeBsd(Generic):
     RULE_ACTION_OFFSET = 2968
 
@@ -165,8 +179,19 @@ class FreeBsd(Generic):
         freebsd.pfioc_natlook = pfioc_natlook
         return freebsd
 
-    def __init__(self):
-        super(FreeBsd, self).__init__()
+    def enable(self):
+        returncode = ssubprocess.call(['kldload', 'pf'], env=get_env())
+        # No env: No output.
+        super(FreeBsd, self).enable()
+        if returncode == 0:
+            _pf_context['loaded_by_sshuttle'] = True
+
+    def disable(self, anchor):
+        super(FreeBsd, self).disable(anchor)
+        if _pf_context['loaded_by_sshuttle'] and \
+                _pf_context['started_by_sshuttle'] == 0:
+            ssubprocess.call(['kldunload', 'pf'], env=get_env())
+            # No env: No output.
 
     def add_anchors(self, anchor):
         status = pfctl('-s all')[0]
@@ -174,14 +199,14 @@ class FreeBsd(Generic):
             self._add_anchor_rule(self.PF_RDR, anchor.encode('ASCII'))
         super(FreeBsd, self).add_anchors(anchor, status=status)
 
-    def _add_anchor_rule(self, type, name):
-        pr = self.pfioc_rule()
+    def _add_anchor_rule(self, kind, name, pr=None):
+        pr = pr or self.pfioc_rule()
         ppa = self.pfioc_pooladdr()
 
         ioctl(pf_get_dev(), self.DIOCBEGINADDRS, ppa)
         # pool ticket
         memmove(addressof(pr) + self.POOL_TICKET_OFFSET, ppa[4:8], 4)
-        super(FreeBsd, self)._add_anchor_rule(type, name, pr=pr)
+        super(FreeBsd, self)._add_anchor_rule(kind, name, pr=pr)
 
     def add_rules(self, anchor, includes, port, dnsport, nslist, family):
         inet_version = self._inet_version(family)
@@ -189,19 +214,19 @@ class FreeBsd(Generic):
 
         tables = []
         translating_rules = [
-            b'rdr pass on lo0 %s proto tcp to %s '
-            b'-> %s port %r' % (inet_version, subnet, lo_addr, port)
+            b'rdr pass on lo0 %s proto tcp from ! %s to %s '
+            b'-> %s port %r' % (inet_version, lo_addr, subnet, lo_addr, port)
             for exclude, subnet in includes if not exclude
         ]
         filtering_rules = [
             b'pass out route-to lo0 %s proto tcp '
             b'to %s keep state' % (inet_version, subnet)
             if not exclude else
-            b'pass out quick %s proto tcp to %s' % (inet_version, subnet)
+            b'pass out %s proto tcp to %s' % (inet_version, subnet)
             for exclude, subnet in includes
         ]
 
-        if len(nslist) > 0:
+        if nslist:
             tables.append(
                 b'table <dns_servers> {%s}' %
                 b','.join([ns[1].encode("ASCII") for ns in nslist]))
@@ -241,7 +266,7 @@ class OpenBsd(Generic):
                         ("proto_variant", c_uint8),
                         ("direction", c_uint8)]
 
-        self.pfioc_rule = c_char * 3400
+        self.pfioc_rule = c_char * 3424
         self.pfioc_natlook = pfioc_natlook
         super(OpenBsd, self).__init__()
 
@@ -267,11 +292,11 @@ class OpenBsd(Generic):
             b'pass out %s proto tcp to %s '
             b'route-to lo0 keep state' % (inet_version, subnet)
             if not exclude else
-            b'pass out quick %s proto tcp to %s' % (inet_version, subnet)
+            b'pass out %s proto tcp to %s' % (inet_version, subnet)
             for exclude, subnet in includes
         ]
 
-        if len(nslist) > 0:
+        if nslist:
             tables.append(
                 b'table <dns_servers> {%s}' %
                 b','.join([ns[1].encode("ASCII") for ns in nslist]))
@@ -362,15 +387,10 @@ else:
 def pfctl(args, stdin=None):
     argv = ['pfctl'] + shlex.split(args)
     debug1('>> %s\n' % ' '.join(argv))
-
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
     p = ssubprocess.Popen(argv, stdin=ssubprocess.PIPE,
                           stdout=ssubprocess.PIPE,
                           stderr=ssubprocess.PIPE,
-                          env=env)
+                          env=get_env())
     o = p.communicate(stdin)
     if p.returncode:
         raise Fatal('%r returned %d' % (argv, p.returncode))
@@ -400,7 +420,13 @@ class Method(BaseMethod):
     def get_tcp_dstip(self, sock):
         pfile = self.firewall.pfile
 
-        peer = sock.getpeername()
+        try:
+            peer = sock.getpeername()
+        except socket.error:
+            _, e = sys.exc_info()[:2]
+            if e.args[0] == errno.EINVAL:
+                return sock.getsockname()
+
         proxy = sock.getsockname()
 
         argv = (sock.family, socket.IPPROTO_TCP,
@@ -417,11 +443,8 @@ class Method(BaseMethod):
 
         return sock.getsockname()
 
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
-        tables = []
-        translating_rules = []
-        filtering_rules = []
-
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
         if family not in [socket.AF_INET, socket.AF_INET6]:
             raise Exception(
                 'Address family "%s" unsupported by pf method_name'
@@ -429,13 +452,13 @@ class Method(BaseMethod):
         if udp:
             raise Exception("UDP not supported by pf method_name")
 
-        if len(subnets) > 0:
+        if subnets:
             includes = []
             # If a given subnet is both included and excluded, list the
             # exclusion first; the table will ignore the second, opposite
             # definition
-            for f, swidth, sexclude, snet, fport, lport \
-                    in sorted(subnets, key=subnet_weight, reverse=True):
+            for _, swidth, sexclude, snet, fport, lport \
+                    in sorted(subnets, key=subnet_weight):
                 includes.append((sexclude, b"%s/%d%s" % (
                     snet.encode("ASCII"),
                     swidth,
@@ -446,7 +469,7 @@ class Method(BaseMethod):
         pf.add_rules(anchor, includes, port, dnsport, nslist, family)
         pf.enable()
 
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
         if family not in [socket.AF_INET, socket.AF_INET6]:
             raise Exception(
                 'Address family "%s" unsupported by pf method_name'
@@ -468,3 +491,9 @@ class Method(BaseMethod):
             return True
         else:
             return False
+
+    def is_supported(self):
+        if which("pfctl"):
+            return True
+        debug2("pf method not supported because 'pfctl' command is missing.\n")
+        return False

sshuttle/methods/tproxy.py

@@ -3,7 +3,7 @@ from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import family_to_string
 from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists
 from sshuttle.methods import BaseMethod
-from sshuttle.helpers import debug1, debug3, Fatal
+from sshuttle.helpers import debug1, debug2, debug3, Fatal, which
 
 recvmsg = None
 try:
@@ -33,7 +33,7 @@ IPV6_RECVORIGDSTADDR = IPV6_ORIGDSTADDR
 if recvmsg == "python":
     def recv_udp(listener, bufsize):
         debug3('Accept UDP python using recvmsg.\n')
-        data, ancdata, msg_flags, srcip = listener.recvmsg(
+        data, ancdata, _, srcip = listener.recvmsg(
             4096, socket.CMSG_SPACE(24))
         dstip = None
         family = None
@@ -64,7 +64,7 @@ if recvmsg == "python":
 elif recvmsg == "socket_ext":
     def recv_udp(listener, bufsize):
         debug3('Accept UDP using socket_ext recvmsg.\n')
-        srcip, data, adata, flags = listener.recvmsg(
+        srcip, data, adata, _ = listener.recvmsg(
             (bufsize,), socket.CMSG_SPACE(24))
         dstip = None
         family = None
@@ -150,7 +150,18 @@ class Method(BaseMethod):
         if udp_listener.v6 is not None:
             udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVORIGDSTADDR, 1)
 
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
+                       user):
+        if self.firewall is None:
+            tmark = '1'
+        else:
+            tmark = self.firewall.tmark
+
+        self.setup_firewall_tproxy(port, dnsport, nslist, family, subnets, udp,
+                                   user, tmark)
+
+    def setup_firewall_tproxy(self, port, dnsport, nslist, family, subnets,
+                              udp, user, tmark):
         if family not in [socket.AF_INET, socket.AF_INET6]:
             raise Exception(
                 'Address family "%s" unsupported by tproxy method'
@@ -168,13 +179,12 @@ class Method(BaseMethod):
             return proto + ('--dport', '%d:%d' % (fport, lport)) \
                     if fport else proto
 
-
         mark_chain = 'sshuttle-m-%s' % port
         tproxy_chain = 'sshuttle-t-%s' % port
         divert_chain = 'sshuttle-d-%s' % port
 
         # basic cleanup/setup of chains
-        self.restore_firewall(port, family, udp)
+        self.restore_firewall(port, family, udp, user)
 
         _ipt('-N', mark_chain)
         _ipt('-F', mark_chain)
@@ -182,9 +192,9 @@ class Method(BaseMethod):
         _ipt('-F', divert_chain)
         _ipt('-N', tproxy_chain)
         _ipt('-F', tproxy_chain)
-        _ipt('-I', 'OUTPUT', '1', '-j', mark_chain)
-        _ipt('-I', 'PREROUTING', '1', '-j', tproxy_chain)
-        _ipt('-A', divert_chain, '-j', 'MARK', '--set-mark', '1')
+        _ipt('-I', 'OUTPUT', tmark, '-j', mark_chain)
+        _ipt('-I', 'PREROUTING', tmark, '-j', tproxy_chain)
+        _ipt('-A', divert_chain, '-j', 'MARK', '--set-mark', tmark)
         _ipt('-A', divert_chain, '-j', 'ACCEPT')
         _ipt('-A', tproxy_chain, '-m', 'socket', '-j', divert_chain,
              '-m', 'tcp', '-p', 'tcp')
@@ -193,17 +203,17 @@ class Method(BaseMethod):
             _ipt('-A', tproxy_chain, '-m', 'socket', '-j', divert_chain,
                  '-m', 'udp', '-p', 'udp')
 
-        for f, ip in [i for i in nslist if i[0] == family]:
-            _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
+        for _, ip in [i for i in nslist if i[0] == family]:
+            _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', tmark,
                  '--dest', '%s/32' % ip,
                  '-m', 'udp', '-p', 'udp', '--dport', '53')
             _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                 '--tproxy-mark', '0x1/0x1',
+                 '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
                  '--dest', '%s/32' % ip,
                  '-m', 'udp', '-p', 'udp', '--dport', '53',
                  '--on-port', str(dnsport))
 
-        for f, swidth, sexclude, snet, fport, lport \
+        for _, swidth, sexclude, snet, fport, lport \
                 in sorted(subnets, key=subnet_weight, reverse=True):
             tcp_ports = ('-p', 'tcp')
             tcp_ports = _ipt_proto_ports(tcp_ports, fport, lport)
@@ -218,12 +228,12 @@ class Method(BaseMethod):
                      '-m', 'tcp',
                      *tcp_ports)
             else:
-                _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
+                _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', tmark,
                      '--dest', '%s/%s' % (snet, swidth),
                      '-m', 'tcp',
                      *tcp_ports)
                 _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                     '--tproxy-mark', '0x1/0x1',
+                     '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
                      '--dest', '%s/%s' % (snet, swidth),
                      '-m', 'tcp',
                      *(tcp_ports + ('--on-port', str(port))))
@@ -242,16 +252,17 @@ class Method(BaseMethod):
                          '-m', 'udp',
                          *udp_ports)
                 else:
-                    _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
+                    _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', tmark,
                          '--dest', '%s/%s' % (snet, swidth),
-                         '-m', 'udp', '-p', 'udp')
+                         '-m', 'udp',
+                         *udp_ports)
                     _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                         '--tproxy-mark', '0x1/0x1',
+                         '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
                          '--dest', '%s/%s' % (snet, swidth),
                          '-m', 'udp',
                          *(udp_ports + ('--on-port', str(port))))
 
