Bump version: 1.1.0 → 1.1.1

Include version in setup.py too
Add ASDF .tool-versions file
2025-07-04 00:30:35 +02:00 · 2022-09-06 08:17:47 +10:00 · 2022-09-06 08:17:36 +10:00 · 2022-09-06 08:06:34 +10:00 · 2022-09-06 08:04:28 +10:00 · 2022-09-06 07:53:59 +10:00
55 changed files with 2337 additions and 1621 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,12 @@
+version: 2
+updates:
+- package-ecosystem: pip
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '31 21 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/pythonpackage.yml
+++ b/.github/workflows/pythonpackage.yml
@ -8,6 +8,8 @@ on:
    branches: [ master ]
  pull_request:
    branches: [ master ]
+  workflow_dispatch:
+    branches: [ master ]

 jobs:
  build:
@ -15,12 +17,12 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        python-version: [3.5, 3.6, 3.7, 3.8]
+        python-version: ["3.8", "3.9", "3.10"]

    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v4
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install dependencies
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,5 @@
-/sshuttle/version.py
 /tmp/
+/.coverage
 /.cache/
 /.eggs/
 /.tox/
@ -15,3 +15,4 @@
 /.redo
 /.pytest_cache/
 /.python-version
+.vscode/
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@ -0,0 +1,15 @@
+version: 2
+
+build:
+  os: ubuntu-20.04
+  tools:
+    python: "3.9"
+
+sphinx:
+  configuration: docs/conf.py
+
+python:
+  install:
+    - requirements: requirements.txt
+    - method: setuptools
+      path: .
--- a/.tool-versions
+++ b/.tool-versions
@ -0,0 +1 @@
+python 3.10.6
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -1,15 +1,44 @@
 ==========
 Change log
 ==========
-All notable changes to this project will be documented in this file. The format
-is based on `Keep a Changelog`_ and this project
-adheres to `Semantic Versioning`_.
+Release notes now moved to https://github.com/sshuttle/sshuttle/releases/

-.. _`Keep a Changelog`: http://keepachangelog.com/
-.. _`Semantic Versioning`: http://semver.org/
+These are the old release notes.


-1.0.3 - 2020-08-24
+1.0.5 - 2020-12-29
+------------------
+
+Added
+~~~~~
+* IPv6 support in nft method.
+* Intercept DNS requests sent by systemd-resolved.
+* Set default tmark.
+* Fix python2 server compatibility.
+* Python 3.9 support.
+
+Fixed
+~~~~~
+* Change license text to LGPL-2.1
+* Fix #494 sshuttle caught in infinite select() loop.
+* Include sshuttle version in verbose output.
+* Add psutil as dependency in setup.py
+* When subnets and excludes are specified with hostnames, use all IPs.
+* Update/document client's handling of IPv4 and IPv6.
+* Update sdnotify.py documentation.
+* Allow no remote to work.
+* Make prefixes in verbose output more consistent.
+* Make nat and nft rules consistent; improve rule ordering.
+* Make server and client handle resolv.conf differently.
+* Fix handling OSError in FirewallClient#__init__
+* Refactor automatic method selection.
+
+Removed
+~~~~~~~
+* Drop testing of Python 3.5
+
+
+1.0.4 - 2020-08-24
 ------------------

 Fixed
@ -101,7 +130,7 @@ Fixed

 Added
 ~~~~~
-* doas support as replacmeent for sudo on OpenBSD.
+* doas support as replacement for sudo on OpenBSD.
 * Added ChromeOS section to documentation (#262)
 * Add --no-sudo-pythonpath option

--- a/193
+++ b/193
@ -1,13 +1,14 @@
-                  GNU LIBRARY GENERAL PUBLIC LICENSE
-                       Version 2, June 1991
+                  GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 2.1, February 1999

- Copyright (C) 1991 Free Software Foundation, Inc.
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

-[This is the first released version of the library GPL.  It is
- numbered 2 because it goes with version 2 of the ordinary GPL.]
+[This is the first released version of the Lesser GPL.  It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]

                            Preamble

@ -16,97 +17,109 @@ freedom to share and change it.  By contrast, the GNU General Public
 Licenses are intended to guarantee your freedom to share and change
 free software--to make sure the software is free for all its users.

-  This license, the Library General Public License, applies to some
-specially designated Free Software Foundation software, and to any
-other libraries whose authors decide to use it.  You can use it for
-your libraries, too.
+  This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it.  You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.

-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
+  When we speak of free software, we are referring to freedom of use,
+not price.  Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.

  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if
-you distribute copies of the library, or if you modify it.
+distributors to deny you these rights or to ask you to surrender these
+rights.  These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.

  For example, if you distribute copies of the library, whether gratis
 or for a fee, you must give the recipients all the rights that we gave
 you.  You must make sure that they, too, receive or can get the source
-code.  If you link a program with the library, you must provide
-complete object files to the recipients so that they can relink them
-with the library, after making changes to the library and recompiling
+code.  If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
 it.  And you must show them these terms so they know their rights.

-  Our method of protecting your rights has two steps: (1) copyright
-the library, and (2) offer you this license which gives you legal
+  We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
 permission to copy, distribute and/or modify the library.

-  Also, for each distributor's protection, we want to make certain
-that everyone understands that there is no warranty for this free
-library.  If the library is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original
-version, so that any problems introduced by others will not reflect on
-the original authors' reputations.
+  To protect each distributor, we want to make it very clear that
+there is no warranty for the free library.  Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.

-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that companies distributing free
-software will individually obtain patent licenses, thus in effect
-transforming the program into proprietary software.  To prevent this,
-we have made it clear that any patent must be licensed for everyone's
-free use or not licensed at all.
+  Finally, software patents pose a constant threat to the existence of
+any free program.  We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder.  Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.

-  Most GNU software, including some libraries, is covered by the ordinary
-GNU General Public License, which was designed for utility programs.  This
-license, the GNU Library General Public License, applies to certain
-designated libraries.  This license is quite different from the ordinary
-one; be sure to read it in full, and don't assume that anything in it is
-the same as in the ordinary license.
+  Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License.  This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License.  We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.

-  The reason we have a separate public license for some libraries is that
-they blur the distinction we usually make between modifying or adding to a
-program and simply using it.  Linking a program with a library, without
-changing the library, is in some sense simply using the library, and is
-analogous to running a utility program or application program.  However, in
-a textual and legal sense, the linked executable is a combined work, a
-derivative of the original library, and the ordinary General Public License
-treats it as such.
+  When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library.  The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom.  The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.

-  Because of this blurred distinction, using the ordinary General
-Public License for libraries did not effectively promote software
-sharing, because most developers did not use the libraries.  We
-concluded that weaker conditions might promote sharing better.
+  We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License.  It also provides other free software developers Less
+of an advantage over competing non-free programs.  These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries.  However, the Lesser license provides advantages in certain
+special circumstances.

-  However, unrestricted linking of non-free programs would deprive the
-users of those programs of all benefit from the free status of the
-libraries themselves.  This Library General Public License is intended to
-permit developers of non-free programs to use free libraries, while
-preserving your freedom as a user of such programs to change the free
-libraries that are incorporated in them.  (We have not seen how to achieve
-this as regards changes in header files, but we have achieved it as regards
-changes in the actual functions of the Library.)  The hope is that this
-will lead to faster development of free libraries.
+  For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard.  To achieve this, non-free programs must be
+allowed to use the library.  A more frequent case is that a free
+library does the same job as widely used non-free libraries.  In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+  In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software.  For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+  Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.

  The precise terms and conditions for copying, distribution and
 modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
-former contains code derived from the library, while the latter only
-works together with the library.
-
-  Note that it is possible for a library to be covered by the ordinary
-General Public License rather than by this special one.
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.

-                  GNU LIBRARY GENERAL PUBLIC LICENSE
+                  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

-  0. This License Agreement applies to any software library which
-contains a notice placed by the copyright holder or other authorized
-party saying it may be distributed under the terms of this Library
-General Public License (also called "this License").  Each licensee is
-addressed as "you".
+  0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".

  A "library" means a collection of software functions and/or data
 prepared so as to be conveniently linked with application programs
@ -133,7 +146,7 @@ such a program is covered only if its contents constitute a work based
 on the Library (independent of the use of the Library in a tool for
 writing it).  Whether that is true depends on what the Library does
 and what the program that uses the Library does.
-  
+
  1. You may copy and distribute verbatim copies of the Library's
 complete source code as you receive it, in any medium, provided that
 you conspicuously and appropriately publish on each copy an
@ -255,7 +268,7 @@ distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.

-  6. As an exception to the Sections above, you may also compile or
+  6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
 under terms of your choice, provided that the terms permit
@ -282,23 +295,31 @@ of these things:
    Library will not necessarily be able to recompile the application
    to use the modified definitions.)

-    b) Accompany the work with a written offer, valid for at
+    b) Use a suitable shared library mechanism for linking with the
+    Library.  A suitable mechanism is one that (1) uses at run time a
+    copy of the library already present on the user's computer system,
+    rather than copying library functions into the executable, and (2)
+    will operate properly with a modified version of the library, if
+    the user installs one, as long as the modified version is
+    interface-compatible with the version that the work was made with.
+
+    c) Accompany the work with a written offer, valid for at
    least three years, to give the same user the materials
    specified in Subsection 6a, above, for a charge no more
    than the cost of performing this distribution.

-    c) If distribution of the work is made by offering access to copy
+    d) If distribution of the work is made by offering access to copy
    from a designated place, offer equivalent access to copy the above
    specified materials from the same place.

-    d) Verify that the user has already received a copy of these
+    e) Verify that the user has already received a copy of these
    materials or that you have already sent this user a copy.

  For an executable, the required form of the "work that uses the
 Library" must include any data and utility programs needed for
 reproducing the executable from it.  However, as a special exception,
-the source code distributed need not include anything that is normally
-distributed (in either source or binary form) with the major
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
 components (compiler, kernel, and so on) of the operating system on
 which the executable runs, unless that component itself accompanies
 the executable.
@ -347,7 +368,7 @@ Library), the recipient automatically receives a license from the
 original licensor to copy, distribute, link with or modify the Library
 subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
+You are not responsible for enforcing compliance by third parties with
 this License.

  11. If, as a consequence of a court judgment or allegation of patent
@ -390,7 +411,7 @@ excluded.  In such case, this License incorporates the limitation as if
 written in the body of this License.

  13. The Free Software Foundation may publish revised and/or new
-versions of the Library General Public License from time to time.
+versions of the Lesser General Public License from time to time.
 Such new versions will be similar in spirit to the present version,
 but may differ in detail to address new problems or concerns.

@ -453,16 +474,16 @@ convey the exclusion of warranty; and each file should have at least the
    Copyright (C) <year>  <name of author>

    This library is free software; you can redistribute it and/or
-    modify it under the terms of the GNU Library General Public
+    modify it under the terms of the GNU Lesser General Public
    License as published by the Free Software Foundation; either
-    version 2 of the License, or (at your option) any later version.
+    version 2.1 of the License, or (at your option) any later version.

    This library is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-    Library General Public License for more details.
+    Lesser General Public License for more details.

-    You should have received a copy of the GNU Library General Public
+    You should have received a copy of the GNU Lesser General Public
    License along with this library; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

--- a/README.rst
+++ b/README.rst
@ -24,7 +24,7 @@ common case:
 - You can't use openssh's PermitTunnel feature because
  it's disabled by default on openssh servers; plus it does
  TCP-over-TCP, which has `terrible performance`_.
-  
+
 .. _terrible performance: https://sshuttle.readthedocs.io/en/stable/how-it-works.html

 Obtaining sshuttle
@ -37,7 +37,7 @@ Obtaining sshuttle
 - Debian stretch or later::

      apt-get install sshuttle
-      
+
 - Arch Linux::

      pacman -S sshuttle
@ -46,6 +46,14 @@ Obtaining sshuttle

      dnf install sshuttle

+- openSUSE::
+
+      zypper in sshuttle
+
+- Gentoo::
+
+      emerge -av net-proxy/sshuttle
+
 - NixOS::

      nix-env -iA nixos.sshuttle
@ -67,6 +75,11 @@ Obtaining sshuttle
      # pkg
      pkg install py36-sshuttle

+- macOS, via MacPorts::
+
+      sudo port selfupdate
+      sudo port install sshuttle
+
 It is also possible to install into a virtualenv as a non-root user.

 - From PyPI::
@ -103,5 +116,5 @@ https://sshuttle.readthedocs.org/en/latest/

 Running as a service
 --------------------
-Sshuttle can also be run as a service and configured using a config management system: 
+Sshuttle can also be run as a service and configured using a config management system:
 https://medium.com/@mike.reider/using-sshuttle-as-a-service-bec2684a65fe
--- a/bin/sudoers-add
+++ b/bin/sudoers-add
@ -1,76 +0,0 @@
-#!/usr/bin/env bash
-# William Mantly <wmantly@gmail.com>
-# MIT License
-# https://github.com/wmantly/sudoers-add
-
-NEWLINE=$'\n'
-CONTENT=""
-ME="$(basename "$(test -L "$0" && readlink "$0" || echo "$0")")"
-
-if [ "$1" == "--help" ] || [ "$1" == "-h" ]; then
-	echo "Usage: $ME [file_path] [sudoers-file-name]"
-	echo "Usage: [content] | $ME sudoers-file-name"
-	echo "This will take a sudoers config validate it and add it to /etc/sudoers.d/{sudoers-file-name}"
-	echo "The config can come from a file, first usage example or piped in second example."
-
-	exit 0
-fi
-
-if [ "$1" == "" ]; then
-	(>&2 echo "This command take at lest one argument. See $ME --help")
-
-	exit 1	
-fi
-
-if [ "$2" == "" ]; then
-	FILE_NAME=$1
-	shift
-else
-	FILE_NAME=$2
-fi
-
-if [[ $EUID -ne 0 ]]; then
-	echo "This script must be run as root"
-
-	exit 1
-fi
-
-while read -r line
-do
-	CONTENT+="${line}${NEWLINE}"
-done < "${1:-/dev/stdin}"
-
-if [ "$CONTENT" == "" ]; then
-	(>&2 echo "No config content specified. See $ME --help")
-	exit 1
-fi
-
-if [ "$FILE_NAME" == "" ]; then
-	(>&2 echo "No sudoers file name specified. See $ME --help")
-	exit 1
-fi
-
-# Make a temp file to hold the sudoers config
-umask 077
-TEMP_FILE=$(mktemp)
-echo "$CONTENT" > "$TEMP_FILE"
-
-# Make sure the content is valid
-visudo_STDOUT=$(visudo -c -f "$TEMP_FILE" 2>&1)
-visudo_code=$?
-# The temp file is no longer needed
-rm "$TEMP_FILE"
-
-if [ $visudo_code -eq 0 ]; then
-	echo "$CONTENT" > "/etc/sudoers.d/$FILE_NAME"
-	chmod 0440 "/etc/sudoers.d/$FILE_NAME"
-	echo "The sudoers file /etc/sudoers.d/$FILE_NAME has been successfully created!"
-
-	exit 0
-else
-	echo "Invalid sudoers config!"
-	echo "$visudo_STDOUT"
-
-	exit 1
-fi
-
--- a/docs/chromeos.rst
+++ b/docs/chromeos.rst
@ -9,4 +9,3 @@ stretch/Debian 9 VM, you can then install sshuttle as on any Linux box and
 it just works, as do xterms and ssvncviewer etc.

 https://www.reddit.com/r/Crostini/wiki/getstarted/crostini-setup-guide
-
--- a/docs/how-it-works.rst
+++ b/docs/how-it-works.rst
@ -34,4 +34,3 @@ sshuttle assembles the TCP stream locally, multiplexes it statefully over
 an ssh session, and disassembles it back into packets at the other end.  So
 it never ends up doing TCP-over-TCP.  It's just data-over-TCP, which is
 safe.
-
--- a/docs/index.rst
+++ b/docs/index.rst
@ -26,4 +26,3 @@ Indices and tables

 * :ref:`genindex`
 * :ref:`search`
-
--- a/docs/installation.rst
+++ b/docs/installation.rst
@ -5,7 +5,7 @@ Installation

      pip install sshuttle

- Debain package manager::
+- Debian package manager::

      sudo apt install sshuttle

@ -19,6 +19,5 @@ Installation
 Optionally after installation
 -----------------------------

- Add to sudoers file::
+- Install sudoers configuration. For details, see the "Sudoers File" section in :doc:`usage`

-      sshuttle --sudoers
--- a/docs/manpage.rst
+++ b/docs/manpage.rst
@ -4,14 +4,14 @@ sshuttle

 Synopsis
 --------
-**sshuttle** [*options*] [**-r** *[username@]sshserver[:port]*] \<*subnets* ...\>
+**sshuttle** [*options*] **-r** *[username@]sshserver[:port]* \<*subnets* ...\>


 Description
 -----------
 :program:`sshuttle` allows you to create a VPN connection from your
-machine to any remote server that you can connect to via
-ssh, as long as that server has python 3.5 or higher.
+machine to any remote server that you can connect to via ssh, as long
+as that server has a sufficiently new Python installation.

 To work, you must have root access on the local machine,
 but you can have a normal account on the server.
@ -31,20 +31,25 @@ Options
 .. option:: <subnets>

    A list of subnets to route over the VPN, in the form
-    ``a.b.c.d[/width][port[-port]]``.  Valid examples are 1.2.3.4 (a
-    single IP address), 1.2.3.4/32 (equivalent to 1.2.3.4),
-    1.2.3.0/24 (a 24-bit subnet, ie. with a 255.255.255.0
-    netmask), and 0/0 ('just route everything through the
-    VPN'). Any of the previous examples are also valid if you append
-    a port or a port range, so 1.2.3.4:8000 will only tunnel traffic
-    that has as the destination port 8000 of 1.2.3.4 and 
-    1.2.3.0/24:8000-9000 will tunnel traffic going to any port between
-    8000 and 9000 (inclusive) for all IPs in the 1.2.3.0/24 subnet.
-    It is also possible to use a name in which case the first IP it resolves
-    to during startup will be routed over the VPN. Valid examples are
-    example.com, example.com:8000 and example.com:8000-9000.
+    ``a.b.c.d[/width][port[-port]]``. Valid examples are 1.2.3.4 (a
+    single IP address) and 1.2.3.4/32 (equivalent to 1.2.3.4),
+    1.2.3.0/24 (a 24-bit subnet, ie. with a 255.255.255.0 netmask).
+    Specify subnets 0/0 to match all IPv4 addresses and ::/0 to match
+    all IPv6 addresses. Any of the previous examples are also valid if
+    you append a port or a port range, so 1.2.3.4:8000 will only
+    tunnel traffic that has as the destination port 8000 of 1.2.3.4
+    and 1.2.3.0/24:8000-9000 will tunnel traffic going to any port
+    between 8000 and 9000 (inclusive) for all IPs in the 1.2.3.0/24
+    subnet. A hostname can be provided instead of an IP address. If
+    the hostname resolves to multiple IPs, all of the IPs are
+    included. If a width is provided with a hostname, the width is
+    applied to all of the hostnames IPs (if they are all either IPv4
+    or IPv6). Widths cannot be supplied to hostnames that resolve to
+    both IPv4 and IPv6. Valid examples are example.com,
+    example.com:8000, example.com/24, example.com/24:8000 and
+    example.com:8000-9000.

-.. option:: --method <auto|nat|nft|tproxy|pf>
+.. option:: --method <auto|nat|nft|tproxy|pf|ipfw>

   Which firewall method should sshuttle use? For auto, sshuttle attempts to
   guess the appropriate method depending on what it can find in PATH. The
@ -64,9 +69,9 @@ Options
    You can use any name resolving to an IP address of the machine running
    :program:`sshuttle`, e.g. ``--listen localhost``.

-    For the tproxy and pf methods this can be an IPv6 address. Use this option 
-    with comma separated values if required, to provide both IPv4 and IPv6
-    addresses, e.g. ``--listen 127.0.0.1:0,[::1]:0``.
+    For the nft, tproxy and pf methods this can be an IPv6 address. Use
+    this option with comma separated values if required, to provide both
+    IPv4 and IPv6 addresses, e.g. ``--listen 127.0.0.1:0,[::1]:0``.

 .. option:: -H, --auto-hosts

@ -84,6 +89,13 @@ Options
    few subnets over the VPN, you probably would prefer to
    keep using your local DNS server for everything else.

+    :program:`sshuttle` tries to store a cache of the hostnames in
+    ~/.sshuttle.hosts on the remote host. Similarly, it tries to read
+    the file when you later reconnect to the host with --auto-hosts
+    enabled to quickly populate the host list. When troubleshooting
+    this feature, try removing this file on the remote host when
+    sshuttle is not running.
+
 .. option:: -N, --auto-nets

    In addition to the subnets provided on the command
@ -92,14 +104,20 @@ Options
    are taken automatically from the server's routing
    table.

+    This feature does not detect IPv6 routes. Specify IPv6 subnets
+    manually. For example, specify the ``::/0`` subnet on the command
+    line to route all IPv6 traffic.
+
 .. option:: --dns

    Capture local DNS requests and forward to the remote DNS
    server. All queries to any of the local system's DNS
-    servers (/etc/resolv.conf) will be intercepted and
+    servers (/etc/resolv.conf and, if it exists,
+    /run/systemd/resolve/resolv.conf) will be intercepted and
    resolved on the remote side of the tunnel instead, there
    using the DNS specified via the :option:`--to-ns` option,
-    if specified.
+    if specified. Only plain DNS traffic sent to these servers
+    on port 53 are captured.

 .. option:: --ns-hosts=<server1[,server2[,server3[...]]]>

@ -122,16 +140,19 @@ Options

 .. option:: --python

-    Specify the name/path of the remote python interpreter.
-    The default is just ``python``, which means to use the
-    default python interpreter on the remote system's PATH.
+    Specify the name/path of the remote python interpreter. The
+    default is to use ``python3`` (or ``python``, if ``python3``
+    fails) in the remote system's PATH.

 .. option:: -r <[username@]sshserver[:port]>, --remote=<[username@]sshserver[:port]>

    The remote hostname and optional username and ssh
    port number to use for connecting to the remote server.
    For example, example.com, testuser@example.com,
-    testuser@example.com:2222, or example.com:2244.
+    testuser@example.com:2222, or example.com:2244. This
+    hostname is passed to ssh, so it will recognize any
+    aliases and settings you may have configured in
+    ~/.ssh/config.

 .. option:: -x <subnet>, --exclude=<subnet>

@ -164,7 +185,7 @@ Options

    A comma-separated list of hostnames to use to
    initialize the :option:`--auto-hosts` scan algorithm.
-    :option:`--auto-hosts` does things like poll local SMB servers
+    :option:`--auto-hosts` does things like poll netstat output
    for lists of local hostnames, but can speed things up
    if you use this option to give it a few names to start
    from.
@ -202,6 +223,11 @@ Options
    Automatically fork into the background after connecting
    to the remote server.  Implies :option:`--syslog`.

+.. option:: -s <file>, --subnets=<file>
+
+    Include the subnets specified in a file instead of on the
+    command line. One subnet per line.
+
 .. option:: --syslog

    after connecting, send all log messages to the
@ -216,7 +242,8 @@ Options

 .. option:: --disable-ipv6

-    If using tproxy or pf methods, this will disable IPv6 support.
+    Disable IPv6 support for methods that support it (nat, nft,
+    tproxy, and pf).

 .. option:: --firewall

@ -235,28 +262,28 @@ Options
    makes it a lot easier to debug and test the :option:`--auto-hosts`
    feature.

-.. option:: --sudoers
-
-    sshuttle will auto generate the proper sudoers.d config file and add it.
-    Once this is completed, sshuttle will exit and tell the user if
-    it succeed or not. Do not call this options with sudo, it may generate a
-    incorrect config file.
-
 .. option:: --sudoers-no-modify

-    sshuttle will auto generate the proper sudoers.d config and print it to
-    stdout. The option will not modify the system at all.
+    sshuttle prints a configuration to stdout which allows a user to
+    run sshuttle without a password. This option is INSECURE because,
+    with some cleverness, it also allows the user to run any command
+    as root without a password. The output also includes a suggested
+    method for you to install the configuration.
+
+    Use --sudoers-user to modify the user that it applies to.

 .. option:: --sudoers-user

-    Set the user name or group with %group_name for passwordless operation.
-    Default is the current user.set ALL for all users. Only works with
-    --sudoers or --sudoers-no-modify option.
+    Set the user name or group with %group_name for passwordless
+    operation. Default is the current user. Set to ALL for all users
+    (NOT RECOMMENDED: See note about security in --sudoers-no-modify
+    documentation above). Only works with the --sudoers-no-modify
+    option.

-.. option:: --sudoers-filename
+.. option:: -t <mark>, --tmark=<mark>

-    Set the file name for the sudoers.d file to be added. Default is
-    "sshuttle_auto". Only works with --sudoers.
+    An option used by the tproxy method: Use the specified traffic
+    mark. The mark must be a hexadecimal value. Defaults to 0x01.

 .. option:: --version

@ -285,54 +312,107 @@ Arguments read from a file must be one per line, as shown below::
    --option2
    value2

+The configuration file supports comments for human-readable
+annotations. For example::
+
+    # company-internal API
+    8.8.8.8/32
+    # home IoT
+    192.168.63.0/24
+

 Examples
 --------
-Test locally by proxying all local connections, without using ssh::

-    $ sshuttle -v 0/0
+Use the following command to route all IPv4 TCP traffic through remote
+(-r) host example.com (and possibly other traffic too, depending on
+the selected --method). The 0/0 subnet, short for 0.0.0.0/0, matches
+all IPv4 addresses. The ::/0 subnet, matching all IPv6 addresses could
+be added to the example. We also exclude (-x) example.com:22 so that
+we can establish ssh connections from our local machine to the remote
+host without them being routed through sshuttle. Excluding the remote
+host may be necessary on some machines for sshuttle to work properly.
+Press Ctrl+C to exit. To also route DNS queries through sshuttle, try
+adding --dns. Add or remove -v options to see more or less
+information::

-    Starting sshuttle proxy.
-    Listening on ('0.0.0.0', 12300).
+    $ sshuttle -r example.com -x example.com:22 0/0
+
+    Starting sshuttle proxy (version ...).
    [local sudo] Password:
-    firewall manager ready.
-    c : connecting to server...
-     s: available routes:
-     s:   192.168.42.0/24
-    c : connected.
-    firewall manager: starting transproxy.
-    c : Accept: 192.168.42.106:50035 -> 192.168.42.121:139.
-    c : Accept: 192.168.42.121:47523 -> 77.141.99.22:443.
-        ...etc...
+    fw: Starting firewall with Python version 3.9.5
+    fw: ready method name nat.
+    c : IPv6 disabled since it isn't supported by method nat.
+    c : Method: nat
+    c : IPv4: on
+    c : IPv6: off (not available with nat method)
+    c : UDP : off (not available with nat method)
+    c : DNS : off (available)
+    c : User: off (available)
+    c : Subnets to forward through remote host (type, IP, cidr mask width, startPort, endPort):
+    c :   (<AddressFamily.AF_INET: 2>, '0.0.0.0', 0, 0, 0)
+    c : Subnets to exclude from forwarding:
+    c :   (<AddressFamily.AF_INET: 2>, '...', 32, 22, 22)
+    c :   (<AddressFamily.AF_INET: 2>, '127.0.0.1', 32, 0, 0)
+    c : TCP redirector listening on ('127.0.0.1', 12299).
+    c : Starting client with Python version 3.9.5
+    c : Connecting to server...
+    user@example.com's password:
+     s: Starting server with Python version 3.6.8
+     s: latency control setting = True
+     s: auto-nets:False
+    c : Connected to server.
+    fw: setting up.
+    fw: iptables -w -t nat -N sshuttle-12299
+    fw: iptables -w -t nat -F sshuttle-12299
+    ...
+    Accept: 192.168.42.121:60554 -> 77.141.99.22:22.
    ^C
-    firewall manager: undoing changes.
-    KeyboardInterrupt
    c : Keyboard interrupt: exiting.
-    c : SW#8:192.168.42.121:47523: deleting
-    c : SW#6:192.168.42.106:50035: deleting
+    c : SW'unknown':Mux#1: deleting (1 remain)
+    c : SW#7:192.168.42.121:60554: deleting (0 remain)

-Test connection to a remote server, with automatic hostname
+
+Connect to a remote server, with automatic hostname
 and subnet guessing::

-    $ sshuttle -vNHr example.org
-
-    Starting sshuttle proxy.
-    Listening on ('0.0.0.0', 12300).
-    firewall manager ready.
-    c : connecting to server...
+    $ sshuttle -vNHr example.com -x example.com:22
+    Starting sshuttle proxy (version ...).
+    [local sudo] Password:
+    fw: Starting firewall with Python version 3.9.5
+    fw: ready method name nat.
+    c : IPv6 disabled since it isn't supported by method nat.
+    c : Method: nat
+    c : IPv4: on
+    c : IPv6: off (not available with nat method)
+    c : UDP : off (not available with nat method)
+    c : DNS : off (available)
+    c : User: off (available)
+    c : Subnets to forward through remote host (type, IP, cidr mask width, startPort, endPort):
+    c : NOTE: Additional subnets to forward may be added below by --auto-nets.
+    c : Subnets to exclude from forwarding:
+    c :   (<AddressFamily.AF_INET: 2>, '...', 32, 22, 22)
+    c :   (<AddressFamily.AF_INET: 2>, '127.0.0.1', 32, 0, 0)
+    c : TCP redirector listening on ('127.0.0.1', 12300).
+    c : Starting client with Python version 3.9.5
+    c : Connecting to server...
+    user@example.com's password:
+     s: Starting server with Python version 3.6.8
+     s: latency control setting = True
+     s: auto-nets:True
+    c : Connected to server.
+    c : seed_hosts: []
     s: available routes:
     s:   77.141.99.0/24
-    c : connected.
-    c : seed_hosts: []
-    firewall manager: starting transproxy.
-    hostwatch: Found: testbox1: 1.2.3.4
-    hostwatch: Found: mytest2: 5.6.7.8
-    hostwatch: Found: domaincontroller: 99.1.2.3
+    fw: setting up.
+    fw: iptables -w -t nat -N sshuttle-12300
+    fw: iptables -w -t nat -F sshuttle-12300
+    ...
    c : Accept: 192.168.42.121:60554 -> 77.141.99.22:22.
    ^C
-    firewall manager: undoing changes.
    c : Keyboard interrupt: exiting.
-    c : SW#6:192.168.42.121:60554: deleting
+    c : SW'unknown':Mux#1: deleting (1 remain)
+    c : SW#7:192.168.42.121:60554: deleting (0 remain)

 Run :program:`sshuttle` with a `/etc/sshuttle.conf` configuration file::

@ -356,9 +436,7 @@ Example configuration file::
 Discussion
 ----------
 When it starts, :program:`sshuttle` creates an ssh session to the
-server specified by the ``-r`` option.  If ``-r`` is omitted,
-it will start both its client and server locally, which is
-sometimes useful for testing.
+server specified by the ``-r`` option.

 After connecting to the remote server, :program:`sshuttle` uploads its
 (python) source code to the remote end and executes it
@ -377,7 +455,7 @@ Packet-level forwarding (eg. using the tun/tap devices on
 Linux) seems elegant at first, but it results in
 several problems, notably the 'tcp over tcp' problem.  The
 tcp protocol depends fundamentally on packets being dropped
-in order to implement its congestion control agorithm; if
+in order to implement its congestion control algorithm; if
 you pass tcp packets through a tcp-based tunnel (such as
 ssh), the inner tcp packets will never be dropped, and so
 the inner tcp stream's congestion control will be
--- a/docs/requirements.rst
+++ b/docs/requirements.rst
@ -6,7 +6,7 @@ Client side Requirements

 - sudo, or root access on your client machine.
  (The server doesn't need admin access.)
- Python 3.5 or greater.
+- Python 3.8 or greater.


 Linux with NAT method
@ -15,22 +15,36 @@ Supports:

 * IPv4 TCP
 * IPv4 DNS
+* IPv6 TCP
+* IPv6 DNS

 Requires:

-* iptables DNAT, REDIRECT, and ttl modules.
+* iptables DNAT and REDIRECT modules. ip6tables for IPv6.

+Linux with nft method
+~~~~~~~~~~~~~~~~~~~~~
+Supports
+
+* IPv4 TCP
+* IPv4 DNS
+* IPv6 TCP
+* IPv6 DNS
+
+Requires:
+
+* nftables

 Linux with TPROXY method
 ~~~~~~~~~~~~~~~~~~~~~~~~
 Supports:

 * IPv4 TCP
-* IPv4 UDP (requires ``recvmsg`` - see below)
-* IPv6 DNS (requires ``recvmsg`` - see below)
+* IPv4 UDP
+* IPv4 DNS
 * IPv6 TCP
-* IPv6 UDP (requires ``recvmsg`` - see below)
-* IPv6 DNS (requires ``recvmsg`` - see below)
+* IPv6 UDP
+* IPv6 DNS


 MacOS / FreeBSD / OpenBSD / pfSense
@ -58,7 +72,7 @@ cmd.exe with Administrator access. See :doc:`windows` for more information.
 Server side Requirements
 ------------------------

- Python 3.5 or greater.
+- Python 3.8 or greater.


