Bump version: 1.1.0 → 1.1.1

Include version in setup.py too
Add ASDF .tool-versions file
2025-07-04 16:50:34 +02:00 · 2022-09-06 08:17:47 +10:00 · 2022-09-06 08:17:36 +10:00 · 2022-09-06 08:06:34 +10:00 · 2022-09-06 08:04:28 +10:00 · 2022-09-06 07:53:59 +10:00
54 changed files with 1579 additions and 1356 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,12 @@
+version: 2
+updates:
+- package-ecosystem: pip
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '31 21 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/pythonpackage.yml
+++ b/.github/workflows/pythonpackage.yml
@ -5,11 +5,11 @@ name: Python package

 on:
  push:
-    branches: [ master, tproxy_mark_param ]
+    branches: [ master ]
  pull_request:
-    branches: [ master, tproxy_mark_param ]
+    branches: [ master ]
  workflow_dispatch:
-    branches: [ tproxy_mark_param ]
+    branches: [ master ]

 jobs:
  build:
@ -17,12 +17,12 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        python-version: [3.6, 3.7, 3.8, 3.9]
+        python-version: ["3.8", "3.9", "3.10"]

    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v4
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install dependencies
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,5 @@
-/sshuttle/version.py
 /tmp/
+/.coverage
 /.cache/
 /.eggs/
 /.tox/
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@ -0,0 +1,15 @@
+version: 2
+
+build:
+  os: ubuntu-20.04
+  tools:
+    python: "3.9"
+
+sphinx:
+  configuration: docs/conf.py
+
+python:
+  install:
+    - requirements: requirements.txt
+    - method: setuptools
+      path: .
--- a/.tool-versions
+++ b/.tool-versions
@ -0,0 +1 @@
+python 3.10.6
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -1,12 +1,9 @@
 ==========
 Change log
 ==========
-All notable changes to this project will be documented in this file. The format
-is based on `Keep a Changelog`_ and this project
-adheres to `Semantic Versioning`_.
+Release notes now moved to https://github.com/sshuttle/sshuttle/releases/

-.. _`Keep a Changelog`: http://keepachangelog.com/
-.. _`Semantic Versioning`: http://semver.org/
+These are the old release notes.


 1.0.5 - 2020-12-29
@ -133,7 +130,7 @@ Fixed

 Added
 ~~~~~
-* doas support as replacmeent for sudo on OpenBSD.
+* doas support as replacement for sudo on OpenBSD.
 * Added ChromeOS section to documentation (#262)
 * Add --no-sudo-pythonpath option

--- a/README.rst
+++ b/README.rst
@ -46,6 +46,14 @@ Obtaining sshuttle

      dnf install sshuttle

+- openSUSE::
+
+      zypper in sshuttle
+
+- Gentoo::
+
+      emerge -av net-proxy/sshuttle
+
 - NixOS::

      nix-env -iA nixos.sshuttle
@ -67,6 +75,11 @@ Obtaining sshuttle
      # pkg
      pkg install py36-sshuttle

+- macOS, via MacPorts::
+
+      sudo port selfupdate
+      sudo port install sshuttle
+
 It is also possible to install into a virtualenv as a non-root user.

 - From PyPI::
--- a/bin/sudoers-add
+++ b/bin/sudoers-add
@ -1,76 +0,0 @@
-#!/usr/bin/env bash
-# William Mantly <wmantly@gmail.com>
-# MIT License
-# https://github.com/wmantly/sudoers-add
-
-NEWLINE=$'\n'
-CONTENT=""
-ME="$(basename "$(test -L "$0" && readlink "$0" || echo "$0")")"
-
-if [ "$1" == "--help" ] || [ "$1" == "-h" ]; then
-	echo "Usage: $ME [file_path] [sudoers-file-name]"
-	echo "Usage: [content] | $ME sudoers-file-name"
-	echo "This will take a sudoers config validate it and add it to /etc/sudoers.d/{sudoers-file-name}"
-	echo "The config can come from a file, first usage example or piped in second example."
-
-	exit 0
-fi
-
-if [ "$1" == "" ]; then
-	(>&2 echo "This command take at lest one argument. See $ME --help")
-
-	exit 1	
-fi
-
-if [ "$2" == "" ]; then
-	FILE_NAME=$1
-	shift
-else
-	FILE_NAME=$2
-fi
-
-if [[ $EUID -ne 0 ]]; then
-	echo "This script must be run as root"
-
-	exit 1
-fi
-
-while read -r line
-do
-	CONTENT+="${line}${NEWLINE}"
-done < "${1:-/dev/stdin}"
-
-if [ "$CONTENT" == "" ]; then
-	(>&2 echo "No config content specified. See $ME --help")
-	exit 1
-fi
-
-if [ "$FILE_NAME" == "" ]; then
-	(>&2 echo "No sudoers file name specified. See $ME --help")
-	exit 1
-fi
-
-# Make a temp file to hold the sudoers config
-umask 077
-TEMP_FILE=$(mktemp)
-echo "$CONTENT" > "$TEMP_FILE"
-
-# Make sure the content is valid
-visudo_STDOUT=$(visudo -c -f "$TEMP_FILE" 2>&1)
-visudo_code=$?
-# The temp file is no longer needed
-rm "$TEMP_FILE"
-
-if [ $visudo_code -eq 0 ]; then
-	echo "$CONTENT" > "/etc/sudoers.d/$FILE_NAME"
-	chmod 0440 "/etc/sudoers.d/$FILE_NAME"
-	echo "The sudoers file /etc/sudoers.d/$FILE_NAME has been successfully created!"
-
-	exit 0
-else
-	echo "Invalid sudoers config!"
-	echo "$visudo_STDOUT"
-
-	exit 1
-fi
-
--- a/docs/chromeos.rst
+++ b/docs/chromeos.rst
@ -9,4 +9,3 @@ stretch/Debian 9 VM, you can then install sshuttle as on any Linux box and
 it just works, as do xterms and ssvncviewer etc.

 https://www.reddit.com/r/Crostini/wiki/getstarted/crostini-setup-guide
-
--- a/docs/how-it-works.rst
+++ b/docs/how-it-works.rst
@ -34,4 +34,3 @@ sshuttle assembles the TCP stream locally, multiplexes it statefully over
 an ssh session, and disassembles it back into packets at the other end.  So
 it never ends up doing TCP-over-TCP.  It's just data-over-TCP, which is
 safe.
-
--- a/docs/index.rst
+++ b/docs/index.rst
@ -26,4 +26,3 @@ Indices and tables

 * :ref:`genindex`
 * :ref:`search`
-
--- a/docs/installation.rst
+++ b/docs/installation.rst
@ -5,7 +5,7 @@ Installation

      pip install sshuttle

- Debain package manager::
+- Debian package manager::

      sudo apt install sshuttle

@ -19,6 +19,5 @@ Installation
 Optionally after installation
 -----------------------------

- Add to sudoers file::
+- Install sudoers configuration. For details, see the "Sudoers File" section in :doc:`usage`

-      sshuttle --sudoers
--- a/docs/manpage.rst
+++ b/docs/manpage.rst
@ -4,14 +4,14 @@ sshuttle

 Synopsis
 --------
-**sshuttle** [*options*] [**-r** *[username@]sshserver[:port]*] \<*subnets* ...\>
+**sshuttle** [*options*] **-r** *[username@]sshserver[:port]* \<*subnets* ...\>


 Description
 -----------
 :program:`sshuttle` allows you to create a VPN connection from your
-machine to any remote server that you can connect to via
-ssh, as long as that server has python 3.6 or higher.
+machine to any remote server that you can connect to via ssh, as long
+as that server has a sufficiently new Python installation.

 To work, you must have root access on the local machine,
 but you can have a normal account on the server.
@ -32,21 +32,22 @@ Options

    A list of subnets to route over the VPN, in the form
    ``a.b.c.d[/width][port[-port]]``. Valid examples are 1.2.3.4 (a
-    single IP address), 1.2.3.4/32 (equivalent to 1.2.3.4),
-    1.2.3.0/24 (a 24-bit subnet, ie. with a 255.255.255.0
-    netmask), and 0/0 ('just route everything through the
-    VPN'). Any of the previous examples are also valid if you append
-    a port or a port range, so 1.2.3.4:8000 will only tunnel traffic
-    that has as the destination port 8000 of 1.2.3.4 and
-    1.2.3.0/24:8000-9000 will tunnel traffic going to any port between
-    8000 and 9000 (inclusive) for all IPs in the 1.2.3.0/24 subnet.
-    A hostname can be provided instead of an IP address. If the
-    hostname resolves to multiple IPs, all of the IPs are included.
-    If a width is provided with a hostname that the width is applied
-    to all of the hostnames IPs (if they are all either IPv4 or IPv6).
-    Widths cannot be supplied to hostnames that resolve to both IPv4
-    and IPv6. Valid examples are example.com, example.com:8000,
-    example.com/24, example.com/24:8000 and example.com:8000-9000.
+    single IP address) and 1.2.3.4/32 (equivalent to 1.2.3.4),
+    1.2.3.0/24 (a 24-bit subnet, ie. with a 255.255.255.0 netmask).
+    Specify subnets 0/0 to match all IPv4 addresses and ::/0 to match
+    all IPv6 addresses. Any of the previous examples are also valid if
+    you append a port or a port range, so 1.2.3.4:8000 will only
+    tunnel traffic that has as the destination port 8000 of 1.2.3.4
+    and 1.2.3.0/24:8000-9000 will tunnel traffic going to any port
+    between 8000 and 9000 (inclusive) for all IPs in the 1.2.3.0/24
+    subnet. A hostname can be provided instead of an IP address. If
+    the hostname resolves to multiple IPs, all of the IPs are
+    included. If a width is provided with a hostname, the width is
+    applied to all of the hostnames IPs (if they are all either IPv4
+    or IPv6). Widths cannot be supplied to hostnames that resolve to
+    both IPv4 and IPv6. Valid examples are example.com,
+    example.com:8000, example.com/24, example.com/24:8000 and
+    example.com:8000-9000.

 .. option:: --method <auto|nat|nft|tproxy|pf|ipfw>

@ -88,6 +89,13 @@ Options
    few subnets over the VPN, you probably would prefer to
    keep using your local DNS server for everything else.

+    :program:`sshuttle` tries to store a cache of the hostnames in
+    ~/.sshuttle.hosts on the remote host. Similarly, it tries to read
+    the file when you later reconnect to the host with --auto-hosts
+    enabled to quickly populate the host list. When troubleshooting
+    this feature, try removing this file on the remote host when
+    sshuttle is not running.
+
 .. option:: -N, --auto-nets

    In addition to the subnets provided on the command
@ -141,7 +149,10 @@ Options
    The remote hostname and optional username and ssh
    port number to use for connecting to the remote server.
    For example, example.com, testuser@example.com,
-    testuser@example.com:2222, or example.com:2244.
+    testuser@example.com:2222, or example.com:2244. This
+    hostname is passed to ssh, so it will recognize any
+    aliases and settings you may have configured in
+    ~/.ssh/config.

 .. option:: -x <subnet>, --exclude=<subnet>

@ -174,7 +185,7 @@ Options

    A comma-separated list of hostnames to use to
    initialize the :option:`--auto-hosts` scan algorithm.
-    :option:`--auto-hosts` does things like poll local SMB servers
+    :option:`--auto-hosts` does things like poll netstat output
    for lists of local hostnames, but can speed things up
    if you use this option to give it a few names to start
    from.
@ -231,8 +242,8 @@ Options

 .. option:: --disable-ipv6

-    Disable IPv6 support for methods that support it (nft, tproxy, and
-    pf).
+    Disable IPv6 support for methods that support it (nat, nft,
+    tproxy, and pf).

 .. option:: --firewall

@ -251,32 +262,28 @@ Options
    makes it a lot easier to debug and test the :option:`--auto-hosts`
    feature.

-.. option:: --sudoers
-
-    sshuttle will auto generate the proper sudoers.d config file and add it.
-    Once this is completed, sshuttle will exit and tell the user if
-    it succeed or not. Do not call this options with sudo, it may generate a
-    incorrect config file.
-
 .. option:: --sudoers-no-modify

-    sshuttle will auto generate the proper sudoers.d config and print it to
-    stdout. The option will not modify the system at all.
+    sshuttle prints a configuration to stdout which allows a user to
+    run sshuttle without a password. This option is INSECURE because,
+    with some cleverness, it also allows the user to run any command
+    as root without a password. The output also includes a suggested
+    method for you to install the configuration.
+
+    Use --sudoers-user to modify the user that it applies to.

 .. option:: --sudoers-user

-    Set the user name or group with %group_name for passwordless operation.
-    Default is the current user.set ALL for all users. Only works with
-    --sudoers or --sudoers-no-modify option.
+    Set the user name or group with %group_name for passwordless
+    operation. Default is the current user. Set to ALL for all users
+    (NOT RECOMMENDED: See note about security in --sudoers-no-modify
+    documentation above). Only works with the --sudoers-no-modify
+    option.

-.. option:: --sudoers-filename
+.. option:: -t <mark>, --tmark=<mark>

-    Set the file name for the sudoers.d file to be added. Default is
-    "sshuttle_auto". Only works with --sudoers.
-
-.. option:: -t, --tmark
-
-    Transproxy optional traffic mark with provided MARK value.
+    An option used by the tproxy method: Use the specified traffic
+    mark. The mark must be a hexadecimal value. Defaults to 0x01.

 .. option:: --version

@ -305,54 +312,107 @@ Arguments read from a file must be one per line, as shown below::
    --option2
    value2

+The configuration file supports comments for human-readable
+annotations. For example::
+
+    # company-internal API
+    8.8.8.8/32
+    # home IoT
+    192.168.63.0/24
+

 Examples
 --------
-Test locally by proxying all local connections, without using ssh::

-    $ sshuttle -v 0/0
+Use the following command to route all IPv4 TCP traffic through remote
+(-r) host example.com (and possibly other traffic too, depending on
+the selected --method). The 0/0 subnet, short for 0.0.0.0/0, matches
+all IPv4 addresses. The ::/0 subnet, matching all IPv6 addresses could
+be added to the example. We also exclude (-x) example.com:22 so that
+we can establish ssh connections from our local machine to the remote
+host without them being routed through sshuttle. Excluding the remote
+host may be necessary on some machines for sshuttle to work properly.
+Press Ctrl+C to exit. To also route DNS queries through sshuttle, try
+adding --dns. Add or remove -v options to see more or less
+information::

-    Starting sshuttle proxy.
-    Listening on ('0.0.0.0', 12300).
+    $ sshuttle -r example.com -x example.com:22 0/0
+
+    Starting sshuttle proxy (version ...).
    [local sudo] Password:
-    firewall manager ready.
-    c : connecting to server...
-     s: available routes:
-     s:   192.168.42.0/24
-    c : connected.
-    firewall manager: starting transproxy.
-    c : Accept: 192.168.42.106:50035 -> 192.168.42.121:139.
-    c : Accept: 192.168.42.121:47523 -> 77.141.99.22:443.
-        ...etc...
+    fw: Starting firewall with Python version 3.9.5
+    fw: ready method name nat.
+    c : IPv6 disabled since it isn't supported by method nat.
+    c : Method: nat
+    c : IPv4: on
+    c : IPv6: off (not available with nat method)
+    c : UDP : off (not available with nat method)
+    c : DNS : off (available)
+    c : User: off (available)
+    c : Subnets to forward through remote host (type, IP, cidr mask width, startPort, endPort):
+    c :   (<AddressFamily.AF_INET: 2>, '0.0.0.0', 0, 0, 0)
+    c : Subnets to exclude from forwarding:
+    c :   (<AddressFamily.AF_INET: 2>, '...', 32, 22, 22)
+    c :   (<AddressFamily.AF_INET: 2>, '127.0.0.1', 32, 0, 0)
+    c : TCP redirector listening on ('127.0.0.1', 12299).
+    c : Starting client with Python version 3.9.5
+    c : Connecting to server...
+    user@example.com's password:
+     s: Starting server with Python version 3.6.8
+     s: latency control setting = True
+     s: auto-nets:False
+    c : Connected to server.
+    fw: setting up.
+    fw: iptables -w -t nat -N sshuttle-12299
+    fw: iptables -w -t nat -F sshuttle-12299
+    ...
+    Accept: 192.168.42.121:60554 -> 77.141.99.22:22.
    ^C
-    firewall manager: undoing changes.
-    KeyboardInterrupt
    c : Keyboard interrupt: exiting.
-    c : SW#8:192.168.42.121:47523: deleting
-    c : SW#6:192.168.42.106:50035: deleting
+    c : SW'unknown':Mux#1: deleting (1 remain)
+    c : SW#7:192.168.42.121:60554: deleting (0 remain)

-Test connection to a remote server, with automatic hostname
+
+Connect to a remote server, with automatic hostname
 and subnet guessing::

-    $ sshuttle -vNHr example.org
-
-    Starting sshuttle proxy.
-    Listening on ('0.0.0.0', 12300).
-    firewall manager ready.
-    c : connecting to server...
+    $ sshuttle -vNHr example.com -x example.com:22
+    Starting sshuttle proxy (version ...).
+    [local sudo] Password:
+    fw: Starting firewall with Python version 3.9.5
+    fw: ready method name nat.
+    c : IPv6 disabled since it isn't supported by method nat.
+    c : Method: nat
+    c : IPv4: on
+    c : IPv6: off (not available with nat method)
+    c : UDP : off (not available with nat method)
+    c : DNS : off (available)
+    c : User: off (available)
+    c : Subnets to forward through remote host (type, IP, cidr mask width, startPort, endPort):
+    c : NOTE: Additional subnets to forward may be added below by --auto-nets.
+    c : Subnets to exclude from forwarding:
+    c :   (<AddressFamily.AF_INET: 2>, '...', 32, 22, 22)
+    c :   (<AddressFamily.AF_INET: 2>, '127.0.0.1', 32, 0, 0)
+    c : TCP redirector listening on ('127.0.0.1', 12300).
+    c : Starting client with Python version 3.9.5
+    c : Connecting to server...
+    user@example.com's password:
+     s: Starting server with Python version 3.6.8
+     s: latency control setting = True
+     s: auto-nets:True
+    c : Connected to server.
+    c : seed_hosts: []
     s: available routes:
     s:   77.141.99.0/24
-    c : connected.
-    c : seed_hosts: []
-    firewall manager: starting transproxy.
-    hostwatch: Found: testbox1: 1.2.3.4
-    hostwatch: Found: mytest2: 5.6.7.8
-    hostwatch: Found: domaincontroller: 99.1.2.3
+    fw: setting up.
+    fw: iptables -w -t nat -N sshuttle-12300
+    fw: iptables -w -t nat -F sshuttle-12300
+    ...
    c : Accept: 192.168.42.121:60554 -> 77.141.99.22:22.
    ^C
-    firewall manager: undoing changes.
    c : Keyboard interrupt: exiting.
-    c : SW#6:192.168.42.121:60554: deleting
+    c : SW'unknown':Mux#1: deleting (1 remain)
+    c : SW#7:192.168.42.121:60554: deleting (0 remain)

 Run :program:`sshuttle` with a `/etc/sshuttle.conf` configuration file::

@ -376,9 +436,7 @@ Example configuration file::
 Discussion
 ----------
 When it starts, :program:`sshuttle` creates an ssh session to the
-server specified by the ``-r`` option.  If ``-r`` is omitted,
-it will start both its client and server locally, which is
-sometimes useful for testing.
+server specified by the ``-r`` option.

 After connecting to the remote server, :program:`sshuttle` uploads its
 (python) source code to the remote end and executes it
@ -397,7 +455,7 @@ Packet-level forwarding (eg. using the tun/tap devices on
 Linux) seems elegant at first, but it results in
 several problems, notably the 'tcp over tcp' problem.  The
 tcp protocol depends fundamentally on packets being dropped
-in order to implement its congestion control agorithm; if
+in order to implement its congestion control algorithm; if
 you pass tcp packets through a tcp-based tunnel (such as
 ssh), the inner tcp packets will never be dropped, and so
 the inner tcp stream's congestion control will be
--- a/docs/requirements.rst
+++ b/docs/requirements.rst
@ -6,7 +6,7 @@ Client side Requirements

 - sudo, or root access on your client machine.
  (The server doesn't need admin access.)
- Python 3.6 or greater.
+- Python 3.8 or greater.


 Linux with NAT method
@ -15,10 +15,12 @@ Supports:

 * IPv4 TCP
 * IPv4 DNS
+* IPv6 TCP
+* IPv6 DNS

 Requires:

-* iptables DNAT, REDIRECT, and ttl modules.
+* iptables DNAT and REDIRECT modules. ip6tables for IPv6.

 Linux with nft method
 ~~~~~~~~~~~~~~~~~~~~~
@ -38,11 +40,11 @@ Linux with TPROXY method
 Supports:

 * IPv4 TCP
-* IPv4 UDP (requires ``recvmsg`` - see below)
-* IPv6 DNS (requires ``recvmsg`` - see below)
+* IPv4 UDP
+* IPv4 DNS
 * IPv6 TCP
-* IPv6 UDP (requires ``recvmsg`` - see below)
-* IPv6 DNS (requires ``recvmsg`` - see below)
+* IPv6 UDP
+* IPv6 DNS


 MacOS / FreeBSD / OpenBSD / pfSense
@ -70,7 +72,7 @@ cmd.exe with Administrator access. See :doc:`windows` for more information.
 Server side Requirements
 ------------------------

- Python 3.6 or greater.
+- Python 3.8 or greater.


 Additional Suggested Software
--- a/docs/tproxy.rst
+++ b/docs/tproxy.rst
@ -1,6 +1,6 @@
 TPROXY
 ======
-TPROXY is the only method that has full support of IPv6 and UDP.
+TPROXY is the only method that supports UDP.

 There are some things you need to consider for TPROXY to work:

@ -12,7 +12,8 @@ There are some things you need to consider for TPROXY to work:
      ip -6 route add local default dev lo table 100
      ip -6 rule add fwmark {TMARK} lookup 100

-  where {TMARK} is the identifier mark passed with -t or --tmark flag (default value is 1).
+  where {TMARK} is the identifier mark passed with -t or --tmark flag
+  as a hexadecimal string (default value is '0x01').

 - The ``--auto-nets`` feature does not detect IPv6 routes automatically. Add IPv6
  routes manually. e.g. by adding ``'::/0'`` to the end of the command line.
@ -25,11 +26,6 @@ There are some things you need to consider for TPROXY to work:
  Otherwise sshuttle may attempt to intercept the ssh packets, which will not
  work. Use the ``--exclude`` parameter for this.

- Similarly, UDP return packets (including DNS) could get intercepted and
-  bounced back. This is the case if you have a broad subnet such as
-  ``0.0.0.0/0`` or ``::/0`` that includes the IP address of the client. Use the
-  ``--exclude`` parameter for this.
-
 - You need the ``--method=tproxy`` parameter, as above.