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
         if family not in [socket.AF_INET, socket.AF_INET6]:
             raise Exception(
                 'Address family "%s" unsupported by tproxy method'
@@ -283,3 +294,10 @@ class Method(BaseMethod):
         if ipt_chain_exists(family, table, divert_chain):
             _ipt('-F', divert_chain)
             _ipt('-X', divert_chain)
+
+    def is_supported(self):
+        if which("iptables") and which("ip6tables"):
+            return True
+        debug2("tproxy method not supported because 'iptables' "
+               "or 'ip6tables' commands are missing.\n")
+        return False

sshuttle/options.py

@@ -1,6 +1,7 @@
 import re
 import socket
 from argparse import ArgumentParser, Action, ArgumentTypeError as Fatal
+
 from sshuttle import __version__
 
 
@@ -13,9 +14,9 @@ def parse_subnetport_file(s):
 
     raw_config_lines = handle.readlines()
     subnets = []
-    for line_no, line in enumerate(raw_config_lines):
+    for _, line in enumerate(raw_config_lines):
         line = line.strip()
-        if len(line) == 0:
+        if not line:
             continue
         if line[0] == '#':
             continue
@@ -27,29 +28,73 @@ def parse_subnetport_file(s):
 # 1.2.3.4/5:678, 1.2.3.4:567, 1.2.3.4/16 or just 1.2.3.4
 # [1:2::3/64]:456, [1:2::3]:456, 1:2::3/64 or just 1:2::3
 # example.com:123 or just example.com
+#
+# In addition, the port number can be specified as a range:
+# 1.2.3.4:8000-8080.
+#
+# Can return multiple matches if the domain name used in the request
+# has multiple IP addresses.
 def parse_subnetport(s):
+
     if s.count(':') > 1:
         rx = r'(?:\[?([\w\:]+)(?:/(\d+))?]?)(?::(\d+)(?:-(\d+))?)?$'
     else:
-        rx = r'([\w\.]+)(?:/(\d+))?(?::(\d+)(?:-(\d+))?)?$'
+        rx = r'([\w\.\-]+)(?:/(\d+))?(?::(\d+)(?:-(\d+))?)?$'
 
     m = re.match(rx, s)
     if not m:
         raise Fatal('%r is not a valid address/mask:port format' % s)
 
-    addr, width, fport, lport = m.groups()
+    # Ports range from fport to lport. If only one port is specified,
+    # fport is defined and lport is None.
+    #
+    # cidr is the mask defined with the slash notation
+    host, cidr, fport, lport = m.groups()
     try:
-        addrinfo = socket.getaddrinfo(addr, 0, 0, socket.SOCK_STREAM)
+        addrinfo = socket.getaddrinfo(host, 0, 0, socket.SOCK_STREAM)
     except socket.gaierror:
-        raise Fatal('Unable to resolve address: %s' % addr)
+        raise Fatal('Unable to resolve address: %s' % host)
 
-    family, _, _, _, addr = min(addrinfo)
-    max_width = 32 if family == socket.AF_INET else 128
-    width = int(width or max_width)
-    if not 0 <= width <= max_width:
-        raise Fatal('width %d is not between 0 and %d' % (width, max_width))
+    # If the address is a domain with multiple IPs and a mask is also
+    # provided, proceed cautiously:
+    if cidr is not None:
+        addr_v6 = [a for a in addrinfo if a[0] == socket.AF_INET6]
+        addr_v4 = [a for a in addrinfo if a[0] == socket.AF_INET]
 
-    return (family, addr[0], width, int(fport or 0), int(lport or fport or 0))
+        # Refuse to proceed if IPv4 and IPv6 addresses are present:
+        if len(addr_v6) > 0 and len(addr_v4) > 0:
+            raise Fatal("%s has IPv4 and IPv6 addresses, so the mask "
+                        "of /%s is not supported. Specify the IP "
+                        "addresses directly if you wish to specify "
+                        "a mask." % (host, cidr))
+
+        # Warn if a domain has multiple IPs of the same type (IPv4 vs
+        # IPv6) and the mask is applied to all of the IPs.
+        if len(addr_v4) > 1 or len(addr_v6) > 1:
+            print("WARNING: %s has multiple IP addresses. The "
+                  "mask of /%s is applied to all of the addresses."
+                  % (host, cidr))
+
+    rv = []
+    for a in addrinfo:
+        family, _, _, _, addr = a
+
+        # Largest possible slash value we can use with this IP:
+        max_cidr = 32 if family == socket.AF_INET else 128
+
+        if cidr is None:  # if no mask, use largest mask
+            cidr_to_use = max_cidr
+        else:   # verify user-provided mask is appropriate
+            cidr_to_use = int(cidr)
+            if not 0 <= cidr_to_use <= max_cidr:
+                raise Fatal('Slash in CIDR notation (/%d) is '
+                            'not between 0 and %d'
+                            % (cidr_to_use, max_cidr))
+
+        rv.append((family, addr[0], cidr_to_use,
+                   int(fport or 0), int(lport or fport or 0)))
+
+    return rv
 
 
 # 1.2.3.4:567 or just 1.2.3.4 or just 567
@@ -62,27 +107,32 @@ def parse_ipport(s):
     elif ']' in s:
         rx = r'(?:\[([^]]+)])(?::(\d+))?$'
     else:
-        rx = r'([\w\.]+)(?::(\d+))?$'
+        rx = r'([\w\.\-]+)(?::(\d+))?$'
 
     m = re.match(rx, s)
     if not m:
         raise Fatal('%r is not a valid IP:port format' % s)
 
-    ip, port = m.groups()
-    ip = ip or '0.0.0.0'
+    host, port = m.groups()
+    host = host or '0.0.0.0'
     port = int(port or 0)
 
     try:
-        addrinfo = socket.getaddrinfo(ip, port, 0, socket.SOCK_STREAM)
+        addrinfo = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)
     except socket.gaierror:
-        raise Fatal('%r is not a valid IP:port format' % s)
+        raise Fatal('Unable to resolve address: %s' % host)
+
+    if len(addrinfo) > 1:
+        print("WARNING: Host %s has more than one IP, only using one of them."
+              % host)
 
     family, _, _, _, addr = min(addrinfo)
+    # Note: addr contains (ip, port)
     return (family,) + addr[:2]
 
 
-def parse_list(list):
-    return re.split(r'[\s,]+', list.strip()) if list else []
+def parse_list(lst):
+    return re.split(r'[\s,]+', lst.strip()) if lst else []
 
 
 class Concat(Action):
@@ -98,7 +148,8 @@ class Concat(Action):
 
 parser = ArgumentParser(
     prog="sshuttle",
-    usage="%(prog)s [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>"
+    usage="%(prog)s [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>",
+    fromfile_prefix_chars="@"
 )
 parser.add_argument(
     "subnets",
@@ -120,7 +171,8 @@ parser.add_argument(
     "-H", "--auto-hosts",
     action="store_true",
     help="""
-    continuously scan for remote hostnames and update local /etc/hosts as they are found
+    continuously scan for remote hostnames and update local /etc/hosts as
+    they are found
     """
 )
 parser.add_argument(
@@ -146,9 +198,19 @@ parser.add_argument(
     capture and forward DNS requests made to the following servers
     """
 )
+parser.add_argument(
+    "--to-ns",
+    metavar="IP[:PORT]",
+    type=parse_ipport,
+    help="""
+    the DNS server to forward requests to; defaults to servers in
+    /etc/resolv.conf on remote side if not given.
+    """
+)
+
 parser.add_argument(
     "--method",
-    choices=["auto", "nat", "tproxy", "pf", "ipfw"],
+    choices=["auto", "nat", "nft", "tproxy", "pf", "ipfw"],
     metavar="TYPE",
     default="auto",
     help="""
@@ -164,9 +226,9 @@ parser.add_argument(
 )
 parser.add_argument(
     "-r", "--remote",
-    metavar="[USERNAME@]ADDR[:PORT]",
+    metavar="[USERNAME[:PASSWORD]@]ADDR[:PORT]",
     help="""
-    ssh hostname (and optional username) of remote %(prog)s server
+    ssh hostname (and optional username and password) of remote %(prog)s server
     """
 )
 parser.add_argument(
@@ -218,7 +280,8 @@ parser.add_argument(
     metavar="HOSTNAME[,HOSTNAME]",
     default=[],
     help="""
-    comma-separated list of hostnames for initial scan (may be used with or without --auto-hosts)
+    comma-separated list of hostnames for initial scan (may be used with
+    or without --auto-hosts)
     """
 )
 parser.add_argument(
@@ -229,6 +292,16 @@ parser.add_argument(
     sacrifice latency to improve bandwidth benchmarks
     """
 )
+parser.add_argument(
+    "--latency-buffer-size",
+    metavar="SIZE",
+    type=int,
+    default=32768,
+    dest="latency_buffer_size",
+    help="""
+    size of latency control buffer
+    """
+)
 parser.add_argument(
     "--wrap",
     metavar="NUM",
@@ -277,6 +350,12 @@ parser.add_argument(
     pidfile name (only if using --daemon) [%(default)s]
     """
 )
+parser.add_argument(
+    "--user",
+    help="""
+    apply all the rules only to this linux user
+    """
+)
 parser.add_argument(
     "--firewall",
     action="store_true",
@@ -291,3 +370,50 @@ parser.add_argument(
     (internal use only)
     """
 )
+parser.add_argument(
+    "--sudoers",
+    action="store_true",
+    help="""
+    Add sshuttle to the sudoers for this user
+    """
+)
+parser.add_argument(
+    "--sudoers-no-modify",
+    action="store_true",
+    help="""
+    Prints the sudoers config to STDOUT and DOES NOT modify anything.
+    """
+)
+parser.add_argument(
+    "--sudoers-user",
+    default="",
+    help="""
+    Set the user name or group with %%group_name for passwordless operation.
+    Default is the current user.set ALL for all users. Only works with
+    --sudoers or --sudoers-no-modify option.
+    """
+)
+parser.add_argument(
+    "--sudoers-filename",
+    default="sshuttle_auto",
+    help="""
+    Set the file name for the sudoers.d file to be added. Default is
+    "sshuttle_auto". Only works with --sudoers or --sudoers-no-modify option.
+    """
+)
+parser.add_argument(
+    "--no-sudo-pythonpath",
+    action="store_false",
+    dest="sudo_pythonpath",
+    help="""
+    do not set PYTHONPATH when invoking sudo
+    """
+)
+parser.add_argument(
+    "-t", "--tmark",
+    metavar="[MARK]",
+    default="1",
+    help="""
+    transproxy optional traffic mark with provided MARK value
+    """
+)

sshuttle/sdnotify.py

@@ -1,8 +1,21 @@
+"""When sshuttle is run via a systemd service file, we can communicate
+to systemd about the status of the sshuttle process. In particular, we
+can send READY status to tell systemd that sshuttle has completed
+startup and send STOPPING to indicate that sshuttle is beginning
+shutdown.
+
+For details, see:
+https://www.freedesktop.org/software/systemd/man/sd_notify.html
+"""
+
 import socket
 import os
+
 from sshuttle.helpers import debug1
 
+
 def _notify(message):
+    """Send a notification message to systemd."""
     addr = os.environ.get("NOTIFY_SOCKET", None)
 
     if not addr or len(addr) == 1 or addr[0] not in ('/', '@'):
@@ -27,14 +40,24 @@ def _notify(message):
         debug1("Error notifying systemd: %s\n" % e)
         return False
 