 Additional Suggested Software
@ -67,7 +81,7 @@ Additional Suggested Software
 - If you are using systemd, sshuttle can notify it when the connection to
  the remote end is established and the firewall rules are installed. For
  this feature to work you must configure the process start-up type for the
-  sshuttle service unit to notify, as shown in the example below. 
+  sshuttle service unit to notify, as shown in the example below.

 .. code-block:: ini
   :emphasize-lines: 6
@ -75,10 +89,10 @@ Additional Suggested Software
   [Unit]
   Description=sshuttle
   After=network.target
-   
+
   [Service]
   Type=notify
   ExecStart=/usr/bin/sshuttle --dns --remote <user>@<server> <subnets...>
-   
+
   [Install]
   WantedBy=multi-user.target
--- a/docs/tproxy.rst
+++ b/docs/tproxy.rst
@ -1,6 +1,6 @@
 TPROXY
 ======
-TPROXY is the only method that has full support of IPv6 and UDP.
+TPROXY is the only method that supports UDP.

 There are some things you need to consider for TPROXY to work:

@ -8,26 +8,24 @@ There are some things you need to consider for TPROXY to work:
  done once after booting up::

      ip route add local default dev lo table 100
-      ip rule add fwmark 1 lookup 100
+      ip rule add fwmark {TMARK} lookup 100
      ip -6 route add local default dev lo table 100
-      ip -6 rule add fwmark 1 lookup 100
+      ip -6 rule add fwmark {TMARK} lookup 100
+
+  where {TMARK} is the identifier mark passed with -t or --tmark flag
+  as a hexadecimal string (default value is '0x01').

 - The ``--auto-nets`` feature does not detect IPv6 routes automatically. Add IPv6
  routes manually. e.g. by adding ``'::/0'`` to the end of the command line.

 - The client needs to be run as root. e.g.::

-      sudo SSH_AUTH_SOCK="$SSH_AUTH_SOCK" $HOME/tree/sshuttle.tproxy/sshuttle  --method=tproxy ...
+      sudo SSH_AUTH_SOCK="$SSH_AUTH_SOCK" $HOME/tree/sshuttle.tproxy/sshuttle --method=tproxy ...

 - You may need to exclude the IP address of the server you are connecting to.
  Otherwise sshuttle may attempt to intercept the ssh packets, which will not
  work. Use the ``--exclude`` parameter for this.

- Similarly, UDP return packets (including DNS) could get intercepted and
-  bounced back. This is the case if you have a broad subnet such as
-  ``0.0.0.0/0`` or ``::/0`` that includes the IP address of the client. Use the
-  ``--exclude`` parameter for this.
-
 - You need the ``--method=tproxy`` parameter, as above.

 - The routes for the outgoing packets must already exist. For example, if your
--- a/docs/trivia.rst
+++ b/docs/trivia.rst
@ -33,4 +33,3 @@ That project I did for Slipstream was what first gave me the idea to merge
 the concepts of Fast Forward, Double Vision, and Tunnel Vision into a single
 program that was the best of all worlds.  And here we are, at last.
 You're welcome.
-
--- a/docs/usage.rst
+++ b/docs/usage.rst
@ -11,6 +11,10 @@ Forward all traffic::
    sshuttle -r username@sshserver 0.0.0.0/0

 - Use the :option:`sshuttle -r` parameter to specify a remote server.
+  One some systems, you may also need to use the :option:`sshuttle -x`
+  parameter to exclude sshserver or sshserver:22 so that your local
+  machine can communicate directly to sshserver without it being
+  redirected by sshuttle.

 - By default sshuttle will automatically choose a method to use. Override with
  the :option:`sshuttle --method` parameter.
@ -47,7 +51,7 @@ were right there.  And if your "client" machine is a router, everyone on
 your local network can make connections to your remote network.

 You don't need to install sshuttle on the remote server;
-the remote server just needs to have python available. 
+the remote server just needs to have python available.
 sshuttle will automatically upload and run its source code
 to the remote python interpreter.

@ -67,44 +71,23 @@ admin access on the server.

 Sudoers File
 ------------
-sshuttle can auto-generate the proper sudoers.d file using the current user 
-for Linux and OSX. Doing this will allow sshuttle to run without asking for
-the local sudo password and to give users who do not have sudo access
-ability to run sshuttle::

-  sshuttle --sudoers
+sshuttle can generate a sudoers.d file for Linux and MacOS. This
+allows one or more users to run sshuttle without entering the
+local sudo password. **WARNING:** This option is *insecure*
+because, with some cleverness, it also allows these users to run any
+command (via the --ssh-cmd option) as root without a password.

-DO NOT run this command with sudo, it will ask for your sudo password when
-it is needed.
-
-A costume user or group can be set with the :
-option:`sshuttle --sudoers --sudoers-username {user_descriptor}` option. Valid
-values for this vary based on how your system is configured. Values such as 
-usernames, groups pre-pended with `%` and sudoers user aliases will work. See
-the sudoers manual for more information on valid user specif actions.
-The options must be used with `--sudoers`::
-
-  sshuttle --sudoers --sudoers-user mike
-  sshuttle --sudoers --sudoers-user %sudo
-
-The name of the file to be added to sudoers.d can be configured as well. This
-is mostly not necessary but can be useful for giving more than one user
-access to sshuttle. The default is `sshuttle_auto`::
-
-  sshuttle --sudoer --sudoers-filename sshuttle_auto_mike
-  sshuttle --sudoer --sudoers-filename sshuttle_auto_tommy
-
-You can also see what configuration will be added to your system without
-modifying anything. This can be helpfull is the auto feature does not work, or
-you want more control. This option also works with `--sudoers-username`.
-`--sudoers-filename` has no effect with this option::
+To print a sudo configuration file and see a suggested way to install it, run::

  sshuttle --sudoers-no-modify

-This will simply sprint the generated configuration to STDOUT. Example::
+A custom user or group can be set with the 
+:option:`sshuttle --sudoers-no-modify --sudoers-user {user_descriptor}`
+option. Valid values for this vary based on how your system is configured.
+Values such as usernames, groups pre-pended with `%` and sudoers user 
+aliases will work. See the sudoers manual for more information on valid
+user specif actions. The option must be used with `--sudoers-no-modify`::

-  08:40 PM william$ sshuttle --sudoers-no-modify
-
-  Cmnd_Alias SSHUTTLE304 = /usr/bin/env PYTHONPATH=/usr/local/lib/python2.7/dist-packages/sshuttle-0.78.5.dev30+gba5e6b5.d20180909-py2.7.egg /usr/bin/python /usr/local/bin/sshuttle --method auto --firewall
-
-  william ALL=NOPASSWD: SSHUTTLE304
+  sshuttle --sudoers-no-modify --sudoers-user mike
+  sshuttle --sudoers-no-modify --sudoers-user %sudo
--- a/docs/windows.rst
+++ b/docs/windows.rst
@ -16,4 +16,4 @@ Assuming the VM has the IP 192.168.1.200 obtained on the bridge NIC (we can
 configure that in Vagrant), we can then ask Windows to route all its traffic
 via the VM by running the following in cmd.exe with admin right::

-     route add 0.0.0.0 mask 0.0.0.0 192.168.1.200
+    route add 0.0.0.0 mask 0.0.0.0 192.168.1.200
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@ -1,7 +1,6 @@
 -r requirements.txt
-attrs==20.1.0
-pytest==6.0.1
-pytest-cov==2.10.1
-mock==2.0.0
-flake8==3.8.3
-pyflakes==2.2.0
+pytest==7.1.3
+pytest-cov==3.0.0
+flake8==5.0.4
+pyflakes==2.5.0
+bump2version==1.0.1
--- a/requirements.txt
+++ b/requirements.txt
@ -1 +1 @@
-setuptools-scm==4.1.2
+Sphinx==5.1.1
--- a/4
+++ b/4
@ -1,7 +1,7 @@
 #!/usr/bin/env sh
 set -e
-export PYTHONPATH="$(dirname $0):$PYTHONPATH"
-export PATH="$(dirname $0)/bin:$PATH"
+export PYTHONPATH="$(dirname "$0"):$PYTHONPATH"
+export PATH="$(dirname "$0")/bin:$PATH"

 python_best_version() {
  if [ -x "$(command -v python3)" ] &&
--- a/setup.cfg
+++ b/setup.cfg
@ -1,17 +1,25 @@
+[bumpversion]
+current_version = 1.1.1
+
+[bumpversion:file:setup.py]
+
+[bumpversion:file:sshuttle/version.py]
+
 [aliases]
-test=pytest
+test = pytest

 [bdist_wheel]
 universal = 1

 [upload]
-sign=true
-identity=0x1784577F811F6EAC
+sign = true
+identity = 0x1784577F811F6EAC

 [flake8]
-count=true
-show-source=true
-statistics=true
+count = true
+show-source = true
+statistics = true
+max-line-length = 128

 [tool:pytest]
 addopts = --cov=sshuttle --cov-branch --cov-report=term-missing
--- a/setup.py
+++ b/setup.py
@ -20,20 +20,9 @@
 from setuptools import setup, find_packages


-def version_scheme(version):
-    from setuptools_scm.version import guess_next_dev_version
-    version = guess_next_dev_version(version)
-    return version.lstrip("v")
-
-
 setup(
    name="sshuttle",
-    use_scm_version={
-        'write_to': "sshuttle/version.py",
-        'version_scheme': version_scheme,
-    },
-    setup_requires=['setuptools_scm'],
-    # version=version,
+    version='1.1.1',
    url='https://github.com/sshuttle/sshuttle',
    author='Brian May',
    author_email='brian@linuxpenguins.xyz',
@ -46,27 +35,26 @@ setup(
        "Development Status :: 5 - Production/Stable",
        "Intended Audience :: Developers",
        "Intended Audience :: End Users/Desktop",
-        "License :: OSI Approved :: "
+        "License :: OSI Approved :: " +
            "GNU Lesser General Public License v2 or later (LGPLv2+)",
        "Operating System :: OS Independent",
-        "Programming Language :: Python :: 3.5",
-        "Programming Language :: Python :: 3.6",
-        "Programming Language :: Python :: 3.7",
        "Programming Language :: Python :: 3.8",
+        "Programming Language :: Python :: 3.9",
+        "Programming Language :: Python :: 3.10",
        "Topic :: System :: Networking",
    ],
-    scripts=['bin/sudoers-add'],
    entry_points={
        'console_scripts': [
            'sshuttle = sshuttle.cmdline:main',
        ],
    },
-    python_requires='>=3.5',
+    python_requires='>=3.8',
+    install_requires=[
+    ],
    tests_require=[
        'pytest',
        'pytest-cov',
        'pytest-runner',
-        'mock',
        'flake8',
    ],
    keywords="ssh vpn",
--- a/sshuttle/assembler.py
+++ b/sshuttle/assembler.py
@ -1,17 +1,24 @@
 import sys
 import zlib
 import types
+import platform

 verbosity = verbosity  # noqa: F821 must be a previously defined global
+if verbosity > 0:
+    sys.stderr.write(' s: Running server on remote host with %s (version %s)\n'
+                     % (sys.executable, platform.python_version()))
 z = zlib.decompressobj()
 while 1:
    name = sys.stdin.readline().strip()
    if name:
-        name = name.decode("ASCII")
-
+        # python2 compat: in python2 sys.stdin.readline().strip() -> str
+        #                 in python3 sys.stdin.readline().strip() -> bytes
+        # (see #481)
+        if sys.version_info >= (3, 0):
+            name = name.decode("ASCII")
        nbytes = int(sys.stdin.readline())
        if verbosity >= 2:
-            sys.stderr.write('server: assembling %r (%d bytes)\n'
+            sys.stderr.write(' s: assembling %r (%d bytes)\r\n'
                             % (name, nbytes))
        content = z.decompress(sys.stdin.read(nbytes))

@ -37,5 +44,6 @@ sshuttle.helpers.verbose = verbosity

 import sshuttle.cmdline_options as options  # noqa: E402
 from sshuttle.server import main  # noqa: E402
-main(options.latency_control, options.auto_hosts, options.to_nameserver,
+main(options.latency_control, options.latency_buffer_size,
+     options.auto_hosts, options.to_nameserver,
     options.auto_nets)
--- a/sshuttle/client.py
+++ b/sshuttle/client.py
@ -14,35 +14,25 @@ import sshuttle.ssyslog as ssyslog
 import sshuttle.sdnotify as sdnotify
 from sshuttle.ssnet import SockWrapper, Handler, Proxy, Mux, MuxWrapper
 from sshuttle.helpers import log, debug1, debug2, debug3, Fatal, islocal, \
-    resolvconf_nameservers
+    resolvconf_nameservers, which
 from sshuttle.methods import get_method, Features
+from sshuttle import __version__
 try:
    from pwd import getpwnam
 except ImportError:
    getpwnam = None

-try:
-    # try getting recvmsg from python
-    import socket as pythonsocket
-    getattr(pythonsocket.socket, "recvmsg")
-    socket = pythonsocket
-except AttributeError:
-    # try getting recvmsg from socket_ext library
-    try:
-        import socket_ext
-        getattr(socket_ext.socket, "recvmsg")
-        socket = socket_ext
-    except ImportError:
-        import socket
+import socket

 _extra_fd = os.open(os.devnull, os.O_RDONLY)


 def got_signal(signum, frame):
-    log('exiting on signal %d\n' % signum)
+    log('exiting on signal %d' % signum)
    sys.exit(1)


+# Filename of the pidfile created by the sshuttle client.
 _pidname = None


@ -78,13 +68,25 @@ def check_daemon(pidfile):


 def daemonize():
+    # Try to open the pidfile prior to forking. If there is a problem,
+    # the client can then exit with a proper exit status code and
+    # message.
+    try:
+        outfd = os.open(_pidname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
+    except PermissionError:
+        # User will have to look in syslog for error message since
+        # --daemon implies --syslog, all output gets redirected to
+        # syslog.
+        raise Fatal("failed to create/write pidfile %s" % _pidname)
+
+    # Create a daemon process with a new session id.
    if os.fork():
        os._exit(0)
    os.setsid()
    if os.fork():
        os._exit(0)

-    outfd = os.open(_pidname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
+    # Write pid to the pidfile.
    try:
        os.write(outfd, b'%d\n' % os.getpid())
    finally:
@ -121,14 +123,14 @@ class MultiListener:
        self.bind_called = False

    def setsockopt(self, level, optname, value):
-        assert(self.bind_called)
+        assert self.bind_called
        if self.v6:
            self.v6.setsockopt(level, optname, value)
        if self.v4:
            self.v4.setsockopt(level, optname, value)

    def add_handler(self, handlers, callback, method, mux):
-        assert(self.bind_called)
+        assert self.bind_called
        socks = []
        if self.v6:
            socks.append(self.v6)
@ -143,14 +145,14 @@ class MultiListener:
        )

    def listen(self, backlog):
-        assert(self.bind_called)
+        assert self.bind_called
        if self.v6:
            self.v6.listen(backlog)
        if self.v4:
            try:
                self.v4.listen(backlog)
            except socket.error as e:
-                # on some systems v4 bind will fail if the v6 suceeded,
+                # on some systems v4 bind will fail if the v6 succeeded,
                # in this case the v6 socket will receive v4 too.
                if e.errno == errno.EADDRINUSE and self.v6:
                    self.v4 = None
@ -158,11 +160,26 @@ class MultiListener:
                    raise e

    def bind(self, address_v6, address_v4):
-        assert(not self.bind_called)
+        assert not self.bind_called
        self.bind_called = True
        if address_v6 is not None:
            self.v6 = socket.socket(socket.AF_INET6, self.type, self.proto)
-            self.v6.bind(address_v6)
+            try:
+                self.v6.bind(address_v6)
+            except OSError as e:
+                if e.errno == errno.EADDRNOTAVAIL:
+                    # On an IPv6 Linux machine, this situation occurs
+                    # if you run the following prior to running
+                    # sshuttle:
+                    #
+                    # echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
+                    # echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
+                    raise Fatal("Could not bind to an IPv6 socket with "
+                                "address %s and port %s. "
+                                "Potential workaround: Run sshuttle "
+                                "with '--disable-ipv6'."
+                                % (str(address_v6[0]), str(address_v6[1])))
+                raise e
        else:
            self.v6 = None
        if address_v4 is not None:
@ -172,77 +189,133 @@ class MultiListener:
            self.v4 = None

    def print_listening(self, what):
-        assert(self.bind_called)
+        assert self.bind_called
        if self.v6:
            listenip = self.v6.getsockname()
-            debug1('%s listening on %r.\n' % (what, listenip))
-            debug2('%s listening with %r.\n' % (what, self.v6))
+            debug1('%s listening on %r.' % (what, listenip))
+            debug2('%s listening with %r.' % (what, self.v6))
        if self.v4:
            listenip = self.v4.getsockname()
-            debug1('%s listening on %r.\n' % (what, listenip))
-            debug2('%s listening with %r.\n' % (what, self.v4))
+            debug1('%s listening on %r.' % (what, listenip))
+            debug2('%s listening with %r.' % (what, self.v4))


 class FirewallClient:

    def __init__(self, method_name, sudo_pythonpath):
        self.auto_nets = []
-        python_path = os.path.dirname(os.path.dirname(__file__))
+
        argvbase = ([sys.executable, sys.argv[0]] +
                    ['-v'] * (helpers.verbose or 0) +
                    ['--method', method_name] +
                    ['--firewall'])
        if ssyslog._p:
            argvbase += ['--syslog']
-        # Default to sudo unless on OpenBSD in which case use built in `doas`
-        if platform.platform().startswith('OpenBSD'):
-            elev_prefix = ['doas']
+
+        # A list of commands that we can try to run to start the firewall.
+        argv_tries = []
+
+        if os.getuid() == 0:  # No need to elevate privileges
+            argv_tries.append(argvbase)
        else:
-            elev_prefix = ['sudo', '-p', '[local sudo] Password: ']
-        if sudo_pythonpath:
-            elev_prefix += ['/usr/bin/env',
-                            'PYTHONPATH=%s' % python_path]
-        argv_tries = [elev_prefix + argvbase, argvbase]
+            # Linux typically uses sudo; OpenBSD uses doas. However, some
+            # Linux distributions are starting to use doas.
+            sudo_cmd = ['sudo', '-p', '[local sudo] Password: ']
+            doas_cmd = ['doas']

-        # we can't use stdin/stdout=subprocess.PIPE here, as we normally would,
-        # because stupid Linux 'su' requires that stdin be attached to a tty.
-        # Instead, attach a *bidirectional* socket to its stdout, and use
-        # that for talking in both directions.
-        (s1, s2) = socket.socketpair()
+            # For clarity, try to replace executable name with the
+            # full path.
+            doas_path = which("doas")
+            if doas_path:
+                doas_cmd[0] = doas_path
+            sudo_path = which("sudo")
+            if sudo_path:
+                sudo_cmd[0] = sudo_path

-        def setup():
-            # run in the child process
-            s2.close()
-        e = None
-        if os.getuid() == 0:
-            argv_tries = argv_tries[-1:]  # last entry only
+            # sudo_pythonpath indicates if we should set the
+            # PYTHONPATH environment variable when elevating
+            # privileges. This can be adjusted with the
+            # --no-sudo-pythonpath option.
+            if sudo_pythonpath:
+                pp_prefix = ['/usr/bin/env',
+                             'PYTHONPATH=%s' %
+                             os.path.dirname(os.path.dirname(__file__))]
+                sudo_cmd = sudo_cmd + pp_prefix
+                doas_cmd = doas_cmd + pp_prefix
+
+            # Final order should be: sudo/doas command, env
+            # pythonpath, and then argvbase (sshuttle command).
+            sudo_cmd = sudo_cmd + argvbase
+            doas_cmd = doas_cmd + argvbase
+
+            # If we can find doas and not sudo or if we are on
+            # OpenBSD, try using doas first.
+            if (doas_path and not sudo_path) or \
+               platform.platform().startswith('OpenBSD'):
+                argv_tries = [doas_cmd, sudo_cmd, argvbase]
+            else:
+                argv_tries = [sudo_cmd, doas_cmd, argvbase]
+
+        # Try all commands in argv_tries in order. If a command
+        # produces an error, try the next one. If command is
+        # successful, set 'success' variable and break.
+        success = False
        for argv in argv_tries:
+            # we can't use stdin/stdout=subprocess.PIPE here, as we
+            # normally would, because stupid Linux 'su' requires that
+            # stdin be attached to a tty. Instead, attach a
+            # *bidirectional* socket to its stdout, and use that for
+            # talking in both directions.
+            (s1, s2) = socket.socketpair()
+
+            def setup():
+                # run in the child process
+                s2.close()
+
            try:
-                if argv[0] == 'su':
-                    sys.stderr.write('[local su] ')
+                debug1("Starting firewall manager with command: %r" % argv)
                self.p = ssubprocess.Popen(argv, stdout=s1, preexec_fn=setup)
                # No env: Talking to `FirewallClient.start`, which has no i18n.
-                e = None
-                break
-            except OSError:
-                pass
-        self.argv = argv
-        s1.close()
-        self.pfile = s2.makefile('rwb')
-        if e:
-            log('Spawning firewall manager: %r\n' % self.argv)
-            raise Fatal(e)
-        line = self.pfile.readline()
-        self.check()
-        if line[0:5] != b'READY':
-            raise Fatal('%r expected READY, got %r' % (self.argv, line))
-        method_name = line[6:-1]
-        self.method = get_method(method_name.decode("ASCII"))
-        self.method.set_firewall(self)
+            except OSError as e:
+                # This exception will occur if the program isn't
+                # present or isn't executable.
+                debug1('Unable to start firewall manager. Popen failed. '
+                       'Command=%r Exception=%s' % (argv, e))
+                continue
+
+            self.argv = argv
+            s1.close()
+            self.pfile = s2.makefile('rwb')
+            line = self.pfile.readline()
+
+            rv = self.p.poll()   # Check if process is still running
+            if rv:
+                # We might get here if program runs and exits before
+                # outputting anything. For example, someone might have
+                # entered the wrong password to elevate privileges.
+                debug1('Unable to start firewall manager. '
+                       'Process exited too early. '
+                       '%r returned %d' % (self.argv, rv))
+                continue
+
+            if line[0:5] != b'READY':
+                debug1('Unable to start firewall manager. '
+                       'Expected READY, got %r. '
+                       'Command=%r' % (line, self.argv))
+                continue
+
+            method_name = line[6:-1]
+            self.method = get_method(method_name.decode("ASCII"))
+            self.method.set_firewall(self)
+            success = True
+            break
+
+        if not success:
+            raise Fatal("All attempts to elevate privileges failed.")

    def setup(self, subnets_include, subnets_exclude, nslist,
              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4, udp,
-              user):
+              user, tmark):
        self.subnets_include = subnets_include
        self.subnets_exclude = subnets_exclude
        self.nslist = nslist
@ -252,6 +325,7 @@ class FirewallClient:
        self.dnsport_v4 = dnsport_v4
        self.udp = udp
        self.user = user
+        self.tmark = tmark

    def check(self):
        rv = self.p.poll()
@ -290,7 +364,8 @@ class FirewallClient:
        else:
            user = b'%d' % self.user

-        self.pfile.write(b'GO %d %s\n' % (udp, user))
+        self.pfile.write(b'GO %d %s %s %d\n' %
+                         (udp, user, bytes(self.tmark, 'ascii'), os.getpid()))
        self.pfile.flush()

        line = self.pfile.readline()
@ -299,8 +374,8 @@ class FirewallClient:
            raise Fatal('%r expected STARTED, got %r' % (self.argv, line))

    def sethostip(self, hostname, ip):
-        assert(not re.search(rb'[^-\w\.]', hostname))
-        assert(not re.search(rb'[^0-9.]', ip))
+        assert not re.search(br'[^-\w\.]', hostname)
+        assert not re.search(br'[^0-9.]', ip)
        self.pfile.write(b'HOST %s,%s\n' % (hostname, ip))
        self.pfile.flush()

@ -319,23 +394,23 @@ def expire_connections(now, mux):
    remove = []
    for chan, timeout in dnsreqs.items():
        if timeout < now:
-            debug3('expiring dnsreqs channel=%d\n' % chan)
+            debug3('expiring dnsreqs channel=%d' % chan)
            remove.append(chan)
            del mux.channels[chan]
    for chan in remove:
        del dnsreqs[chan]
-    debug3('Remaining DNS requests: %d\n' % len(dnsreqs))
+    debug3('Remaining DNS requests: %d' % len(dnsreqs))

    remove = []
    for peer, (chan, timeout) in udp_by_src.items():
        if timeout < now:
-            debug3('expiring UDP channel channel=%d peer=%r\n' % (chan, peer))
+            debug3('expiring UDP channel channel=%d peer=%r' % (chan, peer))
            mux.send(chan, ssnet.CMD_UDP_CLOSE, b'')
            remove.append(peer)
            del mux.channels[chan]
    for peer in remove:
        del udp_by_src[peer]
-    debug3('Remaining UDP channels: %d\n' % len(udp_by_src))
+    debug3('Remaining UDP channels: %d' % len(udp_by_src))


 def onaccept_tcp(listener, method, mux, handlers):
@ -344,7 +419,7 @@ def onaccept_tcp(listener, method, mux, handlers):
        sock, srcip = listener.accept()
    except socket.error as e:
        if e.args[0] in [errno.EMFILE, errno.ENFILE]:
-            debug1('Rejected incoming connection: too many open files!\n')
+            debug1('Rejected incoming connection: too many open files!')
            # free up an fd so we can eat the connection
            os.close(_extra_fd)
            try:
@ -357,15 +432,15 @@ def onaccept_tcp(listener, method, mux, handlers):
            raise

    dstip = method.get_tcp_dstip(sock)
-    debug1('Accept TCP: %s:%r -> %s:%r.\n' % (srcip[0], srcip[1],
-                                              dstip[0], dstip[1]))
+    debug1('Accept TCP: %s:%r -> %s:%r.' % (srcip[0], srcip[1],
+                                            dstip[0], dstip[1]))
    if dstip[1] == sock.getsockname()[1] and islocal(dstip[0], sock.family):
-        debug1("-- ignored: that's my address!\n")
+        debug1("-- ignored: that's my address!")
        sock.close()
        return
    chan = mux.next_channel()
    if not chan:
-        log('warning: too many open channels.  Discarded connection.\n')
+        log('warning: too many open channels.  Discarded connection.')
        sock.close()
        return
    mux.send(chan, ssnet.CMD_TCP_CONNECT, b'%d,%s,%d' %
@ -378,7 +453,7 @@ def onaccept_tcp(listener, method, mux, handlers):
 def udp_done(chan, data, method, sock, dstip):
    (src, srcport, data) = data.split(b",", 2)
    srcip = (src, int(srcport))
-    debug3('doing send from %r to %r\n' % (srcip, dstip,))
+    debug3('doing send from %r to %r' % (srcip, dstip,))
    method.send_udp(sock, srcip, dstip, data)