 - The routes for the outgoing packets must already exist. For example, if your
--- a/docs/trivia.rst
+++ b/docs/trivia.rst
@ -33,4 +33,3 @@ That project I did for Slipstream was what first gave me the idea to merge
 the concepts of Fast Forward, Double Vision, and Tunnel Vision into a single
 program that was the best of all worlds.  And here we are, at last.
 You're welcome.
-
--- a/docs/usage.rst
+++ b/docs/usage.rst
@ -11,6 +11,10 @@ Forward all traffic::
    sshuttle -r username@sshserver 0.0.0.0/0

 - Use the :option:`sshuttle -r` parameter to specify a remote server.
+  One some systems, you may also need to use the :option:`sshuttle -x`
+  parameter to exclude sshserver or sshserver:22 so that your local
+  machine can communicate directly to sshserver without it being
+  redirected by sshuttle.

 - By default sshuttle will automatically choose a method to use. Override with
  the :option:`sshuttle --method` parameter.
@ -67,44 +71,23 @@ admin access on the server.

 Sudoers File
 ------------
-sshuttle can auto-generate the proper sudoers.d file using the current user 
-for Linux and OSX. Doing this will allow sshuttle to run without asking for
-the local sudo password and to give users who do not have sudo access
-ability to run sshuttle::

-  sshuttle --sudoers
+sshuttle can generate a sudoers.d file for Linux and MacOS. This
+allows one or more users to run sshuttle without entering the
+local sudo password. **WARNING:** This option is *insecure*
+because, with some cleverness, it also allows these users to run any
+command (via the --ssh-cmd option) as root without a password.

-DO NOT run this command with sudo, it will ask for your sudo password when
-it is needed.
-
-A costume user or group can be set with the :
-option:`sshuttle --sudoers --sudoers-username {user_descriptor}` option. Valid
-values for this vary based on how your system is configured. Values such as 
-usernames, groups pre-pended with `%` and sudoers user aliases will work. See
-the sudoers manual for more information on valid user specif actions.
-The options must be used with `--sudoers`::
-
-  sshuttle --sudoers --sudoers-user mike
-  sshuttle --sudoers --sudoers-user %sudo
-
-The name of the file to be added to sudoers.d can be configured as well. This
-is mostly not necessary but can be useful for giving more than one user
-access to sshuttle. The default is `sshuttle_auto`::
-
-  sshuttle --sudoer --sudoers-filename sshuttle_auto_mike
-  sshuttle --sudoer --sudoers-filename sshuttle_auto_tommy
-
-You can also see what configuration will be added to your system without
-modifying anything. This can be helpfull is the auto feature does not work, or
-you want more control. This option also works with `--sudoers-username`.
-`--sudoers-filename` has no effect with this option::
+To print a sudo configuration file and see a suggested way to install it, run::

  sshuttle --sudoers-no-modify

-This will simply sprint the generated configuration to STDOUT. Example::
+A custom user or group can be set with the 
+:option:`sshuttle --sudoers-no-modify --sudoers-user {user_descriptor}`
+option. Valid values for this vary based on how your system is configured.
+Values such as usernames, groups pre-pended with `%` and sudoers user 
+aliases will work. See the sudoers manual for more information on valid
+user specif actions. The option must be used with `--sudoers-no-modify`::

-  08:40 PM william$ sshuttle --sudoers-no-modify
-
-  Cmnd_Alias SSHUTTLE304 = /usr/bin/env PYTHONPATH=/usr/local/lib/python2.7/dist-packages/sshuttle-0.78.5.dev30+gba5e6b5.d20180909-py2.7.egg /usr/bin/python /usr/local/bin/sshuttle --method auto --firewall
-
-  william ALL=NOPASSWD: SSHUTTLE304
+  sshuttle --sudoers-no-modify --sudoers-user mike
+  sshuttle --sudoers-no-modify --sudoers-user %sudo
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@ -1,7 +1,6 @@
 -r requirements.txt
-attrs==20.3.0
-pytest==6.2.1
-pytest-cov==2.10.1
-mock==4.0.3
-flake8==3.8.4
-pyflakes==2.2.0
+pytest==7.1.3
+pytest-cov==3.0.0
+flake8==5.0.4
+pyflakes==2.5.0
+bump2version==1.0.1
--- a/requirements.txt
+++ b/requirements.txt
@ -1,2 +1 @@
-setuptools-scm==5.0.1
-psutil
+Sphinx==5.1.1
--- a/4
+++ b/4
@ -1,7 +1,7 @@
 #!/usr/bin/env sh
 set -e
-export PYTHONPATH="$(dirname $0):$PYTHONPATH"
-export PATH="$(dirname $0)/bin:$PATH"
+export PYTHONPATH="$(dirname "$0"):$PYTHONPATH"
+export PATH="$(dirname "$0")/bin:$PATH"

 python_best_version() {
  if [ -x "$(command -v python3)" ] &&
--- a/setup.cfg
+++ b/setup.cfg
@ -1,3 +1,10 @@
+[bumpversion]
+current_version = 1.1.1
+
+[bumpversion:file:setup.py]
+
+[bumpversion:file:sshuttle/version.py]
+
 [aliases]
 test = pytest

@ -12,6 +19,7 @@ identity=0x1784577F811F6EAC
 count = true
 show-source = true
 statistics = true
+max-line-length = 128

 [tool:pytest]
 addopts = --cov=sshuttle --cov-branch --cov-report=term-missing
--- a/setup.py
+++ b/setup.py
@ -20,20 +20,9 @@
 from setuptools import setup, find_packages


-def version_scheme(version):
-    from setuptools_scm.version import guess_next_dev_version
-    version = guess_next_dev_version(version)
-    return version.lstrip("v")
-
-
 setup(
    name="sshuttle",
-    use_scm_version={
-        'write_to': "sshuttle/version.py",
-        'version_scheme': version_scheme,
-    },
-    setup_requires=['setuptools_scm'],
-    # version=version,
+    version='1.1.1',
    url='https://github.com/sshuttle/sshuttle',
    author='Brian May',
    author_email='brian@linuxpenguins.xyz',
@ -46,30 +35,26 @@ setup(
        "Development Status :: 5 - Production/Stable",
        "Intended Audience :: Developers",
        "Intended Audience :: End Users/Desktop",
-        "License :: OSI Approved :: "
+        "License :: OSI Approved :: " +
            "GNU Lesser General Public License v2 or later (LGPLv2+)",
        "Operating System :: OS Independent",
-        "Programming Language :: Python :: 3.6",
-        "Programming Language :: Python :: 3.7",
        "Programming Language :: Python :: 3.8",
        "Programming Language :: Python :: 3.9",
+        "Programming Language :: Python :: 3.10",
        "Topic :: System :: Networking",
    ],
-    scripts=['bin/sudoers-add'],
    entry_points={
        'console_scripts': [
            'sshuttle = sshuttle.cmdline:main',
        ],
    },
-    python_requires='>=3.6',
+    python_requires='>=3.8',
    install_requires=[
-        'psutil',
    ],
    tests_require=[
        'pytest',
        'pytest-cov',
        'pytest-runner',
-        'mock',
        'flake8',
    ],
    keywords="ssh vpn",
--- a/sshuttle/assembler.py
+++ b/sshuttle/assembler.py
@ -1,8 +1,12 @@
 import sys
 import zlib
 import types
+import platform

 verbosity = verbosity  # noqa: F821 must be a previously defined global
+if verbosity > 0:
+    sys.stderr.write(' s: Running server on remote host with %s (version %s)\n'
+                     % (sys.executable, platform.python_version()))
 z = zlib.decompressobj()
 while 1:
    name = sys.stdin.readline().strip()
@ -14,7 +18,7 @@ while 1:
            name = name.decode("ASCII")
        nbytes = int(sys.stdin.readline())
        if verbosity >= 2:
-            sys.stderr.write(' s: assembling %r (%d bytes)\n'
+            sys.stderr.write(' s: assembling %r (%d bytes)\r\n'
                             % (name, nbytes))
        content = z.decompress(sys.stdin.read(nbytes))

@ -40,5 +44,6 @@ sshuttle.helpers.verbose = verbosity

 import sshuttle.cmdline_options as options  # noqa: E402
 from sshuttle.server import main  # noqa: E402
-main(options.latency_control, options.auto_hosts, options.to_nameserver,
+main(options.latency_control, options.latency_buffer_size,
+     options.auto_hosts, options.to_nameserver,
     options.auto_nets)
--- a/sshuttle/client.py
+++ b/sshuttle/client.py
@ -6,7 +6,6 @@ import subprocess as ssubprocess
 import os
 import sys
 import platform
-import psutil

 import sshuttle.helpers as helpers
 import sshuttle.ssnet as ssnet
@ -23,28 +22,17 @@ try:
 except ImportError:
    getpwnam = None

-try:
-    # try getting recvmsg from python
-    import socket as pythonsocket
-    getattr(pythonsocket.socket, "recvmsg")
-    socket = pythonsocket
-except AttributeError:
-    # try getting recvmsg from socket_ext library
-    try:
-        import socket_ext
-        getattr(socket_ext.socket, "recvmsg")
-        socket = socket_ext
-    except ImportError:
 import socket

 _extra_fd = os.open(os.devnull, os.O_RDONLY)


 def got_signal(signum, frame):
-    log('exiting on signal %d\n' % signum)
+    log('exiting on signal %d' % signum)
    sys.exit(1)


+# Filename of the pidfile created by the sshuttle client.
 _pidname = None


@ -57,7 +45,7 @@ def check_daemon(pidfile):
        if e.errno == errno.ENOENT:
            return  # no pidfile, ok
        else:
-            raise Fatal("c : can't read %s: %s" % (_pidname, e))
+            raise Fatal("can't read %s: %s" % (_pidname, e))
    if not oldpid:
        os.unlink(_pidname)
        return  # invalid pidfile, ok
@ -80,13 +68,25 @@ def check_daemon(pidfile):


 def daemonize():
+    # Try to open the pidfile prior to forking. If there is a problem,
+    # the client can then exit with a proper exit status code and
+    # message.
+    try:
+        outfd = os.open(_pidname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
+    except PermissionError:
+        # User will have to look in syslog for error message since
+        # --daemon implies --syslog, all output gets redirected to
+        # syslog.
+        raise Fatal("failed to create/write pidfile %s" % _pidname)
+
+    # Create a daemon process with a new session id.
    if os.fork():
        os._exit(0)
    os.setsid()
    if os.fork():
        os._exit(0)