+
 def send(*messages):
+    """Send multiple messages to systemd."""
     return _notify(b'\n'.join(messages))
 
+
 def ready():
+    """Constructs a message that is appropriate to send upon completion of
+sshuttle startup."""
     return b"READY=1"
 
+
 def stop():
+    """Constructs a message that is appropriate to send when sshuttle is
+beginning to shutdown."""
     return b"STOPPING=1"
 
+
 def status(message):
+    """Constructs a status message to be sent to systemd."""
     return b"STATUS=%s" % message.encode('utf8')

sshuttle/server.py

@@ -7,25 +7,21 @@ import sys
 import os
 import platform
 
+
 import sshuttle.ssnet as ssnet
 import sshuttle.helpers as helpers
 import sshuttle.hostwatch as hostwatch
 import subprocess as ssubprocess
 from sshuttle.ssnet import Handler, Proxy, Mux, MuxWrapper
 from sshuttle.helpers import b, log, debug1, debug2, debug3, Fatal, \
-    resolvconf_random_nameserver
-
-try:
-    from shutil import which
-except ImportError:
-    from distutils.spawn import find_executable as which
+    resolvconf_random_nameserver, which, get_env
 
 
 def _ipmatch(ipstr):
     # FIXME: IPv4 only
     if ipstr == 'default':
         ipstr = '0.0.0.0/0'
-    m = re.match('^(\d+(\.\d+(\.\d+(\.\d+)?)?)?)(?:/(\d+))?$', ipstr)
+    m = re.match(r'^(\d+(\.\d+(\.\d+(\.\d+)?)?)?)(?:/(\d+))?$', ipstr)
     if m:
         g = m.groups()
         ips = g[0]
@@ -86,11 +82,7 @@ def _route_iproute(line):
 
 def _list_routes(argv, extract_route):
     # FIXME: IPv4 only
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
+    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())
     routes = []
     for line in p.stdout:
         if not line.strip():
@@ -105,7 +97,6 @@ def _list_routes(argv, extract_route):
     rv = p.wait()
     if rv != 0:
         log('WARNING: %r returned %d\n' % (argv, rv))
-        log('WARNING: That prevents --auto-nets from working.\n')
 
     return routes
 
@@ -116,7 +107,8 @@ def list_routes():
     elif which('netstat'):
         routes = _list_routes(['netstat', '-rn'], _route_netstat)
     else:
-        log('WARNING: Neither ip nor netstat were found on the server.\n')
+        log('WARNING: Neither "ip" nor "netstat" were found on the server. '
+            '--auto-nets feature will not work.\n')
         routes = []
 
     for (family, ip, width) in routes:
@@ -160,7 +152,7 @@ class Hostwatch:
 
 class DnsProxy(Handler):
 
-    def __init__(self, mux, chan, request):
+    def __init__(self, mux, chan, request, to_nameserver):
         Handler.__init__(self, [])
         self.timeout = time.time() + 30
         self.mux = mux
@@ -168,22 +160,43 @@ class DnsProxy(Handler):
         self.tries = 0
         self.request = request
         self.peers = {}
+        self.to_ns_peer = None
+        self.to_ns_port = None
+        if to_nameserver is None:
+            self.to_nameserver = None
+        else:
+            self.to_ns_peer, self.to_ns_port = to_nameserver.split("@")
+            self.to_nameserver = self._addrinfo(self.to_ns_peer,
+                                                self.to_ns_port)
         self.try_send()
 
+    @staticmethod
+    def _addrinfo(peer, port):
+        if int(port) == 0:
+            port = 53
+        family, _, _, _, sockaddr = socket.getaddrinfo(peer, port)[0]
+        return (family, sockaddr)
+
     def try_send(self):
         if self.tries >= 3:
             return
         self.tries += 1
 
-        family, peer = resolvconf_random_nameserver()
+        if self.to_nameserver is None:
+            _, peer = resolvconf_random_nameserver(False)
+            port = 53
+        else:
+            peer = self.to_ns_peer
+            port = int(self.to_ns_port)
 
+        family, sockaddr = self._addrinfo(peer, port)
         sock = socket.socket(family, socket.SOCK_DGRAM)
-        sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
-        sock.connect((peer, 53))
+        sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
+        sock.connect(sockaddr)
 
         self.peers[sock] = peer
 
-        debug2('DNS: sending to %r (try %d)\n' % (peer, self.tries))
+        debug2('DNS: sending to %r:%d (try %d)\n' % (peer, port, self.tries))
         try:
             sock.send(self.request)
             self.socks.append(sock)
@@ -235,15 +248,15 @@ class UdpProxy(Handler):
         self.chan = chan
         self.sock = sock
         if family == socket.AF_INET:
-            self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
+            self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
 
     def send(self, dstip, data):
-        debug2('UDP: sending to %r port %d\n' % dstip)
+        debug2(' s: UDP: sending to %r port %d\n' % dstip)
         try:
             self.sock.sendto(data, dstip)
         except socket.error:
             _, e = sys.exc_info()[:2]
-            log('UDP send to %r port %d: %s\n' % (dstip[0], dstip[1], e))
+            log(' s: UDP send to %r port %d: %s\n' % (dstip[0], dstip[1], e))
             return
 
     def callback(self, sock):
@@ -251,38 +264,37 @@ class UdpProxy(Handler):
             data, peer = sock.recvfrom(4096)
         except socket.error:
             _, e = sys.exc_info()[:2]
-            log('UDP recv from %r port %d: %s\n' % (peer[0], peer[1], e))
+            log(' s: UDP recv from %r port %d: %s\n' % (peer[0], peer[1], e))
             return
-        debug2('UDP response: %d bytes\n' % len(data))
+        debug2(' s: UDP response: %d bytes\n' % len(data))
         hdr = b("%s,%r," % (peer[0], peer[1]))
         self.mux.send(self.chan, ssnet.CMD_UDP_DATA, hdr + data)
 
 
-def main(latency_control, auto_hosts):
-    debug1('Starting server with Python version %s\n'
+def main(latency_control, auto_hosts, to_nameserver, auto_nets):
+    debug1(' s: Starting server with Python version %s\n'
            % platform.python_version())
 
-    if helpers.verbose >= 1:
-        helpers.logprefix = ' s: '
-    else:
-        helpers.logprefix = 'server: '
+    helpers.logprefix = ' s: '
     debug1('latency control setting = %r\n' % latency_control)
 
-    routes = list(list_routes())
-    debug1('available routes:\n')
-    for r in routes:
-        debug1('  %d/%s/%d\n' % r)
-
     # synchronization header
     sys.stdout.write('\0\0SSHUTTLE0001')
     sys.stdout.flush()
 
     handlers = []
-    mux = Mux(socket.fromfd(sys.stdin.fileno(),
-                            socket.AF_INET, socket.SOCK_STREAM),
-              socket.fromfd(sys.stdout.fileno(),
-                            socket.AF_INET, socket.SOCK_STREAM))
+    mux = Mux(sys.stdin, sys.stdout)
     handlers.append(mux)
+
+    debug1('auto-nets:' + str(auto_nets) + '\n')
+    if auto_nets:
+        routes = list(list_routes())
+        debug1('available routes:\n')
+        for r in routes:
+            debug1('  %d/%s/%d\n' % r)
+    else:
+        routes = []
+
     routepkt = ''
     for r in routes:
         routepkt += '%d,%s,%d\n' % r
@@ -304,12 +316,12 @@ def main(latency_control, auto_hosts):
                 hw.leftover = b('')
             mux.send(0, ssnet.CMD_HOST_LIST, b('\n').join(lines))
         else:
-            raise Fatal('hostwatch process died')
+            raise Fatal(' s: hostwatch process died')
 
     def got_host_req(data):
         if not hw.pid:
             (hw.pid, hw.sock) = start_hostwatch(
-                    data.strip().split(), auto_hosts)
+                    data.decode("ASCII").strip().split(), auto_hosts)
             handlers.append(Handler(socks=[hw.sock],
                                     callback=hostwatch_ready))
     mux.got_host_req = got_host_req
@@ -332,7 +344,7 @@ def main(latency_control, auto_hosts):
 
     def dns_req(channel, data):
         debug2('Incoming DNS request channel=%d.\n' % channel)
-        h = DnsProxy(mux, channel, data)
+        h = DnsProxy(mux, channel, data, to_nameserver)
         handlers.append(h)
         dnshandlers[channel] = h
     mux.got_dns_req = dns_req
@@ -358,7 +370,7 @@ def main(latency_control, auto_hosts):
         family = int(data)
         mux.channels[channel] = lambda cmd, data: udp_req(channel, cmd, data)
         if channel in udphandlers:
-            raise Fatal('UDP connection channel %d already open' % channel)
+            raise Fatal(' s: UDP connection channel %d already open' % channel)
         else:
             h = UdpProxy(mux, channel, family)
             handlers.append(h)

sshuttle/ssh.py

@@ -3,89 +3,96 @@ import os
 import re
 import socket
 import zlib
-import imp
+import importlib
+import importlib.util
 import subprocess as ssubprocess
 import shlex
+from shlex import quote
+import ipaddress
+from urllib.parse import urlparse
+
 import sshuttle.helpers as helpers
-from sshuttle.helpers import debug2
-
-try:
-    # Python >= 3.5
-    from shlex import quote
-except ImportError:
-    # Python 2.x
-    from pipes import quote
+from sshuttle.helpers import debug2, which, get_path, Fatal
 
 
-def readfile(name):
-    tokens = name.split(".")
-    f = None
-
-    token = tokens[0]
-    token_name = [token]
-    token_str = ".".join(token_name)
-
-    try:
-        f, pathname, description = imp.find_module(token_str)
-
-        for token in tokens[1:]:
-            module = imp.load_module(token_str, f, pathname, description)
-            if f is not None:
-                f.close()
-
-            token_name.append(token)
-            token_str = ".".join(token_name)
-
-            f, pathname, description = imp.find_module(
-                token, module.__path__)
-
-        if f is not None:
-            contents = f.read()
-        else:
-            contents = ""
-
-    finally:
-        if f is not None:
-            f.close()
-
-    return contents.encode("UTF8")
+def get_module_source(name):
+    spec = importlib.util.find_spec(name)
+    with open(spec.origin, "rt") as f:
+        return f.read().encode("utf-8")
 
 
 def empackage(z, name, data=None):
     if not data:
-        data = readfile(name)
+        data = get_module_source(name)
     content = z.compress(data)
     content += z.flush(zlib.Z_SYNC_FLUSH)
 
     return b'%s\n%d\n%s' % (name.encode("ASCII"), len(content), content)
 