@ -388,7 +463,7 @@ def onaccept_udp(listener, method, mux, handlers):
    if t is None:
        return
    srcip, dstip, data = t
-    debug1('Accept UDP: %r -> %r.\n' % (srcip, dstip,))
+    debug1('Accept UDP: %r -> %r.' % (srcip, dstip,))
    if srcip in udp_by_src:
        chan, _ = udp_by_src[srcip]
    else:
@ -405,7 +480,7 @@ def onaccept_udp(listener, method, mux, handlers):


 def dns_done(chan, data, method, sock, srcip, dstip, mux):
-    debug3('dns_done: channel=%d src=%r dst=%r\n' % (chan, srcip, dstip))
+    debug3('dns_done: channel=%d src=%r dst=%r' % (chan, srcip, dstip))
    del mux.channels[chan]
    del dnsreqs[chan]
    method.send_udp(sock, srcip, dstip, data)
@ -417,7 +492,13 @@ def ondns(listener, method, mux, handlers):
    if t is None:
        return
    srcip, dstip, data = t
-    debug1('DNS request from %r to %r: %d bytes\n' % (srcip, dstip, len(data)))
+    # dstip is None if we are using a method where we can't determine
+    # the destination IP of the DNS request that we captured from the client.
+    if dstip is None:
+        debug1('DNS request from %r: %d bytes' % (srcip, len(data)))
+    else:
+        debug1('DNS request from %r to %r: %d bytes' %
+               (srcip, dstip, len(data)))
    chan = mux.next_channel()
    dnsreqs[chan] = now + 30
    mux.send(chan, ssnet.CMD_DNS_REQ, data)
@ -427,27 +508,25 @@ def ondns(listener, method, mux, handlers):


 def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
-          python, latency_control,
+          python, latency_control, latency_buffer_size,
          dns_listener, seed_hosts, auto_hosts, auto_nets, daemon,
          to_nameserver):

-    debug1('Starting client with Python version %s\n'
+    helpers.logprefix = 'c : '
+    debug1('Starting client with Python version %s'
           % platform.python_version())

    method = fw.method

    handlers = []
-    if helpers.verbose >= 1:
-        helpers.logprefix = 'c : '
-    else:
-        helpers.logprefix = 'client: '
-    debug1('connecting to server...\n')
+    debug1('Connecting to server...')

    try:
        (serverproc, serversock) = ssh.connect(
            ssh_cmd, remotename, python,
            stderr=ssyslog._p and ssyslog._p.stdin,
            options=dict(latency_control=latency_control,
+                         latency_buffer_size=latency_buffer_size,
                         auto_hosts=auto_hosts,
                         to_nameserver=to_nameserver,
                         auto_nets=auto_nets))
@ -475,18 +554,95 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
        else:
            raise

+    # Returns None if process is still running (or returns exit code)
    rv = serverproc.poll()
-    if rv:
-        raise Fatal('server died with error code %d' % rv)
+    if rv is not None:
+        errmsg = "server died with error code %d\n" % rv
+
+        # Our fatal exceptions return exit code 99
+        if rv == 99:
+            errmsg += "This error code likely means that python started and " \
+                "the sshuttle server started. However, the sshuttle server " \
+                "may have raised a 'Fatal' exception after it started."
+        elif rv == 98:
+            errmsg += "This error code likely means that we were able to " \
+                "run python on the server, but that the program continued " \
+                "to the line after we call python's exec() to execute " \
+                "sshuttle's server code. Try specifying the python " \
+                "executable to user on the server by passing --python " \
+                "to sshuttle."
+
+        # This error should only be possible when --python is not specified.
+        elif rv == 97 and not python:
+            errmsg += "This error code likely means that either we " \
+                "couldn't find python3 or python in the PATH on the " \
+                "server or that we do not have permission to run 'exec' in " \
+                "the /bin/sh shell on the server. Try specifying the " \
+                "python executable to use on the server by passing " \
+                "--python to sshuttle."
+
+        # POSIX sh standards says error code 127 is used when you try
+        # to execute a program that does not exist. See section 2.8.2
+        # of
+        # https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_08
+        elif rv == 127:
+            if python:
+                errmsg += "This error code likely means that we were not " \
+                    "able to execute the python executable that specified " \
+                    "with --python. You specified '%s'.\n" % python
+                if python.startswith("/"):
+                    errmsg += "\nTip for users in a restricted shell on the " \
+                        "server: The server may refuse to run programs " \
+                        "specified with an absolute path. Try specifying " \
+                        "just the name of the python executable. However, " \
+                        "if python is not in your PATH and you cannot " \
+                        "run programs specified with an absolute path, " \
+                        "it is possible that sshuttle will not work."
+            else:
+                errmsg += "This error code likely means that we were unable " \
+                    "to execute /bin/sh on the remote server. This can " \
+                    "happen if /bin/sh does not exist on the server or if " \
+                    "you are in a restricted shell that does not allow you " \
+                    "to run programs specified with an absolute path. " \
+                    "Try rerunning sshuttle with the --python parameter."
+
+        # When the redirected subnet includes the remote ssh host, the
+        # firewall rules can interrupt the ssh connection to the
+        # remote machine. This issue impacts some Linux machines. The
+        # user sees that the server dies with a broken pipe error and
+        # code 255.
+        #
+        # The solution to this problem is to exclude the remote
+        # server.
+        #
+        # There are many github issues from users encountering this
+        # problem. Most of the discussion on the topic is here:
+        # https://github.com/sshuttle/sshuttle/issues/191
+        elif rv == 255:
+            errmsg += "It might be possible to resolve this error by " \
+                "excluding the server that you are ssh'ing to. For example, " \
+                "if you are running 'sshuttle -v -r example.com 0/0' to " \
+                "redirect all traffic through example.com, then try " \
+                "'sshuttle -v -r example.com -x example.com 0/0' to " \
+                "exclude redirecting the connection to example.com itself " \
+                "(i.e., sshuttle's firewall rules may be breaking the " \
+                "ssh connection that it previously established). " \
+                "Alternatively, you may be able to use 'sshuttle -v -r " \
+                "example.com -x example.com:22 0/0' to redirect " \
+                "everything except ssh connections between your machine " \
+                "and example.com."
+
+        raise Fatal(errmsg)

    if initstring != expected:
        raise Fatal('expected server init string %r; got %r'
                    % (expected, initstring))
-    log('Connected.\n')
+    log('Connected to server.')
    sys.stdout.flush()
+
    if daemon:
        daemonize()
-        log('daemonizing (%s).\n' % _pidname)
+        log('daemonizing (%s).' % _pidname)

    def onroutes(routestr):
        if auto_nets:
@ -498,11 +654,11 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                width = int(width)
                ip = ip.decode("ASCII")
                if family == socket.AF_INET6 and tcp_listener.v6 is None:
-                    debug2("Ignored auto net %d/%s/%d\n" % (family, ip, width))
+                    debug2("Ignored auto net %d/%s/%d" % (family, ip, width))
                if family == socket.AF_INET and tcp_listener.v4 is None:
-                    debug2("Ignored auto net %d/%s/%d\n" % (family, ip, width))
+                    debug2("Ignored auto net %d/%s/%d" % (family, ip, width))
                else:
-                    debug2("Adding auto net %d/%s/%d\n" % (family, ip, width))
+                    debug2("Adding auto net %d/%s/%d" % (family, ip, width))
                    fw.auto_nets.append((family, ip, width, 0, 0))

        # we definitely want to do this *after* starting ssh, or we might end
@ -522,7 +678,7 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
        sdnotify.send(sdnotify.ready(), sdnotify.status('Connected'))

    def onhostlist(hostlist):
-        debug2('got host list: %r\n' % hostlist)
+        debug2('got host list: %r' % hostlist)
        for line in hostlist.strip().split():
            if line:
                name, ip = line.split(b',', 1)
@ -538,65 +694,132 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
        dns_listener.add_handler(handlers, ondns, method, mux)

    if seed_hosts is not None:
-        debug1('seed_hosts: %r\n' % seed_hosts)
+        debug1('seed_hosts: %r' % seed_hosts)
        mux.send(0, ssnet.CMD_HOST_REQ, str.encode('\n'.join(seed_hosts)))

-    while 1:
-        rv = serverproc.poll()
-        if rv:
-            raise Fatal('server died with error code %d' % rv)
+    def check_ssh_alive():
+        if daemon:
+            # poll() won't tell us when process exited since the
+            # process is no longer our child (it returns 0 all the
+            # time).
+            try:
+                os.kill(serverproc.pid, 0)
+            except OSError:
+                raise Fatal('ssh connection to server (pid %d) exited.' %
+                            serverproc.pid)
+        else:
+            rv = serverproc.poll()
+            # poll returns None if process hasn't exited.
+            if rv is not None:
+                raise Fatal('ssh connection to server (pid %d) exited '
+                            'with returncode %d' % (serverproc.pid, rv))

+    while 1:
+        check_ssh_alive()
        ssnet.runonce(handlers, mux)
        if latency_control:
            mux.check_fullness()


 def main(listenip_v6, listenip_v4,
-         ssh_cmd, remotename, python, latency_control, dns, nslist,
+         ssh_cmd, remotename, python, latency_control,
+         latency_buffer_size, dns, nslist,
         method_name, seed_hosts, auto_hosts, auto_nets,
         subnets_include, subnets_exclude, daemon, to_nameserver, pidfile,
-         user, sudo_pythonpath):
+         user, sudo_pythonpath, tmark):

    if not remotename:
-        # XXX: We can't make it required at the argparse level,
-        #      because sshuttle calls out to itself in FirewallClient.
-        raise Fatal("You must specify -r/--remote.")
+        raise Fatal("You must use -r/--remote to specify a remote "
+                    "host to route traffic through.")

    if daemon:
        try:
            check_daemon(pidfile)
        except Fatal as e:
-            log("%s\n" % e)
+            log("%s" % e)
            return 5
-    debug1('Starting sshuttle proxy.\n')
+    debug1('Starting sshuttle proxy (version %s).' % __version__)
+    helpers.logprefix = 'c : '

    fw = FirewallClient(method_name, sudo_pythonpath)

-    # Get family specific subnet lists
+    # nslist is the list of name severs to intercept. If --dns is
+    # used, we add all DNS servers in resolv.conf. Otherwise, the list
+    # can be populated with the --ns-hosts option (which is already
+    # stored in nslist). This list is used to setup the firewall so it
+    # can redirect packets outgoing to this server to the remote host
+    # instead.
    if dns:
-        nslist += resolvconf_nameservers()
+        nslist += resolvconf_nameservers(True)
+
+    # If we are intercepting DNS requests, we tell the remote host
+    # where it should send the DNS requests to with the --to-ns
+    # option.
+    if len(nslist) > 0:
        if to_nameserver is not None:
            to_nameserver = "%s@%s" % tuple(to_nameserver[1:])
-    else:
-        # option doesn't make sense if we aren't proxying dns
+    else:  # if we are not intercepting DNS traffic
+        # ...and the user specified a server to send DNS traffic to.
+        if to_nameserver and len(to_nameserver) > 0:
+            print("WARNING: --to-ns option is ignored unless "
+                  "--dns or --ns-hosts is used.")
        to_nameserver = None

-    subnets = subnets_include + subnets_exclude  # we don't care here
-    subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
-    nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
-    subnets_v4 = [i for i in subnets if i[0] == socket.AF_INET]
+    # Get family specific subnet lists. Also, the user may not specify
+    # any subnets if they use --auto-nets. In this case, our subnets
+    # list will be empty and the forwarded subnets will be determined
+    # later by the server.
+    subnets_v4 = [i for i in subnets_include if i[0] == socket.AF_INET]
+    subnets_v6 = [i for i in subnets_include if i[0] == socket.AF_INET6]
    nslist_v4 = [i for i in nslist if i[0] == socket.AF_INET]
+    nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]

-    # Check features available
+    # Get available features from the firewall method
    avail = fw.method.get_supported_features()
+
+    # A feature is "required" if the user supplies us parameters which
+    # implies that the feature is needed.
    required = Features()

+    # Select the default addresses to bind to / listen to.
+
+    # Assume IPv4 is always available and should always be enabled. If
+    # a method doesn't provide IPv4 support or if we wish to run
+    # ipv6-only, changes to this code are required.
+    assert avail.ipv4
+    required.ipv4 = True
+
+    # listenip_v4 contains user specified value or it is set to "auto".
+    if listenip_v4 == "auto":
+        listenip_v4 = ('127.0.0.1', 0)
+
+    # listenip_v6 is...
+    #    None when IPv6 is disabled.
+    #    "auto" when listen address is unspecified.
+    #    The user specified address if provided by user
+    if listenip_v6 is None:
+        debug1("IPv6 disabled by --disable-ipv6")
    if listenip_v6 == "auto":
        if avail.ipv6:
+            debug1("IPv6 enabled: Using default IPv6 listen address ::1")
            listenip_v6 = ('::1', 0)
        else:
+            debug1("IPv6 disabled since it isn't supported by method "
+                   "%s." % fw.method.name)
            listenip_v6 = None

+    # Make final decision about enabling IPv6:
+    required.ipv6 = False
+    if listenip_v6:
+        required.ipv6 = True
+
+    # If we get here, it is possible that listenip_v6 was user
+    # specified but not supported by the current method.
+    if required.ipv6 and not avail.ipv6:
+        raise Fatal("An IPv6 listen address was supplied, but IPv6 is "
+                    "disabled at your request or is unsupported by the %s "
+                    "method." % fw.method.name)
+
    if user is not None:
        if getpwnam is None:
            raise Fatal("Routing by user not available on this system.")
@ -604,38 +827,66 @@ def main(listenip_v6, listenip_v4,
            user = getpwnam(user).pw_uid
        except KeyError:
            raise Fatal("User %s does not exist." % user)
-
-    if fw.method.name != 'nat':
-        required.ipv6 = len(subnets_v6) > 0 or listenip_v6 is not None
-        required.ipv4 = len(subnets_v4) > 0 or listenip_v4 is not None
-    else:
-        required.ipv6 = None
-        required.ipv4 = None
-
-    required.udp = avail.udp
-    required.dns = len(nslist) > 0
    required.user = False if user is None else True

-    # if IPv6 not supported, ignore IPv6 DNS servers
-    if not required.ipv6:
-        nslist_v6 = []
-        nslist = nslist_v4
+    if not required.ipv6 and len(subnets_v6) > 0:
+        print("WARNING: IPv6 subnets were ignored because IPv6 is disabled "
+              "in sshuttle.")
+        subnets_v6 = []
+        subnets_include = subnets_v4

+    required.udp = avail.udp  # automatically enable UDP if it is available
+    required.dns = len(nslist) > 0
+
+    # Remove DNS servers using IPv6.
+    if required.dns:
+        if not required.ipv6 and len(nslist_v6) > 0:
+            print("WARNING: Your system is configured to use an IPv6 DNS "
+                  "server but sshuttle is not using IPv6. Therefore DNS "
+                  "traffic your system sends to the IPv6 DNS server won't "
+                  "be redirected via sshuttle to the remote machine.")
+            nslist_v6 = []
+            nslist = nslist_v4
+
+        if len(nslist) == 0:
+            raise Fatal("Can't redirect DNS traffic since IPv6 is not "
+                        "enabled in sshuttle and all of the system DNS "
+                        "servers are IPv6.")
+
+    # If we aren't using IPv6, we can safely ignore excluded IPv6 subnets.
+    if not required.ipv6:
+        orig_len = len(subnets_exclude)
+        subnets_exclude = [i for i in subnets_exclude
+                           if i[0] == socket.AF_INET]
+        if len(subnets_exclude) < orig_len:
+            print("WARNING: Ignoring one or more excluded IPv6 subnets "
+                  "because IPv6 is not enabled.")
+
+    # This will print error messages if we required a feature that
+    # isn't available by the current method.
    fw.method.assert_features(required)

-    if required.ipv6 and listenip_v6 is None:
-        raise Fatal("IPv6 required but not listening.")
-
    # display features enabled
-    debug1("IPv6 enabled: %r\n" % required.ipv6)
-    debug1("UDP enabled: %r\n" % required.udp)
-    debug1("DNS enabled: %r\n" % required.dns)
-    debug1("User enabled: %r\n" % required.user)
+    def feature_status(label, enabled, available):
+        msg = label + ": "
+        if enabled:
+            msg += "on"
+        else:
+            msg += "off "
+            if available:
+                msg += "(available)"
+            else:
+                msg += "(not available with %s method)" % fw.method.name
+        debug1(msg)

-    # bind to required ports
-    if listenip_v4 == "auto":
-        listenip_v4 = ('127.0.0.1', 0)
+    debug1("Method: %s" % fw.method.name)
+    feature_status("IPv4", required.ipv4, avail.ipv4)
+    feature_status("IPv6", required.ipv6, avail.ipv6)
+    feature_status("UDP ", required.udp, avail.udp)
+    feature_status("DNS ", required.dns, avail.dns)
+    feature_status("User", required.user, avail.user)

+    # Exclude traffic destined to our listen addresses.
    if required.ipv4 and \
            not any(listenip_v4[0] == sex[1] for sex in subnets_v4):
        subnets_exclude.append((socket.AF_INET, listenip_v4[0], 32, 0, 0))
@ -644,6 +895,25 @@ def main(listenip_v6, listenip_v4,
            not any(listenip_v6[0] == sex[1] for sex in subnets_v6):
        subnets_exclude.append((socket.AF_INET6, listenip_v6[0], 128, 0, 0))

+    # We don't print the IP+port of where we are listening here
+    # because we do that below when we have identified the ports to
+    # listen on.
+    debug1("Subnets to forward through remote host (type, IP, cidr mask "
+           "width, startPort, endPort):")
+    for i in subnets_include:
+        debug1("  "+str(i))
+    if auto_nets:
+        debug1("NOTE: Additional subnets to forward may be added below by "
+               "--auto-nets.")
+    debug1("Subnets to exclude from forwarding:")
+    for i in subnets_exclude:
+        debug1("  "+str(i))
+    if required.dns:
+        debug1("DNS requests normally directed at these servers will be "
+               "redirected to remote:")
+        for i in nslist:
+            debug1("  "+str(i))
+
    if listenip_v6 and listenip_v6[1] and listenip_v4 and listenip_v4[1]:
        # if both ports given, no need to search for a spare port
        ports = [0, ]
@ -659,9 +929,8 @@ def main(listenip_v6, listenip_v4,
    redirectport_v6 = 0
    redirectport_v4 = 0
    bound = False
-    debug2('Binding redirector:')
    for port in ports:
-        debug2(' %d' % port)
+        debug2('Trying to bind redirector on port %d' % port)
        tcp_listener = MultiListener()

        if required.udp:
@ -703,9 +972,8 @@ def main(listenip_v6, listenip_v4,
            else:
                raise e

-    debug2('\n')
    if not bound:
-        assert(last_e)
+        assert last_e
        raise last_e
    tcp_listener.listen(10)
    tcp_listener.print_listening("TCP redirector")
@ -715,10 +983,9 @@ def main(listenip_v6, listenip_v4,
    bound = False
    if required.dns:
        # search for spare port for DNS
-        debug2('Binding DNS:')
        ports = range(12300, 9000, -1)
        for port in ports:
-            debug2(' %d' % port)
+            debug2('Trying to bind DNS redirector on port %d' % port)
            if port in used_ports:
                continue

@ -749,10 +1016,10 @@ def main(listenip_v6, listenip_v4,
                    used_ports.append(port)
                else:
                    raise e
-        debug2('\n')
+
        dns_listener.print_listening("DNS")
        if not bound:
-            assert(last_e)
+            assert last_e
            raise last_e
    else:
        dnsport_v6 = 0
@ -791,13 +1058,14 @@ def main(listenip_v6, listenip_v4,
    # start the firewall
    fw.setup(subnets_include, subnets_exclude, nslist,
             redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4,
-             required.udp, user)
+             required.udp, user, tmark)

    # start the client process
    try:
        return _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
-                     python, latency_control, dns_listener,
-                     seed_hosts, auto_hosts, auto_nets, daemon, to_nameserver)
+                     python, latency_control, latency_buffer_size,
+                     dns_listener, seed_hosts, auto_hosts, auto_nets,
+                     daemon, to_nameserver)
    finally:
        try:
            if daemon:
--- a/sshuttle/cmdline.py
+++ b/sshuttle/cmdline.py
@ -1,6 +1,5 @@
 import re
 import socket
-import platform
 import sshuttle.helpers as helpers
 import sshuttle.client as client
 import sshuttle.firewall as firewall
@ -14,20 +13,9 @@ from sshuttle.sudoers import sudoers
 def main():
    opt = parser.parse_args()

-    if opt.sudoers or opt.sudoers_no_modify:
-        if platform.platform().startswith('OpenBSD'):
-            log('Automatic sudoers does not work on BSD')
-            exit(1)
-
-        if not opt.sudoers_filename:
-            log('--sudoers-file must be set or omited.')
-            exit(1)
-
-        sudoers(
-            user_name=opt.sudoers_user,
-            no_modify=opt.sudoers_no_modify,
-            file_name=opt.sudoers_filename
-        )
+    if opt.sudoers_no_modify:
+        # sudoers() calls exit() when it completes
+        sudoers(user_name=opt.sudoers_user)

    if opt.daemon:
        opt.syslog = 1
@ -45,10 +33,19 @@ def main():
                parser.error('exactly zero arguments expected')
            return firewall.main(opt.method, opt.syslog)
        elif opt.hostwatch:
-            return hostwatch.hw_main(opt.subnets, opt.auto_hosts)
+            hostwatch.hw_main(opt.subnets, opt.auto_hosts)
+            return 0
        else:
-            includes = opt.subnets + opt.subnets_file
-            excludes = opt.exclude
+            # parse_subnetports() is used to create a list of includes
+            # and excludes. It is called once for each parameter and
+            # returns a list of one or more items for each subnet (it
+            # can return more than one item when a hostname in the
+            # parameter resolves to multiple IP addresses. Here, we
+            # flatten these lists.
+            includes = [item for sublist in opt.subnets+opt.subnets_file
+                        for item in sublist]
+            excludes = [item for sublist in opt.exclude for item in sublist]
+
            if not includes and not opt.auto_nets:
                parser.error('at least one subnet, subnet file, '
                             'or -N expected')
@ -77,6 +74,13 @@ def main():
                ipport_v4 = "auto"
                # parse_ipport6('[::1]:0')
                ipport_v6 = "auto" if not opt.disable_ipv6 else None
+            try:
+                int(opt.tmark, 16)
+            except ValueError:
+                parser.error("--tmark must be a hexadecimal value")
+            opt.tmark = opt.tmark.lower()   # make 'x' in 0x lowercase
+            if not opt.tmark.startswith("0x"):  # accept without 0x prefix
+                opt.tmark = "0x%s" % opt.tmark
            if opt.syslog:
                ssyslog.start_syslog()
                ssyslog.close_stdin()
@ -87,6 +91,7 @@ def main():
                                      remotename,
                                      opt.python,
                                      opt.latency_control,
+                                      opt.latency_buffer_size,
                                      opt.dns,
                                      nslist,
                                      opt.method,
@ -99,7 +104,8 @@ def main():
                                      opt.to_ns,
                                      opt.pidfile,
                                      opt.user,
-                                      opt.sudo_pythonpath)
+                                      opt.sudo_pythonpath,
+                                      opt.tmark)

            if return_code == 0:
                log('Normal exit code, exiting...')
@ -108,9 +114,9 @@ def main():
            return return_code

    except Fatal as e:
-        log('fatal: %s\n' % e)
+        log('fatal: %s' % e)
        return 99
    except KeyboardInterrupt:
        log('\n')
-        log('Keyboard interrupt: exiting.\n')
+        log('Keyboard interrupt: exiting.')
        return 1
--- a/sshuttle/firewall.py
+++ b/sshuttle/firewall.py
@ -1,16 +1,20 @@
 import errno
+import shutil
 import socket
 import signal
 import sys
 import os
 import platform
 import traceback
+import subprocess as ssubprocess

 import sshuttle.ssyslog as ssyslog
-from sshuttle.helpers import debug1, debug2, Fatal
+import sshuttle.helpers as helpers
+from sshuttle.helpers import log, debug1, debug2, Fatal
 from sshuttle.methods import get_auto_method, get_method

 HOSTSFILE = '/etc/hosts'
+sshuttle_pid = None


 def rewrite_etc_hosts(hostmap, port):
@ -27,7 +31,11 @@ def rewrite_etc_hosts(hostmap, port):
        else:
            raise
    if old_content.strip() and not os.path.exists(BAKFILE):
-        os.link(HOSTSFILE, BAKFILE)
+        try:
+            os.link(HOSTSFILE, BAKFILE)
+        except OSError:
+            # file is locked - performing non-atomic copy
+            shutil.copyfile(HOSTSFILE, BAKFILE)
    tmpname = "%s.%d.tmp" % (HOSTSFILE, port)
    f = open(tmpname, 'w')
    for line in old_content.rstrip().split('\n'):
@ -43,29 +51,64 @@ def rewrite_etc_hosts(hostmap, port):
        os.chmod(tmpname, st.st_mode)
    else:
        os.chown(tmpname, 0, 0)
-        os.chmod(tmpname, 0o600)
-    os.rename(tmpname, HOSTSFILE)
+        os.chmod(tmpname, 0o644)
+    try:
+        os.rename(tmpname, HOSTSFILE)
+    except OSError:
+        # file is locked - performing non-atomic copy
+        log('Warning: Using a non-atomic way to overwrite %s that can corrupt the file if '
+            'multiple processes write to it simultaneously.' % HOSTSFILE)
+        shutil.move(tmpname, HOSTSFILE)


-def restore_etc_hosts(port):
-    rewrite_etc_hosts({}, port)
+def restore_etc_hosts(hostmap, port):
+    # Only restore if we added hosts to /etc/hosts previously.
+    if len(hostmap) > 0:
+        debug2('undoing /etc/hosts changes.')
+        rewrite_etc_hosts({}, port)
+
+
+def firewall_exit(signum, frame):
+    # The typical sshuttle exit is that the main sshuttle process
+    # exits, closes file descriptors it uses, and the firewall process
+    # notices that it can't read from stdin anymore and exits
+    # (cleaning up firewall rules).
+    #
+    # However, in some cases, Ctrl+C might get sent to the firewall
+    # process. This might caused if someone manually tries to kill the
+    # firewall process, or if sshuttle was started using sudo's use_pty option
+    # and they try to exit by pressing Ctrl+C. Here, we forward the
+    # Ctrl+C/SIGINT to the main sshuttle process which should trigger
+    # the typical exit process as described above.
+    global sshuttle_pid
+    if sshuttle_pid:
+        debug1("Relaying SIGINT to sshuttle process %d\n" % sshuttle_pid)
+        os.kill(sshuttle_pid, signal.SIGINT)


 # Isolate function that needs to be replaced for tests
 def setup_daemon():
    if os.getuid() != 0:
-        raise Fatal('you must be root (or enable su/sudo) to set the firewall')
+        raise Fatal('You must be root (or enable su/sudo) to set the firewall')

    # don't disappear if our controlling terminal or stdout/stderr
    # disappears; we still have to clean up.
    signal.signal(signal.SIGHUP, signal.SIG_IGN)
    signal.signal(signal.SIGPIPE, signal.SIG_IGN)
-    signal.signal(signal.SIGTERM, signal.SIG_IGN)
-    signal.signal(signal.SIGINT, signal.SIG_IGN)
+    signal.signal(signal.SIGTERM, firewall_exit)
+    signal.signal(signal.SIGINT, firewall_exit)

-    # ctrl-c shouldn't be passed along to me.  When the main sshuttle dies,
-    # I'll die automatically.
-    os.setsid()
+    # Calling setsid() here isn't strictly necessary. However, it forces
+    # Ctrl+C to get sent to the main sshuttle process instead of to
+    # the firewall process---which is our preferred way to shutdown.
+    # Nonetheless, if the firewall process receives a SIGTERM/SIGINT
+    # signal, it will relay a SIGINT to the main sshuttle process
+    # automatically.
+    try:
+        os.setsid()
+    except OSError:
+        # setsid() fails if sudo is configured with the use_pty option.
+        pass

    # because of limitations of the 'su' command, the *real* stdin/stdout
    # are both attached to stdout initially.  Clone stdout into stdin so we
@ -85,19 +128,50 @@ def subnet_weight(s):
    return (-s[-1] + (s[-2] or -65535), s[1], s[2])