-    outfd = os.open(_pidname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
+    # Write pid to the pidfile.
    try:
        os.write(outfd, b'%d\n' % os.getpid())
    finally:
@ -123,14 +123,14 @@ class MultiListener:
        self.bind_called = False

    def setsockopt(self, level, optname, value):
-        assert(self.bind_called)
+        assert self.bind_called
        if self.v6:
            self.v6.setsockopt(level, optname, value)
        if self.v4:
            self.v4.setsockopt(level, optname, value)

    def add_handler(self, handlers, callback, method, mux):
-        assert(self.bind_called)
+        assert self.bind_called
        socks = []
        if self.v6:
            socks.append(self.v6)
@ -145,14 +145,14 @@ class MultiListener:
        )

    def listen(self, backlog):
-        assert(self.bind_called)
+        assert self.bind_called
        if self.v6:
            self.v6.listen(backlog)
        if self.v4:
            try:
                self.v4.listen(backlog)
            except socket.error as e:
-                # on some systems v4 bind will fail if the v6 suceeded,
+                # on some systems v4 bind will fail if the v6 succeeded,
                # in this case the v6 socket will receive v4 too.
                if e.errno == errno.EADDRINUSE and self.v6:
                    self.v4 = None
@ -160,11 +160,26 @@ class MultiListener:
                    raise e

    def bind(self, address_v6, address_v4):
-        assert(not self.bind_called)
+        assert not self.bind_called
        self.bind_called = True
        if address_v6 is not None:
            self.v6 = socket.socket(socket.AF_INET6, self.type, self.proto)
+            try:
                self.v6.bind(address_v6)
+            except OSError as e:
+                if e.errno == errno.EADDRNOTAVAIL:
+                    # On an IPv6 Linux machine, this situation occurs
+                    # if you run the following prior to running
+                    # sshuttle:
+                    #
+                    # echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
+                    # echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
+                    raise Fatal("Could not bind to an IPv6 socket with "
+                                "address %s and port %s. "
+                                "Potential workaround: Run sshuttle "
+                                "with '--disable-ipv6'."
+                                % (str(address_v6[0]), str(address_v6[1])))
+                raise e
        else:
            self.v6 = None
        if address_v4 is not None:
@ -174,22 +189,22 @@ class MultiListener:
            self.v4 = None

    def print_listening(self, what):
-        assert(self.bind_called)
+        assert self.bind_called
        if self.v6:
            listenip = self.v6.getsockname()
-            debug1('%s listening on %r.\n' % (what, listenip))
-            debug2('%s listening with %r.\n' % (what, self.v6))
+            debug1('%s listening on %r.' % (what, listenip))
+            debug2('%s listening with %r.' % (what, self.v6))
        if self.v4:
            listenip = self.v4.getsockname()
-            debug1('%s listening on %r.\n' % (what, listenip))
-            debug2('%s listening with %r.\n' % (what, self.v4))
+            debug1('%s listening on %r.' % (what, listenip))
+            debug2('%s listening with %r.' % (what, self.v4))


 class FirewallClient:

    def __init__(self, method_name, sudo_pythonpath):
        self.auto_nets = []
-        python_path = os.path.dirname(os.path.dirname(__file__))
+
        argvbase = ([sys.executable, sys.argv[0]] +
                    ['-v'] * (helpers.verbose or 0) +
                    ['--method', method_name] +
@ -197,54 +212,106 @@ class FirewallClient:
        if ssyslog._p:
            argvbase += ['--syslog']

-        # Determine how to prefix the command in order to elevate privileges.
-        if platform.platform().startswith('OpenBSD'):
-            elev_prefix = ['doas']  # OpenBSD uses built in `doas`
+        # A list of commands that we can try to run to start the firewall.
+        argv_tries = []
+
+        if os.getuid() == 0:  # No need to elevate privileges
+            argv_tries.append(argvbase)
        else:
-            elev_prefix = ['sudo', '-p', '[local sudo] Password: ']
+            # Linux typically uses sudo; OpenBSD uses doas. However, some
+            # Linux distributions are starting to use doas.
+            sudo_cmd = ['sudo', '-p', '[local sudo] Password: ']
+            doas_cmd = ['doas']

-        # Look for binary and switch to absolute path if we can find
-        # it.
-        path = which(elev_prefix[0])
-        if path:
-            elev_prefix[0] = path
+            # For clarity, try to replace executable name with the
+            # full path.
+            doas_path = which("doas")
+            if doas_path:
+                doas_cmd[0] = doas_path
+            sudo_path = which("sudo")
+            if sudo_path:
+                sudo_cmd[0] = sudo_path

+            # sudo_pythonpath indicates if we should set the
+            # PYTHONPATH environment variable when elevating
+            # privileges. This can be adjusted with the
+            # --no-sudo-pythonpath option.
            if sudo_pythonpath:
-            elev_prefix += ['/usr/bin/env',
-                            'PYTHONPATH=%s' % python_path]
-        argv_tries = [elev_prefix + argvbase, argvbase]
+                pp_prefix = ['/usr/bin/env',
+                             'PYTHONPATH=%s' %
+                             os.path.dirname(os.path.dirname(__file__))]
+                sudo_cmd = sudo_cmd + pp_prefix
+                doas_cmd = doas_cmd + pp_prefix

-        # we can't use stdin/stdout=subprocess.PIPE here, as we normally would,
-        # because stupid Linux 'su' requires that stdin be attached to a tty.
-        # Instead, attach a *bidirectional* socket to its stdout, and use
-        # that for talking in both directions.
+            # Final order should be: sudo/doas command, env
+            # pythonpath, and then argvbase (sshuttle command).
+            sudo_cmd = sudo_cmd + argvbase
+            doas_cmd = doas_cmd + argvbase
+
+            # If we can find doas and not sudo or if we are on
+            # OpenBSD, try using doas first.
+            if (doas_path and not sudo_path) or \
+               platform.platform().startswith('OpenBSD'):
+                argv_tries = [doas_cmd, sudo_cmd, argvbase]
+            else:
+                argv_tries = [sudo_cmd, doas_cmd, argvbase]
+
+        # Try all commands in argv_tries in order. If a command
+        # produces an error, try the next one. If command is
+        # successful, set 'success' variable and break.
+        success = False
+        for argv in argv_tries:
+            # we can't use stdin/stdout=subprocess.PIPE here, as we
+            # normally would, because stupid Linux 'su' requires that
+            # stdin be attached to a tty. Instead, attach a
+            # *bidirectional* socket to its stdout, and use that for
+            # talking in both directions.
            (s1, s2) = socket.socketpair()

            def setup():
                # run in the child process
                s2.close()
-        if os.getuid() == 0:
-            argv_tries = argv_tries[-1:]  # last entry only
-        for argv in argv_tries:
+
            try:
-                if argv[0] == 'su':
-                    sys.stderr.write('[local su] ')
+                debug1("Starting firewall manager with command: %r" % argv)
                self.p = ssubprocess.Popen(argv, stdout=s1, preexec_fn=setup)
                # No env: Talking to `FirewallClient.start`, which has no i18n.
-                break
            except OSError as e:
-                log('Spawning firewall manager: %r\n' % argv)
-                raise Fatal(e)
+                # This exception will occur if the program isn't
+                # present or isn't executable.
+                debug1('Unable to start firewall manager. Popen failed. '
+                       'Command=%r Exception=%s' % (argv, e))
+                continue
+
            self.argv = argv
            s1.close()
            self.pfile = s2.makefile('rwb')
            line = self.pfile.readline()
-        self.check()
+
+            rv = self.p.poll()   # Check if process is still running
+            if rv:
+                # We might get here if program runs and exits before
+                # outputting anything. For example, someone might have
+                # entered the wrong password to elevate privileges.
+                debug1('Unable to start firewall manager. '
+                       'Process exited too early. '
+                       '%r returned %d' % (self.argv, rv))
+                continue
+
            if line[0:5] != b'READY':
-            raise Fatal('%r expected READY, got %r' % (self.argv, line))
+                debug1('Unable to start firewall manager. '
+                       'Expected READY, got %r. '
+                       'Command=%r' % (line, self.argv))
+                continue
+
            method_name = line[6:-1]
            self.method = get_method(method_name.decode("ASCII"))
            self.method.set_firewall(self)
+            success = True
+            break
+
+        if not success:
+            raise Fatal("All attempts to elevate privileges failed.")

    def setup(self, subnets_include, subnets_exclude, nslist,
              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4, udp,
@ -297,7 +364,8 @@ class FirewallClient:
        else:
            user = b'%d' % self.user

-        self.pfile.write(b'GO %d %s\n' % (udp, user))
+        self.pfile.write(b'GO %d %s %s %d\n' %
+                         (udp, user, bytes(self.tmark, 'ascii'), os.getpid()))
        self.pfile.flush()

        line = self.pfile.readline()
@ -306,8 +374,8 @@ class FirewallClient:
            raise Fatal('%r expected STARTED, got %r' % (self.argv, line))

    def sethostip(self, hostname, ip):
-        assert(not re.search(br'[^-\w\.]', hostname))
-        assert(not re.search(br'[^0-9.]', ip))
+        assert not re.search(br'[^-\w\.]', hostname)
+        assert not re.search(br'[^0-9.]', ip)
        self.pfile.write(b'HOST %s,%s\n' % (hostname, ip))
        self.pfile.flush()

@ -326,23 +394,23 @@ def expire_connections(now, mux):
    remove = []
    for chan, timeout in dnsreqs.items():
        if timeout < now:
-            debug3('expiring dnsreqs channel=%d\n' % chan)
+            debug3('expiring dnsreqs channel=%d' % chan)
            remove.append(chan)
            del mux.channels[chan]
    for chan in remove:
        del dnsreqs[chan]
-    debug3('Remaining DNS requests: %d\n' % len(dnsreqs))
+    debug3('Remaining DNS requests: %d' % len(dnsreqs))

    remove = []
    for peer, (chan, timeout) in udp_by_src.items():
        if timeout < now:
-            debug3('expiring UDP channel channel=%d peer=%r\n' % (chan, peer))
+            debug3('expiring UDP channel channel=%d peer=%r' % (chan, peer))
            mux.send(chan, ssnet.CMD_UDP_CLOSE, b'')
            remove.append(peer)
            del mux.channels[chan]
    for peer in remove:
        del udp_by_src[peer]
-    debug3('Remaining UDP channels: %d\n' % len(udp_by_src))
+    debug3('Remaining UDP channels: %d' % len(udp_by_src))


 def onaccept_tcp(listener, method, mux, handlers):
@ -351,7 +419,7 @@ def onaccept_tcp(listener, method, mux, handlers):
        sock, srcip = listener.accept()
    except socket.error as e:
        if e.args[0] in [errno.EMFILE, errno.ENFILE]:
-            debug1('Rejected incoming connection: too many open files!\n')
+            debug1('Rejected incoming connection: too many open files!')
            # free up an fd so we can eat the connection
            os.close(_extra_fd)
            try:
@ -364,15 +432,15 @@ def onaccept_tcp(listener, method, mux, handlers):
            raise

    dstip = method.get_tcp_dstip(sock)
-    debug1('Accept TCP: %s:%r -> %s:%r.\n' % (srcip[0], srcip[1],
+    debug1('Accept TCP: %s:%r -> %s:%r.' % (srcip[0], srcip[1],
                                            dstip[0], dstip[1]))
    if dstip[1] == sock.getsockname()[1] and islocal(dstip[0], sock.family):
-        debug1("-- ignored: that's my address!\n")
+        debug1("-- ignored: that's my address!")
        sock.close()
        return
    chan = mux.next_channel()
    if not chan:
-        log('warning: too many open channels.  Discarded connection.\n')
+        log('warning: too many open channels.  Discarded connection.')
        sock.close()
        return
    mux.send(chan, ssnet.CMD_TCP_CONNECT, b'%d,%s,%d' %
@ -385,7 +453,7 @@ def onaccept_tcp(listener, method, mux, handlers):
 def udp_done(chan, data, method, sock, dstip):
    (src, srcport, data) = data.split(b",", 2)
    srcip = (src, int(srcport))
-    debug3('doing send from %r to %r\n' % (srcip, dstip,))
+    debug3('doing send from %r to %r' % (srcip, dstip,))
    method.send_udp(sock, srcip, dstip, data)