 
+def parse_hostport(rhostport):
+    """
+    parses the given rhostport variable, looking like this:
+
+            [username[:password]@]host[:port]
+
+    if only host is given, can be a hostname, IPv4/v6 address or a ssh alias
+    from ~/.ssh/config
+
+    and returns a tuple (username, password, port, host)
+    """
+    # leave use of default port to ssh command to prevent overwriting
+    # ports configured in ~/.ssh/config when no port is given
+    if rhostport is None or len(rhostport) == 0:
+        return None, None, None, None
+    port = None
+    username = None
+    password = None
+    host = rhostport
+
+    if "@" in host:
+        # split username (and possible password) from the host[:port]
+        username, host = host.rsplit("@", 1)
+        # Fix #410 bad username error detect
+        if ":" in username:
+            # this will even allow for the username to be empty
+            username, password = username.split(":")
+
+    if ":" in host:
+        # IPv6 address and/or got a port specified
+
+        # If it is an IPv6 adress with port specification,
+        # then it will look like: [::1]:22
+
+        try:
+            # try to parse host as an IP adress,
+            # if that works it is an IPv6 address
+            host = str(ipaddress.ip_address(host))
+        except ValueError:
+            # if that fails parse as URL to get the port
+            parsed = urlparse('//{}'.format(host))
+            try:
+                host = str(ipaddress.ip_address(parsed.hostname))
+            except ValueError:
+                # else if both fails, we have a hostname with port
+                host = parsed.hostname
+            port = parsed.port
+
+    if password is None or len(password) == 0:
+        password = None
+
+    return username, password, port, host
+
+
 def connect(ssh_cmd, rhostport, python, stderr, options):
-    portl = []
-
-    if re.sub(r'.*@', '', rhostport or '').count(':') > 1:
-        if rhostport.count(']') or rhostport.count('['):
-            result = rhostport.split(']')
-            rhost = result[0].strip('[')
-            if len(result) > 1:
-                result[1] = result[1].strip(':')
-                if result[1] is not '':
-                    portl = ['-p', str(int(result[1]))]
-        # can't disambiguate IPv6 colons and a port number. pass the hostname
-        # through.
-        else:
-            rhost = rhostport
-    else:  # IPv4
-        l = (rhostport or '').rsplit(':', 1)
-        rhost = l[0]
-        if len(l) > 1:
-            portl = ['-p', str(int(l[1]))]
-
-    if rhost == '-':
-        rhost = None
+    username, password, port, host = parse_hostport(rhostport)
+    if username:
+        rhost = "{}@{}".format(username, host)
+    else:
+        rhost = host
 
     z = zlib.compressobj(1)
-    content = readfile('sshuttle.assembler')
+    content = get_module_source('sshuttle.assembler')
     optdata = ''.join("%s=%r\n" % (k, v) for (k, v) in list(options.items()))
     optdata = optdata.encode("UTF8")
     content2 = (empackage(z, 'sshuttle') +
@@ -113,15 +120,38 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
             sshl = shlex.split(ssh_cmd)
         else:
             sshl = ['ssh']
+        if port is not None:
+            portl = ["-p", str(port)]
+        else:
+            portl = []
         if python:
             pycmd = "'%s' -c '%s'" % (python, pyscript)
         else:
-            pycmd = ("P=python3.5; $P -V 2>/dev/null || P=python; "
-                     "exec \"$P\" -c %s") % quote(pyscript)
-            pycmd = ("exec /bin/sh -c %s" % quote(pycmd))
-        argv = (sshl +
-                portl +
-                [rhost, '--', pycmd])
+            pycmd = ("P=python3; $P -V 2>%s || P=python; "
+                     "exec \"$P\" -c %s") % (os.devnull, quote(pyscript))
+            pycmd = ("/bin/sh -c {}".format(quote(pycmd)))
+
+        if password is not None:
+            os.environ['SSHPASS'] = str(password)
+            argv = (["sshpass", "-e"] + sshl +
+                    portl +
+                    [rhost, '--', pycmd])
+
+        else:
+            argv = (sshl +
+                    portl +
+                    [rhost, '--', pycmd])
+
+    # Our which() function searches for programs in get_path()
+    # directories (which include PATH). This step isn't strictly
+    # necessary if ssh is already in the user's PATH, but it makes the
+    # error message friendlier if the user incorrectly passes in a
+    # custom ssh command that we cannot find.
+    abs_path = which(argv[0])
+    if abs_path is None:
+        raise Fatal("Failed to find '%s' in path %s" % (argv[0], get_path()))
+    argv[0] = abs_path
+
     (s1, s2) = socket.socketpair()
 
     def setup():
@@ -129,6 +159,7 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
         s2.close()
     s1a, s1b = os.dup(s1.fileno()), os.dup(s1.fileno())
     s1.close()
+
     debug2('executing: %r\n' % argv)
     p = ssubprocess.Popen(argv, stdin=s1a, stdout=s1b, preexec_fn=setup,
                           close_fds=True, stderr=stderr)

sshuttle/ssnet.py

@@ -4,19 +4,19 @@ import socket
 import errno
 import select
 import os
-from sshuttle.helpers import b, binary_type, log, debug1, debug2, debug3, Fatal
+import fcntl
+
+from sshuttle.helpers import b, log, debug1, debug2, debug3, Fatal
 
 MAX_CHANNEL = 65535
+LATENCY_BUFFER_SIZE = 32768
 
-# these don't exist in the socket module in python 2.3!
 SHUT_RD = 0
 SHUT_WR = 1
 SHUT_RDWR = 2
 
-
 HDR_LEN = 8
 
-
 CMD_EXIT = 0x4200
 CMD_PING = 0x4201
 CMD_PONG = 0x4202
@@ -55,17 +55,18 @@ cmd_to_name = {
 NET_ERRS = [errno.ECONNREFUSED, errno.ETIMEDOUT,
             errno.EHOSTUNREACH, errno.ENETUNREACH,
             errno.EHOSTDOWN, errno.ENETDOWN,
-            errno.ENETUNREACH]
+            errno.ENETUNREACH, errno.ECONNABORTED,
+            errno.ECONNRESET]
 
 
-def _add(l, elem):
-    if elem not in l:
-        l.append(elem)
+def _add(socks, elem):
+    if elem not in socks:
+        socks.append(elem)
 
 
-def _fds(l):
+def _fds(socks):
     out = []
-    for i in l:
+    for i in socks:
         try:
             out.append(i.fileno())
         except AttributeError:
@@ -93,8 +94,12 @@ def _try_peername(sock):
             return '%s:%s' % (pn[0], pn[1])
     except socket.error:
         _, e = sys.exc_info()[:2]
-        if e.args[0] not in (errno.ENOTCONN, errno.ENOTSOCK):
+        if e.args[0] == errno.EINVAL:
+            pass
+        elif e.args[0] not in (errno.ENOTCONN, errno.ENOTSOCK):
             raise
+    except AttributeError:
+        pass
     return 'unknown'
 
 
@@ -200,7 +205,8 @@ class SockWrapper:
                 _, e = sys.exc_info()[:2]
                 self.seterr('nowrite: %s' % e)
 
-    def too_full(self):
+    @staticmethod
+    def too_full():
         return False  # fullness is determined by the socket's select() state
 
     def uwrite(self, buf):
@@ -270,7 +276,7 @@ class Handler:
 
     def callback(self, sock):
         log('--no callback defined-- %r\n' % self)
-        (r, w, x) = select.select(self.socks, [], [], 0)
+        (r, _, _) = select.select(self.socks, [], [], 0)
         for s in r:
             v = s.recv(4096)
             if not v:
@@ -331,10 +337,10 @@ class Proxy(Handler):
 
 class Mux(Handler):
 
-    def __init__(self, rsock, wsock):
-        Handler.__init__(self, [rsock, wsock])
-        self.rsock = rsock
-        self.wsock = wsock
+    def __init__(self, rfile, wfile):
+        Handler.__init__(self, [rfile, wfile])
+        self.rfile = rfile
+        self.wfile = wfile
         self.new_channel = self.got_dns_req = self.got_routes = None
         self.got_udp_open = self.got_udp_data = self.got_udp_close = None
         self.got_host_req = self.got_host_list = None
@@ -349,7 +355,7 @@ class Mux(Handler):
 
     def next_channel(self):
         # channel 0 is special, so we never allocate it
-        for timeout in range(1024):
+        for _ in range(1024):
             self.chani += 1
             if self.chani > MAX_CHANNEL:
                 self.chani = 1
@@ -363,7 +369,7 @@ class Mux(Handler):
         return total
 
     def check_fullness(self):
-        if self.fullness > 32768:
+        if self.fullness > LATENCY_BUFFER_SIZE:
             if not self.too_full:
                 self.send(0, CMD_PING, b('rttest'))
             self.too_full = True
@@ -374,7 +380,7 @@ class Mux(Handler):
         # log('outbuf: %d %r\n' % (self.amount_queued(), ob))
 
     def send(self, channel, cmd, data):
-        assert isinstance(data, binary_type)
+        assert isinstance(data, bytes)
         assert len(data) <= 65535
         p = struct.pack('!ccHHH', b('S'), b('S'), channel, cmd, len(data)) \
             + data
@@ -431,9 +437,15 @@ class Mux(Handler):
                 callback(cmd, data)
 
     def flush(self):
-        self.wsock.setblocking(False)
+        try:
+            os.set_blocking(self.wfile.fileno(), False)
+        except AttributeError:
+            # python < 3.5
+            flags = fcntl.fcntl(self.wfile.fileno(), fcntl.F_GETFL)
+            flags |= os.O_NONBLOCK
+            flags = fcntl.fcntl(self.wfile.fileno(), fcntl.F_SETFL, flags)
         if self.outbuf and self.outbuf[0]:
-            wrote = _nb_clean(os.write, self.wsock.fileno(), self.outbuf[0])
+            wrote = _nb_clean(os.write, self.wfile.fileno(), self.outbuf[0])
             debug2('mux wrote: %r/%d\n' % (wrote, len(self.outbuf[0])))
             if wrote:
                 self.outbuf[0] = self.outbuf[0][wrote:]
@@ -441,9 +453,15 @@ class Mux(Handler):
             self.outbuf[0:1] = []
 
     def fill(self):
-        self.rsock.setblocking(False)
         try:
-            read = _nb_clean(os.read, self.rsock.fileno(), 32768)
+            os.set_blocking(self.rfile.fileno(), False)
+        except AttributeError:
+            # python < 3.5
+            flags = fcntl.fcntl(self.rfile.fileno(), fcntl.F_GETFL)
+            flags |= os.O_NONBLOCK
+            flags = fcntl.fcntl(self.rfile.fileno(), fcntl.F_SETFL, flags)
+        try:
+            read = _nb_clean(os.read, self.rfile.fileno(), LATENCY_BUFFER_SIZE)
         except OSError:
             _, e = sys.exc_info()[:2]
             raise Fatal('other end: %r' % e)
@@ -473,22 +491,22 @@ class Mux(Handler):
                 break
 
     def pre_select(self, r, w, x):
-        _add(r, self.rsock)
+        _add(r, self.rfile)
         if self.outbuf:
-            _add(w, self.wsock)
+            _add(w, self.wfile)
 
     def callback(self, sock):
-        (r, w, x) = select.select([self.rsock], [self.wsock], [], 0)
-        if self.rsock in r:
+        (r, w, _) = select.select([self.rfile], [self.wfile], [], 0)
+        if self.rfile in r:
             self.handle()
-        if self.outbuf and self.wsock in w:
+        if self.outbuf and self.wfile in w:
             self.flush()
 
 
 class MuxWrapper(SockWrapper):
 
     def __init__(self, mux, channel):
-        SockWrapper.__init__(self, mux.rsock, mux.wsock)
+        SockWrapper.__init__(self, mux.rfile, mux.wfile)
         self.mux = mux
         self.channel = channel
         self.mux.channels[channel] = self.got_packet
@@ -565,7 +583,7 @@ class MuxWrapper(SockWrapper):
 def connect_dst(family, ip, port):
     debug2('Connecting to %s:%d\n' % (ip, port))
     outsock = socket.socket(family)
-    outsock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
+    outsock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
     return SockWrapper(outsock, outsock,
                        connect_to=(ip, port),
                        peername='%s:%d' % (ip, port))

sshuttle/ssyslog.py

@@ -8,12 +8,24 @@ _p = None
 
 def start_syslog():
     global _p
-    _p = ssubprocess.Popen(['logger',
-                            '-p', 'daemon.notice',
-                            '-t', 'sshuttle'], stdin=ssubprocess.PIPE)
+    with open(os.devnull, 'w') as devnull:
+        _p = ssubprocess.Popen(
+            ['logger', '-p', 'daemon.notice', '-t', 'sshuttle'],
+            stdin=ssubprocess.PIPE,
+            stdout=devnull,
+            stderr=devnull
+        )
+
+
+def close_stdin():
+    sys.stdin.close()
+
+
+def stdout_to_syslog():
+    sys.stdout.flush()
+    os.dup2(_p.stdin.fileno(), sys.stdout.fileno())
 