+def flush_systemd_dns_cache():
+    # If the user is using systemd-resolve for DNS resolution, it is
+    # possible for the request to go through systemd-resolve before we
+    # see it...and it may use a cached result instead of sending a
+    # request that we can intercept. When sshuttle starts and stops,
+    # this means that we should clear the cache!
+    #
+    # The command to do this was named systemd-resolve, but changed to
+    # resolvectl in systemd 239.
+    # https://github.com/systemd/systemd/blob/f8eb41003df1a4eab59ff9bec67b2787c9368dbd/NEWS#L3816
+
+    p = None
+    if helpers.which("resolvectl"):
+        debug2("Flushing systemd's DNS resolver cache: "
+               "resolvectl flush-caches")
+        p = ssubprocess.Popen(["resolvectl", "flush-caches"],
+                              stdout=ssubprocess.PIPE, env=helpers.get_env())
+    elif helpers.which("systemd-resolve"):
+        debug2("Flushing systemd's DNS resolver cache: "
+               "systemd-resolve --flush-caches")
+        p = ssubprocess.Popen(["systemd-resolve", "--flush-caches"],
+                              stdout=ssubprocess.PIPE, env=helpers.get_env())
+
+    if p:
+        # Wait so flush is finished and process doesn't show up as defunct.
+        rv = p.wait()
+        if rv != 0:
+            log("Received non-zero return code %d when flushing DNS resolver "
+                "cache." % rv)
+
+
 # This is some voodoo for setting up the kernel's transparent
 # proxying stuff.  If subnets is empty, we just delete our sshuttle rules;
 # otherwise we delete it, then make them from scratch.
 #
 # This code is supposed to clean up after itself by deleting its rules on
 # exit.  In case that fails, it's not the end of the world; future runs will
-# supercede it in the transproxy list, at least, so the leftover rules
+# supersede it in the transproxy list, at least, so the leftover rules
 # are hopefully harmless.
 def main(method_name, syslog):
+    helpers.logprefix = 'fw: '
    stdin, stdout = setup_daemon()
    hostmap = {}
-
-    debug1('firewall manager: Starting firewall with Python version %s\n'
+    debug1('Starting firewall with Python version %s'
           % platform.python_version())

    if method_name == "auto":
@ -109,7 +183,12 @@ def main(method_name, syslog):
        ssyslog.start_syslog()
        ssyslog.stderr_to_syslog()

-    debug1('firewall manager: ready method name %s.\n' % method.name)
+    if not method.is_supported():
+        raise Fatal("The %s method is not supported on this machine. "
+                    "Check that the appropriate programs are in your "
+                    "PATH." % method_name)
+
+    debug1('ready method name %s.' % method.name)
    stdout.write('READY %s\n' % method.name)
    stdout.flush()

@ -122,18 +201,18 @@ def main(method_name, syslog):

    subnets = []
    if line != 'ROUTES\n':
-        raise Fatal('firewall: expected ROUTES but got %r' % line)
+        raise Fatal('expected ROUTES but got %r' % line)
    while 1:
        line = stdin.readline(128)
        if not line:
-            raise Fatal('firewall: expected route but got %r' % line)
+            raise Fatal('expected route but got %r' % line)
        elif line.startswith("NSLIST\n"):
            break
        try:
            (family, width, exclude, ip, fport, lport) = \
-                    line.strip().split(',', 5)
-        except BaseException:
-            raise Fatal('firewall: expected route or NSLIST but got %r' % line)
+                line.strip().split(',', 5)
+        except Exception:
+            raise Fatal('expected route or NSLIST but got %r' % line)
        subnets.append((
            int(family),
            int(width),
@ -141,60 +220,63 @@ def main(method_name, syslog):
            ip,
            int(fport),
            int(lport)))
-    debug2('firewall manager: Got subnets: %r\n' % subnets)
+    debug2('Got subnets: %r' % subnets)

    nslist = []
    if line != 'NSLIST\n':
-        raise Fatal('firewall: expected NSLIST but got %r' % line)
+        raise Fatal('expected NSLIST but got %r' % line)
    while 1:
        line = stdin.readline(128)
        if not line:
-            raise Fatal('firewall: expected nslist but got %r' % line)
+            raise Fatal('expected nslist but got %r' % line)
        elif line.startswith("PORTS "):
            break
        try:
            (family, ip) = line.strip().split(',', 1)
-        except BaseException:
-            raise Fatal('firewall: expected nslist or PORTS but got %r' % line)
+        except Exception:
+            raise Fatal('expected nslist or PORTS but got %r' % line)
        nslist.append((int(family), ip))
-        debug2('firewall manager: Got partial nslist: %r\n' % nslist)
-    debug2('firewall manager: Got nslist: %r\n' % nslist)
+        debug2('Got partial nslist: %r' % nslist)
+    debug2('Got nslist: %r' % nslist)

    if not line.startswith('PORTS '):
-        raise Fatal('firewall: expected PORTS but got %r' % line)
+        raise Fatal('expected PORTS but got %r' % line)
    _, _, ports = line.partition(" ")
    ports = ports.split(",")
    if len(ports) != 4:
-        raise Fatal('firewall: expected 4 ports but got %d' % len(ports))
+        raise Fatal('expected 4 ports but got %d' % len(ports))
    port_v6 = int(ports[0])
    port_v4 = int(ports[1])
    dnsport_v6 = int(ports[2])
    dnsport_v4 = int(ports[3])

-    assert(port_v6 >= 0)
-    assert(port_v6 <= 65535)
-    assert(port_v4 >= 0)
-    assert(port_v4 <= 65535)
-    assert(dnsport_v6 >= 0)
-    assert(dnsport_v6 <= 65535)
-    assert(dnsport_v4 >= 0)
-    assert(dnsport_v4 <= 65535)
+    assert port_v6 >= 0
+    assert port_v6 <= 65535
+    assert port_v4 >= 0
+    assert port_v4 <= 65535
+    assert dnsport_v6 >= 0
+    assert dnsport_v6 <= 65535
+    assert dnsport_v4 >= 0
+    assert dnsport_v4 <= 65535

-    debug2('firewall manager: Got ports: %d,%d,%d,%d\n'
+    debug2('Got ports: %d,%d,%d,%d'
           % (port_v6, port_v4, dnsport_v6, dnsport_v4))

    line = stdin.readline(128)
    if not line:
-        raise Fatal('firewall: expected GO but got %r' % line)
+        raise Fatal('expected GO but got %r' % line)
    elif not line.startswith("GO "):
-        raise Fatal('firewall: expected GO but got %r' % line)
+        raise Fatal('expected GO but got %r' % line)

    _, _, args = line.partition(" ")
-    udp, user = args.strip().split(" ", 1)
+    global sshuttle_pid
+    udp, user, tmark, sshuttle_pid = args.strip().split(" ", 3)
    udp = bool(int(udp))
+    sshuttle_pid = int(sshuttle_pid)
    if user == '-':
        user = None
-    debug2('firewall manager: Got udp: %r, user: %r\n' % (udp, user))
+    debug2('Got udp: %r, user: %r, tmark: %s, sshuttle_pid: %d' %
+           (udp, user, tmark, sshuttle_pid))

    subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
    nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
@ -202,22 +284,23 @@ def main(method_name, syslog):
    nslist_v4 = [i for i in nslist if i[0] == socket.AF_INET]

    try:
-        debug1('firewall manager: setting up.\n')
+        debug1('setting up.')

        if subnets_v6 or nslist_v6:
-            debug2('firewall manager: setting up IPv6.\n')
+            debug2('setting up IPv6.')
            method.setup_firewall(
                port_v6, dnsport_v6, nslist_v6,
                socket.AF_INET6, subnets_v6, udp,
-                user)
+                user, tmark)

        if subnets_v4 or nslist_v4:
-            debug2('firewall manager: setting up IPv4.\n')
+            debug2('setting up IPv4.')
            method.setup_firewall(
                port_v4, dnsport_v4, nslist_v4,
                socket.AF_INET, subnets_v4, udp,
-                user)
+                user, tmark)

+        flush_systemd_dns_cache()
        stdout.write('STARTED\n')

        try:
@ -235,53 +318,56 @@ def main(method_name, syslog):
            if line.startswith('HOST '):
                (name, ip) = line[5:].strip().split(',', 1)
                hostmap[name] = ip
-                debug2('firewall manager: setting up /etc/hosts.\n')
+                debug2('setting up /etc/hosts.')
                rewrite_etc_hosts(hostmap, port_v6 or port_v4)
            elif line:
                if not method.firewall_command(line):
-                    raise Fatal('firewall: expected command, got %r' % line)
+                    raise Fatal('expected command, got %r' % line)
            else:
                break
    finally:
        try:
-            debug1('firewall manager: undoing changes.\n')
-        except BaseException:
+            debug1('undoing changes.')
+        except Exception:
            debug2('An error occurred, ignoring it.')

        try:
            if subnets_v6 or nslist_v6:
-                debug2('firewall manager: undoing IPv6 changes.\n')
+                debug2('undoing IPv6 changes.')
                method.restore_firewall(port_v6, socket.AF_INET6, udp, user)
-        except BaseException:
+        except Exception:
            try:
-                debug1("firewall manager: "
-                       "Error trying to undo IPv6 firewall.\n")
-                for line in traceback.format_exc().splitlines():
-                    debug1("---> %s\n" % line)
-            except BaseException:
+                debug1("Error trying to undo IPv6 firewall.")
+                debug1(traceback.format_exc())
+            except Exception:
                debug2('An error occurred, ignoring it.')

        try:
            if subnets_v4 or nslist_v4:
-                debug2('firewall manager: undoing IPv4 changes.\n')
+                debug2('undoing IPv4 changes.')
                method.restore_firewall(port_v4, socket.AF_INET, udp, user)
-        except BaseException:
+        except Exception:
            try:
-                debug1("firewall manager: "
-                       "Error trying to undo IPv4 firewall.\n")
-                for line in traceback.format_exc().splitlines():
-                    debug1("firewall manager: ---> %s\n" % line)
-            except BaseException:
+                debug1("Error trying to undo IPv4 firewall.")
+                debug1(traceback.format_exc())
+            except Exception:
                debug2('An error occurred, ignoring it.')

        try:
-            debug2('firewall manager: undoing /etc/hosts changes.\n')
-            restore_etc_hosts(port_v6 or port_v4)
-        except BaseException:
+            # debug2() message printed in restore_etc_hosts() function.
+            restore_etc_hosts(hostmap, port_v6 or port_v4)
+        except Exception:
            try:
-                debug1("firewall manager: "
-                       "Error trying to undo /etc/hosts changes.\n")
-                for line in traceback.format_exc().splitlines():
-                    debug1("firewall manager: ---> %s\n" % line)
-            except BaseException:
+                debug1("Error trying to undo /etc/hosts changes.")
+                debug1(traceback.format_exc())
+            except Exception:
                debug2('An error occurred, ignoring it.')
+
+        try:
+            flush_systemd_dns_cache()
+        except Exception:
+            try:
+                debug1("Error trying to flush systemd dns cache.")
+                debug1(traceback.format_exc())
+            except Exception:
+                debug2("An error occurred, ignoring it.")
--- a/sshuttle/helpers.py
+++ b/sshuttle/helpers.py
@ -1,6 +1,7 @@
 import sys
 import socket
 import errno
+import os

 logprefix = ''
 verbose = 0
@ -14,14 +15,22 @@ def log(s):
    global logprefix
    try:
        sys.stdout.flush()
-        if s.find("\n") != -1:
-            prefix = logprefix
-            s = s.rstrip("\n")
-            for line in s.split("\n"):
-                sys.stderr.write(prefix + line + "\n")
-                prefix = "---> "
-        else:
-            sys.stderr.write(logprefix + s)
+        # Put newline at end of string if line doesn't have one.
+        if not s.endswith("\n"):
+            s = s+"\n"
+
+        prefix = logprefix
+        s = s.rstrip("\n")
+        for line in s.split("\n"):
+            # We output with \r\n instead of \n because when we use
+            # sudo with the use_pty option, the firewall process, the
+            # other processes printing to the terminal will have the
+            # \n move to the next line, but they will fail to reset
+            # cursor to the beginning of the line. Printing output
+            # with \r\n endings fixes that problem and does not appear
+            # to cause problems elsewhere.
+            sys.stderr.write(prefix + line + "\r\n")
+            prefix = "    "
        sys.stderr.flush()
    except IOError:
        # this could happen if stderr gets forcibly disconnected, eg. because
@ -48,17 +57,64 @@ class Fatal(Exception):
    pass


-def resolvconf_nameservers():
-    lines = []
-    for line in open('/etc/resolv.conf'):
-        words = line.lower().split()
-        if len(words) >= 2 and words[0] == 'nameserver':
-            lines.append(family_ip_tuple(words[1]))
-    return lines
+def resolvconf_nameservers(systemd_resolved):
+    """Retrieves a list of tuples (address type, address as a string) of
+    the DNS servers used by the system to resolve hostnames.
+
+    If parameter is False, DNS servers are retrieved from only
+    /etc/resolv.conf. This behavior makes sense for the sshuttle
+    server.
+
+    If parameter is True, we retrieve information from both
+    /etc/resolv.conf and /run/systemd/resolve/resolv.conf (if it
+    exists). This behavior makes sense for the sshuttle client.
+
+    """
+
+    # Historically, we just needed to read /etc/resolv.conf.
+    #
+    # If systemd-resolved is active, /etc/resolv.conf will point to
+    # localhost and the actual DNS servers that systemd-resolved uses
+    # are stored in /run/systemd/resolve/resolv.conf. For programs
+    # that use the localhost DNS server, having sshuttle read
+    # /etc/resolv.conf is sufficient. However, resolved provides other
+    # ways of resolving hostnames (such as via dbus) that may not
+    # route requests through localhost. So, we retrieve a list of DNS
+    # servers that resolved uses so we can intercept those as well.
+    #
+    # For more information about systemd-resolved, see:
+    # https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
+    #
+    # On machines without systemd-resolved, we expect opening the
+    # second file will fail.
+    files = ['/etc/resolv.conf']
+    if systemd_resolved:
+        files += ['/run/systemd/resolve/resolv.conf']
+
+    nsservers = []
+    for f in files:
+        this_file_nsservers = []
+        try:
+            for line in open(f):
+                words = line.lower().split()
+                if len(words) >= 2 and words[0] == 'nameserver':
+                    this_file_nsservers.append(family_ip_tuple(words[1]))
+            debug2("Found DNS servers in %s: %s" %
+                   (f, [n[1] for n in this_file_nsservers]))
+            nsservers += this_file_nsservers
+        except OSError as e:
+            debug3("Failed to read %s when looking for DNS servers: %s" %
+                   (f, e.strerror))
+
+    return nsservers


-def resolvconf_random_nameserver():
-    lines = resolvconf_nameservers()
+def resolvconf_random_nameserver(systemd_resolved):
+    """Return a random nameserver selected from servers produced by
+    resolvconf_nameservers(). See documentation for
+    resolvconf_nameservers() for a description of the parameter.
+    """
+    lines = resolvconf_nameservers(systemd_resolved)
    if lines:
        if len(lines) > 1:
            # don't import this unless we really need it
@ -99,3 +155,75 @@ def family_to_string(family):
        return "AF_INET"
    else:
        return str(family)
+
+
+def get_env():
+    """An environment for sshuttle subprocesses. See get_path()."""
+    env = {
+        'PATH': get_path(),
+        'LC_ALL': "C",
+    }
+    return env
+
+
+def get_path():
+    """Returns a string of paths separated by os.pathsep.
+
+    Users might not have all of the programs sshuttle needs in their
+    PATH variable (i.e., some programs might be in /sbin). Use PATH
+    and a hardcoded set of paths to search through. This function is
+    used by our which() and get_env() functions. If which() and the
+    subprocess environments differ, programs that which() finds might
+    not be found at run time (or vice versa).
+    """
+    path = []
+    if "PATH" in os.environ:
+        path += os.environ["PATH"].split(os.pathsep)
+    # Python default paths.
+    path += os.defpath.split(os.pathsep)
+    # /sbin, etc are not in os.defpath and may not be in PATH either.
+    # /bin/ and /usr/bin below are probably redundant.
+    path += ['/bin', '/usr/bin', '/sbin', '/usr/sbin']
+
+    # Remove duplicates. Not strictly necessary.
+    path_dedup = []
+    for i in path:
+        if i not in path_dedup:
+            path_dedup.append(i)
+
+    return os.pathsep.join(path_dedup)
+
+
+if sys.version_info >= (3, 3):
+    from shutil import which as _which
+else:
+    # Although sshuttle does not officially support older versions of
+    # Python, some still run the sshuttle server on remote machines
+    # with old versions of python.
+    def _which(file, mode=os.F_OK | os.X_OK, path=None):
+        if path is not None:
+            search_paths = path.split(os.pathsep)
+        elif "PATH" in os.environ:
+            search_paths = os.environ["PATH"].split(os.pathsep)
+        else:
+            search_paths = os.defpath.split(os.pathsep)
+
+        for p in search_paths:
+            filepath = os.path.join(p, file)
+            if os.path.exists(filepath) and os.access(filepath, mode):
+                return filepath
+        return None
+
+
+def which(file, mode=os.F_OK | os.X_OK):
+    """A wrapper around shutil.which() that searches a predictable set of
+    paths and is more verbose about what is happening. See get_path()
+    for more information.
+    """
+    path = get_path()
+    rv = _which(file, mode, path)
+    if rv:
+        debug2("which() found '%s' at %s" % (file, rv))
+    else:
+        debug2("which() could not find '%s' in %s" % (file, path))
+    return rv
--- a/sshuttle/hostwatch.py
+++ b/sshuttle/hostwatch.py
@ -9,22 +9,22 @@ import platform

 import subprocess as ssubprocess
 import sshuttle.helpers as helpers
-from sshuttle.helpers import log, debug1, debug2, debug3
+from sshuttle.helpers import log, debug1, debug2, debug3, get_env

 POLL_TIME = 60 * 15
 NETSTAT_POLL_TIME = 30
 CACHEFILE = os.path.expanduser('~/.sshuttle.hosts')

+# Have we already failed to write CACHEFILE?
+CACHE_WRITE_FAILED = False

-_nmb_ok = True
-_smb_ok = True
 hostnames = {}
 queue = {}
 try:
    null = open(os.devnull, 'wb')
 except IOError:
    _, e = sys.exc_info()[:2]
-    log('warning: %s\n' % e)
+    log('warning: %s' % e)
    null = os.popen("sh -c 'while read x; do :; done'", 'wb', 4096)


@ -33,7 +33,10 @@ def _is_ip(s):


 def write_host_cache():
+    """If possible, write our hosts file to disk so future connections
+       can reuse the hosts that we already found."""
    tmpname = '%s.%d.tmp' % (CACHEFILE, os.getpid())
+    global CACHE_WRITE_FAILED
    try:
        f = open(tmpname, 'wb')
        for name, ip in sorted(hostnames.items()):
@ -41,33 +44,50 @@ def write_host_cache():
        f.close()
        os.chmod(tmpname, 384)  # 600 in octal, 'rw-------'
        os.rename(tmpname, CACHEFILE)
-    finally:
+        CACHE_WRITE_FAILED = False
+    except (OSError, IOError):
+        # Write message if we haven't yet or if we get a failure after
+        # a previous success.
+        if not CACHE_WRITE_FAILED:
+            log("Failed to write host cache to temporary file "
+                "%s and rename it to %s" % (tmpname, CACHEFILE))
+            CACHE_WRITE_FAILED = True
+
        try:
            os.unlink(tmpname)
-        except BaseException:
+        except Exception:
            pass


 def read_host_cache():
+    """If possible, read the cache file from disk to populate hosts that
+       were found in a previous sshuttle run."""
    try:
        f = open(CACHEFILE)
-    except IOError:
+    except (OSError, IOError):
        _, e = sys.exc_info()[:2]
        if e.errno == errno.ENOENT:
            return
        else:
-            raise
+            log("Failed to read existing host cache file %s on remote host"
+                % CACHEFILE)
+            return
    for line in f:
        words = line.strip().split(',')
        if len(words) == 2:
            (name, ip) = words
            name = re.sub(r'[^-\w\.]', '-', name).strip()
+            # Remove characters that shouldn't be in IP
            ip = re.sub(r'[^0-9.]', '', ip).strip()
            if name and ip:
                found_host(name, ip)


 def found_host(name, ip):
+    """The provided name maps to the given IP. Add the host to the
+       hostnames list, send the host to the sshuttle client via
+       stdout, and write the host to the cache file.
+    """
    hostname = re.sub(r'\..*', '', name)
    hostname = re.sub(r'[^-\w\.]', '_', hostname)
    if (ip.startswith('127.') or ip.startswith('255.') or
@ -80,43 +100,51 @@ def found_host(name, ip):
    oldip = hostnames.get(name)
    if oldip != ip:
        hostnames[name] = ip
-        debug1('Found: %s: %s\n' % (name, ip))
+        debug1('Found: %s: %s' % (name, ip))
        sys.stdout.write('%s,%s\n' % (name, ip))
        write_host_cache()


 def _check_etc_hosts():
-    debug2(' > hosts\n')
-    for line in open('/etc/hosts'):
-        line = re.sub(r'#.*', '', line)
-        words = line.strip().split()
-        if not words:
-            continue
-        ip = words[0]
-        names = words[1:]
-        if _is_ip(ip):
-            debug3('<    %s %r\n' % (ip, names))
-            for n in names:
-                check_host(n)
-                found_host(n, ip)
+    """If possible, read /etc/hosts to find hosts."""
+    filename = '/etc/hosts'
+    debug2(' > Reading %s on remote host' % filename)
+    try:
+        for line in open(filename):
+            line = re.sub(r'#.*', '', line)  # remove comments
+            words = line.strip().split()
+            if not words:
+                continue
+            ip = words[0]
+            if _is_ip(ip):
+                names = words[1:]
+                debug3('<    %s %r' % (ip, names))
+                for n in names:
+                    check_host(n)
+                    found_host(n, ip)
+    except (OSError, IOError):
+        debug1("Failed to read %s on remote host" % filename)


 def _check_revdns(ip):
-    debug2(' > rev: %s\n' % ip)
+    """Use reverse DNS to try to get hostnames from an IP addresses."""
+    debug2(' > rev: %s' % ip)
    try:
        r = socket.gethostbyaddr(ip)
-        debug3('<    %s\n' % r[0])
+        debug3('<    %s' % r[0])
        check_host(r[0])
        found_host(r[0], ip)
-    except (socket.herror, UnicodeError):
+    except (OSError, socket.error, UnicodeError):
+        # This case is expected to occur regularly.
+        # debug3('<    %s gethostbyaddr failed on remote host' % ip)
        pass


 def _check_dns(hostname):
-    debug2(' > dns: %s\n' % hostname)
+    debug2(' > dns: %s' % hostname)
    try:
        ip = socket.gethostbyname(hostname)
-        debug3('<    %s\n' % ip)
+        debug3('<    %s' % ip)
        check_host(ip)
        found_host(hostname, ip)
    except (socket.gaierror, UnicodeError):
@ -124,139 +152,35 @@ def _check_dns(hostname):


 def _check_netstat():
-    debug2(' > netstat\n')
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
+    debug2(' > netstat')
    argv = ['netstat', '-n']
    try:
        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
-                              env=env)
+                              env=get_env())
        content = p.stdout.read().decode("ASCII")
        p.wait()
    except OSError:
        _, e = sys.exc_info()[:2]
-        log('%r failed: %r\n' % (argv, e))
+        log('%r failed: %r' % (argv, e))
        return

+    # The same IPs may appear multiple times. Consolidate them so the
+    # debug message doesn't print the same IP repeatedly.
+    ip_list = []
    for ip in re.findall(r'\d+\.\d+\.\d+\.\d+', content):
-        debug3('<    %s\n' % ip)
+        if ip not in ip_list:
+            ip_list.append(ip)
+
+    for ip in sorted(ip_list):
+        debug3('<    %s' % ip)
        check_host(ip)


-def _check_smb(hostname):
-    return
-    global _smb_ok
-    if not _smb_ok:
-        return
-    debug2(' > smb: %s\n' % hostname)
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    argv = ['smbclient', '-U', '%', '-L', hostname]
-    try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
-                              env=env)
-        lines = p.stdout.readlines()
-        p.wait()
-    except OSError:
-        _, e = sys.exc_info()[:2]
-        log('%r failed: %r\n' % (argv, e))
-        _smb_ok = False
-        return
-
-    lines.reverse()
-
-    # junk at top
-    while lines:
-        line = lines.pop().strip()
-        if re.match(r'Server\s+', line):
-            break
-
-    # server list section:
-    #    Server   Comment
-    #    ------   -------
-    while lines:
-        line = lines.pop().strip()
-        if not line or re.match(r'-+\s+-+', line):
-            continue
-        if re.match(r'Workgroup\s+Master', line):
-            break
-        words = line.split()
-        hostname = words[0].lower()
-        debug3('<    %s\n' % hostname)
-        check_host(hostname)
-
-    # workgroup list section:
-    #   Workgroup  Master
-    #   ---------  ------
-    while lines:
-        line = lines.pop().strip()
-        if re.match(r'-+\s+', line):
-            continue
-        if not line:
-            break
-        words = line.split()
-        (workgroup, hostname) = (words[0].lower(), words[1].lower())
-        debug3('<    group(%s) -> %s\n' % (workgroup, hostname))
-        check_host(hostname)
-        check_workgroup(workgroup)
-
-    if lines:
-        assert(0)
-
-
-def _check_nmb(hostname, is_workgroup, is_master):
-    return
-    global _nmb_ok
-    if not _nmb_ok:
-        return
-    debug2(' > n%d%d: %s\n' % (is_workgroup, is_master, hostname))
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    argv = ['nmblookup'] + ['-M'] * is_master + ['--', hostname]
-    try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
-                              env=env)
-        lines = p.stdout.readlines()
-        rv = p.wait()
-    except OSError:
-        _, e = sys.exc_info()[:2]
-        log('%r failed: %r\n' % (argv, e))
-        _nmb_ok = False
-        return
-    if rv:
-        log('%r returned %d\n' % (argv, rv))
-        return
-    for line in lines:
-        m = re.match(r'(\d+\.\d+\.\d+\.\d+) (\w+)<\w\w>\n', line)
-        if m:
-            g = m.groups()
-            (ip, name) = (g[0], g[1].lower())
-            debug3('<    %s -> %s\n' % (name, ip))
-            if is_workgroup:
-                _enqueue(_check_smb, ip)
-            else:
-                found_host(name, ip)
-                check_host(name)
-
-
 def check_host(hostname):
    if _is_ip(hostname):
        _enqueue(_check_revdns, hostname)
    else:
        _enqueue(_check_dns, hostname)
-    _enqueue(_check_smb, hostname)
-    _enqueue(_check_nmb, hostname, False, False)
-
-
-def check_workgroup(hostname):
-    _enqueue(_check_nmb, hostname, True, False)
-    _enqueue(_check_nmb, hostname, True, True)


 def _enqueue(op, *args):
@ -275,12 +199,9 @@ def _stdin_still_ok(timeout):


 def hw_main(seed_hosts, auto_hosts):
-    if helpers.verbose >= 2:
-        helpers.logprefix = 'HH: '
-    else:
-        helpers.logprefix = 'hostwatch: '
+    helpers.logprefix = 'HH: '

-    debug1('Starting hostwatch with Python version %s\n'
+    debug1('Starting hostwatch with Python version %s'
           % platform.python_version())

    for h in seed_hosts:
@ -292,18 +213,22 @@ def hw_main(seed_hosts, auto_hosts):
        _enqueue(_check_netstat)
        check_host('localhost')
        check_host(socket.gethostname())
-        check_workgroup('workgroup')
-        check_workgroup('-')

    while 1:
        now = time.time()
+        # For each item in the queue
        for t, last_polled in list(queue.items()):
            (op, args) = t
            if not _stdin_still_ok(0):
                break
+
+            # Determine if we need to run.
            maxtime = POLL_TIME
+            # netstat runs more often than other jobs
            if op == _check_netstat:
                maxtime = NETSTAT_POLL_TIME
+
+            # Check if this jobs needs to run.
            if now - last_polled > maxtime:
                queue[t] = time.time()
                op(*args)
@ -313,5 +238,5 @@ def hw_main(seed_hosts, auto_hosts):
                break

        # FIXME: use a smarter timeout based on oldest last_polled
-        if not _stdin_still_ok(1):
+        if not _stdin_still_ok(1):  # sleeps for up to 1 second
            break
--- a/sshuttle/linux.py
+++ b/sshuttle/linux.py
@ -1,14 +1,13 @@
-import os
 import socket
 import subprocess as ssubprocess
-from sshuttle.helpers import log, debug1, Fatal, family_to_string
+from sshuttle.helpers import log, debug1, Fatal, family_to_string, get_env


 def nonfatal(func, *args):
    try:
        func(*args)
    except Fatal as e:
-        log('error: %s\n' % e)
+        log('error: %s' % e)


 def ipt_chain_exists(family, table, name):
@ -18,13 +17,9 @@ def ipt_chain_exists(family, table, name):
        cmd = 'iptables'
    else:
        raise Exception('Unsupported family "%s"' % family_to_string(family))
-    argv = [cmd, '-t', table, '-nL']
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
+    argv = [cmd, '-w', '-t', table, '-nL']
    try:
-        output = ssubprocess.check_output(argv, env=env)
+        output = ssubprocess.check_output(argv, env=get_env())
        for line in output.decode('ASCII').split('\n'):
            if line.startswith('Chain %s ' % name):
                return True
@ -34,17 +29,13 @@ def ipt_chain_exists(family, table, name):

 def ipt(family, table, *args):
    if family == socket.AF_INET6:
-        argv = ['ip6tables', '-t', table] + list(args)
+        argv = ['ip6tables', '-w', '-t', table] + list(args)
    elif family == socket.AF_INET:
-        argv = ['iptables', '-t', table] + list(args)
+        argv = ['iptables', '-w', '-t', table] + list(args)
    else:
        raise Exception('Unsupported family "%s"' % family_to_string(family))
-    debug1('>> %s\n' % ' '.join(argv))
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    rv = ssubprocess.call(argv, env=env)
+    debug1('%s' % ' '.join(argv))
+    rv = ssubprocess.call(argv, env=get_env())
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))