@ -395,7 +463,7 @@ def onaccept_udp(listener, method, mux, handlers):
    if t is None:
        return
    srcip, dstip, data = t
-    debug1('Accept UDP: %r -> %r.\n' % (srcip, dstip,))
+    debug1('Accept UDP: %r -> %r.' % (srcip, dstip,))
    if srcip in udp_by_src:
        chan, _ = udp_by_src[srcip]
    else:
@ -412,7 +480,7 @@ def onaccept_udp(listener, method, mux, handlers):


 def dns_done(chan, data, method, sock, srcip, dstip, mux):
-    debug3('dns_done: channel=%d src=%r dst=%r\n' % (chan, srcip, dstip))
+    debug3('dns_done: channel=%d src=%r dst=%r' % (chan, srcip, dstip))
    del mux.channels[chan]
    del dnsreqs[chan]
    method.send_udp(sock, srcip, dstip, data)
@ -427,9 +495,9 @@ def ondns(listener, method, mux, handlers):
    # dstip is None if we are using a method where we can't determine
    # the destination IP of the DNS request that we captured from the client.
    if dstip is None:
-        debug1('DNS request from %r: %d bytes\n' % (srcip, len(data)))
+        debug1('DNS request from %r: %d bytes' % (srcip, len(data)))
    else:
-        debug1('DNS request from %r to %r: %d bytes\n' %
+        debug1('DNS request from %r to %r: %d bytes' %
               (srcip, dstip, len(data)))
    chan = mux.next_channel()
    dnsreqs[chan] = now + 30
@ -440,30 +508,31 @@ def ondns(listener, method, mux, handlers):


 def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
-          python, latency_control,
+          python, latency_control, latency_buffer_size,
          dns_listener, seed_hosts, auto_hosts, auto_nets, daemon,
          to_nameserver):

    helpers.logprefix = 'c : '
-    debug1('Starting client with Python version %s\n'
+    debug1('Starting client with Python version %s'
           % platform.python_version())

    method = fw.method

    handlers = []
-    debug1('Connecting to server...\n')
+    debug1('Connecting to server...')

    try:
        (serverproc, serversock) = ssh.connect(
            ssh_cmd, remotename, python,
            stderr=ssyslog._p and ssyslog._p.stdin,
            options=dict(latency_control=latency_control,
+                         latency_buffer_size=latency_buffer_size,
                         auto_hosts=auto_hosts,
                         to_nameserver=to_nameserver,
                         auto_nets=auto_nets))
    except socket.error as e:
        if e.args[0] == errno.EPIPE:
-            raise Fatal("c : failed to establish ssh session (1)")
+            raise Fatal("failed to establish ssh session (1)")
        else:
            raise
    mux = Mux(serversock.makefile("rb"), serversock.makefile("wb"))
@ -481,22 +550,99 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
        initstring = serversock.recv(len(expected))
    except socket.error as e:
        if e.args[0] == errno.ECONNRESET:
-            raise Fatal("c : failed to establish ssh session (2)")
+            raise Fatal("failed to establish ssh session (2)")
        else:
            raise

+    # Returns None if process is still running (or returns exit code)
    rv = serverproc.poll()
-    if rv:
-        raise Fatal('c : server died with error code %d' % rv)
+    if rv is not None:
+        errmsg = "server died with error code %d\n" % rv
+
+        # Our fatal exceptions return exit code 99
+        if rv == 99:
+            errmsg += "This error code likely means that python started and " \
+                "the sshuttle server started. However, the sshuttle server " \
+                "may have raised a 'Fatal' exception after it started."
+        elif rv == 98:
+            errmsg += "This error code likely means that we were able to " \
+                "run python on the server, but that the program continued " \
+                "to the line after we call python's exec() to execute " \
+                "sshuttle's server code. Try specifying the python " \
+                "executable to user on the server by passing --python " \
+                "to sshuttle."
+
+        # This error should only be possible when --python is not specified.
+        elif rv == 97 and not python:
+            errmsg += "This error code likely means that either we " \
+                "couldn't find python3 or python in the PATH on the " \
+                "server or that we do not have permission to run 'exec' in " \
+                "the /bin/sh shell on the server. Try specifying the " \
+                "python executable to use on the server by passing " \
+                "--python to sshuttle."
+
+        # POSIX sh standards says error code 127 is used when you try
+        # to execute a program that does not exist. See section 2.8.2
+        # of
+        # https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_08
+        elif rv == 127:
+            if python:
+                errmsg += "This error code likely means that we were not " \
+                    "able to execute the python executable that specified " \
+                    "with --python. You specified '%s'.\n" % python
+                if python.startswith("/"):
+                    errmsg += "\nTip for users in a restricted shell on the " \
+                        "server: The server may refuse to run programs " \
+                        "specified with an absolute path. Try specifying " \
+                        "just the name of the python executable. However, " \
+                        "if python is not in your PATH and you cannot " \
+                        "run programs specified with an absolute path, " \
+                        "it is possible that sshuttle will not work."
+            else:
+                errmsg += "This error code likely means that we were unable " \
+                    "to execute /bin/sh on the remote server. This can " \
+                    "happen if /bin/sh does not exist on the server or if " \
+                    "you are in a restricted shell that does not allow you " \
+                    "to run programs specified with an absolute path. " \
+                    "Try rerunning sshuttle with the --python parameter."
+
+        # When the redirected subnet includes the remote ssh host, the
+        # firewall rules can interrupt the ssh connection to the
+        # remote machine. This issue impacts some Linux machines. The
+        # user sees that the server dies with a broken pipe error and
+        # code 255.
+        #
+        # The solution to this problem is to exclude the remote
+        # server.
+        #
+        # There are many github issues from users encountering this
+        # problem. Most of the discussion on the topic is here:
+        # https://github.com/sshuttle/sshuttle/issues/191
+        elif rv == 255:
+            errmsg += "It might be possible to resolve this error by " \
+                "excluding the server that you are ssh'ing to. For example, " \
+                "if you are running 'sshuttle -v -r example.com 0/0' to " \
+                "redirect all traffic through example.com, then try " \
+                "'sshuttle -v -r example.com -x example.com 0/0' to " \
+                "exclude redirecting the connection to example.com itself " \
+                "(i.e., sshuttle's firewall rules may be breaking the " \
+                "ssh connection that it previously established). " \
+                "Alternatively, you may be able to use 'sshuttle -v -r " \
+                "example.com -x example.com:22 0/0' to redirect " \
+                "everything except ssh connections between your machine " \
+                "and example.com."
+
+        raise Fatal(errmsg)

    if initstring != expected:
-        raise Fatal('c : expected server init string %r; got %r'
+        raise Fatal('expected server init string %r; got %r'
                    % (expected, initstring))
-    log('Connected to server.\n')
+    log('Connected to server.')
    sys.stdout.flush()
+
    if daemon:
        daemonize()
-        log('daemonizing (%s).\n' % _pidname)
+        log('daemonizing (%s).' % _pidname)

    def onroutes(routestr):
        if auto_nets:
@ -508,11 +654,11 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                width = int(width)
                ip = ip.decode("ASCII")
                if family == socket.AF_INET6 and tcp_listener.v6 is None:
-                    debug2("Ignored auto net %d/%s/%d\n" % (family, ip, width))
+                    debug2("Ignored auto net %d/%s/%d" % (family, ip, width))
                if family == socket.AF_INET and tcp_listener.v4 is None:
-                    debug2("Ignored auto net %d/%s/%d\n" % (family, ip, width))
+                    debug2("Ignored auto net %d/%s/%d" % (family, ip, width))
                else:
-                    debug2("Adding auto net %d/%s/%d\n" % (family, ip, width))
+                    debug2("Adding auto net %d/%s/%d" % (family, ip, width))
                    fw.auto_nets.append((family, ip, width, 0, 0))

        # we definitely want to do this *after* starting ssh, or we might end
@ -532,7 +678,7 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
        sdnotify.send(sdnotify.ready(), sdnotify.status('Connected'))

    def onhostlist(hostlist):
-        debug2('got host list: %r\n' % hostlist)
+        debug2('got host list: %r' % hostlist)
        for line in hostlist.strip().split():
            if line:
                name, ip = line.split(b',', 1)
@ -548,7 +694,7 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
        dns_listener.add_handler(handlers, ondns, method, mux)

    if seed_hosts is not None:
-        debug1('seed_hosts: %r\n' % seed_hosts)
+        debug1('seed_hosts: %r' % seed_hosts)
        mux.send(0, ssnet.CMD_HOST_REQ, str.encode('\n'.join(seed_hosts)))

    def check_ssh_alive():
@ -556,7 +702,9 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
            # poll() won't tell us when process exited since the
            # process is no longer our child (it returns 0 all the
            # time).
-            if not psutil.pid_exists(serverproc.pid):
+            try:
+                os.kill(serverproc.pid, 0)
+            except OSError:
                raise Fatal('ssh connection to server (pid %d) exited.' %
                            serverproc.pid)
        else:
@ -574,40 +722,47 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,


 def main(listenip_v6, listenip_v4,
-         ssh_cmd, remotename, python, latency_control, dns, nslist,
+         ssh_cmd, remotename, python, latency_control,
+         latency_buffer_size, dns, nslist,
         method_name, seed_hosts, auto_hosts, auto_nets,
         subnets_include, subnets_exclude, daemon, to_nameserver, pidfile,
         user, sudo_pythonpath, tmark):

    if not remotename:
-        print("WARNING: You must specify -r/--remote to securely route "
-              "traffic to a remote machine. Running without -r/--remote "
-              "is only recommended for testing.")
+        raise Fatal("You must use -r/--remote to specify a remote "
+                    "host to route traffic through.")

    if daemon:
        try:
            check_daemon(pidfile)
        except Fatal as e:
-            log("%s\n" % e)
+            log("%s" % e)
            return 5
-    debug1('Starting sshuttle proxy (version %s).\n' % __version__)
+    debug1('Starting sshuttle proxy (version %s).' % __version__)
    helpers.logprefix = 'c : '

    fw = FirewallClient(method_name, sudo_pythonpath)

-    # If --dns is used, store the IP addresses that the client
-    # normally uses for DNS lookups in nslist. The firewall needs to
-    # redirect packets outgoing to this server to the remote host
+    # nslist is the list of name severs to intercept. If --dns is
+    # used, we add all DNS servers in resolv.conf. Otherwise, the list
+    # can be populated with the --ns-hosts option (which is already
+    # stored in nslist). This list is used to setup the firewall so it
+    # can redirect packets outgoing to this server to the remote host
    # instead.
    if dns:
        nslist += resolvconf_nameservers(True)
+
+    # If we are intercepting DNS requests, we tell the remote host
+    # where it should send the DNS requests to with the --to-ns
+    # option.
+    if len(nslist) > 0:
        if to_nameserver is not None:
            to_nameserver = "%s@%s" % tuple(to_nameserver[1:])
-    else:
-        # option doesn't make sense if we aren't proxying dns
+    else:  # if we are not intercepting DNS traffic
+        # ...and the user specified a server to send DNS traffic to.
        if to_nameserver and len(to_nameserver) > 0:
-            print("WARNING: --to-ns option is ignored because --dns was not "
-                  "used.")
+            print("WARNING: --to-ns option is ignored unless "
+                  "--dns or --ns-hosts is used.")
        to_nameserver = None

    # Get family specific subnet lists. Also, the user may not specify
@ -643,14 +798,14 @@ def main(listenip_v6, listenip_v4,
    #    "auto" when listen address is unspecified.
    #    The user specified address if provided by user
    if listenip_v6 is None:
-        debug1("IPv6 disabled by --disable-ipv6\n")
+        debug1("IPv6 disabled by --disable-ipv6")
    if listenip_v6 == "auto":
        if avail.ipv6:
-            debug1("IPv6 enabled: Using default IPv6 listen address ::1\n")
+            debug1("IPv6 enabled: Using default IPv6 listen address ::1")
            listenip_v6 = ('::1', 0)
        else:
            debug1("IPv6 disabled since it isn't supported by method "
-                   "%s.\n" % fw.method.name)
+                   "%s." % fw.method.name)
            listenip_v6 = None

    # Make final decision about enabling IPv6:
@ -722,9 +877,9 @@ def main(listenip_v6, listenip_v4,
                msg += "(available)"
            else:
                msg += "(not available with %s method)" % fw.method.name
-        debug1(msg + "\n")
+        debug1(msg)