 
 def stderr_to_syslog():
-    sys.stdout.flush()
     sys.stderr.flush()
-    os.dup2(_p.stdin.fileno(), 2)
+    os.dup2(_p.stdin.fileno(), sys.stderr.fileno())

sshuttle/sudoers.py

@@ -0,0 +1,64 @@
+import os
+import sys
+import getpass
+from uuid import uuid4
+from subprocess import Popen, PIPE
+from sshuttle.helpers import log, debug1
+from distutils import spawn
+
+path_to_sshuttle = sys.argv[0]
+path_to_dist_packages = os.path.dirname(os.path.abspath(__file__))[:-9]
+
+# randomize command alias to avoid collisions
+command_alias = 'SSHUTTLE%(num)s' % {'num': uuid4().hex[-3:].upper()}
+
+# Template for the sudoers file
+template = '''
+Cmnd_Alias %(ca)s = /usr/bin/env PYTHONPATH=%(dist_packages)s %(py)s %(path)s *
+
+%(user_name)s ALL=NOPASSWD: %(ca)s
+'''
+
+
+def build_config(user_name):
+    content = template % {
+        'ca': command_alias,
+        'dist_packages': path_to_dist_packages,
+        'py': sys.executable,
+        'path': path_to_sshuttle,
+        'user_name': user_name,
+    }
+
+    return content
+
+
+def save_config(content, file_name):
+    process = Popen([
+        '/usr/bin/sudo',
+        spawn.find_executable('sudoers-add'),
+        file_name,
+    ], stdout=PIPE, stdin=PIPE)
+
+    process.stdin.write(content.encode())
+
+    streamdata = process.communicate()[0]
+    returncode = process.returncode
+
+    if returncode:
+        log('Failed updating sudoers file.\n')
+        debug1(streamdata)
+        exit(returncode)
+    else:
+        log('Success, sudoers file update.\n')
+        exit(0)
+
+
+def sudoers(user_name=None, no_modify=None, file_name=None):
+    user_name = user_name or getpass.getuser()
+    content = build_config(user_name)
+
+    if no_modify:
+        sys.stdout.write(content)
+        exit(0)
+    else:
+        save_config(content, file_name)

tests/client/test_firewall.py

@@ -1,23 +1,23 @@
-from mock import Mock, patch, call
 import io
-import socket
+from socket import AF_INET, AF_INET6
 
+from mock import Mock, patch, call
 import sshuttle.firewall
 
 
 def setup_daemon():
     stdin = io.StringIO(u"""ROUTES
-2,24,0,1.2.3.0,8000,9000
-2,32,1,1.2.3.66,8080,8080
-10,64,0,2404:6800:4004:80c::,0,0
-10,128,1,2404:6800:4004:80c::101f,80,80
+{inet},24,0,1.2.3.0,8000,9000
+{inet},32,1,1.2.3.66,8080,8080
+{inet6},64,0,2404:6800:4004:80c::,0,0
+{inet6},128,1,2404:6800:4004:80c::101f,80,80
 NSLIST
-2,1.2.3.33
-10,2404:6800:4004:80c::33
+{inet},1.2.3.33
+{inet6},2404:6800:4004:80c::33
 PORTS 1024,1025,1026,1027
-GO 1
+GO 1 -
 HOST 1.2.3.3,existing
-""")
+""".format(inet=AF_INET, inet6=AF_INET6))
     stdout = Mock()
     return stdin, stdout
 
@@ -55,38 +55,39 @@ def test_rewrite_etc_hosts(tmpdir):
         assert line == ""
 
     with patch('sshuttle.firewall.HOSTSFILE', new=str(new_hosts)):
-        sshuttle.firewall.restore_etc_hosts(10)
+        sshuttle.firewall.restore_etc_hosts(hostmap, 10)
     assert orig_hosts.computehash() == new_hosts.computehash()
 
 
 def test_subnet_weight():
     subnets = [
-        (socket.AF_INET, 16, 0, '192.168.0.0', 0, 0),
-        (socket.AF_INET, 24, 0, '192.168.69.0', 0, 0),
-        (socket.AF_INET, 32, 0, '192.168.69.70', 0, 0),
-        (socket.AF_INET, 32, 1, '192.168.69.70', 0, 0),
-        (socket.AF_INET, 32, 1, '192.168.69.70', 80, 80),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 0, 0),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 400, 450)
+        (AF_INET, 16, 0, '192.168.0.0', 0, 0),
+        (AF_INET, 24, 0, '192.168.69.0', 0, 0),
+        (AF_INET, 32, 0, '192.168.69.70', 0, 0),
+        (AF_INET, 32, 1, '192.168.69.70', 0, 0),
+        (AF_INET, 32, 1, '192.168.69.70', 80, 80),
+        (AF_INET, 0, 1, '0.0.0.0', 0, 0),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
+        (AF_INET, 0, 1, '0.0.0.0', 400, 450)
     ]
     subnets_sorted = [
-        (socket.AF_INET, 32, 1, '192.168.69.70', 80, 80),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 400, 450),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
-        (socket.AF_INET, 32, 1, '192.168.69.70', 0, 0),
-        (socket.AF_INET, 32, 0, '192.168.69.70', 0, 0),
-        (socket.AF_INET, 24, 0, '192.168.69.0', 0, 0),
-        (socket.AF_INET, 16, 0, '192.168.0.0', 0, 0),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 0, 0)
+        (AF_INET, 32, 1, '192.168.69.70', 80, 80),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
+        (AF_INET, 0, 1, '0.0.0.0', 400, 450),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
+        (AF_INET, 32, 1, '192.168.69.70', 0, 0),
+        (AF_INET, 32, 0, '192.168.69.70', 0, 0),
+        (AF_INET, 24, 0, '192.168.69.0', 0, 0),
+        (AF_INET, 16, 0, '192.168.0.0', 0, 0),
+        (AF_INET, 0, 1, '0.0.0.0', 0, 0)
     ]
 
-    assert subnets_sorted == \
-            sorted(subnets, key=sshuttle.firewall.subnet_weight, reverse=True)
+    assert subnets_sorted == sorted(subnets,
+                                    key=sshuttle.firewall.subnet_weight,
+                                    reverse=True)
 
 
 @patch('sshuttle.firewall.rewrite_etc_hosts')
@@ -115,20 +116,24 @@ def test_main(mock_get_method, mock_setup_daemon, mock_rewrite_etc_hosts):
     assert mock_setup_daemon.mock_calls == [call()]
     assert mock_get_method.mock_calls == [
         call('not_auto'),
+        call().is_supported(),
+        call().is_supported().__bool__(),
         call().setup_firewall(
             1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
-            10,
-            [(10, 64, False, u'2404:6800:4004:80c::', 0, 0),
-                (10, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
-            True),
+            [(AF_INET6, u'2404:6800:4004:80c::33')],
+            AF_INET6,
+            [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 0, 0),
+                (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
+            True,
+            None),
         call().setup_firewall(
             1025, 1027,
-            [(2, u'1.2.3.33')],
-            2,
-            [(2, 24, False, u'1.2.3.0', 8000, 9000),
-                (2, 32, True, u'1.2.3.66', 8080, 8080)],
-            True),
-        call().restore_firewall(1024, 10, True),
-        call().restore_firewall(1025, 2, True),
+            [(AF_INET, u'1.2.3.33')],
+            AF_INET,
+            [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
+                (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
+            True,
+            None),
+        call().restore_firewall(1024, AF_INET6, True, None),
+        call().restore_firewall(1025, AF_INET, True, None),
     ]

tests/client/test_helpers.py

@@ -1,8 +1,9 @@
-from mock import patch, call
-import sys
 import io
 import socket
+from socket import AF_INET, AF_INET6
+import errno
 
+from mock import patch, call
 import sshuttle.helpers
 
 
@@ -130,12 +131,14 @@ nameserver 2404:6800:4004:80c::3
 nameserver 2404:6800:4004:80c::4
 """)
 
-    ns = sshuttle.helpers.resolvconf_nameservers()
+    ns = sshuttle.helpers.resolvconf_nameservers(False)
     assert ns == [
-        (2, u'192.168.1.1'), (2, u'192.168.2.1'),
-        (2, u'192.168.3.1'), (2, u'192.168.4.1'),
-        (10, u'2404:6800:4004:80c::1'), (10, u'2404:6800:4004:80c::2'),
-        (10, u'2404:6800:4004:80c::3'), (10, u'2404:6800:4004:80c::4')
+        (AF_INET, u'192.168.1.1'), (AF_INET, u'192.168.2.1'),
+        (AF_INET, u'192.168.3.1'), (AF_INET, u'192.168.4.1'),
+        (AF_INET6, u'2404:6800:4004:80c::1'),
+        (AF_INET6, u'2404:6800:4004:80c::2'),
+        (AF_INET6, u'2404:6800:4004:80c::3'),
+        (AF_INET6, u'2404:6800:4004:80c::4')
     ]
 
 
@@ -153,39 +156,41 @@ nameserver 2404:6800:4004:80c::2
 nameserver 2404:6800:4004:80c::3
 nameserver 2404:6800:4004:80c::4
 """)
-    ns = sshuttle.helpers.resolvconf_random_nameserver()
+    ns = sshuttle.helpers.resolvconf_random_nameserver(False)
     assert ns in [
-        (2, u'192.168.1.1'), (2, u'192.168.2.1'),
-        (2, u'192.168.3.1'), (2, u'192.168.4.1'),
-        (10, u'2404:6800:4004:80c::1'), (10, u'2404:6800:4004:80c::2'),
-        (10, u'2404:6800:4004:80c::3'), (10, u'2404:6800:4004:80c::4')
+        (AF_INET, u'192.168.1.1'), (AF_INET, u'192.168.2.1'),
+        (AF_INET, u'192.168.3.1'), (AF_INET, u'192.168.4.1'),
+        (AF_INET6, u'2404:6800:4004:80c::1'),
+        (AF_INET6, u'2404:6800:4004:80c::2'),
+        (AF_INET6, u'2404:6800:4004:80c::3'),
+        (AF_INET6, u'2404:6800:4004:80c::4')
     ]
 
 
-def test_islocal():
-    assert sshuttle.helpers.islocal("127.0.0.1", socket.AF_INET)
-    assert not sshuttle.helpers.islocal("192.0.2.1", socket.AF_INET)
-    assert sshuttle.helpers.islocal("::1", socket.AF_INET6)
-    assert not sshuttle.helpers.islocal("2001:db8::1", socket.AF_INET6)
+@patch('sshuttle.helpers.socket.socket.bind')
+def test_islocal(mock_bind):
+    bind_error = socket.error(errno.EADDRNOTAVAIL)
+    mock_bind.side_effect = [None, bind_error, None, bind_error]
+
+    assert sshuttle.helpers.islocal("127.0.0.1", AF_INET)
+    assert not sshuttle.helpers.islocal("192.0.2.1", AF_INET)
+    assert sshuttle.helpers.islocal("::1", AF_INET6)
+    assert not sshuttle.helpers.islocal("2001:db8::1", AF_INET6)
 
 
 def test_family_ip_tuple():
     assert sshuttle.helpers.family_ip_tuple("127.0.0.1") \
-        == (socket.AF_INET, "127.0.0.1")
+        == (AF_INET, "127.0.0.1")
     assert sshuttle.helpers.family_ip_tuple("192.168.2.6") \
-        == (socket.AF_INET, "192.168.2.6")
+        == (AF_INET, "192.168.2.6")
     assert sshuttle.helpers.family_ip_tuple("::1") \
-        == (socket.AF_INET6, "::1")
+        == (AF_INET6, "::1")
     assert sshuttle.helpers.family_ip_tuple("2404:6800:4004:80c::1") \
-        == (socket.AF_INET6, "2404:6800:4004:80c::1")
+        == (AF_INET6, "2404:6800:4004:80c::1")
 
 
 def test_family_to_string():
-    assert sshuttle.helpers.family_to_string(socket.AF_INET) == "AF_INET"
-    assert sshuttle.helpers.family_to_string(socket.AF_INET6) == "AF_INET6"
-    if sys.version_info < (3, 0):
-        expected = "1"
-        assert sshuttle.helpers.family_to_string(socket.AF_UNIX) == "1"
-    else:
-        expected = 'AddressFamily.AF_UNIX'
+    assert sshuttle.helpers.family_to_string(AF_INET) == "AF_INET"
+    assert sshuttle.helpers.family_to_string(AF_INET6) == "AF_INET6"
+    expected = 'AddressFamily.AF_UNIX'
     assert sshuttle.helpers.family_to_string(socket.AF_UNIX) == expected

tests/client/test_methods_nat.py

@@ -1,8 +1,9 @@
-import pytest
-from mock import Mock, patch, call
 import socket
+from socket import AF_INET, AF_INET6
 import struct
 