@ -54,33 +45,7 @@ def nft(family, table, action, *args):
        argv = ['nft', action, 'inet', table] + list(args)
    else:
        raise Exception('Unsupported family "%s"' % family_to_string(family))
-    debug1('>> %s\n' % ' '.join(argv))
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    rv = ssubprocess.call(argv, env=env)
+    debug1('%s' % ' '.join(argv))
+    rv = ssubprocess.call(argv, env=get_env())
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
-
-
-_no_ttl_module = False
-
-
-def ipt_ttl(family, *args):
-    global _no_ttl_module
-    if not _no_ttl_module:
-        # we avoid infinite loops by generating server-side connections
-        # with ttl 63.  This makes the client side not recapture those
-        # connections, in case client == server.
-        try:
-            argsplus = list(args) + ['-m', 'ttl', '!', '--ttl', '63']
-            ipt(family, *argsplus)
-        except Fatal:
-            ipt(family, *args)
-            # we only get here if the non-ttl attempt succeeds
-            log('sshuttle: warning: your iptables is missing '
-                'the ttl module.\n')
-            _no_ttl_module = True
-    else:
-        ipt(family, *args)
--- a/sshuttle/methods/init.py
+++ b/sshuttle/methods/init.py
@ -1,26 +1,33 @@
-import os
 import importlib
 import socket
 import struct
 import errno
+import ipaddress
 from sshuttle.helpers import Fatal, debug3


 def original_dst(sock):
    try:
+        family = sock.family
        SO_ORIGINAL_DST = 80
-        SOCKADDR_MIN = 16
-        sockaddr_in = sock.getsockopt(socket.SOL_IP,
-                                      SO_ORIGINAL_DST, SOCKADDR_MIN)
-        (proto, port, a, b, c, d) = struct.unpack('!HHBBBB', sockaddr_in[:8])
-        # FIXME: decoding is IPv4 only.
-        assert(socket.htons(proto) == socket.AF_INET)
-        ip = '%d.%d.%d.%d' % (a, b, c, d)
-        return (ip, port)
+
+        if family == socket.AF_INET:
+            SOCKADDR_MIN = 16
+            sockaddr_in = sock.getsockopt(socket.SOL_IP,
+                                          SO_ORIGINAL_DST, SOCKADDR_MIN)
+            port, raw_ip = struct.unpack_from('!2xH4s', sockaddr_in[:8])
+            ip = str(ipaddress.IPv4Address(raw_ip))
+        elif family == socket.AF_INET6:
+            sockaddr_in = sock.getsockopt(41, SO_ORIGINAL_DST, 64)
+            port, raw_ip = struct.unpack_from("!2xH4x16s", sockaddr_in)
+            ip = str(ipaddress.IPv6Address(raw_ip))
+        else:
+            raise Fatal("fw: Unknown family type.")
    except socket.error as e:
        if e.args[0] == errno.ENOPROTOOPT:
            return sock.getsockname()
        raise
+    return (ip, port)


 class Features(object):
@ -38,26 +45,33 @@ class BaseMethod(object):
    @staticmethod
    def get_supported_features():
        result = Features()
+        result.ipv4 = True
        result.ipv6 = False
        result.udp = False
        result.dns = True
        result.user = False
        return result

+    @staticmethod
+    def is_supported():
+        """Returns true if it appears that this method will work on this
+        machine."""
+        return False
+
    @staticmethod
    def get_tcp_dstip(sock):
        return original_dst(sock)

    @staticmethod
    def recv_udp(udp_listener, bufsize):
-        debug3('Accept UDP using recvfrom.\n')
+        debug3('Accept UDP using recvfrom.')
        data, srcip = udp_listener.recvfrom(bufsize)
        return (srcip, None, data)

    def send_udp(self, sock, srcip, dstip, data):
        if srcip is not None:
-            Fatal("Method %s send_udp does not support setting srcip to %r"
-                  % (self.name, srcip))
+            raise Fatal("Method %s send_udp does not support setting srcip to %r"
+                        % (self.name, srcip))
        sock.sendto(data, dstip)

    def setup_tcp_listener(self, tcp_listener):
@ -68,14 +82,14 @@ class BaseMethod(object):

    def assert_features(self, features):
        avail = self.get_supported_features()
-        for key in ["udp", "dns", "ipv6", "user"]:
+        for key in ["udp", "dns", "ipv6", "ipv4", "user"]:
            if getattr(features, key) and not getattr(avail, key):
                raise Fatal(
-                    "Feature %s not supported with method %s.\n" %
+                    "Feature %s not supported with method %s." %
                    (key, self.name))

    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
+                       user, tmark):
        raise NotImplementedError()

    def restore_firewall(self, port, family, udp, user):
@ -86,30 +100,21 @@ class BaseMethod(object):
        return False


-def _program_exists(name):
-    paths = (os.getenv('PATH') or os.defpath).split(os.pathsep)
-    for p in paths:
-        fn = '%s/%s' % (p, name)
-        if os.path.exists(fn):
-            return not os.path.isdir(fn) and os.access(fn, os.X_OK)
-
-
 def get_method(method_name):
    module = importlib.import_module("sshuttle.methods.%s" % method_name)
    return module.Method(method_name)


 def get_auto_method():
-    if _program_exists('iptables'):
-        method_name = "nat"
-    elif _program_exists('nft'):
-        method_name = "nft"
-    elif _program_exists('pfctl'):
-        method_name = "pf"
-    elif _program_exists('ipfw'):
-        method_name = "ipfw"
-    else:
-        raise Fatal(
-            "can't find either iptables, nft or pfctl; check your PATH")
+    debug3("Selecting a method automatically...")
+    # Try these methods, in order:
+    methods_to_try = ["nat", "nft", "pf", "ipfw"]
+    for m in methods_to_try:
+        method = get_method(m)
+        if method.is_supported():
+            debug3("Method '%s' was automatically selected." % m)
+            return method

-    return get_method(method_name)
+    raise Fatal("Unable to automatically find a supported method. Check that "
+                "the appropriate programs are in your PATH. We tried "
+                "methods: %s" % str(methods_to_try))
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@ -1,79 +1,43 @@
 import os
 import subprocess as ssubprocess
 from sshuttle.methods import BaseMethod
-from sshuttle.helpers import log, debug1, debug3, \
-    Fatal, family_to_string
+from sshuttle.helpers import log, debug1, debug2, debug3, \
+    Fatal, family_to_string, get_env, which

-recvmsg = None
-try:
-    # try getting recvmsg from python
-    import socket as pythonsocket
-    getattr(pythonsocket.socket, "recvmsg")
-    socket = pythonsocket
-    recvmsg = "python"
-except AttributeError:
-    # try getting recvmsg from socket_ext library
-    try:
-        import socket_ext
-        getattr(socket_ext.socket, "recvmsg")
-        socket = socket_ext
-        recvmsg = "socket_ext"
-    except ImportError:
-        import socket
+import socket

 IP_BINDANY = 24
 IP_RECVDSTADDR = 7
 SOL_IPV6 = 41
 IPV6_RECVDSTADDR = 74

-if recvmsg == "python":
-    def recv_udp(listener, bufsize):
-        debug3('Accept UDP python using recvmsg.\n')
-        data, ancdata, _, srcip = listener.recvmsg(4096,
-                                                   socket.CMSG_SPACE(4))
-        dstip = None
-        for cmsg_level, cmsg_type, cmsg_data in ancdata:
-            if cmsg_level == socket.SOL_IP and cmsg_type == IP_RECVDSTADDR:
-                port = 53
-                ip = socket.inet_ntop(socket.AF_INET, cmsg_data[0:4])
-                dstip = (ip, port)
-                break
-        return (srcip, dstip, data)
-elif recvmsg == "socket_ext":
-    def recv_udp(listener, bufsize):
-        debug3('Accept UDP using socket_ext recvmsg.\n')
-        srcip, data, adata, _ = listener.recvmsg((bufsize,),
-                                                 socket.CMSG_SPACE(4))
-        dstip = None
-        for a in adata:
-            if a.cmsg_level == socket.SOL_IP and a.cmsg_type == IP_RECVDSTADDR:
-                port = 53
-                ip = socket.inet_ntop(socket.AF_INET, a.cmsg_data[0:4])
-                dstip = (ip, port)
-                break
-        return (srcip, dstip, data[0])
-else:
-    def recv_udp(listener, bufsize):
-        debug3('Accept UDP using recvfrom.\n')
-        data, srcip = listener.recvfrom(bufsize)
-        return (srcip, None, data)
+
+def recv_udp(listener, bufsize):
+    debug3('Accept UDP python using recvmsg.')
+    data, ancdata, _, srcip = listener.recvmsg(4096,
+                                               socket.CMSG_SPACE(4))
+    dstip = None
+    for cmsg_level, cmsg_type, cmsg_data in ancdata:
+        if cmsg_level == socket.SOL_IP and cmsg_type == IP_RECVDSTADDR:
+            port = 53
+            ip = socket.inet_ntop(socket.AF_INET, cmsg_data[0:4])
+            dstip = (ip, port)
+            break
+    return (srcip, dstip, data)


 def ipfw_rule_exists(n):
-    argv = ['ipfw', 'list']
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
+    argv = ['ipfw', 'list', '%d' % n]
+    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())

    found = False
    for line in p.stdout:
        if line.startswith(b'%05d ' % n):
-            if not ('ipttl 63' in line or 'check-state' in line):
-                log('non-sshuttle ipfw rule: %r\n' % line.strip())
+            if 'check-state :sshuttle' not in line:
+                log('non-sshuttle ipfw rule: %r' % line.strip())
                raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
            found = True
+            break
    rv = p.wait()
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
@ -85,14 +49,10 @@ _oldctls = {}

 def _fill_oldctls(prefix):
    argv = ['sysctl', prefix]
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
+    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())
    for line in p.stdout:
        line = line.decode()
-        assert(line[-1] == '\n')
+        assert line[-1] == '\n'
        (k, v) = line[:-1].split(': ', 1)
        _oldctls[k] = v.strip()
    rv = p.wait()
@ -104,8 +64,8 @@ def _fill_oldctls(prefix):

 def _sysctl_set(name, val):
    argv = ['sysctl', '-w', '%s=%s' % (name, val)]
-    debug1('>> %s\n' % ' '.join(argv))
-    return ssubprocess.call(argv, stdout=open(os.devnull, 'w'))
+    debug1('>> %s' % ' '.join(argv))
+    return ssubprocess.call(argv, stdout=open(os.devnull, 'w'), env=get_env())
    # No env: No output. (Or error that won't be parsed.)


@ -114,18 +74,18 @@ _changedctls = []

 def sysctl_set(name, val, permanent=False):
    PREFIX = 'net.inet.ip'
-    assert(name.startswith(PREFIX + '.'))
+    assert name.startswith(PREFIX + '.')
    val = str(val)
    if not _oldctls:
        _fill_oldctls(PREFIX)
    if not (name in _oldctls):
-        debug1('>> No such sysctl: %r\n' % name)
+        debug1('>> No such sysctl: %r' % name)
        return False
    oldval = _oldctls[name]
    if val != oldval:
        rv = _sysctl_set(name, val)
        if rv == 0 and permanent:
-            debug1('>>   ...saving permanently in /etc/sysctl.conf\n')
+            debug1('>>   ...saving permanently in /etc/sysctl.conf')
            f = open('/etc/sysctl.conf', 'a')
            f.write('\n'
                    '# Added by sshuttle\n'
@ -138,8 +98,8 @@ def sysctl_set(name, val, permanent=False):

 def ipfw(*args):
    argv = ['ipfw', '-q'] + list(args)
-    debug1('>> %s\n' % ' '.join(argv))
-    rv = ssubprocess.call(argv)
+    debug1('>> %s' % ' '.join(argv))
+    rv = ssubprocess.call(argv, env=get_env())
    # No env: No output. (Or error that won't be parsed.)
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
@ -147,8 +107,8 @@ def ipfw(*args):

 def ipfw_noexit(*args):
    argv = ['ipfw', '-q'] + list(args)
-    debug1('>> %s\n' % ' '.join(argv))
-    ssubprocess.call(argv)
+    debug1('>> %s' % ' '.join(argv))
+    ssubprocess.call(argv, env=get_env())
    # No env: No output. (Or error that won't be parsed.)


@ -169,7 +129,7 @@ class Method(BaseMethod):
        if not dstip:
            debug1(
                   "-- ignored UDP from %r: "
-                   "couldn't determine destination IP address\n" % (srcip,))
+                   "couldn't determine destination IP address" % (srcip,))
            return None
        return srcip, dstip, data

@ -177,15 +137,14 @@ class Method(BaseMethod):
        if not srcip:
            debug1(
               "-- ignored UDP to %r: "
-               "couldn't determine source IP address\n" % (dstip,))
+               "couldn't determine source IP address" % (dstip,))
            return

-        # debug3('Sending SRC: %r DST: %r\n' % (srcip, dstip))
+        # debug3('Sending SRC: %r DST: %r' % (srcip, dstip))
        sender = socket.socket(sock.family, socket.SOCK_DGRAM)
        sender.setsockopt(socket.SOL_IP, IP_BINDANY, 1)
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
-        sender.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
        sender.bind(srcip)
        sender.sendto(data, dstip)
        sender.close()
@ -197,7 +156,7 @@ class Method(BaseMethod):
        #     udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)

    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
+                       user, tmark):
        # IPv6 not supported
        if family not in [socket.AF_INET]:
            raise Exception(
@ -215,8 +174,7 @@ class Method(BaseMethod):
        if subnets or dnsport:
            sysctl_set('net.inet.ip.fw.enable', 1)

-        ipfw('add', '1', 'check-state', 'ip',
-             'from', 'any', 'to', 'any')
+        ipfw('add', '1', 'check-state', ':sshuttle')

        ipfw('add', '1', 'skipto', '2',
             'tcp',
@ -224,7 +182,7 @@ class Method(BaseMethod):
        ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
             'tcp',
             'from', 'any', 'to', 'table(126)',
-             'not', 'ipttl', '63', 'keep-state', 'setup')
+             'setup', 'keep-state', ':sshuttle')

        ipfw_noexit('table', '124', 'flush')
        dnscount = 0
@ -235,29 +193,34 @@ class Method(BaseMethod):
            ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
                 'udp',
                 'from', 'any', 'to', 'table(124)',
-                 'not', 'ipttl', '63')
+                 'keep-state', ':sshuttle')
        ipfw('add', '1', 'allow',
             'udp',
-             'from', 'any', 'to', 'any',
-             'ipttl', '63')
+             'from', 'any', 'to', 'any')

        if subnets:
            # create new subnet entries
-            for _, swidth, sexclude, snet in sorted(subnets,
-                                                    key=lambda s: s[1],
-                                                    reverse=True):
+            for _, swidth, sexclude, snet, fport, lport \
+                    in sorted(subnets, key=lambda s: s[1], reverse=True):
                if sexclude:
                    ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
-            else:
-                ipfw('table', '126', 'add', '%s/%s' % (snet, swidth))
+                else:
+                    ipfw('table', '126', 'add', '%s/%s' % (snet, swidth))

    def restore_firewall(self, port, family, udp, user):
        if family not in [socket.AF_INET]:
            raise Exception(
-                'Address family "%s" unsupported by tproxy method'
+                'Address family "%s" unsupported by ipfw method'
                % family_to_string(family))

        ipfw_noexit('delete', '1')
        ipfw_noexit('table', '124', 'flush')
        ipfw_noexit('table', '125', 'flush')
        ipfw_noexit('table', '126', 'flush')
+
+    def is_supported(self):
+        if which("ipfw"):
+            return True
+        debug2("ipfw method not supported because 'ipfw' command is "
+               "missing.")
+        return False
--- a/sshuttle/methods/nat.py
+++ b/sshuttle/methods/nat.py
@ -1,7 +1,7 @@
 import socket
 from sshuttle.firewall import subnet_weight
-from sshuttle.helpers import family_to_string
-from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists, nonfatal
+from sshuttle.helpers import family_to_string, which, debug2
+from sshuttle.linux import ipt, ipt_chain_exists, nonfatal
 from sshuttle.methods import BaseMethod


@ -13,23 +13,18 @@ class Method(BaseMethod):
    # recently-started one will win (because we use "-I OUTPUT 1" instead of
    # "-A OUTPUT").
    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
-        # only ipv4 supported with NAT
-        if family != socket.AF_INET:
+                       user, tmark):
+        if family != socket.AF_INET and family != socket.AF_INET6:
            raise Exception(
                'Address family "%s" unsupported by nat method_name'
                % family_to_string(family))
        if udp:
            raise Exception("UDP not supported by nat method_name")
-
        table = "nat"

        def _ipt(*args):
            return ipt(family, table, *args)

-        def _ipt_ttl(*args):
-            return ipt_ttl(family, table, *args)
-
        def _ipm(*args):
            return ipt(family, "mangle", *args)

@ -50,17 +45,19 @@ class Method(BaseMethod):
        _ipt('-I', 'OUTPUT', '1', *args)
        _ipt('-I', 'PREROUTING', '1', *args)

-        # Firstly we always skip all LOCAL addtrype address, i.e. avoid
-        # tunnelling the traffic designated to all local TCP/IP addresses.
+        # Redirect DNS traffic as requested. This includes routing traffic
+        # to localhost DNS servers through sshuttle.
+        for _, ip in [i for i in nslist if i[0] == family]:
+            _ipt('-A', chain, '-j', 'REDIRECT',
+                 '--dest', '%s' % ip,
+                 '-p', 'udp',
+                 '--dport', '53',
+                 '--to-ports', str(dnsport))
+
+        # Don't route any remaining local traffic through sshuttle.
        _ipt('-A', chain, '-j', 'RETURN',
             '-m', 'addrtype',
-             '--dst-type', 'LOCAL',
-             '!', '-p', 'udp')
-        # Skip LOCAL traffic if it's not DNS.
-        _ipt('-A', chain, '-j', 'RETURN',
-             '-m', 'addrtype',
-             '--dst-type', 'LOCAL',
-             '-p', 'udp', '!', '--dport', '53')
+             '--dst-type', 'LOCAL')

        # create new subnet entries.
        for _, swidth, sexclude, snet, fport, lport \
@ -74,20 +71,13 @@ class Method(BaseMethod):
                     '--dest', '%s/%s' % (snet, swidth),
                     *tcp_ports)
            else:
-                _ipt_ttl('-A', chain, '-j', 'REDIRECT',
-                         '--dest', '%s/%s' % (snet, swidth),
-                         *(tcp_ports + ('--to-ports', str(port))))
-
-        for _, ip in [i for i in nslist if i[0] == family]:
-            _ipt_ttl('-A', chain, '-j', 'REDIRECT',
-                     '--dest', '%s/32' % ip,
-                     '-p', 'udp',
-                     '--dport', '53',
-                     '--to-ports', str(dnsport))
+                _ipt('-A', chain, '-j', 'REDIRECT',
+                     '--dest', '%s/%s' % (snet, swidth),
+                     *(tcp_ports + ('--to-ports', str(port))))

    def restore_firewall(self, port, family, udp, user):
        # only ipv4 supported with NAT
-        if family != socket.AF_INET:
+        if family != socket.AF_INET and family != socket.AF_INET6:
            raise Exception(
                'Address family "%s" unsupported by nat method_name'
                % family_to_string(family))
@ -99,9 +89,6 @@ class Method(BaseMethod):
        def _ipt(*args):
            return ipt(family, table, *args)

-        def _ipt_ttl(*args):
-            return ipt_ttl(family, table, *args)
-
        def _ipm(*args):
            return ipt(family, "mangle", *args)

@ -123,4 +110,12 @@ class Method(BaseMethod):
    def get_supported_features(self):
        result = super(Method, self).get_supported_features()
        result.user = True
+        result.ipv6 = True
        return result
+
+    def is_supported(self):
+        if which("iptables"):
+            return True
+        debug2("nat method not supported because 'iptables' command "
+               "is missing.")
+        return False
--- a/sshuttle/methods/nft.py
+++ b/sshuttle/methods/nft.py
@ -2,6 +2,7 @@ import socket
 from sshuttle.firewall import subnet_weight
 from sshuttle.linux import nft, nonfatal
 from sshuttle.methods import BaseMethod
+from sshuttle.helpers import debug2, which


 class Method(BaseMethod):
@ -12,11 +13,14 @@ class Method(BaseMethod):
    # recently-started one will win (because we use "-I OUTPUT 1" instead of
    # "-A OUTPUT").
    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
+                       user, tmark):
        if udp:
            raise Exception("UDP not supported by nft")

-        table = 'sshuttle-%s' % port
+        if family == socket.AF_INET:
+            table = 'sshuttle-ipv4-%s' % port
+        if family == socket.AF_INET6:
+            table = 'sshuttle-ipv6-%s' % port

        def _nft(action, *args):
            return nft(family, table, action, *args)
@ -34,43 +38,77 @@ class Method(BaseMethod):
        _nft('add rule', 'output jump %s' % chain)
        _nft('add rule', 'prerouting jump %s' % chain)

+        # setup_firewall() gets called separately for ipv4 and ipv6. Make sure
+        # we only handle the version that we expect to.
+        if family == socket.AF_INET:
+            _nft('add rule', chain, 'meta', 'nfproto', '!=', 'ipv4', 'return')
+        else:
+            _nft('add rule', chain, 'meta', 'nfproto', '!=', 'ipv6', 'return')
+
+        # Strings to use below to simplify our code
+        if family == socket.AF_INET:
+            ip_version_l = 'ipv4'
+            ip_version = 'ip'
+        elif family == socket.AF_INET6:
+            ip_version_l = 'ipv6'
+            ip_version = 'ip6'
+
+        # Redirect DNS traffic as requested. This includes routing traffic
+        # to localhost DNS servers through sshuttle.
+        for _, ip in [i for i in nslist if i[0] == family]:
+            _nft('add rule', chain, ip_version,
+                 'daddr %s' % ip, 'udp dport 53',
+                 ('redirect to :' + str(dnsport)))
+
+        # Don't route any remaining local traffic through sshuttle
+        _nft('add rule', chain, 'fib daddr type local return')
+
        # create new subnet entries.
        for _, swidth, sexclude, snet, fport, lport \
                in sorted(subnets, key=subnet_weight, reverse=True):
-            tcp_ports = ('ip', 'protocol', 'tcp')
+
+            # match using nfproto as described at
+            # https://superuser.com/questions/1560376/match-ipv6-protocol-using-nftables
            if fport and fport != lport:
-                tcp_ports = \
-                    tcp_ports + \
-                    ('tcp', 'dport', '{ %d-%d }' % (fport, lport))
+                tcp_ports = ('meta', 'nfproto', ip_version_l, 'tcp',
+                             'dport', '{ %d-%d }' % (fport, lport))
            elif fport and fport == lport:
-                tcp_ports = tcp_ports + ('tcp', 'dport', '%d' % (fport))
+                tcp_ports = ('meta', 'nfproto', ip_version_l, 'tcp',
+                             'dport', '%d' % (fport))
+            else:
+                tcp_ports = ('meta', 'nfproto', ip_version_l,
+                             'meta', 'l4proto', 'tcp')

            if sexclude:
                _nft('add rule', chain, *(tcp_ports + (
-                     'ip daddr %s/%s' % (snet, swidth), 'return')))
+                     ip_version, 'daddr %s/%s' % (snet, swidth), 'return')))
            else:
                _nft('add rule', chain, *(tcp_ports + (
-                     'ip daddr %s/%s' % (snet, swidth), 'ip ttl != 63',
-                     ('redirect to :' + str(port)))))
-
-        for _, ip in [i for i in nslist if i[0] == family]:
-            if family == socket.AF_INET:
-                _nft('add rule', chain, 'ip protocol udp ip daddr %s' % ip,
-                     'udp dport { 53 }', 'ip ttl != 63',
-                     ('redirect to :' + str(dnsport)))
-            elif family == socket.AF_INET6:
-                _nft('add rule', chain, 'ip6 protocol udp ip6 daddr %s' % ip,
-                     'udp dport { 53 }', 'ip ttl != 63',
-                     ('redirect to :' + str(dnsport)))
+                    ip_version, 'daddr %s/%s' % (snet, swidth),
+                    ('redirect to :' + str(port)))))

    def restore_firewall(self, port, family, udp, user):
        if udp:
            raise Exception("UDP not supported by nft method_name")

-        table = 'sshuttle-%s' % port
+        if family == socket.AF_INET:
+            table = 'sshuttle-ipv4-%s' % port
+        if family == socket.AF_INET6:
+            table = 'sshuttle-ipv6-%s' % port

        def _nft(action, *args):
            return nft(family, table, action, *args)

        # basic cleanup/setup of chains
        nonfatal(_nft, 'delete table', '')
+
+    def get_supported_features(self):
+        result = super(Method, self).get_supported_features()
+        result.ipv6 = True
+        return result
+
+    def is_supported(self):
+        if which("nft"):
+            return True
+        debug2("nft method not supported because 'nft' command is missing.")
+        return False
--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@ -11,7 +11,8 @@ from fcntl import ioctl
 from ctypes import c_char, c_uint8, c_uint16, c_uint32, Union, Structure, \
    sizeof, addressof, memmove
 from sshuttle.firewall import subnet_weight
-from sshuttle.helpers import debug1, debug2, debug3, Fatal, family_to_string
+from sshuttle.helpers import log, debug1, debug2, debug3, Fatal, \
+     family_to_string, get_env, which
 from sshuttle.methods import BaseMethod


@ -179,7 +180,7 @@ class FreeBsd(Generic):
        return freebsd

    def enable(self):
-        returncode = ssubprocess.call(['kldload', 'pf'])
+        returncode = ssubprocess.call(['kldload', 'pf'], env=get_env())
        # No env: No output.
        super(FreeBsd, self).enable()
        if returncode == 0:
@ -189,7 +190,7 @@ class FreeBsd(Generic):
        super(FreeBsd, self).disable(anchor)
        if _pf_context['loaded_by_sshuttle'] and \
                _pf_context['started_by_sshuttle'] == 0:
-            ssubprocess.call(['kldunload', 'pf'])
+            ssubprocess.call(['kldunload', 'pf'], env=get_env())
            # No env: No output.

    def add_anchors(self, anchor):
@ -272,7 +273,7 @@ class OpenBsd(Generic):
    def add_anchors(self, anchor):
        # before adding anchors and rules we must override the skip lo
        # that comes by default in openbsd pf.conf so the rules we will add,
-        # which rely on translating/filtering  packets on lo, can work
+        # which rely on translating/filtering packets on lo, can work
        if self.has_skip_loopback():
            pfctl('-f /dev/stdin', b'match on lo\n')
        super(OpenBsd, self).add_anchors(anchor)
@ -352,7 +353,7 @@ class Darwin(FreeBsd):
    def add_anchors(self, anchor):
        # before adding anchors and rules we must override the skip lo
        # that in some cases ends up in the chain so the rules we will add,
-        # which rely on translating/filtering  packets on lo, can work
+        # which rely on translating/filtering packets on lo, can work
        if self.has_skip_loopback():
            pfctl('-f /dev/stdin', b'pass on lo\n')
        super(Darwin, self).add_anchors(anchor)
@ -385,18 +386,17 @@ else:

 def pfctl(args, stdin=None):
    argv = ['pfctl'] + shlex.split(args)
-    debug1('>> %s\n' % ' '.join(argv))
-
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
+    debug1('>> %s' % ' '.join(argv))
    p = ssubprocess.Popen(argv, stdin=ssubprocess.PIPE,
                          stdout=ssubprocess.PIPE,
                          stderr=ssubprocess.PIPE,
-                          env=env)
+                          env=get_env())
    o = p.communicate(stdin)
    if p.returncode:
+        log('%r returned %d, stdout and stderr follows: ' %
+            (argv, p.returncode))
+        log("stdout:\n%s" % o[0].decode("ascii"))
+        log("stderr:\n%s" % o[1].decode("ascii"))
        raise Fatal('%r returned %d' % (argv, p.returncode))

    return o
@ -448,7 +448,7 @@ class Method(BaseMethod):
        return sock.getsockname()

    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
+                       user, tmark):
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by pf method_name'
@ -495,3 +495,9 @@ class Method(BaseMethod):
            return True
        else:
            return False
+
+    def is_supported(self):
+        if which("pfctl"):
+            return True
+        debug2("pf method not supported because 'pfctl' command is missing.")
+        return False
--- a/sshuttle/methods/tproxy.py
+++ b/sshuttle/methods/tproxy.py
@ -1,26 +1,12 @@
 import struct
 from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import family_to_string
-from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists
+from sshuttle.linux import ipt, ipt_chain_exists
 from sshuttle.methods import BaseMethod
-from sshuttle.helpers import debug1, debug3, Fatal
+from sshuttle.helpers import debug1, debug2, debug3, Fatal, which

-recvmsg = None
-try:
-    # try getting recvmsg from python
-    import socket as pythonsocket
-    getattr(pythonsocket.socket, "recvmsg")
-    socket = pythonsocket
-    recvmsg = "python"
-except AttributeError:
-    # try getting recvmsg from socket_ext library
-    try:
-        import socket_ext
-        getattr(socket_ext.socket, "recvmsg")
-        socket = socket_ext
-        recvmsg = "socket_ext"
-    except ImportError:
-        import socket
+import socket
+import os