-    debug1("Method: %s\n" % fw.method.name)
+    debug1("Method: %s" % fw.method.name)
    feature_status("IPv4", required.ipv4, avail.ipv4)
    feature_status("IPv6", required.ipv6, avail.ipv6)
    feature_status("UDP ", required.udp, avail.udp)
@ -744,20 +899,20 @@ def main(listenip_v6, listenip_v4,
    # because we do that below when we have identified the ports to
    # listen on.
    debug1("Subnets to forward through remote host (type, IP, cidr mask "
-           "width, startPort, endPort):\n")
+           "width, startPort, endPort):")
    for i in subnets_include:
-        debug1("  "+str(i)+"\n")
+        debug1("  "+str(i))
    if auto_nets:
        debug1("NOTE: Additional subnets to forward may be added below by "
-               "--auto-nets.\n")
-    debug1("Subnets to exclude from forwarding:\n")
+               "--auto-nets.")
+    debug1("Subnets to exclude from forwarding:")
    for i in subnets_exclude:
-        debug1("  "+str(i)+"\n")
+        debug1("  "+str(i))
    if required.dns:
        debug1("DNS requests normally directed at these servers will be "
-               "redirected to remote:\n")
+               "redirected to remote:")
        for i in nslist:
-            debug1("  "+str(i)+"\n")
+            debug1("  "+str(i))

    if listenip_v6 and listenip_v6[1] and listenip_v4 and listenip_v4[1]:
        # if both ports given, no need to search for a spare port
@ -775,7 +930,7 @@ def main(listenip_v6, listenip_v4,
    redirectport_v4 = 0
    bound = False
    for port in ports:
-        debug2('Trying to bind redirector on port %d\n' % port)
+        debug2('Trying to bind redirector on port %d' % port)
        tcp_listener = MultiListener()

        if required.udp:
@ -818,7 +973,7 @@ def main(listenip_v6, listenip_v4,
                raise e

    if not bound:
-        assert(last_e)
+        assert last_e
        raise last_e
    tcp_listener.listen(10)
    tcp_listener.print_listening("TCP redirector")
@ -830,7 +985,7 @@ def main(listenip_v6, listenip_v4,
        # search for spare port for DNS
        ports = range(12300, 9000, -1)
        for port in ports:
-            debug2('Trying to bind DNS redirector on port %d\n' % port)
+            debug2('Trying to bind DNS redirector on port %d' % port)
            if port in used_ports:
                continue

@ -864,7 +1019,7 @@ def main(listenip_v6, listenip_v4,

        dns_listener.print_listening("DNS")
        if not bound:
-            assert(last_e)
+            assert last_e
            raise last_e
    else:
        dnsport_v6 = 0
@ -908,8 +1063,9 @@ def main(listenip_v6, listenip_v4,
    # start the client process
    try:
        return _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
-                     python, latency_control, dns_listener,
-                     seed_hosts, auto_hosts, auto_nets, daemon, to_nameserver)
+                     python, latency_control, latency_buffer_size,
+                     dns_listener, seed_hosts, auto_hosts, auto_nets,
+                     daemon, to_nameserver)
    finally:
        try:
            if daemon:
--- a/sshuttle/cmdline.py
+++ b/sshuttle/cmdline.py
@ -1,6 +1,5 @@
 import re
 import socket
-import platform
 import sshuttle.helpers as helpers
 import sshuttle.client as client
 import sshuttle.firewall as firewall
@ -14,20 +13,9 @@ from sshuttle.sudoers import sudoers
 def main():
    opt = parser.parse_args()

-    if opt.sudoers or opt.sudoers_no_modify:
-        if platform.platform().startswith('OpenBSD'):
-            log('Automatic sudoers does not work on BSD')
-            exit(1)
-
-        if not opt.sudoers_filename:
-            log('--sudoers-file must be set or omited.')
-            exit(1)
-
-        sudoers(
-            user_name=opt.sudoers_user,
-            no_modify=opt.sudoers_no_modify,
-            file_name=opt.sudoers_filename
-        )
+    if opt.sudoers_no_modify:
+        # sudoers() calls exit() when it completes
+        sudoers(user_name=opt.sudoers_user)

    if opt.daemon:
        opt.syslog = 1
@ -45,7 +33,8 @@ def main():
                parser.error('exactly zero arguments expected')
            return firewall.main(opt.method, opt.syslog)
        elif opt.hostwatch:
-            return hostwatch.hw_main(opt.subnets, opt.auto_hosts)
+            hostwatch.hw_main(opt.subnets, opt.auto_hosts)
+            return 0
        else:
            # parse_subnetports() is used to create a list of includes
            # and excludes. It is called once for each parameter and
@ -85,6 +74,13 @@ def main():
                ipport_v4 = "auto"
                # parse_ipport6('[::1]:0')
                ipport_v6 = "auto" if not opt.disable_ipv6 else None
+            try:
+                int(opt.tmark, 16)
+            except ValueError:
+                parser.error("--tmark must be a hexadecimal value")
+            opt.tmark = opt.tmark.lower()   # make 'x' in 0x lowercase
+            if not opt.tmark.startswith("0x"):  # accept without 0x prefix
+                opt.tmark = "0x%s" % opt.tmark
            if opt.syslog:
                ssyslog.start_syslog()
                ssyslog.close_stdin()
@ -95,6 +91,7 @@ def main():
                                      remotename,
                                      opt.python,
                                      opt.latency_control,
+                                      opt.latency_buffer_size,
                                      opt.dns,
                                      nslist,
                                      opt.method,
@ -117,9 +114,9 @@ def main():
            return return_code

    except Fatal as e:
-        log('fatal: %s\n' % e)
+        log('fatal: %s' % e)
        return 99
    except KeyboardInterrupt:
        log('\n')
-        log('Keyboard interrupt: exiting.\n')
+        log('Keyboard interrupt: exiting.')
        return 1
--- a/sshuttle/firewall.py
+++ b/sshuttle/firewall.py
@ -1,17 +1,20 @@
 import errno
+import shutil
 import socket
 import signal
 import sys
 import os
 import platform
 import traceback
+import subprocess as ssubprocess

 import sshuttle.ssyslog as ssyslog
 import sshuttle.helpers as helpers
-from sshuttle.helpers import debug1, debug2, Fatal
+from sshuttle.helpers import log, debug1, debug2, Fatal
 from sshuttle.methods import get_auto_method, get_method

 HOSTSFILE = '/etc/hosts'
+sshuttle_pid = None


 def rewrite_etc_hosts(hostmap, port):
@ -28,7 +31,11 @@ def rewrite_etc_hosts(hostmap, port):
        else:
            raise
    if old_content.strip() and not os.path.exists(BAKFILE):
+        try:
            os.link(HOSTSFILE, BAKFILE)
+        except OSError:
+            # file is locked - performing non-atomic copy
+            shutil.copyfile(HOSTSFILE, BAKFILE)
    tmpname = "%s.%d.tmp" % (HOSTSFILE, port)
    f = open(tmpname, 'w')
    for line in old_content.rstrip().split('\n'):
@ -44,33 +51,64 @@ def rewrite_etc_hosts(hostmap, port):
        os.chmod(tmpname, st.st_mode)
    else:
        os.chown(tmpname, 0, 0)
-        os.chmod(tmpname, 0o600)
+        os.chmod(tmpname, 0o644)
+    try:
        os.rename(tmpname, HOSTSFILE)
+    except OSError:
+        # file is locked - performing non-atomic copy
+        log('Warning: Using a non-atomic way to overwrite %s that can corrupt the file if '
+            'multiple processes write to it simultaneously.' % HOSTSFILE)
+        shutil.move(tmpname, HOSTSFILE)


 def restore_etc_hosts(hostmap, port):
    # Only restore if we added hosts to /etc/hosts previously.
    if len(hostmap) > 0:
-        debug2('undoing /etc/hosts changes.\n')
+        debug2('undoing /etc/hosts changes.')
        rewrite_etc_hosts({}, port)


+def firewall_exit(signum, frame):
+    # The typical sshuttle exit is that the main sshuttle process
+    # exits, closes file descriptors it uses, and the firewall process
+    # notices that it can't read from stdin anymore and exits
+    # (cleaning up firewall rules).
+    #
+    # However, in some cases, Ctrl+C might get sent to the firewall
+    # process. This might caused if someone manually tries to kill the
+    # firewall process, or if sshuttle was started using sudo's use_pty option
+    # and they try to exit by pressing Ctrl+C. Here, we forward the
+    # Ctrl+C/SIGINT to the main sshuttle process which should trigger
+    # the typical exit process as described above.
+    global sshuttle_pid
+    if sshuttle_pid:
+        debug1("Relaying SIGINT to sshuttle process %d\n" % sshuttle_pid)
+        os.kill(sshuttle_pid, signal.SIGINT)
+
+
 # Isolate function that needs to be replaced for tests
 def setup_daemon():
    if os.getuid() != 0:
-        raise Fatal('fw: '
-                    'You must be root (or enable su/sudo) to set the firewall')
+        raise Fatal('You must be root (or enable su/sudo) to set the firewall')

    # don't disappear if our controlling terminal or stdout/stderr
    # disappears; we still have to clean up.
    signal.signal(signal.SIGHUP, signal.SIG_IGN)
    signal.signal(signal.SIGPIPE, signal.SIG_IGN)
-    signal.signal(signal.SIGTERM, signal.SIG_IGN)
-    signal.signal(signal.SIGINT, signal.SIG_IGN)
+    signal.signal(signal.SIGTERM, firewall_exit)
+    signal.signal(signal.SIGINT, firewall_exit)

-    # ctrl-c shouldn't be passed along to me.  When the main sshuttle dies,
-    # I'll die automatically.
+    # Calling setsid() here isn't strictly necessary. However, it forces
+    # Ctrl+C to get sent to the main sshuttle process instead of to
+    # the firewall process---which is our preferred way to shutdown.
+    # Nonetheless, if the firewall process receives a SIGTERM/SIGINT
+    # signal, it will relay a SIGINT to the main sshuttle process
+    # automatically.
+    try:
        os.setsid()
+    except OSError:
+        # setsid() fails if sudo is configured with the use_pty option.
+        pass

    # because of limitations of the 'su' command, the *real* stdin/stdout
    # are both attached to stdout initially.  Clone stdout into stdin so we
@ -90,19 +128,50 @@ def subnet_weight(s):
    return (-s[-1] + (s[-2] or -65535), s[1], s[2])


+def flush_systemd_dns_cache():
+    # If the user is using systemd-resolve for DNS resolution, it is
+    # possible for the request to go through systemd-resolve before we
+    # see it...and it may use a cached result instead of sending a
+    # request that we can intercept. When sshuttle starts and stops,
+    # this means that we should clear the cache!
+    #
+    # The command to do this was named systemd-resolve, but changed to
+    # resolvectl in systemd 239.
+    # https://github.com/systemd/systemd/blob/f8eb41003df1a4eab59ff9bec67b2787c9368dbd/NEWS#L3816
+
+    p = None
+    if helpers.which("resolvectl"):
+        debug2("Flushing systemd's DNS resolver cache: "
+               "resolvectl flush-caches")
+        p = ssubprocess.Popen(["resolvectl", "flush-caches"],
+                              stdout=ssubprocess.PIPE, env=helpers.get_env())
+    elif helpers.which("systemd-resolve"):
+        debug2("Flushing systemd's DNS resolver cache: "
+               "systemd-resolve --flush-caches")
+        p = ssubprocess.Popen(["systemd-resolve", "--flush-caches"],
+                              stdout=ssubprocess.PIPE, env=helpers.get_env())
+
+    if p:
+        # Wait so flush is finished and process doesn't show up as defunct.
+        rv = p.wait()
+        if rv != 0:
+            log("Received non-zero return code %d when flushing DNS resolver "
+                "cache." % rv)
+
+
 # This is some voodoo for setting up the kernel's transparent
 # proxying stuff.  If subnets is empty, we just delete our sshuttle rules;
 # otherwise we delete it, then make them from scratch.
 #
 # This code is supposed to clean up after itself by deleting its rules on
 # exit.  In case that fails, it's not the end of the world; future runs will
-# supercede it in the transproxy list, at least, so the leftover rules
+# supersede it in the transproxy list, at least, so the leftover rules
 # are hopefully harmless.
 def main(method_name, syslog):
+    helpers.logprefix = 'fw: '
    stdin, stdout = setup_daemon()
    hostmap = {}
-    helpers.logprefix = 'fw: '
-    debug1('Starting firewall with Python version %s\n'
+    debug1('Starting firewall with Python version %s'
           % platform.python_version())

    if method_name == "auto":
@ -119,7 +188,7 @@ def main(method_name, syslog):
                    "Check that the appropriate programs are in your "
                    "PATH." % method_name)