+import pytest
+from mock import Mock, patch, call
 from sshuttle.helpers import Fatal
 from sshuttle.methods import get_method
 
@@ -17,12 +18,22 @@ def test_get_supported_features():
 
 def test_get_tcp_dstip():
     sock = Mock()
+    sock.family = AF_INET
     sock.getsockopt.return_value = struct.pack(
-        '!HHBBBB', socket.ntohs(socket.AF_INET), 1024, 127, 0, 0, 1)
+        '!HHBBBB', socket.ntohs(AF_INET), 1024, 127, 0, 0, 1)
     method = get_method('nat')
     assert method.get_tcp_dstip(sock) == ('127.0.0.1', 1024)
     assert sock.mock_calls == [call.getsockopt(0, 80, 16)]
 
+    sock = Mock()
+    sock.family = AF_INET6
+    sock.getsockopt.return_value = struct.pack(
+        '!HH4xBBBBBBBBBBBBBBBB', socket.ntohs(AF_INET6),
+        1024, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1)
+    method = get_method('nft')
+    assert method.get_tcp_dstip(sock) == ('::1', 1024)
+    assert sock.mock_calls == [call.getsockopt(41, 80, 64)]
+
 
 def test_recv_udp():
     sock = Mock()
@@ -84,11 +95,12 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
     with pytest.raises(Exception) as excinfo:
         method.setup_firewall(
             1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
-            10,
-            [(10, 64, False, u'2404:6800:4004:80c::', 0, 0),
-                (10, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
-            True)
+            [(AF_INET6, u'2404:6800:4004:80c::33')],
+            AF_INET6,
+            [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 0, 0),
+                (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
+            True,
+            None)
     assert str(excinfo.value) \
         == 'Address family "AF_INET6" unsupported by nat method_name'
     assert mock_ipt_chain_exists.mock_calls == []
@@ -98,11 +110,12 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
     with pytest.raises(Exception) as excinfo:
         method.setup_firewall(
             1025, 1027,
-            [(2, u'1.2.3.33')],
-            2,
-            [(2, 24, False, u'1.2.3.0', 8000, 9000),
-                (2, 32, True, u'1.2.3.66', 8080, 8080)],
-            True)
+            [(AF_INET, u'1.2.3.33')],
+            AF_INET,
+            [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
+                (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
+            True,
+            None)
     assert str(excinfo.value) == 'UDP not supported by nat method_name'
     assert mock_ipt_chain_exists.mock_calls == []
     assert mock_ipt_ttl.mock_calls == []
@@ -110,48 +123,53 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
 
     method.setup_firewall(
         1025, 1027,
-        [(2, u'1.2.3.33')],
-        2,
-        [(2, 24, False, u'1.2.3.0', 8000, 9000),
-            (2, 32, True, u'1.2.3.66', 8080, 8080)],
-        False)
+        [(AF_INET, u'1.2.3.33')],
+        AF_INET,
+        [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
+            (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
+        False,
+        None)
     assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'nat', 'sshuttle-1025')
+        call(AF_INET, 'nat', 'sshuttle-1025')
     ]
     assert mock_ipt_ttl.mock_calls == [
-        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
-            '--dest', u'1.2.3.0/24', '-p', 'tcp', '--dport', '8000:9000',
-             '--to-ports', '1025'),
-        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
-             '--dest', u'1.2.3.33/32', '-p', 'udp',
-             '--dport', '53', '--to-ports', '1027')
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
+             '-m', 'ttl', '--ttl', '63')
     ]
     assert mock_ipt.mock_calls == [
-        call(2, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-F', 'sshuttle-1025'),
-        call(2, 'nat', '-X', 'sshuttle-1025'),
-        call(2, 'nat', '-N', 'sshuttle-1025'),
-        call(2, 'nat', '-F', 'sshuttle-1025'),
-        call(2, 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-I', 'PREROUTING', '1', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
-            '--dest', u'1.2.3.66/32', '-p', 'tcp', '--dport', '8080:8080')
+        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-X', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-N', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-I', 'PREROUTING', '1', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
+             '--dest', u'1.2.3.33/32', '-p', 'udp',
+             '--dport', '53', '--to-ports', '1027'),
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
+             '--dest', u'1.2.3.66/32', '-p', 'tcp', '--dport', '8080:8080'),
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
+             '--dest', u'1.2.3.0/24', '-p', 'tcp', '--dport', '8000:9000',
+             '--to-ports', '1025')
     ]
     mock_ipt_chain_exists.reset_mock()
     mock_ipt_ttl.reset_mock()
     mock_ipt.reset_mock()
 
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
     assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'nat', 'sshuttle-1025')
+        call(AF_INET, 'nat', 'sshuttle-1025')
     ]
     assert mock_ipt_ttl.mock_calls == []
     assert mock_ipt.mock_calls == [
-        call(2, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-F', 'sshuttle-1025'),
-        call(2, 'nat', '-X', 'sshuttle-1025')
+        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-X', 'sshuttle-1025')
     ]
     mock_ipt_chain_exists.reset_mock()
     mock_ipt_ttl.reset_mock()

tests/client/test_methods_pf.py

@@ -1,9 +1,10 @@
+import socket
+from socket import AF_INET, AF_INET6
+
 import pytest
 from mock import Mock, patch, call, ANY
-import socket
-
 from sshuttle.methods import get_method
-from sshuttle.helpers import Fatal
+from sshuttle.helpers import Fatal, get_env
 from sshuttle.methods.pf import FreeBsd, Darwin, OpenBsd
 
 
@@ -20,7 +21,7 @@ def test_get_tcp_dstip():
     sock = Mock()
     sock.getpeername.return_value = ("127.0.0.1", 1024)
     sock.getsockname.return_value = ("127.0.0.2", 1025)
-    sock.family = socket.AF_INET
+    sock.family = AF_INET
 
     firewall = Mock()
     firewall.pfile.readline.return_value = \
@@ -94,7 +95,7 @@ def test_firewall_command_darwin(mock_pf_get_dev, mock_ioctl, mock_stdout):
     assert not method.firewall_command("somthing")
 
     command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
-        socket.AF_INET, socket.IPPROTO_TCP,
+        AF_INET, socket.IPPROTO_TCP,
         "127.0.0.1", 1025, "127.0.0.2", 1024)
     assert method.firewall_command(command)
 
@@ -117,7 +118,7 @@ def test_firewall_command_freebsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
     assert not method.firewall_command("somthing")
 
     command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
-        socket.AF_INET, socket.IPPROTO_TCP,
+        AF_INET, socket.IPPROTO_TCP,
         "127.0.0.1", 1025, "127.0.0.2", 1024)
     assert method.firewall_command(command)
 
@@ -140,7 +141,7 @@ def test_firewall_command_openbsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
     assert not method.firewall_command("somthing")
 
     command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
-        socket.AF_INET, socket.IPPROTO_TCP,
+        AF_INET, socket.IPPROTO_TCP,
         "127.0.0.1", 1025, "127.0.0.2", 1024)
     assert method.firewall_command(command)
 
@@ -180,11 +181,12 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 
     method.setup_firewall(
         1024, 1026,
-        [(10, u'2404:6800:4004:80c::33')],
-        10,
-        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
-            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
-        False)
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
+        AF_INET6,
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+        False,
+        None)
     assert mock_ioctl.mock_calls == [
         call(mock_pf_get_dev(), 0xC4704433, ANY),
         call(mock_pf_get_dev(), 0xCC20441A, ANY),
@@ -199,14 +201,14 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
         call('-s all'),
         call('-a sshuttle6-1024 -f /dev/stdin',
              b'table <dns_servers> {2404:6800:4004:80c::33}\n'
-             b'rdr pass on lo0 inet6 proto tcp to '
+             b'rdr pass on lo0 inet6 proto tcp from ! ::1 to '
              b'2404:6800:4004:80c::/64 port 8000:9000 -> ::1 port 1024\n'
              b'rdr pass on lo0 inet6 proto udp '
              b'to <dns_servers> port 53 -> ::1 port 1026\n'
-             b'pass out quick inet6 proto tcp to '
-             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
              b'pass out route-to lo0 inet6 proto tcp to '
              b'2404:6800:4004:80c::/64 port 8000:9000 keep state\n'
+             b'pass out inet6 proto tcp to '
+             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
              b'pass out route-to lo0 inet6 proto udp '
              b'to <dns_servers> port 53 keep state\n'),
         call('-E'),
@@ -218,11 +220,12 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     with pytest.raises(Exception) as excinfo:
         method.setup_firewall(
             1025, 1027,
-            [(2, u'1.2.3.33')],
-            2,
-            [(2, 24, False, u'1.2.3.0', 0, 0),
-                (2, 32, True, u'1.2.3.66', 80, 80)],
-            True)
+            [(AF_INET, u'1.2.3.33')],
+            AF_INET,
+            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+            True,
+            None)
     assert str(excinfo.value) == 'UDP not supported by pf method_name'
     assert mock_pf_get_dev.mock_calls == []
     assert mock_ioctl.mock_calls == []
@@ -230,10 +233,12 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 
     method.setup_firewall(
         1025, 1027,
-        [(2, u'1.2.3.33')],
-        2,
-        [(2, 24, False, u'1.2.3.0', 0, 0), (2, 32, True, u'1.2.3.66', 80, 80)],
-        False)
+        [(AF_INET, u'1.2.3.33')],
+        AF_INET,
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+        False,
+        None)
     assert mock_ioctl.mock_calls == [
         call(mock_pf_get_dev(), 0xC4704433, ANY),
         call(mock_pf_get_dev(), 0xCC20441A, ANY),
@@ -248,12 +253,12 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
         call('-s all'),
         call('-a sshuttle-1025 -f /dev/stdin',
              b'table <dns_servers> {1.2.3.33}\n'
-             b'rdr pass on lo0 inet proto tcp to 1.2.3.0/24 '
+             b'rdr pass on lo0 inet proto tcp from ! 127.0.0.1 to 1.2.3.0/24 '
              b'-> 127.0.0.1 port 1025\n'
              b'rdr pass on lo0 inet proto udp '
              b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
-             b'pass out quick inet proto tcp to 1.2.3.66/32 port 80:80\n'
              b'pass out route-to lo0 inet proto tcp to 1.2.3.0/24 keep state\n'
+             b'pass out inet proto tcp to 1.2.3.66/32 port 80:80\n'
              b'pass out route-to lo0 inet proto udp '
              b'to <dns_servers> port 53 keep state\n'),
         call('-E'),
@@ -262,7 +267,7 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     mock_ioctl.reset_mock()
     mock_pfctl.reset_mock()
 