 IP_TRANSPARENT = 19
@ -30,75 +16,37 @@ SOL_IPV6 = 41
 IPV6_ORIGDSTADDR = 74
 IPV6_RECVORIGDSTADDR = IPV6_ORIGDSTADDR

-if recvmsg == "python":
-    def recv_udp(listener, bufsize):
-        debug3('Accept UDP python using recvmsg.\n')
-        data, ancdata, _, srcip = listener.recvmsg(
-            4096, socket.CMSG_SPACE(24))
-        dstip = None
-        family = None
-        for cmsg_level, cmsg_type, cmsg_data in ancdata:
-            if cmsg_level == socket.SOL_IP and cmsg_type == IP_ORIGDSTADDR:
-                family, port = struct.unpack('=HH', cmsg_data[0:4])
-                port = socket.htons(port)
-                if family == socket.AF_INET:
-                    start = 4
-                    length = 4
-                else:
-                    raise Fatal("Unsupported socket type '%s'" % family)
-                ip = socket.inet_ntop(family, cmsg_data[start:start + length])
-                dstip = (ip, port)
-                break
-            elif cmsg_level == SOL_IPV6 and cmsg_type == IPV6_ORIGDSTADDR:
-                family, port = struct.unpack('=HH', cmsg_data[0:4])
-                port = socket.htons(port)
-                if family == socket.AF_INET6:
-                    start = 8
-                    length = 16
-                else:
-                    raise Fatal("Unsupported socket type '%s'" % family)
-                ip = socket.inet_ntop(family, cmsg_data[start:start + length])
-                dstip = (ip, port)
-                break
-        return (srcip, dstip, data)
-elif recvmsg == "socket_ext":
-    def recv_udp(listener, bufsize):
-        debug3('Accept UDP using socket_ext recvmsg.\n')
-        srcip, data, adata, _ = listener.recvmsg(
-            (bufsize,), socket.CMSG_SPACE(24))
-        dstip = None
-        family = None
-        for a in adata:
-            if a.cmsg_level == socket.SOL_IP and a.cmsg_type == IP_ORIGDSTADDR:
-                family, port = struct.unpack('=HH', a.cmsg_data[0:4])
-                port = socket.htons(port)
-                if family == socket.AF_INET:
-                    start = 4
-                    length = 4
-                else:
-                    raise Fatal("Unsupported socket type '%s'" % family)
-                ip = socket.inet_ntop(
-                    family, a.cmsg_data[start:start + length])
-                dstip = (ip, port)
-                break
-            elif a.cmsg_level == SOL_IPV6 and a.cmsg_type == IPV6_ORIGDSTADDR:
-                family, port = struct.unpack('=HH', a.cmsg_data[0:4])
-                port = socket.htons(port)
-                if family == socket.AF_INET6:
-                    start = 8
-                    length = 16
-                else:
-                    raise Fatal("Unsupported socket type '%s'" % family)
-                ip = socket.inet_ntop(
-                    family, a.cmsg_data[start:start + length])
-                dstip = (ip, port)
-                break
-        return (srcip, dstip, data[0])
-else:
-    def recv_udp(listener, bufsize):
-        debug3('Accept UDP using recvfrom.\n')
-        data, srcip = listener.recvfrom(bufsize)
-        return (srcip, None, data)
+
+def recv_udp(listener, bufsize):
+    debug3('Accept UDP python using recvmsg.')
+    data, ancdata, _, srcip = listener.recvmsg(
+        4096, socket.CMSG_SPACE(24))
+    dstip = None
+    family = None
+    for cmsg_level, cmsg_type, cmsg_data in ancdata:
+        if cmsg_level == socket.SOL_IP and cmsg_type == IP_ORIGDSTADDR:
+            family, port = struct.unpack('=HH', cmsg_data[0:4])
+            port = socket.htons(port)
+            if family == socket.AF_INET:
+                start = 4
+                length = 4
+            else:
+                raise Fatal("Unsupported socket type '%s'" % family)
+            ip = socket.inet_ntop(family, cmsg_data[start:start + length])
+            dstip = (ip, port)
+            break
+        elif cmsg_level == SOL_IPV6 and cmsg_type == IPV6_ORIGDSTADDR:
+            family, port = struct.unpack('=HH', cmsg_data[0:4])
+            port = socket.htons(port)
+            if family == socket.AF_INET6:
+                start = 8
+                length = 16
+            else:
+                raise Fatal("Unsupported socket type '%s'" % family)
+            ip = socket.inet_ntop(family, cmsg_data[start:start + length])
+            dstip = (ip, port)
+            break
+    return (srcip, dstip, data)


 class Method(BaseMethod):
@ -106,12 +54,8 @@ class Method(BaseMethod):
    def get_supported_features(self):
        result = super(Method, self).get_supported_features()
        result.ipv6 = True
-        if recvmsg is None:
-            result.udp = False
-            result.dns = False
-        else:
-            result.udp = True
-            result.dns = True
+        result.udp = True
+        result.dns = True
        return result

    def get_tcp_dstip(self, sock):
@ -126,6 +70,15 @@ class Method(BaseMethod):
            return None
        return srcip, dstip, data

+    def setsockopt_error(self, e):
+        """The tproxy method needs root permissions to successfully
+        set the IP_TRANSPARENT option on sockets. This method is
+        called when we receive a PermissionError when trying to do
+        so."""
+        raise Fatal("Insufficient permissions for tproxy method.\n"
+                    "Your effective UID is %d, not 0. Try rerunning as root.\n"
+                    % os.geteuid())
+
    def send_udp(self, sock, srcip, dstip, data):
        if not srcip:
            debug1(
@ -134,16 +87,26 @@ class Method(BaseMethod):
            return
        sender = socket.socket(sock.family, socket.SOCK_DGRAM)
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-        sender.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
+        try:
+            sender.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
+        except PermissionError as e:
+            self.setsockopt_error(e)
        sender.bind(srcip)
        sender.sendto(data, dstip)
        sender.close()

    def setup_tcp_listener(self, tcp_listener):
-        tcp_listener.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
+        try:
+            tcp_listener.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
+        except PermissionError as e:
+            self.setsockopt_error(e)

    def setup_udp_listener(self, udp_listener):
-        udp_listener.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
+        try:
+            udp_listener.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
+        except PermissionError as e:
+            self.setsockopt_error(e)
+
        if udp_listener.v4 is not None:
            udp_listener.v4.setsockopt(
                socket.SOL_IP, IP_RECVORIGDSTADDR, 1)
@ -151,7 +114,7 @@ class Method(BaseMethod):
            udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVORIGDSTADDR, 1)

    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
+                       user, tmark):
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by tproxy method'
@ -162,12 +125,9 @@ class Method(BaseMethod):
        def _ipt(*args):
            return ipt(family, table, *args)

-        def _ipt_ttl(*args):
-            return ipt_ttl(family, table, *args)
-
        def _ipt_proto_ports(proto, fport, lport):
            return proto + ('--dport', '%d:%d' % (fport, lport)) \
-                    if fport else proto
+                if fport else proto

        mark_chain = 'sshuttle-m-%s' % port
        tproxy_chain = 'sshuttle-t-%s' % port
@ -184,7 +144,23 @@ class Method(BaseMethod):
        _ipt('-F', tproxy_chain)
        _ipt('-I', 'OUTPUT', '1', '-j', mark_chain)
        _ipt('-I', 'PREROUTING', '1', '-j', tproxy_chain)
-        _ipt('-A', divert_chain, '-j', 'MARK', '--set-mark', '1')
+
+        # Don't have packets sent to any of our local IP addresses go
+        # through the tproxy or mark chains.
+        #
+        # Without this fix, if a large subnet is redirected through
+        # sshuttle (i.e., 0/0), then the user may be unable to receive
+        # UDP responses or connect to their own machine using an IP
+        # besides (127.0.0.1). Prior to including these lines, the
+        # documentation reminded the user to use -x to exclude their
+        # own IP addresses to receive UDP responses if they are
+        # redirecting a large subnet through sshuttle (i.e., 0/0).
+        _ipt('-A', tproxy_chain, '-j', 'RETURN', '-m', 'addrtype',
+             '--dst-type', 'LOCAL')
+        _ipt('-A', mark_chain, '-j', 'RETURN', '-m', 'addrtype',
+             '--dst-type', 'LOCAL')
+
+        _ipt('-A', divert_chain, '-j', 'MARK', '--set-mark', tmark)
        _ipt('-A', divert_chain, '-j', 'ACCEPT')
        _ipt('-A', tproxy_chain, '-m', 'socket', '-j', divert_chain,
             '-m', 'tcp', '-p', 'tcp')
@ -194,11 +170,11 @@ class Method(BaseMethod):
                 '-m', 'udp', '-p', 'udp')

        for _, ip in [i for i in nslist if i[0] == family]:
-            _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
+            _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', tmark,
                 '--dest', '%s/32' % ip,
                 '-m', 'udp', '-p', 'udp', '--dport', '53')
            _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                 '--tproxy-mark', '0x1/0x1',
+                 '--tproxy-mark', tmark,
                 '--dest', '%s/32' % ip,
                 '-m', 'udp', '-p', 'udp', '--dport', '53',
                 '--on-port', str(dnsport))
@ -218,12 +194,12 @@ class Method(BaseMethod):
                     '-m', 'tcp',
                     *tcp_ports)
            else:
-                _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
+                _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', tmark,
                     '--dest', '%s/%s' % (snet, swidth),
                     '-m', 'tcp',
                     *tcp_ports)
                _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                     '--tproxy-mark', '0x1/0x1',
+                     '--tproxy-mark', tmark,
                     '--dest', '%s/%s' % (snet, swidth),
                     '-m', 'tcp',
                     *(tcp_ports + ('--on-port', str(port))))
@ -242,12 +218,12 @@ class Method(BaseMethod):
                         '-m', 'udp',
                         *udp_ports)
                else:
-                    _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
+                    _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', tmark,
                         '--dest', '%s/%s' % (snet, swidth),
                         '-m', 'udp',
                         *udp_ports)
                    _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                         '--tproxy-mark', '0x1/0x1',
+                         '--tproxy-mark', tmark,
                         '--dest', '%s/%s' % (snet, swidth),
                         '-m', 'udp',
                         *(udp_ports + ('--on-port', str(port))))
@ -263,9 +239,6 @@ class Method(BaseMethod):
        def _ipt(*args):
            return ipt(family, table, *args)

-        def _ipt_ttl(*args):
-            return ipt_ttl(family, table, *args)
-
        mark_chain = 'sshuttle-m-%s' % port
        tproxy_chain = 'sshuttle-t-%s' % port
        divert_chain = 'sshuttle-d-%s' % port
@ -284,3 +257,10 @@ class Method(BaseMethod):
        if ipt_chain_exists(family, table, divert_chain):
            _ipt('-F', divert_chain)
            _ipt('-X', divert_chain)
+
+    def is_supported(self):
+        if which("iptables") and which("ip6tables"):
+            return True
+        debug2("tproxy method not supported because 'iptables' "
+               "or 'ip6tables' commands are missing.\n")
+        return False
--- a/sshuttle/options.py
+++ b/sshuttle/options.py
@ -28,29 +28,73 @@ def parse_subnetport_file(s):
 # 1.2.3.4/5:678, 1.2.3.4:567, 1.2.3.4/16 or just 1.2.3.4
 # [1:2::3/64]:456, [1:2::3]:456, 1:2::3/64 or just 1:2::3
 # example.com:123 or just example.com
+#
+# In addition, the port number can be specified as a range:
+# 1.2.3.4:8000-8080.
+#
+# Can return multiple matches if the domain name used in the request
+# has multiple IP addresses.
 def parse_subnetport(s):
+
    if s.count(':') > 1:
-        rx = r'(?:\[?([\w\:]+)(?:/(\d+))?]?)(?::(\d+)(?:-(\d+))?)?$'
+        rx = r'(?:\[?(?:\*\.)?([\w\:]+)(?:/(\d+))?]?)(?::(\d+)(?:-(\d+))?)?$'
    else:
-        rx = r'([\w\.\-]+)(?:/(\d+))?(?::(\d+)(?:-(\d+))?)?$'
+        rx = r'((?:\*\.)?[\w\.\-]+)(?:/(\d+))?(?::(\d+)(?:-(\d+))?)?$'

    m = re.match(rx, s)
    if not m:
        raise Fatal('%r is not a valid address/mask:port format' % s)

-    addr, width, fport, lport = m.groups()
+    # Ports range from fport to lport. If only one port is specified,
+    # fport is defined and lport is None.
+    #
+    # cidr is the mask defined with the slash notation
+    host, cidr, fport, lport = m.groups()
    try:
-        addrinfo = socket.getaddrinfo(addr, 0, 0, socket.SOCK_STREAM)
+        addrinfo = socket.getaddrinfo(host, 0, 0, socket.SOCK_STREAM)
    except socket.gaierror:
-        raise Fatal('Unable to resolve address: %s' % addr)
+        raise Fatal('Unable to resolve address: %s' % host)

-    family, _, _, _, addr = min(addrinfo)
-    max_width = 32 if family == socket.AF_INET else 128
-    width = int(width or max_width)
-    if not 0 <= width <= max_width:
-        raise Fatal('width %d is not between 0 and %d' % (width, max_width))
+    # If the address is a domain with multiple IPs and a mask is also
+    # provided, proceed cautiously:
+    if cidr is not None:
+        addr_v6 = [a for a in addrinfo if a[0] == socket.AF_INET6]
+        addr_v4 = [a for a in addrinfo if a[0] == socket.AF_INET]

-    return (family, addr[0], width, int(fport or 0), int(lport or fport or 0))
+        # Refuse to proceed if IPv4 and IPv6 addresses are present:
+        if len(addr_v6) > 0 and len(addr_v4) > 0:
+            raise Fatal("%s has IPv4 and IPv6 addresses, so the mask "
+                        "of /%s is not supported. Specify the IP "
+                        "addresses directly if you wish to specify "
+                        "a mask." % (host, cidr))
+
+        # Warn if a domain has multiple IPs of the same type (IPv4 vs
+        # IPv6) and the mask is applied to all of the IPs.
+        if len(addr_v4) > 1 or len(addr_v6) > 1:
+            print("WARNING: %s has multiple IP addresses. The "
+                  "mask of /%s is applied to all of the addresses."
+                  % (host, cidr))
+
+    rv = []
+    for a in addrinfo:
+        family, _, _, _, addr = a
+
+        # Largest possible slash value we can use with this IP:
+        max_cidr = 32 if family == socket.AF_INET else 128
+
+        if cidr is None:  # if no mask, use largest mask
+            cidr_to_use = max_cidr
+        else:   # verify user-provided mask is appropriate
+            cidr_to_use = int(cidr)
+            if not 0 <= cidr_to_use <= max_cidr:
+                raise Fatal('Slash in CIDR notation (/%d) is '
+                            'not between 0 and %d'
+                            % (cidr_to_use, max_cidr))
+
+        rv.append((family, addr[0], cidr_to_use,
+                   int(fport or 0), int(lport or fport or 0)))
+
+    return rv


 # 1.2.3.4:567 or just 1.2.3.4 or just 567
@ -69,20 +113,26 @@ def parse_ipport(s):
    if not m:
        raise Fatal('%r is not a valid IP:port format' % s)

-    ip, port = m.groups()
-    ip = ip or '0.0.0.0'
+    host, port = m.groups()
+    host = host or '0.0.0.0'
    port = int(port or 0)

    try:
-        addrinfo = socket.getaddrinfo(ip, port, 0, socket.SOCK_STREAM)
+        addrinfo = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)
    except socket.gaierror:
-        raise Fatal('%r is not a valid IP:port format' % s)
+        raise Fatal('Unable to resolve address: %s' % host)
+
+    if len(addrinfo) > 1:
+        print("WARNING: Host %s has more than one IP, only using one of them."
+              % host)

    family, _, _, _, addr = min(addrinfo)
+    # Note: addr contains (ip, port)
    return (family,) + addr[:2]


 def parse_list(lst):
+    """Parse a comma separated string into a list."""
    return re.split(r'[\s,]+', lst.strip()) if lst else []


@ -97,9 +147,33 @@ class Concat(Action):
        setattr(namespace, self.dest, curr_value + values)


-parser = ArgumentParser(
+# Override one function in the ArgumentParser so that we can have
+# better control for how we parse files containing arguments. We
+# expect one argument per line, but strip whitespace/quotes from the
+# beginning/end of the lines.
+class MyArgumentParser(ArgumentParser):
+    def convert_arg_line_to_args(self, arg_line):
+        # Ignore comments
+        if arg_line.startswith("#"):
+            return []
+
+        # strip whitespace at beginning and end of line
+        arg_line = arg_line.strip()
+
+        # When copying parameters from the command line to a file,
+        # some users might copy the quotes they used on the command
+        # line into the config file. We ignore these if the line
+        # starts and ends with the same quote.
+        if arg_line.startswith("'") and arg_line.endswith("'") or \
+           arg_line.startswith('"') and arg_line.endswith('"'):
+            arg_line = arg_line[1:-1]
+
+        return [arg_line]
+
+
+parser = MyArgumentParser(
    prog="sshuttle",
-    usage="%(prog)s [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>",
+    usage="%(prog)s [-l [ip:]port] -r [user@]sshserver[:port] <subnets...>",
    fromfile_prefix_chars="@"
 )
 parser.add_argument(
@ -147,6 +221,7 @@ parser.add_argument(
    type=parse_list,
    help="""
    capture and forward DNS requests made to the following servers
+    (comma separated)
    """
 )
 parser.add_argument(
@ -207,7 +282,7 @@ parser.add_argument(
    action="count",
    default=0,
    help="""
-    increase debug message verbosity
+    increase debug message verbosity (can be used more than once)
    """
 )
 parser.add_argument(
@ -321,18 +396,15 @@ parser.add_argument(
    (internal use only)
    """
 )
-parser.add_argument(
-    "--sudoers",
-    action="store_true",
-    help="""
-    Add sshuttle to the sudoers for this user
-    """
-)
 parser.add_argument(
    "--sudoers-no-modify",
    action="store_true",
    help="""
-    Prints the sudoers config to STDOUT and DOES NOT modify anything.
+    Prints a sudo configuration to STDOUT which allows a user to
+    run sshuttle without a password. This option is INSECURE because,
+    with some cleverness, it also allows the user to run any command
+    as root without a password. The output also includes a suggested
+    method for you to install the configuration.
    """
 )
 parser.add_argument(
@ -340,16 +412,7 @@ parser.add_argument(
    default="",
    help="""
    Set the user name or group with %%group_name for passwordless operation.
-    Default is the current user.set ALL for all users. Only works with
-    --sudoers or --sudoers-no-modify option.
-    """
-)
-parser.add_argument(
-    "--sudoers-filename",
-    default="sshuttle_auto",
-    help="""
-    Set the file name for the sudoers.d file to be added. Default is
-    "sshuttle_auto". Only works with --sudoers or --sudoers-no-modify option.
+    Default is the current user. Only works with the --sudoers-no-modify option.
    """
 )
 parser.add_argument(
@ -360,3 +423,12 @@ parser.add_argument(
    do not set PYTHONPATH when invoking sudo
    """
 )
+parser.add_argument(
+    "-t", "--tmark",
+    metavar="[MARK]",
+    default="0x01",
+    help="""
+    tproxy optional traffic mark with provided MARK value in
+    hexadecimal (default '0x01')
+    """
+)
--- a/sshuttle/sdnotify.py
+++ b/sshuttle/sdnotify.py
@ -1,3 +1,13 @@
+"""When sshuttle is run via a systemd service file, we can communicate
+to systemd about the status of the sshuttle process. In particular, we
+can send READY status to tell systemd that sshuttle has completed
+startup and send STOPPING to indicate that sshuttle is beginning
+shutdown.
+
+For details, see:
+https://www.freedesktop.org/software/systemd/man/sd_notify.html
+"""
+
 import socket
 import os

@ -5,6 +15,7 @@ from sshuttle.helpers import debug1


 def _notify(message):
+    """Send a notification message to systemd."""
    addr = os.environ.get("NOTIFY_SOCKET", None)

    if not addr or len(addr) == 1 or addr[0] not in ('/', '@'):
@ -15,7 +26,7 @@ def _notify(message):
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    except (OSError, IOError) as e:
-        debug1("Error creating socket to notify systemd: %s\n" % e)
+        debug1("Error creating socket to notify systemd: %s" % e)
        return False

    if not message:
@ -26,21 +37,27 @@ def _notify(message):
    try:
        return (sock.sendto(message, addr) > 0)
    except (OSError, IOError) as e:
-        debug1("Error notifying systemd: %s\n" % e)
+        debug1("Error notifying systemd: %s" % e)
        return False


 def send(*messages):
+    """Send multiple messages to systemd."""
    return _notify(b'\n'.join(messages))


 def ready():
+    """Constructs a message that is appropriate to send upon completion of
+sshuttle startup."""
    return b"READY=1"


 def stop():
+    """Constructs a message that is appropriate to send when sshuttle is
+beginning to shutdown."""
    return b"STOPPING=1"


 def status(message):
+    """Constructs a status message to be sent to systemd."""
    return b"STATUS=%s" % message.encode('utf8')
--- a/sshuttle/server.py
+++ b/sshuttle/server.py
@ -5,8 +5,7 @@ import traceback
 import time
 import sys
 import os
-import platform
-from shutil import which
+

 import sshuttle.ssnet as ssnet
 import sshuttle.helpers as helpers
@ -14,7 +13,7 @@ import sshuttle.hostwatch as hostwatch
 import subprocess as ssubprocess
 from sshuttle.ssnet import Handler, Proxy, Mux, MuxWrapper
 from sshuttle.helpers import b, log, debug1, debug2, debug3, Fatal, \
-    resolvconf_random_nameserver
+    resolvconf_random_nameserver, which, get_env


 def _ipmatch(ipstr):
@ -35,7 +34,6 @@ def _ipmatch(ipstr):
        elif g[3] is None:
            ips += '.0'
            width = min(width, 24)
-        ips = ips
        return (struct.unpack('!I', socket.inet_aton(ips))[0], width)


@ -82,11 +80,7 @@ def _route_iproute(line):

 def _list_routes(argv, extract_route):
    # FIXME: IPv4 only
-    env = {
-        'PATH': os.environ['PATH'],
-        'LC_ALL': "C",
-    }
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
+    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())
    routes = []
    for line in p.stdout:
        if not line.strip():
@ -100,8 +94,7 @@ def _list_routes(argv, extract_route):
            (socket.AF_INET, socket.inet_ntoa(struct.pack('!I', ip)), width))
    rv = p.wait()
    if rv != 0:
-        log('WARNING: %r returned %d\n' % (argv, rv))
-        log('WARNING: That prevents --auto-nets from working.\n')
+        log('WARNING: %r returned %d' % (argv, rv))

    return routes

@ -112,7 +105,8 @@ def list_routes():
    elif which('netstat'):
        routes = _list_routes(['netstat', '-rn'], _route_netstat)
    else:
-        log('WARNING: Neither ip nor netstat were found on the server.\n')
+        log('WARNING: Neither "ip" nor "netstat" were found on the server. '
+            '--auto-nets feature will not work.')
        routes = []

    for (family, ip, width) in routes:
@ -139,7 +133,7 @@ def start_hostwatch(seed_hosts, auto_hosts):
                s1.close()
                rv = hostwatch.hw_main(seed_hosts, auto_hosts) or 0
            except Exception:
-                log('%s\n' % _exc_dump())
+                log('%s' % _exc_dump())
                rv = 98
        finally:
            os._exit(rv)
@ -187,7 +181,7 @@ class DnsProxy(Handler):
        self.tries += 1

        if self.to_nameserver is None:
-            _, peer = resolvconf_random_nameserver()
+            _, peer = resolvconf_random_nameserver(False)
            port = 53
        else:
            peer = self.to_ns_peer
@ -195,12 +189,11 @@ class DnsProxy(Handler):

        family, sockaddr = self._addrinfo(peer, port)
        sock = socket.socket(family, socket.SOCK_DGRAM)
-        sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
        sock.connect(sockaddr)

        self.peers[sock] = peer

-        debug2('DNS: sending to %r:%d (try %d)\n' % (peer, port, self.tries))
+        debug2('DNS: sending to %r:%d (try %d)' % (peer, port, self.tries))
        try:
            sock.send(self.request)
            self.socks.append(sock)
@ -210,11 +203,11 @@ class DnsProxy(Handler):
                # might have been spurious; try again.
                # Note: these errors sometimes are reported by recv(),
                # and sometimes by send().  We have to catch both.
-                debug2('DNS send to %r: %s\n' % (peer, e))
+                debug2('DNS send to %r: %s' % (peer, e))
                self.try_send()
                return
            else:
-                log('DNS send to %r: %s\n' % (peer, e))
+                log('DNS send to %r: %s' % (peer, e))
                return

    def callback(self, sock):
@ -231,13 +224,13 @@ class DnsProxy(Handler):
                # might have been spurious; try again.
                # Note: these errors sometimes are reported by recv(),
                # and sometimes by send().  We have to catch both.
-                debug2('DNS recv from %r: %s\n' % (peer, e))
+                debug2('DNS recv from %r: %s' % (peer, e))
                self.try_send()
                return
            else:
-                log('DNS recv from %r: %s\n' % (peer, e))
+                log('DNS recv from %r: %s' % (peer, e))
                return
-        debug2('DNS response: %d bytes\n' % len(data))
+        debug2('DNS response: %d bytes' % len(data))
        self.mux.send(self.chan, ssnet.CMD_DNS_RESPONSE, data)
        self.ok = False

@ -251,16 +244,14 @@ class UdpProxy(Handler):
        self.mux = mux
        self.chan = chan
        self.sock = sock
-        if family == socket.AF_INET:
-            self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)

    def send(self, dstip, data):
-        debug2('UDP: sending to %r port %d\n' % dstip)
+        debug2('UDP: sending to %r port %d' % dstip)
        try:
            self.sock.sendto(data, dstip)
        except socket.error:
            _, e = sys.exc_info()[:2]
-            log('UDP send to %r port %d: %s\n' % (dstip[0], dstip[1], e))
+            log('UDP send to %r port %d: %s' % (dstip[0], dstip[1], e))
            return

    def callback(self, sock):
@ -268,150 +259,157 @@ class UdpProxy(Handler):
            data, peer = sock.recvfrom(4096)
        except socket.error:
            _, e = sys.exc_info()[:2]
-            log('UDP recv from %r port %d: %s\n' % (peer[0], peer[1], e))
+            log('UDP recv from %r port %d: %s' % (peer[0], peer[1], e))
            return
-        debug2('UDP response: %d bytes\n' % len(data))
+        debug2('UDP response: %d bytes' % len(data))
        hdr = b("%s,%r," % (peer[0], peer[1]))
        self.mux.send(self.chan, ssnet.CMD_UDP_DATA, hdr + data)


-def main(latency_control, auto_hosts, to_nameserver, auto_nets):
-    debug1('Starting server with Python version %s\n'
-           % platform.python_version())
-
-    if helpers.verbose >= 1:
+def main(latency_control, latency_buffer_size, auto_hosts, to_nameserver,
+         auto_nets):
+    try:
        helpers.logprefix = ' s: '
-    else:
-        helpers.logprefix = 'server: '
-    debug1('latency control setting = %r\n' % latency_control)

-    # synchronization header
-    sys.stdout.write('\0\0SSHUTTLE0001')
-    sys.stdout.flush()
+        debug1('latency control setting = %r' % latency_control)
+        if latency_buffer_size:
+            import sshuttle.ssnet as ssnet
+            ssnet.LATENCY_BUFFER_SIZE = latency_buffer_size

-    handlers = []
-    mux = Mux(sys.stdin, sys.stdout)
-    handlers.append(mux)
+        # synchronization header
+        sys.stdout.write('\0\0SSHUTTLE0001')
+        sys.stdout.flush()

-    debug1('auto-nets:' + str(auto_nets) + '\n')
-    if auto_nets:
-        routes = list(list_routes())
-        debug1('available routes:\n')
+        handlers = []
+        mux = Mux(sys.stdin, sys.stdout)
+        handlers.append(mux)
+
+        debug1('auto-nets:' + str(auto_nets))
+        if auto_nets:
+            routes = list(list_routes())
+            debug1('available routes:')
+            for r in routes:
+                debug1('  %d/%s/%d' % r)
+        else:
+            routes = []
+
+        routepkt = ''
        for r in routes:
-            debug1('  %d/%s/%d\n' % r)
-    else:
-        routes = []
+            routepkt += '%d,%s,%d\n' % r
+        mux.send(0, ssnet.CMD_ROUTES, b(routepkt))

-    routepkt = ''
-    for r in routes:
-        routepkt += '%d,%s,%d\n' % r
-    mux.send(0, ssnet.CMD_ROUTES, b(routepkt))
+        hw = Hostwatch()
+        hw.leftover = b('')

-    hw = Hostwatch()
-    hw.leftover = b('')
-
-    def hostwatch_ready(sock):
-        assert(hw.pid)
-        content = hw.sock.recv(4096)
-        if content:
-            lines = (hw.leftover + content).split(b('\n'))
-            if lines[-1]:
-                # no terminating newline: entry isn't complete yet!
-                hw.leftover = lines.pop()
-                lines.append(b(''))
+        def hostwatch_ready(sock):
+            assert hw.pid
+            content = hw.sock.recv(4096)
+            if content:
+                lines = (hw.leftover + content).split(b('\n'))
+                if lines[-1]:
+                    # no terminating newline: entry isn't complete yet!
+                    hw.leftover = lines.pop()
+                    lines.append(b(''))
+                else:
+                    hw.leftover = b('')
+                mux.send(0, ssnet.CMD_HOST_LIST, b('\n').join(lines))
            else:
-                hw.leftover = b('')
-            mux.send(0, ssnet.CMD_HOST_LIST, b('\n').join(lines))
-        else:
-            raise Fatal('hostwatch process died')
+                raise Fatal('hostwatch process died')

-    def got_host_req(data):
-        if not hw.pid:
-            (hw.pid, hw.sock) = start_hostwatch(
-                    data.decode("ASCII").strip().split(), auto_hosts)
-            handlers.append(Handler(socks=[hw.sock],
-                                    callback=hostwatch_ready))
-    mux.got_host_req = got_host_req
+        def got_host_req(data):
+            if not hw.pid:
+                (hw.pid, hw.sock) = start_hostwatch(
+                        data.decode("ASCII").strip().split(), auto_hosts)
+                handlers.append(Handler(socks=[hw.sock],
+                                        callback=hostwatch_ready))
+        mux.got_host_req = got_host_req