-    debug1('ready method name %s.\n' % method.name)
+    debug1('ready method name %s.' % method.name)
    stdout.write('READY %s\n' % method.name)
    stdout.flush()

@ -136,14 +205,14 @@ def main(method_name, syslog):
    while 1:
        line = stdin.readline(128)
        if not line:
-            raise Fatal('fw: expected route but got %r' % line)
+            raise Fatal('expected route but got %r' % line)
        elif line.startswith("NSLIST\n"):
            break
        try:
            (family, width, exclude, ip, fport, lport) = \
                line.strip().split(',', 5)
-        except BaseException:
-            raise Fatal('fw: expected route or NSLIST but got %r' % line)
+        except Exception:
+            raise Fatal('expected route or NSLIST but got %r' % line)
        subnets.append((
            int(family),
            int(width),
@ -151,60 +220,63 @@ def main(method_name, syslog):
            ip,
            int(fport),
            int(lport)))
-    debug2('Got subnets: %r\n' % subnets)
+    debug2('Got subnets: %r' % subnets)

    nslist = []
    if line != 'NSLIST\n':
-        raise Fatal('fw: expected NSLIST but got %r' % line)
+        raise Fatal('expected NSLIST but got %r' % line)
    while 1:
        line = stdin.readline(128)
        if not line:
-            raise Fatal('fw: expected nslist but got %r' % line)
+            raise Fatal('expected nslist but got %r' % line)
        elif line.startswith("PORTS "):
            break
        try:
            (family, ip) = line.strip().split(',', 1)
-        except BaseException:
-            raise Fatal('fw: expected nslist or PORTS but got %r' % line)
+        except Exception:
+            raise Fatal('expected nslist or PORTS but got %r' % line)
        nslist.append((int(family), ip))
-        debug2('Got partial nslist: %r\n' % nslist)
-    debug2('Got nslist: %r\n' % nslist)
+        debug2('Got partial nslist: %r' % nslist)
+    debug2('Got nslist: %r' % nslist)

    if not line.startswith('PORTS '):
-        raise Fatal('fw: expected PORTS but got %r' % line)
+        raise Fatal('expected PORTS but got %r' % line)
    _, _, ports = line.partition(" ")
    ports = ports.split(",")
    if len(ports) != 4:
-        raise Fatal('fw: expected 4 ports but got %d' % len(ports))
+        raise Fatal('expected 4 ports but got %d' % len(ports))
    port_v6 = int(ports[0])
    port_v4 = int(ports[1])
    dnsport_v6 = int(ports[2])
    dnsport_v4 = int(ports[3])

-    assert(port_v6 >= 0)
-    assert(port_v6 <= 65535)
-    assert(port_v4 >= 0)
-    assert(port_v4 <= 65535)
-    assert(dnsport_v6 >= 0)
-    assert(dnsport_v6 <= 65535)
-    assert(dnsport_v4 >= 0)
-    assert(dnsport_v4 <= 65535)
+    assert port_v6 >= 0
+    assert port_v6 <= 65535
+    assert port_v4 >= 0
+    assert port_v4 <= 65535
+    assert dnsport_v6 >= 0
+    assert dnsport_v6 <= 65535
+    assert dnsport_v4 >= 0
+    assert dnsport_v4 <= 65535

-    debug2('Got ports: %d,%d,%d,%d\n'
+    debug2('Got ports: %d,%d,%d,%d'
           % (port_v6, port_v4, dnsport_v6, dnsport_v4))

    line = stdin.readline(128)
    if not line:
-        raise Fatal('fw: expected GO but got %r' % line)
+        raise Fatal('expected GO but got %r' % line)
    elif not line.startswith("GO "):
-        raise Fatal('fw: expected GO but got %r' % line)
+        raise Fatal('expected GO but got %r' % line)

    _, _, args = line.partition(" ")
-    udp, user = args.strip().split(" ", 1)
+    global sshuttle_pid
+    udp, user, tmark, sshuttle_pid = args.strip().split(" ", 3)
    udp = bool(int(udp))
+    sshuttle_pid = int(sshuttle_pid)
    if user == '-':
        user = None
-    debug2('Got udp: %r, user: %r\n' % (udp, user))
+    debug2('Got udp: %r, user: %r, tmark: %s, sshuttle_pid: %d' %
+           (udp, user, tmark, sshuttle_pid))

    subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
    nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
@ -212,22 +284,23 @@ def main(method_name, syslog):
    nslist_v4 = [i for i in nslist if i[0] == socket.AF_INET]

    try:
-        debug1('setting up.\n')
+        debug1('setting up.')

        if subnets_v6 or nslist_v6:
-            debug2('setting up IPv6.\n')
+            debug2('setting up IPv6.')
            method.setup_firewall(
                port_v6, dnsport_v6, nslist_v6,
                socket.AF_INET6, subnets_v6, udp,
-                user)
+                user, tmark)

        if subnets_v4 or nslist_v4:
-            debug2('setting up IPv4.\n')
+            debug2('setting up IPv4.')
            method.setup_firewall(
                port_v4, dnsport_v4, nslist_v4,
                socket.AF_INET, subnets_v4, udp,
-                user)
+                user, tmark)

+        flush_systemd_dns_cache()
        stdout.write('STARTED\n')

        try:
@ -245,50 +318,56 @@ def main(method_name, syslog):
            if line.startswith('HOST '):
                (name, ip) = line[5:].strip().split(',', 1)
                hostmap[name] = ip
-                debug2('setting up /etc/hosts.\n')
+                debug2('setting up /etc/hosts.')
                rewrite_etc_hosts(hostmap, port_v6 or port_v4)
            elif line:
                if not method.firewall_command(line):
-                    raise Fatal('fw: expected command, got %r' % line)
+                    raise Fatal('expected command, got %r' % line)
            else:
                break
    finally:
        try:
-            debug1('undoing changes.\n')
-        except BaseException:
+            debug1('undoing changes.')
+        except Exception:
            debug2('An error occurred, ignoring it.')

        try:
            if subnets_v6 or nslist_v6:
-                debug2('undoing IPv6 changes.\n')
+                debug2('undoing IPv6 changes.')
                method.restore_firewall(port_v6, socket.AF_INET6, udp, user)
-        except BaseException:
+        except Exception:
            try:
-                debug1("Error trying to undo IPv6 firewall.\n")
-                for line in traceback.format_exc().splitlines():
-                    debug1("---> %s\n" % line)
-            except BaseException:
+                debug1("Error trying to undo IPv6 firewall.")
+                debug1(traceback.format_exc())
+            except Exception:
                debug2('An error occurred, ignoring it.')

        try:
            if subnets_v4 or nslist_v4:
-                debug2('undoing IPv4 changes.\n')
+                debug2('undoing IPv4 changes.')
                method.restore_firewall(port_v4, socket.AF_INET, udp, user)
-        except BaseException:
+        except Exception:
            try:
-                debug1("Error trying to undo IPv4 firewall.\n")
-                for line in traceback.format_exc().splitlines():
-                    debug1("---> %s\n" % line)
-            except BaseException:
+                debug1("Error trying to undo IPv4 firewall.")
+                debug1(traceback.format_exc())
+            except Exception:
                debug2('An error occurred, ignoring it.')

        try:
            # debug2() message printed in restore_etc_hosts() function.
            restore_etc_hosts(hostmap, port_v6 or port_v4)
-        except BaseException:
+        except Exception:
            try:
-                debug1("Error trying to undo /etc/hosts changes.\n")
-                for line in traceback.format_exc().splitlines():
-                    debug1("---> %s\n" % line)
-            except BaseException:
+                debug1("Error trying to undo /etc/hosts changes.")
+                debug1(traceback.format_exc())
+            except Exception:
                debug2('An error occurred, ignoring it.')
+
+        try:
+            flush_systemd_dns_cache()
+        except Exception:
+            try:
+                debug1("Error trying to flush systemd dns cache.")
+                debug1(traceback.format_exc())
+            except Exception:
+                debug2("An error occurred, ignoring it.")
--- a/sshuttle/helpers.py
+++ b/sshuttle/helpers.py
@ -15,14 +15,22 @@ def log(s):
    global logprefix
    try:
        sys.stdout.flush()
-        if s.find("\n") != -1:
+        # Put newline at end of string if line doesn't have one.
+        if not s.endswith("\n"):
+            s = s+"\n"
+
        prefix = logprefix
        s = s.rstrip("\n")
        for line in s.split("\n"):
-                sys.stderr.write(prefix + line + "\n")
-                prefix = "---> "
-        else:
-            sys.stderr.write(logprefix + s)
+            # We output with \r\n instead of \n because when we use
+            # sudo with the use_pty option, the firewall process, the
+            # other processes printing to the terminal will have the
+            # \n move to the next line, but they will fail to reset
+            # cursor to the beginning of the line. Printing output
+            # with \r\n endings fixes that problem and does not appear
+            # to cause problems elsewhere.
+            sys.stderr.write(prefix + line + "\r\n")
+            prefix = "    "
        sys.stderr.flush()
    except IOError:
        # this could happen if stderr gets forcibly disconnected, eg. because
@ -91,11 +99,11 @@ def resolvconf_nameservers(systemd_resolved):
                words = line.lower().split()
                if len(words) >= 2 and words[0] == 'nameserver':
                    this_file_nsservers.append(family_ip_tuple(words[1]))
-            debug2("Found DNS servers in %s: %s\n" %
+            debug2("Found DNS servers in %s: %s" %
                   (f, [n[1] for n in this_file_nsservers]))
            nsservers += this_file_nsservers
        except OSError as e:
-            debug3("Failed to read %s when looking for DNS servers: %s\n" %
+            debug3("Failed to read %s when looking for DNS servers: %s" %
                   (f, e.strerror))

    return nsservers
@ -215,7 +223,7 @@ def which(file, mode=os.F_OK | os.X_OK):
    path = get_path()
    rv = _which(file, mode, path)
    if rv:
-        debug2("which() found '%s' at %s\n" % (file, rv))
+        debug2("which() found '%s' at %s" % (file, rv))
    else:
-        debug2("which() could not find '%s' in %s\n" % (file, path))
+        debug2("which() could not find '%s' in %s" % (file, path))
    return rv
--- a/sshuttle/hostwatch.py
+++ b/sshuttle/hostwatch.py
@ -15,16 +15,16 @@ POLL_TIME = 60 * 15
 NETSTAT_POLL_TIME = 30
 CACHEFILE = os.path.expanduser('~/.sshuttle.hosts')

+# Have we already failed to write CACHEFILE?
+CACHE_WRITE_FAILED = False

-_nmb_ok = True
-_smb_ok = True
 hostnames = {}
 queue = {}
 try:
    null = open(os.devnull, 'wb')
 except IOError:
    _, e = sys.exc_info()[:2]
-    log('warning: %s\n' % e)
+    log('warning: %s' % e)
    null = os.popen("sh -c 'while read x; do :; done'", 'wb', 4096)