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
     assert mock_ioctl.mock_calls == []
     assert mock_pfctl.mock_calls == [
         call('-a sshuttle-1025 -F all'),
@@ -275,10 +280,12 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 
 @patch('sshuttle.helpers.verbose', new=3)
 @patch('sshuttle.methods.pf.pf', FreeBsd())
+@patch('subprocess.call')
 @patch('sshuttle.methods.pf.pfctl')
 @patch('sshuttle.methods.pf.ioctl')
 @patch('sshuttle.methods.pf.pf_get_dev')
-def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
+def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl,
+                                mock_subprocess_call):
     mock_pfctl.side_effect = pfctl
 
     method = get_method('pf')
@@ -286,28 +293,31 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 
     method.setup_firewall(
         1024, 1026,
-        [(10, u'2404:6800:4004:80c::33')],
-        10,
-        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
-            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
-        False)
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
+        AF_INET6,
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+        False,
+        None)
 
     assert mock_pfctl.mock_calls == [
         call('-s all'),
         call('-a sshuttle6-1024 -f /dev/stdin',
              b'table <dns_servers> {2404:6800:4004:80c::33}\n'
-             b'rdr pass on lo0 inet6 proto tcp to 2404:6800:4004:80c::/64 '
-             b'port 8000:9000 -> ::1 port 1024\n'
+             b'rdr pass on lo0 inet6 proto tcp from ! ::1 to '
+             b'2404:6800:4004:80c::/64 port 8000:9000 -> ::1 port 1024\n'
              b'rdr pass on lo0 inet6 proto udp '
              b'to <dns_servers> port 53 -> ::1 port 1026\n'
-             b'pass out quick inet6 proto tcp to '
-             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
              b'pass out route-to lo0 inet6 proto tcp to '
              b'2404:6800:4004:80c::/64 port 8000:9000 keep state\n'
+             b'pass out inet6 proto tcp to '
+             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
              b'pass out route-to lo0 inet6 proto udp '
              b'to <dns_servers> port 53 keep state\n'),
         call('-e'),
     ]
+    assert call(['kldload', 'pf'], env=get_env()) in \
+        mock_subprocess_call.mock_calls
     mock_pf_get_dev.reset_mock()
     mock_ioctl.reset_mock()
     mock_pfctl.reset_mock()
@@ -315,11 +325,12 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     with pytest.raises(Exception) as excinfo:
         method.setup_firewall(
             1025, 1027,
-            [(2, u'1.2.3.33')],
-            2,
-            [(2, 24, False, u'1.2.3.0', 0, 0),
-                (2, 32, True, u'1.2.3.66', 80, 80)],
-            True)
+            [(AF_INET, u'1.2.3.33')],
+            AF_INET,
+            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+            True,
+            None)
     assert str(excinfo.value) == 'UDP not supported by pf method_name'
     assert mock_pf_get_dev.mock_calls == []
     assert mock_ioctl.mock_calls == []
@@ -327,10 +338,12 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 
     method.setup_firewall(
         1025, 1027,
-        [(2, u'1.2.3.33')],
-        2,
-        [(2, 24, False, u'1.2.3.0', 0, 0), (2, 32, True, u'1.2.3.66', 80, 80)],
-        False)
+        [(AF_INET, u'1.2.3.33')],
+        AF_INET,
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+        False,
+        None)
     assert mock_ioctl.mock_calls == [
         call(mock_pf_get_dev(), 0xC4704433, ANY),
         call(mock_pf_get_dev(), 0xCBE0441A, ANY),
@@ -343,12 +356,12 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
         call('-s all'),
         call('-a sshuttle-1025 -f /dev/stdin',
              b'table <dns_servers> {1.2.3.33}\n'
-             b'rdr pass on lo0 inet proto tcp to 1.2.3.0/24 -> '
-             b'127.0.0.1 port 1025\n'
+             b'rdr pass on lo0 inet proto tcp from ! 127.0.0.1 '
+             b'to 1.2.3.0/24 -> 127.0.0.1 port 1025\n'
              b'rdr pass on lo0 inet proto udp '
              b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
-             b'pass out quick inet proto tcp to 1.2.3.66/32 port 80:80\n'
              b'pass out route-to lo0 inet proto tcp to 1.2.3.0/24 keep state\n'
+             b'pass out inet proto tcp to 1.2.3.66/32 port 80:80\n'
              b'pass out route-to lo0 inet proto udp '
              b'to <dns_servers> port 53 keep state\n'),
         call('-e'),
@@ -357,10 +370,12 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     mock_ioctl.reset_mock()
     mock_pfctl.reset_mock()
 
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
+    method.restore_firewall(1024, AF_INET6, False, None)
     assert mock_ioctl.mock_calls == []
     assert mock_pfctl.mock_calls == [
         call('-a sshuttle-1025 -F all'),
+        call('-a sshuttle6-1024 -F all'),
         call("-d"),
     ]
     mock_pf_get_dev.reset_mock()
@@ -381,15 +396,16 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 
     method.setup_firewall(
         1024, 1026,
-        [(10, u'2404:6800:4004:80c::33')],
-        10,
-        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
-            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
-        False)
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
+        AF_INET6,
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+        False,
+        None)
 
     assert mock_ioctl.mock_calls == [
-        call(mock_pf_get_dev(), 0xcd48441a, ANY),
-        call(mock_pf_get_dev(), 0xcd48441a, ANY),
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
     ]
     assert mock_pfctl.mock_calls == [
         call('-s Interfaces -i lo -v'),
@@ -401,10 +417,10 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
              b'port 8000:9000 divert-to ::1 port 1024\n'
              b'pass in on lo0 inet6 proto udp '
              b'to <dns_servers> port 53 rdr-to ::1 port 1026\n'
-             b'pass out quick inet6 proto tcp to '
-             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
              b'pass out inet6 proto tcp to 2404:6800:4004:80c::/64 '
              b'port 8000:9000 route-to lo0 keep state\n'
+             b'pass out inet6 proto tcp to '
+             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
              b'pass out inet6 proto udp to '
              b'<dns_servers> port 53 route-to lo0 keep state\n'),
         call('-e'),
@@ -416,11 +432,12 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     with pytest.raises(Exception) as excinfo:
         method.setup_firewall(
             1025, 1027,
-            [(2, u'1.2.3.33')],
-            2,
-            [(2, 24, False, u'1.2.3.0', 0, 0),
-                (2, 32, True, u'1.2.3.66', 80, 80)],
-            True)
+            [(AF_INET, u'1.2.3.33')],
+            AF_INET,
+            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+            True,
+            None)
     assert str(excinfo.value) == 'UDP not supported by pf method_name'
     assert mock_pf_get_dev.mock_calls == []
     assert mock_ioctl.mock_calls == []
@@ -428,14 +445,15 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
 
     method.setup_firewall(
         1025, 1027,
-        [(2, u'1.2.3.33')],
-        2,
-        [(2, 24, False, u'1.2.3.0', 0, 0),
-            (2, 32, True, u'1.2.3.66', 80, 80)],
-        False)
+        [(AF_INET, u'1.2.3.33')],
+        AF_INET,
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+        False,
+        None)
     assert mock_ioctl.mock_calls == [
-        call(mock_pf_get_dev(), 0xcd48441a, ANY),
-        call(mock_pf_get_dev(), 0xcd48441a, ANY),
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
     ]
     assert mock_pfctl.mock_calls == [
         call('-s Interfaces -i lo -v'),
@@ -447,8 +465,8 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
              b'127.0.0.1 port 1025\n'
              b'pass in on lo0 inet proto udp to '
              b'<dns_servers> port 53 rdr-to 127.0.0.1 port 1027\n'
-             b'pass out quick inet proto tcp to 1.2.3.66/32 port 80:80\n'
              b'pass out inet proto tcp to 1.2.3.0/24 route-to lo0 keep state\n'
+             b'pass out inet proto tcp to 1.2.3.66/32 port 80:80\n'
              b'pass out inet proto udp to '
              b'<dns_servers> port 53 route-to lo0 keep state\n'),
         call('-e'),
@@ -457,11 +475,13 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
     mock_ioctl.reset_mock()
     mock_pfctl.reset_mock()
 
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
+    method.restore_firewall(1024, AF_INET6, False, None)
     assert mock_ioctl.mock_calls == []
     assert mock_pfctl.mock_calls == [
         call('-a sshuttle-1025 -F all'),
-        call("-d"),
+        call('-a sshuttle6-1024 -F all'),
+        call('-d'),
     ]
     mock_pf_get_dev.reset_mock()
     mock_pfctl.reset_mock()

tests/client/test_methods_tproxy.py

@@ -1,3 +1,6 @@
+import socket
+from socket import AF_INET, AF_INET6
+
 from mock import Mock, patch, call
 
 from sshuttle.methods import get_method
@@ -49,7 +52,7 @@ def test_send_udp(mock_socket):
     assert sock.mock_calls == []
     assert mock_socket.mock_calls == [
         call(sock.family, 2),
-        call().setsockopt(1, 2, 1),
+        call().setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1),
         call().setsockopt(0, 19, 1),
         call().bind('127.0.0.2'),
         call().sendto("2222222", '127.0.0.1'),
@@ -100,71 +103,73 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
 
     method.setup_firewall(
         1024, 1026,
-        [(10, u'2404:6800:4004:80c::33')],
-        10,
-        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
-            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
-        True)
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
+        AF_INET6,
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+        True,
+        None)
     assert mock_ipt_chain_exists.mock_calls == [
-        call(10, 'mangle', 'sshuttle-m-1024'),
-        call(10, 'mangle', 'sshuttle-t-1024'),
-        call(10, 'mangle', 'sshuttle-d-1024')
+        call(AF_INET6, 'mangle', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', 'sshuttle-d-1024')
     ]
     assert mock_ipt_ttl.mock_calls == []
     assert mock_ipt.mock_calls == [
-        call(10, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-X', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-X', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-X', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-N', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-N', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-N', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-I', 'PREROUTING', '1', '-j', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
+        call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-N', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-N', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-N', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-I', 'PREROUTING', '1', '-j',
+             'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
              '--set-mark', '1'),
-        call(10, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
              '-j', 'sshuttle-d-1024', '-m', 'tcp', '-p', 'tcp'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
              '-j', 'sshuttle-d-1024', '-m', 'udp', '-p', 'udp'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
              '--set-mark', '1', '--dest', u'2404:6800:4004:80c::33/32',
              '-m', 'udp', '-p', 'udp', '--dport', '53'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
              '--tproxy-mark', '0x1/0x1',
              '--dest', u'2404:6800:4004:80c::33/32',
              '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1026'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
              '--dest', u'2404:6800:4004:80c::101f/128',
              '-m', 'tcp', '-p', 'tcp', '--dport', '8080:8080'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
              '--dest', u'2404:6800:4004:80c::101f/128',
              '-m', 'tcp', '-p', 'tcp', '--dport', '8080:8080'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
              '--dest', u'2404:6800:4004:80c::101f/128',
              '-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
              '--dest', u'2404:6800:4004:80c::101f/128',
              '-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
              '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
              '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
              '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
              '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000',
              '--on-port', '1024'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
              '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
-             '-m', 'udp', '-p', 'udp'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
+             '-m', 'udp', '-p', 'udp', '--dport', '8000:9000'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
              '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
              '-m', 'udp', '-p', 'udp', '--dport', '8000:9000',
              '--on-port', '1024')
@@ -173,22 +178,22 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
     mock_ipt_ttl.reset_mock()
     mock_ipt.reset_mock()
 