-    def new_channel(channel, data):
-        (family, dstip, dstport) = data.decode("ASCII").split(',', 2)
-        family = int(family)
-        # AF_INET is the same constant on Linux and BSD but AF_INET6
-        # is different. As the client and server can be running on
-        # different platforms we can not just set the socket family
-        # to what comes in the wire.
-        if family != socket.AF_INET:
-            family = socket.AF_INET6
-        dstport = int(dstport)
-        outwrap = ssnet.connect_dst(family, dstip, dstport)
-        handlers.append(Proxy(MuxWrapper(mux, channel), outwrap))
-    mux.new_channel = new_channel
-
-    dnshandlers = {}
-
-    def dns_req(channel, data):
-        debug2('Incoming DNS request channel=%d.\n' % channel)
-        h = DnsProxy(mux, channel, data, to_nameserver)
-        handlers.append(h)
-        dnshandlers[channel] = h
-    mux.got_dns_req = dns_req
-
-    udphandlers = {}
-
-    def udp_req(channel, cmd, data):
-        debug2('Incoming UDP request channel=%d, cmd=%d\n' % (channel, cmd))
-        if cmd == ssnet.CMD_UDP_DATA:
-            (dstip, dstport, data) = data.split(b(','), 2)
+        def new_channel(channel, data):
+            (family, dstip, dstport) = data.decode("ASCII").split(',', 2)
+            family = int(family)
+            # AF_INET is the same constant on Linux and BSD but AF_INET6
+            # is different. As the client and server can be running on
+            # different platforms we can not just set the socket family
+            # to what comes in the wire.
+            if family != socket.AF_INET:
+                family = socket.AF_INET6
            dstport = int(dstport)
-            debug2('is incoming UDP data. %r %d.\n' % (dstip, dstport))
-            h = udphandlers[channel]
-            h.send((dstip, dstport), data)
-        elif cmd == ssnet.CMD_UDP_CLOSE:
-            debug2('is incoming UDP close\n')
-            h = udphandlers[channel]
-            h.ok = False
-            del mux.channels[channel]
+            outwrap = ssnet.connect_dst(family, dstip, dstport)
+            handlers.append(Proxy(MuxWrapper(mux, channel), outwrap))
+        mux.new_channel = new_channel

-    def udp_open(channel, data):
-        debug2('Incoming UDP open.\n')
-        family = int(data)
-        mux.channels[channel] = lambda cmd, data: udp_req(channel, cmd, data)
-        if channel in udphandlers:
-            raise Fatal('UDP connection channel %d already open' % channel)
-        else:
-            h = UdpProxy(mux, channel, family)
+        dnshandlers = {}
+
+        def dns_req(channel, data):
+            debug2('Incoming DNS request channel=%d.' % channel)
+            h = DnsProxy(mux, channel, data, to_nameserver)
            handlers.append(h)
-            udphandlers[channel] = h
-    mux.got_udp_open = udp_open
+            dnshandlers[channel] = h
+        mux.got_dns_req = dns_req

-    while mux.ok:
-        if hw.pid:
-            assert(hw.pid > 0)
-            (rpid, rv) = os.waitpid(hw.pid, os.WNOHANG)
-            if rpid:
-                raise Fatal(
-                    'hostwatch exited unexpectedly: code 0x%04x\n' % rv)
+        udphandlers = {}

-        ssnet.runonce(handlers, mux)
-        if latency_control:
-            mux.check_fullness()
+        def udp_req(channel, cmd, data):
+            debug2('Incoming UDP request channel=%d, cmd=%d' %
+                   (channel, cmd))
+            if cmd == ssnet.CMD_UDP_DATA:
+                (dstip, dstport, data) = data.split(b(','), 2)
+                dstport = int(dstport)
+                debug2('is incoming UDP data. %r %d.' % (dstip, dstport))
+                h = udphandlers[channel]
+                h.send((dstip, dstport), data)
+            elif cmd == ssnet.CMD_UDP_CLOSE:
+                debug2('is incoming UDP close')
+                h = udphandlers[channel]
+                h.ok = False
+                del mux.channels[channel]

-        if dnshandlers:
-            now = time.time()
-            remove = []
-            for channel, h in dnshandlers.items():
-                if h.timeout < now or not h.ok:
-                    debug3('expiring dnsreqs channel=%d\n' % channel)
-                    remove.append(channel)
-                    h.ok = False
-            for channel in remove:
-                del dnshandlers[channel]
-        if udphandlers:
-            remove = []
-            for channel, h in udphandlers.items():
-                if not h.ok:
-                    debug3('expiring UDP channel=%d\n' % channel)
-                    remove.append(channel)
-                    h.ok = False
-            for channel in remove:
-                del udphandlers[channel]
+        def udp_open(channel, data):
+            debug2('Incoming UDP open.')
+            family = int(data)
+            mux.channels[channel] = lambda cmd, data: udp_req(channel, cmd,
+                                                              data)
+            if channel in udphandlers:
+                raise Fatal('UDP connection channel %d already open' %
+                            channel)
+            else:
+                h = UdpProxy(mux, channel, family)
+                handlers.append(h)
+                udphandlers[channel] = h
+        mux.got_udp_open = udp_open
+
+        while mux.ok:
+            if hw.pid:
+                assert hw.pid > 0
+                (rpid, rv) = os.waitpid(hw.pid, os.WNOHANG)
+                if rpid:
+                    raise Fatal(
+                        'hostwatch exited unexpectedly: code 0x%04x' % rv)
+
+            ssnet.runonce(handlers, mux)
+            if latency_control:
+                mux.check_fullness()
+
+            if dnshandlers:
+                now = time.time()
+                remove = []
+                for channel, h in dnshandlers.items():
+                    if h.timeout < now or not h.ok:
+                        debug3('expiring dnsreqs channel=%d' % channel)
+                        remove.append(channel)
+                        h.ok = False
+                for channel in remove:
+                    del dnshandlers[channel]
+            if udphandlers:
+                remove = []
+                for channel, h in udphandlers.items():
+                    if not h.ok:
+                        debug3('expiring UDP channel=%d' % channel)
+                        remove.append(channel)
+                        h.ok = False
+                for channel in remove:
+                    del udphandlers[channel]
+
+    except Fatal as e:
+        log('fatal: %s' % e)
+        sys.exit(99)
--- a/sshuttle/ssh.py
+++ b/sshuttle/ssh.py
@ -12,7 +12,7 @@ import ipaddress
 from urllib.parse import urlparse

 import sshuttle.helpers as helpers
-from sshuttle.helpers import debug2
+from sshuttle.helpers import debug2, which, get_path, Fatal


 def get_module_source(name):
@ -43,6 +43,8 @@ def parse_hostport(rhostport):
    """
    # leave use of default port to ssh command to prevent overwriting
    # ports configured in ~/.ssh/config when no port is given
+    if rhostport is None or len(rhostport) == 0:
+        return None, None, None, None
    port = None
    username = None
    password = None
@ -59,11 +61,11 @@ def parse_hostport(rhostport):
    if ":" in host:
        # IPv6 address and/or got a port specified

-        # If it is an IPv6 adress with port specification,
+        # If it is an IPv6 address with port specification,
        # then it will look like: [::1]:22

        try:
-            # try to parse host as an IP adress,
+            # try to parse host as an IP address,
            # if that works it is an IPv6 address
            host = str(ipaddress.ip_address(host))
        except ValueError:
@ -101,11 +103,21 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
                empackage(z, 'sshuttle.server') +
                b"\n")

+    # If the exec() program calls sys.exit(), it should exit python
+    # and the sys.exit(98) call won't be reached (so we try to only
+    # exit that way in the server). However, if the code that we
+    # exec() simply returns from main, then we will return from
+    # exec(). If the server's python process dies, it should stop
+    # executing and also won't reach sys.exit(98).
+    #
+    # So, we shouldn't reach sys.exit(98) and we certainly shouldn't
+    # reach it immediately after trying to start the server.
    pyscript = r"""
                import sys, os;
                verbosity=%d;
                sys.stdin = os.fdopen(0, "rb");
-                exec(compile(sys.stdin.read(%d), "assembler.py", "exec"))
+                exec(compile(sys.stdin.read(%d), "assembler.py", "exec"));
+                sys.exit(98);
                """ % (helpers.verbose or 0, len(content))
    pyscript = re.sub(r'\s+', ' ', pyscript.strip())

@ -125,8 +137,47 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
        if python:
            pycmd = "'%s' -c '%s'" % (python, pyscript)
        else:
+            # By default, we run the following code in a shell.
+            # However, with restricted shells and other unusual
+            # situations, there can be trouble. See the RESTRICTED
+            # SHELL section in "man bash" for more information. The
+            # code makes many assumptions:
+            #
+            # (1) That /bin/sh exists and that we can call it.
+            # Restricted shells often do *not* allow you to run
+            # programs specified with an absolute path like /bin/sh.
+            # Either way, if there is trouble with this, it should
+            # return error code 127.
+            #
+            # (2) python3 or python exists in the PATH and is
+            # executable. If they aren't, then exec won't work (see (4)
+            # below).
+            #
+            # (3) In /bin/sh, that we can redirect stderr in order to
+            # hide the version that "python3 -V" might print (some
+            # restricted shells don't allow redirection, see
+            # RESTRICTED SHELL section in 'man bash'). However, if we
+            # are in a restricted shell, we'd likely have trouble with
+            # assumption (1) above.
+            #
+            # (4) The 'exec' command should work except if we failed
+            # to exec python because it doesn't exist or isn't
+            # executable OR if exec isn't allowed (some restricted
+            # shells don't allow exec). If the exec succeeded, it will
+            # not return and not get to the "exit 97" command. If exec
+            # does return, we exit with code 97.
+            #
+            # Specifying the exact python program to run with --python
+            # avoids many of the issues above. However, if
+            # you have a restricted shell on remote, you may only be
+            # able to run python if it is in your PATH (and you can't
+            # run programs specified with an absolute path). In that
+            # case, sshuttle might not work at all since it is not
+            # possible to run python on the remote machine---even if
+            # it is present.
            pycmd = ("P=python3; $P -V 2>%s || P=python; "
-                     "exec \"$P\" -c %s") % (os.devnull, quote(pyscript))
+                     "exec \"$P\" -c %s; exit 97") % \
+                (os.devnull, quote(pyscript))
            pycmd = ("/bin/sh -c {}".format(quote(pycmd)))

        if password is not None:
@ -139,6 +190,17 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
            argv = (sshl +
                    portl +
                    [rhost, '--', pycmd])
+
+    # Our which() function searches for programs in get_path()
+    # directories (which include PATH). This step isn't strictly
+    # necessary if ssh is already in the user's PATH, but it makes the
+    # error message friendlier if the user incorrectly passes in a
+    # custom ssh command that we cannot find.
+    abs_path = which(argv[0])
+    if abs_path is None:
+        raise Fatal("Failed to find '%s' in path %s" % (argv[0], get_path()))
+    argv[0] = abs_path
+
    (s1, s2) = socket.socketpair()

    def setup():
@ -146,7 +208,8 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
        s2.close()
    s1a, s1b = os.dup(s1.fileno()), os.dup(s1.fileno())
    s1.close()
-    debug2('executing: %r\n' % argv)
+
+    debug2('executing: %r' % argv)
    p = ssubprocess.Popen(argv, stdin=s1a, stdout=s1b, preexec_fn=setup,
                          close_fds=True, stderr=stderr)
    os.close(s1a)
--- a/sshuttle/ssnet.py
+++ b/sshuttle/ssnet.py
@ -83,7 +83,7 @@ def _nb_clean(func, *args):
        if e.errno not in (errno.EWOULDBLOCK, errno.EAGAIN):
            raise
        else:
-            debug3('%s: err was: %s\n' % (func.__name__, e))
+            debug3('%s: err was: %s' % (func.__name__, e))
            return None


@ -111,7 +111,7 @@ class SockWrapper:
    def __init__(self, rsock, wsock, connect_to=None, peername=None):
        global _swcount
        _swcount += 1
-        debug3('creating new SockWrapper (%d now exist)\n' % _swcount)
+        debug3('creating new SockWrapper (%d now exist)' % _swcount)
        self.exc = None
        self.rsock = rsock
        self.wsock = wsock
@ -124,9 +124,9 @@ class SockWrapper:
    def __del__(self):
        global _swcount
        _swcount -= 1
-        debug1('%r: deleting (%d remain)\n' % (self, _swcount))
+        debug1('%r: deleting (%d remain)' % (self, _swcount))
        if self.exc:
-            debug1('%r: error was: %s\n' % (self, self.exc))
+            debug1('%r: error was: %s' % (self, self.exc))

    def __repr__(self):
        if self.rsock == self.wsock:
@ -148,14 +148,14 @@ class SockWrapper:
        if not self.connect_to:
            return  # already connected
        self.rsock.setblocking(False)
-        debug3('%r: trying connect to %r\n' % (self, self.connect_to))
+        debug3('%r: trying connect to %r' % (self, self.connect_to))
        try:
            self.rsock.connect(self.connect_to)
            # connected successfully (Linux)
            self.connect_to = None
        except socket.error:
            _, e = sys.exc_info()[:2]
-            debug3('%r: connect result: %s\n' % (self, e))
+            debug3('%r: connect result: %s' % (self, e))
            if e.args[0] == errno.EINVAL:
                # this is what happens when you call connect() on a socket
                # that is now connected but returned EINPROGRESS last time,
@ -165,7 +165,7 @@ class SockWrapper:
                realerr = self.rsock.getsockopt(socket.SOL_SOCKET,
                                                socket.SO_ERROR)
                e = socket.error(realerr, os.strerror(realerr))
-                debug3('%r: fixed connect result: %s\n' % (self, e))
+                debug3('%r: fixed connect result: %s' % (self, e))
            if e.args[0] in [errno.EINPROGRESS, errno.EALREADY]:
                pass  # not connected yet
            elif e.args[0] == 0:
@ -191,13 +191,13 @@ class SockWrapper:

    def noread(self):
        if not self.shut_read:
-            debug2('%r: done reading\n' % self)
+            debug2('%r: done reading' % self)
            self.shut_read = True
            # self.rsock.shutdown(SHUT_RD)  # doesn't do anything anyway

    def nowrite(self):
        if not self.shut_write:
-            debug2('%r: done writing\n' % self)
+            debug2('%r: done writing' % self)
            self.shut_write = True
            try:
                self.wsock.shutdown(SHUT_WR)
@ -218,7 +218,7 @@ class SockWrapper:
        except OSError:
            _, e = sys.exc_info()[:2]
            if e.errno == errno.EPIPE:
-                debug1('%r: uwrite: got EPIPE\n' % self)
+                debug1('%r: uwrite: got EPIPE' % self)
                self.nowrite()
                return 0
            else:
@ -227,7 +227,7 @@ class SockWrapper:
                return 0

    def write(self, buf):
-        assert(buf)
+        assert buf
        return self.uwrite(buf)

    def uread(self):
@ -275,12 +275,12 @@ class Handler:
            _add(r, i)

    def callback(self, sock):
-        log('--no callback defined-- %r\n' % self)
+        log('--no callback defined-- %r' % self)
        (r, _, _) = select.select(self.socks, [], [], 0)
        for s in r:
            v = s.recv(4096)
            if not v:
-                log('--closed-- %r\n' % self)
+                log('--closed-- %r' % self)
                self.socks = []
                self.ok = False

@ -377,7 +377,7 @@ class Mux(Handler):
        # for b in self.outbuf:
        #    (s1,s2,c) = struct.unpack('!ccH', b[:4])
        #    ob.append(c)
-        # log('outbuf: %d %r\n' % (self.amount_queued(), ob))
+        # log('outbuf: %d %r' % (self.amount_queued(), ob))

    def send(self, channel, cmd, data):
        assert isinstance(data, bytes)
@ -385,32 +385,32 @@ class Mux(Handler):
        p = struct.pack('!ccHHH', b('S'), b('S'), channel, cmd, len(data)) \
            + data
        self.outbuf.append(p)
-        debug2(' > channel=%d cmd=%s len=%d (fullness=%d)\n'
+        debug2(' > channel=%d cmd=%s len=%d (fullness=%d)'
               % (channel, cmd_to_name.get(cmd, hex(cmd)),
                  len(data), self.fullness))
        self.fullness += len(data)

    def got_packet(self, channel, cmd, data):
-        debug2('<  channel=%d cmd=%s len=%d\n'
+        debug2('<  channel=%d cmd=%s len=%d'
               % (channel, cmd_to_name.get(cmd, hex(cmd)), len(data)))
        if cmd == CMD_PING:
            self.send(0, CMD_PONG, data)
        elif cmd == CMD_PONG:
-            debug2('received PING response\n')
+            debug2('received PING response')
            self.too_full = False
            self.fullness = 0
        elif cmd == CMD_EXIT:
            self.ok = False
        elif cmd == CMD_TCP_CONNECT:
-            assert(not self.channels.get(channel))
+            assert not self.channels.get(channel)
            if self.new_channel:
                self.new_channel(channel, data)
        elif cmd == CMD_DNS_REQ:
-            assert(not self.channels.get(channel))
+            assert not self.channels.get(channel)
            if self.got_dns_req:
                self.got_dns_req(channel, data)
        elif cmd == CMD_UDP_OPEN:
-            assert(not self.channels.get(channel))
+            assert not self.channels.get(channel)
            if self.got_udp_open:
                self.got_udp_open(channel, data)
        elif cmd == CMD_ROUTES:
@ -431,7 +431,7 @@ class Mux(Handler):
        else:
            callback = self.channels.get(channel)
            if not callback:
-                log('warning: closed channel %d got cmd=%s len=%d\n'
+                log('warning: closed channel %d got cmd=%s len=%d'
                    % (channel, cmd_to_name.get(cmd, hex(cmd)), len(data)))
            else:
                callback(cmd, data)
@ -443,10 +443,10 @@ class Mux(Handler):
            # python < 3.5
            flags = fcntl.fcntl(self.wfile.fileno(), fcntl.F_GETFL)
            flags |= os.O_NONBLOCK
-            flags = fcntl.fcntl(self.wfile.fileno(), fcntl.F_SETFL, flags)
+            fcntl.fcntl(self.wfile.fileno(), fcntl.F_SETFL, flags)
        if self.outbuf and self.outbuf[0]:
            wrote = _nb_clean(os.write, self.wfile.fileno(), self.outbuf[0])
-            debug2('mux wrote: %r/%d\n' % (wrote, len(self.outbuf[0])))
+            debug2('mux wrote: %r/%d' % (wrote, len(self.outbuf[0])))
            if wrote:
                self.outbuf[0] = self.outbuf[0][wrote:]
        while self.outbuf and not self.outbuf[0]:
@ -459,13 +459,16 @@ class Mux(Handler):
            # python < 3.5
            flags = fcntl.fcntl(self.rfile.fileno(), fcntl.F_GETFL)
            flags |= os.O_NONBLOCK
-            flags = fcntl.fcntl(self.rfile.fileno(), fcntl.F_SETFL, flags)
+            fcntl.fcntl(self.rfile.fileno(), fcntl.F_SETFL, flags)
        try:
-            read = _nb_clean(os.read, self.rfile.fileno(), LATENCY_BUFFER_SIZE)
+            # If LATENCY_BUFFER_SIZE is inappropriately large, we will
+            # get a MemoryError here. Read no more than 1MiB.
+            read = _nb_clean(os.read, self.rfile.fileno(),
+                             min(1048576, LATENCY_BUFFER_SIZE))
        except OSError:
            _, e = sys.exc_info()[:2]
            raise Fatal('other end: %r' % e)
-        # log('<<< %r\n' % b)
+        # log('<<< %r' % b)
        if read == b(''):  # EOF
            self.ok = False
        if read:
@ -473,14 +476,14 @@ class Mux(Handler):

    def handle(self):
        self.fill()
-        # log('inbuf is: (%d,%d) %r\n'
+        # log('inbuf is: (%d,%d) %r'
        #     % (self.want, len(self.inbuf), self.inbuf))
        while 1:
            if len(self.inbuf) >= (self.want or HDR_LEN):
                (s1, s2, channel, cmd, datalen) = \
                    struct.unpack('!ccHHH', self.inbuf[:HDR_LEN])
-                assert(s1 == b('S'))
-                assert(s2 == b('S'))
+                assert s1 == b('S')
+                assert s2 == b('S')
                self.want = datalen + HDR_LEN
            if self.want and len(self.inbuf) >= self.want:
                data = self.inbuf[HDR_LEN:self.want]
@ -511,7 +514,7 @@ class MuxWrapper(SockWrapper):
        self.channel = channel
        self.mux.channels[channel] = self.got_packet
        self.socks = []
-        debug2('new channel: %d\n' % channel)
+        debug2('new channel: %d' % channel)

    def __del__(self):
        self.nowrite()
@ -527,7 +530,7 @@ class MuxWrapper(SockWrapper):

    def setnoread(self):
        if not self.shut_read:
-            debug2('%r: done reading\n' % self)
+            debug2('%r: done reading' % self)
            self.shut_read = True
            self.maybe_close()

@ -538,13 +541,13 @@ class MuxWrapper(SockWrapper):

    def setnowrite(self):
        if not self.shut_write:
-            debug2('%r: done writing\n' % self)
+            debug2('%r: done writing' % self)
            self.shut_write = True
            self.maybe_close()

    def maybe_close(self):
        if self.shut_read and self.shut_write:
-            debug2('%r: closing connection\n' % self)
+            debug2('%r: closing connection' % self)
            # remove the mux's reference to us.  The python garbage collector
            # will then be able to reap our object.
            self.mux.channels[self.channel] = None
@ -581,9 +584,9 @@ class MuxWrapper(SockWrapper):


 def connect_dst(family, ip, port):
-    debug2('Connecting to %s:%d\n' % (ip, port))
+    debug2('Connecting to %s:%d' % (ip, port))
    outsock = socket.socket(family)
-    outsock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
+
    return SockWrapper(outsock, outsock,
                       connect_to=(ip, port),
                       peername='%s:%d' % (ip, port))
@ -599,11 +602,11 @@ def runonce(handlers, mux):

    for s in handlers:
        s.pre_select(r, w, x)
-    debug2('Waiting: %d r=%r w=%r x=%r (fullness=%d/%d)\n'
+    debug2('Waiting: %d r=%r w=%r x=%r (fullness=%d/%d)'
           % (len(handlers), _fds(r), _fds(w), _fds(x),
               mux.fullness, mux.too_full))
    (r, w, x) = select.select(r, w, x)
-    debug2('  Ready: %d r=%r w=%r x=%r\n'
+    debug2('  Ready: %d r=%r w=%r x=%r'
           % (len(handlers), _fds(r), _fds(w), _fds(x)))
    ready = r + w + x
    did = {}
--- a/sshuttle/stresstest.py
+++ b/sshuttle/stresstest.py
@ -1,89 +0,0 @@
-#!/usr/bin/env python
-import socket
-import select
-import struct
-import time
-
-listener = socket.socket()
-listener.bind(('127.0.0.1', 0))
-listener.listen(500)
-
-servers = []
-clients = []
-remain = {}
-
-NUMCLIENTS = 50
-count = 0
-
-
-while 1:
-    if len(clients) < NUMCLIENTS:
-        c = socket.socket()
-        c.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-        c.bind(('0.0.0.0', 0))
-        c.connect(listener.getsockname())
-        count += 1
-        if count >= 16384:
-            count = 1
-        print('cli CREATING %d' % count)
-        b = struct.pack('I', count) + 'x' * count
-        remain[c] = count
-        print('cli  >> %r' % len(b))
-        c.send(b)
-        c.shutdown(socket.SHUT_WR)
-        clients.append(c)
-        r = [listener]
-        time.sleep(0.1)
-    else:
-        r = [listener] + servers + clients
-    print('select(%d)' % len(r))
-    r, w, x = select.select(r, [], [], 5)
-    assert(r)
-    for i in r:
-        if i == listener:
-            s, addr = listener.accept()
-            servers.append(s)
-        elif i in servers:
-            b = i.recv(4096)
-            print('srv <<  %r' % len(b))
-            if i not in remain:
-                assert(len(b) >= 4)
-                want = struct.unpack('I', b[:4])[0]
-                b = b[4:]
-                # i.send('y'*want)
-            else:
-                want = remain[i]
-            if want < len(b):
-                print('weird wanted %d bytes, got %d: %r' % (want, len(b), b))
-                assert(want >= len(b))
-            want -= len(b)
-            remain[i] = want
-            if not b:  # EOF
-                if want:
-                    print('weird: eof but wanted %d more' % want)
-                    assert(want == 0)
-                i.close()
-                servers.remove(i)
-                del remain[i]
-            else:
-                print('srv  >> %r' % len(b))
-                i.send('y' * len(b))
-                if not want:
-                    i.shutdown(socket.SHUT_WR)
-        elif i in clients:
-            b = i.recv(4096)
-            print('cli <<  %r' % len(b))
-            want = remain[i]
-            if want < len(b):
-                print('weird wanted %d bytes, got %d: %r' % (want, len(b), b))
-                assert(want >= len(b))
-            want -= len(b)
-            remain[i] = want
-            if not b:  # EOF
-                if want:
-                    print('weird: eof but wanted %d more' % want)
-                    assert(want == 0)
-                i.close()
-                clients.remove(i)
-                del remain[i]
-listener.accept()
--- a/sshuttle/sudoers.py
+++ b/sshuttle/sudoers.py
@ -2,63 +2,45 @@ import os
 import sys
 import getpass
 from uuid import uuid4
-from subprocess import Popen, PIPE
-from sshuttle.helpers import log, debug1
-from distutils import spawn

-path_to_sshuttle = sys.argv[0]
-path_to_dist_packages = os.path.dirname(os.path.abspath(__file__))[:-9]

-# randomize command alias to avoid collisions
-command_alias = 'SSHUTTLE%(num)s' % {'num': uuid4().hex[-3:].upper()}
+def build_config(user_name):
+    template = '''
+# WARNING: If you intend to restrict a user to only running the
+# sshuttle command as root, THIS CONFIGURATION IS INSECURE.
+# When a user can run sshuttle as root (with or without a password),
+# they can also run other commands as root because sshuttle itself
+# can run a command specified by the user with the --ssh-cmd option.
+
+# INSTRUCTIONS: Add this text to your sudo configuration to run
+# sshuttle without needing to enter a sudo password. To use this
+# configuration, run 'visudo /etc/sudoers.d/sshuttle_auto' as root and
+# paste this text into the editor that it opens. If you want to give
+# multiple users these privileges, you may wish to use use different
+# filenames for each one (i.e., /etc/sudoers.d/sshuttle_auto_john).
+
+# This configuration was initially generated by the
+# 'sshuttle --sudoers-no-modify' command.