-    method.restore_firewall(1025, 10, True)
+    method.restore_firewall(1025, AF_INET6, True, None)
     assert mock_ipt_chain_exists.mock_calls == [
-        call(10, 'mangle', 'sshuttle-m-1025'),
-        call(10, 'mangle', 'sshuttle-t-1025'),
-        call(10, 'mangle', 'sshuttle-d-1025')
+        call(AF_INET6, 'mangle', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', 'sshuttle-d-1025')
     ]
     assert mock_ipt_ttl.mock_calls == []
     assert mock_ipt.mock_calls == [
-        call(10, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
-        call(10, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(10, 'mangle', '-X', 'sshuttle-m-1025'),
-        call(10, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
-        call(10, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(10, 'mangle', '-X', 'sshuttle-t-1025'),
-        call(10, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(10, 'mangle', '-X', 'sshuttle-d-1025')
+        call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-d-1025')
     ]
     mock_ipt_chain_exists.reset_mock()
     mock_ipt_ttl.reset_mock()
@@ -198,68 +203,71 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
 
     method.setup_firewall(
         1025, 1027,
-        [(2, u'1.2.3.33')],
-        2,
-        [(2, 24, False, u'1.2.3.0', 0, 0), (2, 32, True, u'1.2.3.66', 80, 80)],
-        True)
+        [(AF_INET, u'1.2.3.33')],
+        AF_INET,
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
+        True,
+        None)
     assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'mangle', 'sshuttle-m-1025'),
-        call(2, 'mangle', 'sshuttle-t-1025'),
-        call(2, 'mangle', 'sshuttle-d-1025')
+        call(AF_INET, 'mangle', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-d-1025')
     ]
     assert mock_ipt_ttl.mock_calls == []
     assert mock_ipt.mock_calls == [
-        call(2, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-N', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-N', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-N', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-I', 'PREROUTING', '1', '-j', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-A', 'sshuttle-d-1025',
+        call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-N', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-N', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-N', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-I', 'PREROUTING', '1', '-j',
+             'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025',
              '-j', 'MARK', '--set-mark', '1'),
-        call(2, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
              '-j', 'sshuttle-d-1025', '-m', 'tcp', '-p', 'tcp'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
              '-j', 'sshuttle-d-1025', '-m', 'udp', '-p', 'udp'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
              '--set-mark', '1', '--dest', u'1.2.3.33/32',
              '-m', 'udp', '-p', 'udp', '--dport', '53'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
              '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.33/32',
              '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1027'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
              '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp',
              '--dport', '80:80'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
              '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp',
              '--dport', '80:80'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
              '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
              '--dport', '80:80'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
              '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
              '--dport', '80:80'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
              '--set-mark', '1', '--dest', u'1.2.3.0/24',
              '-m', 'tcp', '-p', 'tcp'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
              '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
              '-m', 'tcp', '-p', 'tcp', '--on-port', '1025'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
              '--set-mark', '1', '--dest', u'1.2.3.0/24',
              '-m', 'udp', '-p', 'udp'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
              '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
              '-m', 'udp', '-p', 'udp', '--on-port', '1025')
     ]
@@ -267,22 +275,22 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
     mock_ipt_ttl.reset_mock()
     mock_ipt.reset_mock()
 
-    method.restore_firewall(1025, 2, True)
+    method.restore_firewall(1025, AF_INET, True, None)
     assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'mangle', 'sshuttle-m-1025'),
-        call(2, 'mangle', 'sshuttle-t-1025'),
-        call(2, 'mangle', 'sshuttle-d-1025')
+        call(AF_INET, 'mangle', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-d-1025')
     ]
     assert mock_ipt_ttl.mock_calls == []
     assert mock_ipt.mock_calls == [
-        call(2, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-d-1025')
+        call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-d-1025')
     ]
     mock_ipt_chain_exists.reset_mock()
     mock_ipt_ttl.reset_mock()

tests/client/test_options.py

@@ -1,8 +1,10 @@
 import socket
-import pytest
-import sshuttle.options
 from argparse import ArgumentTypeError as Fatal
 
+import pytest
+
+import sshuttle.options
+
 _ip4_reprs = {
         '0.0.0.0': '0.0.0.0',
         '255.255.255.255': '255.255.255.255',
@@ -11,7 +13,6 @@ _ip4_reprs = {
         '3098282570': '184.172.10.74',
         '0xb8.0xac.0x0a.0x4a': '184.172.10.74',
         '0270.0254.0012.0112': '184.172.10.74',
-        'localhost': '127.0.0.1'
 }
 
 _ip4_swidths = (1, 8, 22, 27, 32)
@@ -25,10 +26,11 @@ _ip6_reprs = {
 
 _ip6_swidths = (48, 64, 96, 115, 128)
 
+
 def test_parse_subnetport_ip4():
     for ip_repr, ip in _ip4_reprs.items():
         assert sshuttle.options.parse_subnetport(ip_repr) \
-                == (socket.AF_INET, ip, 32, 0, 0)
+                == [(socket.AF_INET, ip, 32, 0, 0)]
     with pytest.raises(Fatal) as excinfo:
         sshuttle.options.parse_subnetport('10.256.0.0')
     assert str(excinfo.value) == 'Unable to resolve address: 10.256.0.0'
@@ -39,37 +41,35 @@ def test_parse_subnetport_ip4_with_mask():
         for swidth in _ip4_swidths:
             assert sshuttle.options.parse_subnetport(
                     '/'.join((ip_repr, str(swidth)))
-                    ) == (socket.AF_INET, ip, swidth, 0, 0)
+                    ) == [(socket.AF_INET, ip, swidth, 0, 0)]
     assert sshuttle.options.parse_subnetport('0/0') \
-            == (socket.AF_INET, '0.0.0.0', 0, 0, 0)
+        == [(socket.AF_INET, '0.0.0.0', 0, 0, 0)]
     with pytest.raises(Fatal) as excinfo:
         sshuttle.options.parse_subnetport('10.0.0.0/33')
-    assert str(excinfo.value) == 'width 33 is not between 0 and 32'
+    assert str(excinfo.value) \
+        == 'Slash in CIDR notation (/33) is not between 0 and 32'
 
 
 def test_parse_subnetport_ip4_with_port():
     for ip_repr, ip in _ip4_reprs.items():
         assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80'))) \
-                == (socket.AF_INET, ip, 32, 80, 80)
-        assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80-90'))) \
-                == (socket.AF_INET, ip, 32, 80, 90)
+            == [(socket.AF_INET, ip, 32, 80, 80)]
+        assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80-90')))\
+            == [(socket.AF_INET, ip, 32, 80, 90)]
 
 
 def test_parse_subnetport_ip4_with_mask_and_port():
     for ip_repr, ip in _ip4_reprs.items():
         assert sshuttle.options.parse_subnetport(ip_repr + '/32:80') \
-                == (socket.AF_INET, ip, 32, 80, 80)
+            == [(socket.AF_INET, ip, 32, 80, 80)]
         assert sshuttle.options.parse_subnetport(ip_repr + '/16:80-90') \
-                == (socket.AF_INET, ip, 16, 80, 90)
+            == [(socket.AF_INET, ip, 16, 80, 90)]
 
 
 def test_parse_subnetport_ip6():
     for ip_repr, ip in _ip6_reprs.items():
         assert sshuttle.options.parse_subnetport(ip_repr) \
-                == (socket.AF_INET6, ip, 128, 0, 0)
-    with pytest.raises(Fatal) as excinfo:
-        sshuttle.options.parse_subnetport('2001::1::3f')
-    assert str(excinfo.value) == 'Unable to resolve address: 2001::1::3f'
+                == [(socket.AF_INET6, ip, 128, 0, 0)]
 
 
 def test_parse_subnetport_ip6_with_mask():
@@ -77,25 +77,26 @@ def test_parse_subnetport_ip6_with_mask():
         for swidth in _ip4_swidths + _ip6_swidths:
             assert sshuttle.options.parse_subnetport(
                     '/'.join((ip_repr, str(swidth)))
-                    ) == (socket.AF_INET6, ip, swidth, 0, 0)
+                    ) == [(socket.AF_INET6, ip, swidth, 0, 0)]
     assert sshuttle.options.parse_subnetport('::/0') \
-            == (socket.AF_INET6, '::', 0, 0, 0)
+        == [(socket.AF_INET6, '::', 0, 0, 0)]
     with pytest.raises(Fatal) as excinfo:
         sshuttle.options.parse_subnetport('fc00::/129')
-    assert str(excinfo.value) == 'width 129 is not between 0 and 128'
+    assert str(excinfo.value) \
+        == 'Slash in CIDR notation (/129) is not between 0 and 128'
 
 
 def test_parse_subnetport_ip6_with_port():
     for ip_repr, ip in _ip6_reprs.items():
         assert sshuttle.options.parse_subnetport('[' + ip_repr + ']:80') \
-                == (socket.AF_INET6, ip, 128, 80, 80)
+            == [(socket.AF_INET6, ip, 128, 80, 80)]
         assert sshuttle.options.parse_subnetport('[' + ip_repr + ']:80-90') \
-                == (socket.AF_INET6, ip, 128, 80, 90)
+            == [(socket.AF_INET6, ip, 128, 80, 90)]
 
 
 def test_parse_subnetport_ip6_with_mask_and_port():
     for ip_repr, ip in _ip6_reprs.items():
         assert sshuttle.options.parse_subnetport('[' + ip_repr + '/128]:80') \
-                == (socket.AF_INET6, ip, 128, 80, 80)
-        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/16]:80-90') \
-                == (socket.AF_INET6, ip, 16, 80, 90)
+            == [(socket.AF_INET6, ip, 128, 80, 80)]
+        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/16]:80-90')\
+            == [(socket.AF_INET6, ip, 16, 80, 90)]

tests/client/test_sdnotify.py

@@ -1,8 +1,7 @@
-from mock import Mock, patch, call
-import sys
-import io
 import socket
 
+from mock import Mock, patch, call
+
 import sshuttle.sdnotify
 
 

tests/server/test_server.py

@@ -1,8 +1,9 @@
-import os
 import io
 import socket
+
+from mock import patch, Mock
+
 import sshuttle.server
-from mock import patch, Mock, call
 
 
 def test__ipmatch():

tests/ssh/test_parse_hostport.py

@@ -0,0 +1,20 @@
+from sshuttle.ssh import parse_hostport
+
+
+def test_host_only():
+    assert parse_hostport("host") == (None, None, None, "host")
+    assert parse_hostport("1.2.3.4") == (None, None, None, "1.2.3.4")
+    assert parse_hostport("2001::1") == (None, None, None, "2001::1")
+    assert parse_hostport("[2001::1]") == (None, None, None, "2001::1")
+
+
+def test_host_and_port():
+    assert parse_hostport("host:22") == (None, None, 22, "host")
+    assert parse_hostport("1.2.3.4:22") == (None, None, 22, "1.2.3.4")
+    assert parse_hostport("[2001::1]:22") == (None, None, 22, "2001::1")
+
+
+def test_username_and_host():
+    assert parse_hostport("user@host") == ("user", None, None, "host")
+    assert parse_hostport("user:@host") == ("user", None, None, "host")
+    assert parse_hostport("user:pass@host") == ("user", "pass", None, "host")

tox.ini

@@ -1,20 +1,24 @@
 [tox]
 downloadcache = {toxworkdir}/cache/
 envlist =
-    py26,
-    py27,
-    py34,
     py35,
+    py36,
+    py37,
+    py38,
+    py39,
 
 [testenv]
 basepython =
-    py26: python2.6
-    py27: python2.7
-    py34: python3.4
-    py35: python3.5
+    py36: python3.6
+    py37: python3.7
+    py38: python3.8
+    py39: python3.9
 commands =
-    py.test
-deps =
+    pip install -e .
+    # actual flake8 test
+    flake8 sshuttle tests
+    # flake8 complexity warnings
+    flake8 sshuttle tests --exit-zero --max-complexity=10
     pytest
-    mock
-    setuptools>=17.1
+deps =
+    -rrequirements-tests.txt