-# Template for the sudoers file
-template = '''
 Cmnd_Alias %(ca)s = /usr/bin/env PYTHONPATH=%(dist_packages)s %(py)s %(path)s *

 %(user_name)s ALL=NOPASSWD: %(ca)s
 '''

-
-def build_config(user_name):
    content = template % {
-        'ca': command_alias,
-        'dist_packages': path_to_dist_packages,
+        # randomize command alias to avoid collisions
+        'ca': 'SSHUTTLE%(num)s' % {'num': uuid4().hex[-3:].upper()},
+        'dist_packages': os.path.dirname(os.path.abspath(__file__))[:-9],
        'py': sys.executable,
-        'path': path_to_sshuttle,
+        'path': sys.argv[0],
        'user_name': user_name,
    }

    return content


-def save_config(content, file_name):
-    process = Popen([
-        '/usr/bin/sudo',
-        spawn.find_executable('sudoers-add'),
-        file_name,
-    ], stdout=PIPE, stdin=PIPE)
-
-    process.stdin.write(content.encode())
-
-    streamdata = process.communicate()[0]
-    returncode = process.returncode
-
-    if returncode:
-        log('Failed updating sudoers file.\n')
-        debug1(streamdata)
-        exit(returncode)
-    else:
-        log('Success, sudoers file update.\n')
-        exit(0)
-
-
-def sudoers(user_name=None, no_modify=None, file_name=None):
+def sudoers(user_name=None):
    user_name = user_name or getpass.getuser()
    content = build_config(user_name)
-
-    if no_modify:
-        sys.stdout.write(content)
-        exit(0)
-    else:
-        save_config(content, file_name)
+    sys.stdout.write(content)
+    exit(0)
--- a/sshuttle/version.py
+++ b/sshuttle/version.py
@ -0,0 +1 @@
+__version__ = version = '1.1.1'
--- a/tests/client/test_firewall.py
+++ b/tests/client/test_firewall.py
@ -1,7 +1,11 @@
 import io
+import os
 from socket import AF_INET, AF_INET6

-from mock import Mock, patch, call
+from unittest.mock import Mock, patch, call
+
+import pytest
+
 import sshuttle.firewall


@ -15,7 +19,7 @@ NSLIST
 {inet},1.2.3.33
 {inet6},2404:6800:4004:80c::33
 PORTS 1024,1025,1026,1027
-GO 1 -
+GO 1 - 0x01 12345
 HOST 1.2.3.3,existing
 """.format(inet=AF_INET, inet6=AF_INET6))
    stdout = Mock()
@ -55,10 +59,25 @@ def test_rewrite_etc_hosts(tmpdir):
        assert line == ""

    with patch('sshuttle.firewall.HOSTSFILE', new=str(new_hosts)):
-        sshuttle.firewall.restore_etc_hosts(10)
+        sshuttle.firewall.restore_etc_hosts(hostmap, 10)
    assert orig_hosts.computehash() == new_hosts.computehash()


+@patch('os.link')
+@patch('os.rename')
+def test_rewrite_etc_hosts_no_overwrite(mock_link, mock_rename, tmpdir):
+    mock_link.side_effect = OSError
+    mock_rename.side_effect = OSError
+
+    with pytest.raises(OSError):
+        os.link('/test_from', '/test_to')
+
+    with pytest.raises(OSError):
+        os.rename('/test_from', '/test_to')
+
+    test_rewrite_etc_hosts(tmpdir)
+
+
 def test_subnet_weight():
    subnets = [
        (AF_INET, 16, 0, '192.168.0.0', 0, 0),
@ -116,22 +135,26 @@ def test_main(mock_get_method, mock_setup_daemon, mock_rewrite_etc_hosts):
    assert mock_setup_daemon.mock_calls == [call()]
    assert mock_get_method.mock_calls == [
        call('not_auto'),
+        call().is_supported(),
+        call().is_supported().__bool__(),
        call().setup_firewall(
            1024, 1026,
            [(AF_INET6, u'2404:6800:4004:80c::33')],
            AF_INET6,
            [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 0, 0),
-                (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
+             (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
            True,
-            None),
+            None,
+            '0x01'),
        call().setup_firewall(
            1025, 1027,
            [(AF_INET, u'1.2.3.33')],
            AF_INET,
            [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
-                (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
+             (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
            True,
-            None),
+            None,
+            '0x01'),
        call().restore_firewall(1024, AF_INET6, True, None),
        call().restore_firewall(1025, AF_INET, True, None),
    ]
--- a/tests/client/test_helpers.py
+++ b/tests/client/test_helpers.py
@ -3,7 +3,7 @@ import socket
 from socket import AF_INET, AF_INET6
 import errno

-from mock import patch, call
+from unittest.mock import patch, call
 import sshuttle.helpers


@ -24,19 +24,19 @@ def test_log(mock_stderr, mock_stdout):
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
-        call.write('prefix: message'),
+        call.write('prefix: message\r\n'),
        call.flush(),
-        call.write('prefix: abc'),
+        call.write('prefix: abc\r\n'),
        call.flush(),
-        call.write('prefix: message 1\n'),
+        call.write('prefix: message 1\r\n'),
        call.flush(),
-        call.write('prefix: message 2\n'),
-        call.write('---> line2\n'),
-        call.write('---> line3\n'),
+        call.write('prefix: message 2\r\n'),
+        call.write('    line2\r\n'),
+        call.write('    line3\r\n'),
        call.flush(),
-        call.write('prefix: message 3\n'),
-        call.write('---> line2\n'),
-        call.write('---> line3\n'),
+        call.write('prefix: message 3\r\n'),
+        call.write('    line2\r\n'),
+        call.write('    line3\r\n'),
        call.flush(),
    ]

@ -51,7 +51,7 @@ def test_debug1(mock_stderr, mock_stdout):
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
-        call.write('prefix: message'),
+        call.write('prefix: message\r\n'),
        call.flush(),
    ]

@ -76,7 +76,7 @@ def test_debug2(mock_stderr, mock_stdout):
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
-        call.write('prefix: message'),
+        call.write('prefix: message\r\n'),
        call.flush(),
    ]

@ -101,7 +101,7 @@ def test_debug3(mock_stderr, mock_stdout):
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
-        call.write('prefix: message'),
+        call.write('prefix: message\r\n'),
        call.flush(),
    ]

@ -131,7 +131,7 @@ nameserver 2404:6800:4004:80c::3
 nameserver 2404:6800:4004:80c::4
 """)

-    ns = sshuttle.helpers.resolvconf_nameservers()
+    ns = sshuttle.helpers.resolvconf_nameservers(False)
    assert ns == [
        (AF_INET, u'192.168.1.1'), (AF_INET, u'192.168.2.1'),
        (AF_INET, u'192.168.3.1'), (AF_INET, u'192.168.4.1'),
@ -156,7 +156,7 @@ nameserver 2404:6800:4004:80c::2
 nameserver 2404:6800:4004:80c::3
 nameserver 2404:6800:4004:80c::4
 """)
-    ns = sshuttle.helpers.resolvconf_random_nameserver()
+    ns = sshuttle.helpers.resolvconf_random_nameserver(False)
    assert ns in [
        (AF_INET, u'192.168.1.1'), (AF_INET, u'192.168.2.1'),
        (AF_INET, u'192.168.3.1'), (AF_INET, u'192.168.4.1'),
@ -192,5 +192,4 @@ def test_family_ip_tuple():
 def test_family_to_string():
    assert sshuttle.helpers.family_to_string(AF_INET) == "AF_INET"
    assert sshuttle.helpers.family_to_string(AF_INET6) == "AF_INET6"
-    expected = 'AddressFamily.AF_UNIX'
-    assert sshuttle.helpers.family_to_string(socket.AF_UNIX) == expected
+    assert isinstance(sshuttle.helpers.family_to_string(socket.AF_UNIX), str)
--- a/tests/client/test_methods_nat.py
+++ b/tests/client/test_methods_nat.py
@ -3,7 +3,7 @@ from socket import AF_INET, AF_INET6
 import struct

 import pytest
-from mock import Mock, patch, call
+from unittest.mock import Mock, patch, call
 from sshuttle.helpers import Fatal
 from sshuttle.methods import get_method

@ -11,19 +11,29 @@ from sshuttle.methods import get_method
 def test_get_supported_features():
    method = get_method('nat')
    features = method.get_supported_features()
-    assert not features.ipv6
+    assert features.ipv6
    assert not features.udp
    assert features.dns


 def test_get_tcp_dstip():
    sock = Mock()
+    sock.family = AF_INET
    sock.getsockopt.return_value = struct.pack(
        '!HHBBBB', socket.ntohs(AF_INET), 1024, 127, 0, 0, 1)
    method = get_method('nat')
    assert method.get_tcp_dstip(sock) == ('127.0.0.1', 1024)
    assert sock.mock_calls == [call.getsockopt(0, 80, 16)]

+    sock = Mock()
+    sock.family = AF_INET6
+    sock.getsockopt.return_value = struct.pack(
+        '!HH4xBBBBBBBBBBBBBBBB', socket.ntohs(AF_INET6),
+        1024, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1)
+    method = get_method('nft')
+    assert method.get_tcp_dstip(sock) == ('::1', 1024)
+    assert sock.mock_calls == [call.getsockopt(41, 80, 64)]
+

 def test_recv_udp():
    sock = Mock()
@ -71,30 +81,56 @@ def test_assert_features():

 def test_firewall_command():
    method = get_method('nat')
-    assert not method.firewall_command("somthing")
+    assert not method.firewall_command("something")


@patch('sshuttle.methods.nat.ipt')
-@patch('sshuttle.methods.nat.ipt_ttl')
@patch('sshuttle.methods.nat.ipt_chain_exists')
-def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
+def test_setup_firewall(mock_ipt_chain_exists, mock_ipt):
    mock_ipt_chain_exists.return_value = True
    method = get_method('nat')
    assert method.name == 'nat'

-    with pytest.raises(Exception) as excinfo:
-        method.setup_firewall(
-            1024, 1026,
-            [(AF_INET6, u'2404:6800:4004:80c::33')],
-            AF_INET6,
-            [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 0, 0),
-                (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
-            True,
-            None)
-    assert str(excinfo.value) \
-        == 'Address family "AF_INET6" unsupported by nat method_name'
    assert mock_ipt_chain_exists.mock_calls == []
-    assert mock_ipt_ttl.mock_calls == []
+    assert mock_ipt.mock_calls == []
+    method.setup_firewall(
+        1024, 1026,
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
+        AF_INET6,
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 0, 0),
+         (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
+        False,
+        None,
+        '0x01')
+
+    assert mock_ipt_chain_exists.mock_calls == [
+        call(AF_INET6, 'nat', 'sshuttle-1024')
+    ]
+    assert mock_ipt.mock_calls == [
+        call(AF_INET6, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-F', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-X', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-N', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-F', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-I', 'PREROUTING', '1', '-j', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-A', 'sshuttle-1024', '-j', 'REDIRECT',
+             '--dest', u'2404:6800:4004:80c::33', '-p', 'udp',
+             '--dport', '53', '--to-ports', '1026'),
+        call(AF_INET6, 'nat', '-A', 'sshuttle-1024', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
+        call(AF_INET6, 'nat', '-A', 'sshuttle-1024', '-j', 'RETURN',
+             '--dest', u'2404:6800:4004:80c::101f/128', '-p', 'tcp',
+             '--dport', '80:80'),
+        call(AF_INET6, 'nat', '-A', 'sshuttle-1024', '-j', 'REDIRECT',
+             '--dest', u'2404:6800:4004:80c::/64', '-p', 'tcp',
+             '--to-ports', '1024')
+    ]
+    mock_ipt_chain_exists.reset_mock()
+    mock_ipt.reset_mock()
+
+    assert mock_ipt_chain_exists.mock_calls == []
    assert mock_ipt.mock_calls == []

    with pytest.raises(Exception) as excinfo:
@ -105,10 +141,10 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
            [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
                (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
            True,
-            None)
+            None,
+            '0x01')
    assert str(excinfo.value) == 'UDP not supported by nat method_name'
    assert mock_ipt_chain_exists.mock_calls == []
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == []

    method.setup_firewall(
@ -118,18 +154,11 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
            (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
        False,
-        None)
+        None,
+        '0x01')
    assert mock_ipt_chain_exists.mock_calls == [
        call(AF_INET, 'nat', 'sshuttle-1025')
    ]
-    assert mock_ipt_ttl.mock_calls == [
-        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
-             '--dest', u'1.2.3.0/24', '-p', 'tcp', '--dport', '8000:9000',
-             '--to-ports', '1025'),
-        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
-             '--dest', u'1.2.3.33/32', '-p', 'udp',
-             '--dport', '53', '--to-ports', '1027')
-    ]
    assert mock_ipt.mock_calls == [
        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
@ -139,30 +168,45 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
        call(AF_INET, 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-1025'),
        call(AF_INET, 'nat', '-I', 'PREROUTING', '1', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
+             '--dest', u'1.2.3.33', '-p', 'udp',
+             '--dport', '53', '--to-ports', '1027'),
        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
-             '-m', 'addrtype', '--dst-type', 'LOCAL',
-             '!', '-p', 'udp'),
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
-             '-m', 'addrtype', '--dst-type', 'LOCAL',
-             '-p', 'udp', '!', '--dport', '53'),
-        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
-             '--dest', u'1.2.3.66/32', '-p', 'tcp', '--dport', '8080:8080')
+             '--dest', u'1.2.3.66/32', '-p', 'tcp', '--dport', '8080:8080'),
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
+             '--dest', u'1.2.3.0/24', '-p', 'tcp', '--dport', '8000:9000',
+             '--to-ports', '1025')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()

    method.restore_firewall(1025, AF_INET, False, None)
    assert mock_ipt_chain_exists.mock_calls == [
        call(AF_INET, 'nat', 'sshuttle-1025')
    ]
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
-        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
-        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j',
+             'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j',
+             'sshuttle-1025'),
        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
        call(AF_INET, 'nat', '-X', 'sshuttle-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
+    mock_ipt.reset_mock()
+
+    method.restore_firewall(1025, AF_INET6, False, None)
+    assert mock_ipt_chain_exists.mock_calls == [
+        call(AF_INET6, 'nat', 'sshuttle-1025')
+    ]
+    assert mock_ipt.mock_calls == [
+        call(AF_INET6, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
+        call(AF_INET6, 'nat', '-D', 'PREROUTING', '-j',
+             'sshuttle-1025'),
+        call(AF_INET6, 'nat', '-F', 'sshuttle-1025'),
+        call(AF_INET6, 'nat', '-X', 'sshuttle-1025')
+    ]
+    mock_ipt_chain_exists.reset_mock()
    mock_ipt.reset_mock()
--- a/tests/client/test_methods_pf.py
+++ b/tests/client/test_methods_pf.py
@ -2,9 +2,9 @@ import socket
 from socket import AF_INET, AF_INET6

 import pytest
-from mock import Mock, patch, call, ANY
+from unittest.mock import Mock, patch, call, ANY
 from sshuttle.methods import get_method
-from sshuttle.helpers import Fatal
+from sshuttle.helpers import Fatal, get_env
 from sshuttle.methods.pf import FreeBsd, Darwin, OpenBsd


@ -92,7 +92,7 @@ def test_assert_features():
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_firewall_command_darwin(mock_pf_get_dev, mock_ioctl, mock_stdout):
    method = get_method('pf')
-    assert not method.firewall_command("somthing")
+    assert not method.firewall_command("something")

    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
        AF_INET, socket.IPPROTO_TCP,
@ -115,7 +115,7 @@ def test_firewall_command_darwin(mock_pf_get_dev, mock_ioctl, mock_stdout):
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_firewall_command_freebsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
    method = get_method('pf')
-    assert not method.firewall_command("somthing")
+    assert not method.firewall_command("something")

    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
        AF_INET, socket.IPPROTO_TCP,
@ -138,7 +138,7 @@ def test_firewall_command_freebsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_firewall_command_openbsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
    method = get_method('pf')
-    assert not method.firewall_command("somthing")
+    assert not method.firewall_command("something")

    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
        AF_INET, socket.IPPROTO_TCP,
@ -186,7 +186,8 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        False,
-        None)
+        None,
+        '0x01')
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
@ -225,7 +226,8 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
            True,
-            None)
+            None,
+            '0x01')
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
@ -238,7 +240,8 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        False,
-        None)
+        None,
+        '0x01')
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
@ -298,7 +301,8 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl,
        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        False,
-        None)
+        None,
+        '0x01')

    assert mock_pfctl.mock_calls == [
        call('-s all'),
@ -316,7 +320,8 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl,
             b'to <dns_servers> port 53 keep state\n'),
        call('-e'),
    ]
-    assert call(['kldload', 'pf']) in mock_subprocess_call.mock_calls
+    assert call(['kldload', 'pf'], env=get_env()) in \
+        mock_subprocess_call.mock_calls
    mock_pf_get_dev.reset_mock()
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
@ -329,7 +334,8 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl,
            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
            True,
-            None)
+            None,
+            '0x01')
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
@ -342,7 +348,8 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl,
        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        False,
-        None)
+        None,
+        '0x01')
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCBE0441A, ANY),
@ -400,7 +407,8 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        False,
-        None)
+        None,
+        '0x01')

    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xcd60441a, ANY),
@ -436,7 +444,8 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
            True,
-            None)
+            None,
+            '0x01')
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
@ -449,7 +458,8 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        False,
-        None)
+        None,
+        '0x01')
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xcd60441a, ANY),
        call(mock_pf_get_dev(), 0xcd60441a, ANY),
--- a/tests/client/test_methods_tproxy.py
+++ b/tests/client/test_methods_tproxy.py
@ -1,13 +1,12 @@
 import socket
 from socket import AF_INET, AF_INET6

-from mock import Mock, patch, call
+from unittest.mock import Mock, patch, call

 from sshuttle.methods import get_method


-@patch("sshuttle.methods.tproxy.recvmsg")
-def test_get_supported_features_recvmsg(mock_recvmsg):
+def test_get_supported_features():
    method = get_method('tproxy')
    features = method.get_supported_features()
    assert features.ipv6
@ -15,15 +14,6 @@ def test_get_supported_features_recvmsg(mock_recvmsg):
    assert features.dns


-@patch("sshuttle.methods.tproxy.recvmsg", None)
-def test_get_supported_features_norecvmsg():
-    method = get_method('tproxy')
-    features = method.get_supported_features()
-    assert features.ipv6
-    assert not features.udp
-    assert not features.dns
-
-
 def test_get_tcp_dstip():
    sock = Mock()
    sock.getsockname.return_value = ('127.0.0.1', 1024)
@ -88,13 +78,12 @@ def test_assert_features():

 def test_firewall_command():
    method = get_method('tproxy')
-    assert not method.firewall_command("somthing")
+    assert not method.firewall_command("something")


@patch('sshuttle.methods.tproxy.ipt')
-@patch('sshuttle.methods.tproxy.ipt_ttl')
@patch('sshuttle.methods.tproxy.ipt_chain_exists')
-def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
+def test_setup_firewall(mock_ipt_chain_exists, mock_ipt):
    mock_ipt_chain_exists.return_value = True
    method = get_method('tproxy')
    assert method.name == 'tproxy'
@ -108,13 +97,13 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        True,
-        None)
+        None,
+        '0x01')
    assert mock_ipt_chain_exists.mock_calls == [
        call(AF_INET6, 'mangle', 'sshuttle-m-1024'),
        call(AF_INET6, 'mangle', 'sshuttle-t-1024'),
        call(AF_INET6, 'mangle', 'sshuttle-d-1024')
    ]
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1024'),
        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1024'),
@ -133,18 +122,22 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET6, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
        call(AF_INET6, 'mangle', '-I', 'PREROUTING', '1', '-j',
             'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
-             '--set-mark', '1'),
+             '--set-mark', '0x01'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
             '-j', 'sshuttle-d-1024', '-m', 'tcp', '-p', 'tcp'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
             '-j', 'sshuttle-d-1024', '-m', 'udp', '-p', 'udp'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::33/32',
+             '--set-mark', '0x01', '--dest', u'2404:6800:4004:80c::33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1',
+             '--tproxy-mark', '0x01',
             '--dest', u'2404:6800:4004:80c::33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1026'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
@ -160,22 +153,23 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
             '--dest', u'2404:6800:4004:80c::101f/128',
             '-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
+             '--set-mark', '0x01', '--dest', u'2404:6800:4004:80c::/64',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
+             '--tproxy-mark', '0x01', '--dest',
+             u'2404:6800:4004:80c::/64',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000',
             '--on-port', '1024'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
+             '--set-mark', '0x01', '--dest', u'2404:6800:4004:80c::/64',
             '-m', 'udp', '-p', 'udp', '--dport', '8000:9000'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
+             '--tproxy-mark', '0x01', '--dest',
+             u'2404:6800:4004:80c::/64',
             '-m', 'udp', '-p', 'udp', '--dport', '8000:9000',
             '--on-port', '1024')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()

    method.restore_firewall(1025, AF_INET6, True, None)
@ -184,7 +178,6 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET6, 'mangle', 'sshuttle-t-1025'),
        call(AF_INET6, 'mangle', 'sshuttle-d-1025')
    ]
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1025'),
@ -196,7 +189,6 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET6, 'mangle', '-X', 'sshuttle-d-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()

    # IPV4
@ -208,13 +200,13 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        True,
-        None)
+        None,
+        '0x01')
    assert mock_ipt_chain_exists.mock_calls == [
        call(AF_INET, 'mangle', 'sshuttle-m-1025'),
        call(AF_INET, 'mangle', 'sshuttle-t-1025'),
        call(AF_INET, 'mangle', 'sshuttle-d-1025')
    ]
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
@ -233,18 +225,22 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
        call(AF_INET, 'mangle', '-I', 'PREROUTING', '1', '-j',
             'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025',
-             '-j', 'MARK', '--set-mark', '1'),
+             '-j', 'MARK', '--set-mark', '0x01'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
             '-j', 'sshuttle-d-1025', '-m', 'tcp', '-p', 'tcp'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
             '-j', 'sshuttle-d-1025', '-m', 'udp', '-p', 'udp'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'1.2.3.33/32',
+             '--set-mark', '0x01', '--dest', u'1.2.3.33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.33/32',
+             '--tproxy-mark', '0x01', '--dest', u'1.2.3.33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1027'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp',
@ -259,20 +255,19 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
             '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
             '--dport', '80:80'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'1.2.3.0/24',
+             '--set-mark', '0x01', '--dest', u'1.2.3.0/24',
             '-m', 'tcp', '-p', 'tcp'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
+             '--tproxy-mark', '0x01', '--dest', u'1.2.3.0/24',
             '-m', 'tcp', '-p', 'tcp', '--on-port', '1025'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'1.2.3.0/24',
+             '--set-mark', '0x01', '--dest', u'1.2.3.0/24',
             '-m', 'udp', '-p', 'udp'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
+             '--tproxy-mark', '0x01', '--dest', u'1.2.3.0/24',
             '-m', 'udp', '-p', 'udp', '--on-port', '1025')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()

    method.restore_firewall(1025, AF_INET, True, None)
@ -281,7 +276,6 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET, 'mangle', 'sshuttle-t-1025'),
        call(AF_INET, 'mangle', 'sshuttle-d-1025')
    ]
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
@ -293,5 +287,4 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET, 'mangle', '-X', 'sshuttle-d-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()
--- a/tests/client/test_options.py
+++ b/tests/client/test_options.py
@ -1,5 +1,6 @@
 import socket
 from argparse import ArgumentTypeError as Fatal
+from unittest.mock import patch

 import pytest

@ -13,7 +14,6 @@ _ip4_reprs = {
        '3098282570': '184.172.10.74',
        '0xb8.0xac.0x0a.0x4a': '184.172.10.74',
        '0270.0254.0012.0112': '184.172.10.74',
-        'localhost': '127.0.0.1'
 }

 _ip4_swidths = (1, 8, 22, 27, 32)
@ -28,10 +28,27 @@ _ip6_reprs = {
 _ip6_swidths = (48, 64, 96, 115, 128)


+def _mock_getaddrinfo(host, *_):
+    return {
+        "example.com": [
+            (socket.AF_INET6, socket.SOCK_STREAM, 0, '', ('2606:2800:220:1:248:1893:25c8:1946', 0, 0, 0)),
+            (socket.AF_INET, socket.SOCK_STREAM, 0, '', ('93.184.216.34', 0)),
+        ],
+        "my.local": [
+            (socket.AF_INET6, socket.SOCK_STREAM, 0, '', ('::1', 0, 0, 0)),
+            (socket.AF_INET, socket.SOCK_STREAM, 0, '', ('127.0.0.1', 0)),
+        ],
+        "*.blogspot.com": [
+            (socket.AF_INET6, socket.SOCK_STREAM, 0, '', ('2404:6800:4004:821::2001', 0, 0, 0)),
+            (socket.AF_INET, socket.SOCK_STREAM, 0, '', ('142.251.42.129', 0)),
+        ],
+    }.get(host, [])
+
+
 def test_parse_subnetport_ip4():
    for ip_repr, ip in _ip4_reprs.items():
        assert sshuttle.options.parse_subnetport(ip_repr) \
-                == (socket.AF_INET, ip, 32, 0, 0)
+                == [(socket.AF_INET, ip, 32, 0, 0)]
    with pytest.raises(Fatal) as excinfo:
        sshuttle.options.parse_subnetport('10.256.0.0')
    assert str(excinfo.value) == 'Unable to resolve address: 10.256.0.0'
@ -42,34 +59,35 @@ def test_parse_subnetport_ip4_with_mask():
        for swidth in _ip4_swidths:
            assert sshuttle.options.parse_subnetport(
                    '/'.join((ip_repr, str(swidth)))
-                    ) == (socket.AF_INET, ip, swidth, 0, 0)
+                    ) == [(socket.AF_INET, ip, swidth, 0, 0)]
    assert sshuttle.options.parse_subnetport('0/0') \
-        == (socket.AF_INET, '0.0.0.0', 0, 0, 0)
+        == [(socket.AF_INET, '0.0.0.0', 0, 0, 0)]
    with pytest.raises(Fatal) as excinfo:
        sshuttle.options.parse_subnetport('10.0.0.0/33')
-    assert str(excinfo.value) == 'width 33 is not between 0 and 32'
+    assert str(excinfo.value) \
+        == 'Slash in CIDR notation (/33) is not between 0 and 32'


 def test_parse_subnetport_ip4_with_port():
    for ip_repr, ip in _ip4_reprs.items():
        assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80'))) \
-            == (socket.AF_INET, ip, 32, 80, 80)
+            == [(socket.AF_INET, ip, 32, 80, 80)]
        assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80-90')))\
-            == (socket.AF_INET, ip, 32, 80, 90)
+            == [(socket.AF_INET, ip, 32, 80, 90)]


 def test_parse_subnetport_ip4_with_mask_and_port():
    for ip_repr, ip in _ip4_reprs.items():
        assert sshuttle.options.parse_subnetport(ip_repr + '/32:80') \
-            == (socket.AF_INET, ip, 32, 80, 80)
+            == [(socket.AF_INET, ip, 32, 80, 80)]
        assert sshuttle.options.parse_subnetport(ip_repr + '/16:80-90') \
-            == (socket.AF_INET, ip, 16, 80, 90)
+            == [(socket.AF_INET, ip, 16, 80, 90)]


 def test_parse_subnetport_ip6():
    for ip_repr, ip in _ip6_reprs.items():
        assert sshuttle.options.parse_subnetport(ip_repr) \
-                == (socket.AF_INET6, ip, 128, 0, 0)
+                == [(socket.AF_INET6, ip, 128, 0, 0)]


 def test_parse_subnetport_ip6_with_mask():
@ -77,25 +95,84 @@ def test_parse_subnetport_ip6_with_mask():
        for swidth in _ip4_swidths + _ip6_swidths:
            assert sshuttle.options.parse_subnetport(
                    '/'.join((ip_repr, str(swidth)))
-                    ) == (socket.AF_INET6, ip, swidth, 0, 0)
+                    ) == [(socket.AF_INET6, ip, swidth, 0, 0)]
    assert sshuttle.options.parse_subnetport('::/0') \
-        == (socket.AF_INET6, '::', 0, 0, 0)
+        == [(socket.AF_INET6, '::', 0, 0, 0)]
    with pytest.raises(Fatal) as excinfo:
        sshuttle.options.parse_subnetport('fc00::/129')
-    assert str(excinfo.value) == 'width 129 is not between 0 and 128'
+    assert str(excinfo.value) \
+        == 'Slash in CIDR notation (/129) is not between 0 and 128'


 def test_parse_subnetport_ip6_with_port():
    for ip_repr, ip in _ip6_reprs.items():
        assert sshuttle.options.parse_subnetport('[' + ip_repr + ']:80') \
-            == (socket.AF_INET6, ip, 128, 80, 80)
+            == [(socket.AF_INET6, ip, 128, 80, 80)]
        assert sshuttle.options.parse_subnetport('[' + ip_repr + ']:80-90') \
-            == (socket.AF_INET6, ip, 128, 80, 90)
+            == [(socket.AF_INET6, ip, 128, 80, 90)]


 def test_parse_subnetport_ip6_with_mask_and_port():
    for ip_repr, ip in _ip6_reprs.items():
        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/128]:80') \
-            == (socket.AF_INET6, ip, 128, 80, 80)
+            == [(socket.AF_INET6, ip, 128, 80, 80)]
        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/16]:80-90')\
-            == (socket.AF_INET6, ip, 16, 80, 90)
+            == [(socket.AF_INET6, ip, 16, 80, 90)]
+
+
+def test_convert_arg_line_to_args_skips_comments():
+    parser = sshuttle.options.MyArgumentParser()
+    assert parser.convert_arg_line_to_args("# whatever something") == []
+
+
+@patch('sshuttle.options.socket.getaddrinfo', side_effect=_mock_getaddrinfo)
+def test_parse_subnetport_host(mock_getaddrinfo):
+    assert set(sshuttle.options.parse_subnetport('example.com')) \
+        == set([
+            (socket.AF_INET6, '2606:2800:220:1:248:1893:25c8:1946', 128, 0, 0),
+            (socket.AF_INET, '93.184.216.34', 32, 0, 0),
+        ])
+    assert set(sshuttle.options.parse_subnetport('my.local')) \
+        == set([
+            (socket.AF_INET6, '::1', 128, 0, 0),
+            (socket.AF_INET, '127.0.0.1', 32, 0, 0),
+        ])
+    assert set(sshuttle.options.parse_subnetport('*.blogspot.com')) \
+        == set([
+            (socket.AF_INET6, '2404:6800:4004:821::2001', 128, 0, 0),
+            (socket.AF_INET, '142.251.42.129', 32, 0, 0),
+        ])
+
+
+@patch('sshuttle.options.socket.getaddrinfo', side_effect=_mock_getaddrinfo)
+def test_parse_subnetport_host_with_port(mock_getaddrinfo):
+    assert set(sshuttle.options.parse_subnetport('example.com:80')) \
+        == set([
+            (socket.AF_INET6, '2606:2800:220:1:248:1893:25c8:1946', 128, 80, 80),
+            (socket.AF_INET, '93.184.216.34', 32, 80, 80),
+        ])
+    assert set(sshuttle.options.parse_subnetport('example.com:80-90')) \
+        == set([
+            (socket.AF_INET6, '2606:2800:220:1:248:1893:25c8:1946', 128, 80, 90),
+            (socket.AF_INET, '93.184.216.34', 32, 80, 90),
+        ])
+    assert set(sshuttle.options.parse_subnetport('my.local:445')) \
+        == set([
+            (socket.AF_INET6, '::1', 128, 445, 445),
+            (socket.AF_INET, '127.0.0.1', 32, 445, 445),
+        ])
+    assert set(sshuttle.options.parse_subnetport('my.local:445-450')) \
+        == set([
+            (socket.AF_INET6, '::1', 128, 445, 450),
+            (socket.AF_INET, '127.0.0.1', 32, 445, 450),
+        ])
+    assert set(sshuttle.options.parse_subnetport('*.blogspot.com:80')) \
+        == set([
+            (socket.AF_INET6, '2404:6800:4004:821::2001', 128, 80, 80),
+            (socket.AF_INET, '142.251.42.129', 32, 80, 80),
+        ])
+    assert set(sshuttle.options.parse_subnetport('*.blogspot.com:80-90')) \
+        == set([
+            (socket.AF_INET6, '2404:6800:4004:821::2001', 128, 80, 90),
+            (socket.AF_INET, '142.251.42.129', 32, 80, 90),
+        ])
--- a/tests/client/test_sdnotify.py
+++ b/tests/client/test_sdnotify.py
@ -1,6 +1,6 @@
 import socket

-from mock import Mock, patch, call
+from unittest.mock import Mock, patch, call

 import sshuttle.sdnotify

--- a/tests/server/test_server.py
+++ b/tests/server/test_server.py
@ -1,7 +1,7 @@
 import io
 import socket

-from mock import patch, Mock
+from unittest.mock import patch, Mock

 import sshuttle.server

--- a/tox.ini
+++ b/tox.ini
@ -1,16 +1,15 @@
 [tox]
 downloadcache = {toxworkdir}/cache/
 envlist =
-    py35,
-    py36,
-    py37,
    py38,
+    py39,
+    py310,

 [testenv]
 basepython =
-    py36: python3.6
-    py37: python3.7
    py38: python3.8
+    py39: python3.9
+    py310: python3.10
 commands =
    pip install -e .
    # actual flake8 test