@ -33,7 +33,10 @@ def _is_ip(s):


 def write_host_cache():
+    """If possible, write our hosts file to disk so future connections
+       can reuse the hosts that we already found."""
    tmpname = '%s.%d.tmp' % (CACHEFILE, os.getpid())
+    global CACHE_WRITE_FAILED
    try:
        f = open(tmpname, 'wb')
        for name, ip in sorted(hostnames.items()):
@ -41,33 +44,50 @@ def write_host_cache():
        f.close()
        os.chmod(tmpname, 384)  # 600 in octal, 'rw-------'
        os.rename(tmpname, CACHEFILE)
-    finally:
+        CACHE_WRITE_FAILED = False
+    except (OSError, IOError):
+        # Write message if we haven't yet or if we get a failure after
+        # a previous success.
+        if not CACHE_WRITE_FAILED:
+            log("Failed to write host cache to temporary file "
+                "%s and rename it to %s" % (tmpname, CACHEFILE))
+            CACHE_WRITE_FAILED = True
+
        try:
            os.unlink(tmpname)
-        except BaseException:
+        except Exception:
            pass


 def read_host_cache():
+    """If possible, read the cache file from disk to populate hosts that
+       were found in a previous sshuttle run."""
    try:
        f = open(CACHEFILE)
-    except IOError:
+    except (OSError, IOError):
        _, e = sys.exc_info()[:2]
        if e.errno == errno.ENOENT:
            return
        else:
-            raise
+            log("Failed to read existing host cache file %s on remote host"
+                % CACHEFILE)
+            return
    for line in f:
        words = line.strip().split(',')
        if len(words) == 2:
            (name, ip) = words
            name = re.sub(r'[^-\w\.]', '-', name).strip()
+            # Remove characters that shouldn't be in IP
            ip = re.sub(r'[^0-9.]', '', ip).strip()
            if name and ip:
                found_host(name, ip)


 def found_host(name, ip):
+    """The provided name maps to the given IP. Add the host to the
+       hostnames list, send the host to the sshuttle client via
+       stdout, and write the host to the cache file.
+    """
    hostname = re.sub(r'\..*', '', name)
    hostname = re.sub(r'[^-\w\.]', '_', hostname)
    if (ip.startswith('127.') or ip.startswith('255.') or
@ -80,43 +100,51 @@ def found_host(name, ip):
    oldip = hostnames.get(name)
    if oldip != ip:
        hostnames[name] = ip
-        debug1('Found: %s: %s\n' % (name, ip))
+        debug1('Found: %s: %s' % (name, ip))
        sys.stdout.write('%s,%s\n' % (name, ip))
        write_host_cache()


 def _check_etc_hosts():
-    debug2(' > hosts\n')
-    for line in open('/etc/hosts'):
-        line = re.sub(r'#.*', '', line)
+    """If possible, read /etc/hosts to find hosts."""
+    filename = '/etc/hosts'
+    debug2(' > Reading %s on remote host' % filename)
+    try:
+        for line in open(filename):
+            line = re.sub(r'#.*', '', line)  # remove comments
            words = line.strip().split()
            if not words:
                continue
            ip = words[0]
-        names = words[1:]
            if _is_ip(ip):
-            debug3('<    %s %r\n' % (ip, names))
+                names = words[1:]
+                debug3('<    %s %r' % (ip, names))
                for n in names:
                    check_host(n)
                    found_host(n, ip)
+    except (OSError, IOError):
+        debug1("Failed to read %s on remote host" % filename)


 def _check_revdns(ip):
-    debug2(' > rev: %s\n' % ip)
+    """Use reverse DNS to try to get hostnames from an IP addresses."""
+    debug2(' > rev: %s' % ip)
    try:
        r = socket.gethostbyaddr(ip)
-        debug3('<    %s\n' % r[0])
+        debug3('<    %s' % r[0])
        check_host(r[0])
        found_host(r[0], ip)
-    except (socket.herror, UnicodeError):
+    except (OSError, socket.error, UnicodeError):
+        # This case is expected to occur regularly.
+        # debug3('<    %s gethostbyaddr failed on remote host' % ip)
        pass


 def _check_dns(hostname):
-    debug2(' > dns: %s\n' % hostname)
+    debug2(' > dns: %s' % hostname)
    try:
        ip = socket.gethostbyname(hostname)
-        debug3('<    %s\n' % ip)
+        debug3('<    %s' % ip)
        check_host(ip)
        found_host(hostname, ip)
    except (socket.gaierror, UnicodeError):
@ -124,7 +152,7 @@ def _check_dns(hostname):


 def _check_netstat():
-    debug2(' > netstat\n')
+    debug2(' > netstat')
    argv = ['netstat', '-n']
    try:
        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
@ -133,118 +161,26 @@ def _check_netstat():
        p.wait()
    except OSError:
        _, e = sys.exc_info()[:2]
-        log('%r failed: %r\n' % (argv, e))
+        log('%r failed: %r' % (argv, e))
        return

+    # The same IPs may appear multiple times. Consolidate them so the
+    # debug message doesn't print the same IP repeatedly.
+    ip_list = []
    for ip in re.findall(r'\d+\.\d+\.\d+\.\d+', content):
-        debug3('<    %s\n' % ip)
+        if ip not in ip_list:
+            ip_list.append(ip)
+
+    for ip in sorted(ip_list):
+        debug3('<    %s' % ip)
        check_host(ip)


-def _check_smb(hostname):
-    return
-    global _smb_ok
-    if not _smb_ok:
-        return
-    debug2(' > smb: %s\n' % hostname)
-    argv = ['smbclient', '-U', '%', '-L', hostname]
-    try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
-                              env=get_env())
-        lines = p.stdout.readlines()
-        p.wait()
-    except OSError:
-        _, e = sys.exc_info()[:2]
-        log('%r failed: %r\n' % (argv, e))
-        _smb_ok = False
-        return
-
-    lines.reverse()
-
-    # junk at top
-    while lines:
-        line = lines.pop().strip()
-        if re.match(r'Server\s+', line):
-            break
-
-    # server list section:
-    #    Server   Comment
-    #    ------   -------
-    while lines:
-        line = lines.pop().strip()
-        if not line or re.match(r'-+\s+-+', line):
-            continue
-        if re.match(r'Workgroup\s+Master', line):
-            break
-        words = line.split()
-        hostname = words[0].lower()
-        debug3('<    %s\n' % hostname)
-        check_host(hostname)
-
-    # workgroup list section:
-    #   Workgroup  Master
-    #   ---------  ------
-    while lines:
-        line = lines.pop().strip()
-        if re.match(r'-+\s+', line):
-            continue
-        if not line:
-            break
-        words = line.split()
-        (workgroup, hostname) = (words[0].lower(), words[1].lower())
-        debug3('<    group(%s) -> %s\n' % (workgroup, hostname))
-        check_host(hostname)
-        check_workgroup(workgroup)
-
-    if lines:
-        assert(0)
-
-
-def _check_nmb(hostname, is_workgroup, is_master):
-    return
-    global _nmb_ok
-    if not _nmb_ok:
-        return
-    debug2(' > n%d%d: %s\n' % (is_workgroup, is_master, hostname))
-    argv = ['nmblookup'] + ['-M'] * is_master + ['--', hostname]
-    try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
-                              env=get_env)
-        lines = p.stdout.readlines()
-        rv = p.wait()
-    except OSError:
-        _, e = sys.exc_info()[:2]
-        log('%r failed: %r\n' % (argv, e))
-        _nmb_ok = False
-        return
-    if rv:
-        log('%r returned %d\n' % (argv, rv))
-        return
-    for line in lines:
-        m = re.match(r'(\d+\.\d+\.\d+\.\d+) (\w+)<\w\w>\n', line)
-        if m:
-            g = m.groups()
-            (ip, name) = (g[0], g[1].lower())
-            debug3('<    %s -> %s\n' % (name, ip))
-            if is_workgroup:
-                _enqueue(_check_smb, ip)
-            else:
-                found_host(name, ip)
-                check_host(name)
-
-
 def check_host(hostname):
    if _is_ip(hostname):
        _enqueue(_check_revdns, hostname)
    else:
        _enqueue(_check_dns, hostname)
-    _enqueue(_check_smb, hostname)
-    _enqueue(_check_nmb, hostname, False, False)
-
-
-def check_workgroup(hostname):
-    _enqueue(_check_nmb, hostname, True, False)
-    _enqueue(_check_nmb, hostname, True, True)


 def _enqueue(op, *args):
@ -263,12 +199,9 @@ def _stdin_still_ok(timeout):


 def hw_main(seed_hosts, auto_hosts):
-    if helpers.verbose >= 2:
    helpers.logprefix = 'HH: '
-    else:
-        helpers.logprefix = 'hostwatch: '

-    debug1('Starting hostwatch with Python version %s\n'
+    debug1('Starting hostwatch with Python version %s'
           % platform.python_version())

    for h in seed_hosts:
@ -280,18 +213,22 @@ def hw_main(seed_hosts, auto_hosts):
        _enqueue(_check_netstat)
        check_host('localhost')
        check_host(socket.gethostname())
-        check_workgroup('workgroup')
-        check_workgroup('-')

    while 1:
        now = time.time()
+        # For each item in the queue
        for t, last_polled in list(queue.items()):
            (op, args) = t
            if not _stdin_still_ok(0):
                break
+
+            # Determine if we need to run.
            maxtime = POLL_TIME
+            # netstat runs more often than other jobs
            if op == _check_netstat:
                maxtime = NETSTAT_POLL_TIME
+
+            # Check if this jobs needs to run.
            if now - last_polled > maxtime:
                queue[t] = time.time()
                op(*args)
@ -301,5 +238,5 @@ def hw_main(seed_hosts, auto_hosts):
                break

        # FIXME: use a smarter timeout based on oldest last_polled
-        if not _stdin_still_ok(1):
+        if not _stdin_still_ok(1):  # sleeps for up to 1 second
            break
--- a/sshuttle/linux.py
+++ b/sshuttle/linux.py
@ -7,7 +7,7 @@ def nonfatal(func, *args):
    try:
        func(*args)
    except Fatal as e:
-        log('fw: error: %s\n' % e)
+        log('error: %s' % e)


 def ipt_chain_exists(family, table, name):
@ -17,27 +17,27 @@ def ipt_chain_exists(family, table, name):
        cmd = 'iptables'
    else:
        raise Exception('Unsupported family "%s"' % family_to_string(family))
-    argv = [cmd, '-t', table, '-nL']
+    argv = [cmd, '-w', '-t', table, '-nL']
    try:
        output = ssubprocess.check_output(argv, env=get_env())
        for line in output.decode('ASCII').split('\n'):
            if line.startswith('Chain %s ' % name):
                return True
    except ssubprocess.CalledProcessError as e:
-        raise Fatal('fw: %r returned %d' % (argv, e.returncode))
+        raise Fatal('%r returned %d' % (argv, e.returncode))


 def ipt(family, table, *args):
    if family == socket.AF_INET6:
-        argv = ['ip6tables', '-t', table] + list(args)
+        argv = ['ip6tables', '-w', '-t', table] + list(args)
    elif family == socket.AF_INET:
-        argv = ['iptables', '-t', table] + list(args)
+        argv = ['iptables', '-w', '-t', table] + list(args)
    else:
        raise Exception('Unsupported family "%s"' % family_to_string(family))
-    debug1('%s\n' % ' '.join(argv))
+    debug1('%s' % ' '.join(argv))
    rv = ssubprocess.call(argv, env=get_env())
    if rv:
-        raise Fatal('fw: %r returned %d' % (argv, rv))
+        raise Fatal('%r returned %d' % (argv, rv))


 def nft(family, table, action, *args):
@ -45,29 +45,7 @@ def nft(family, table, action, *args):
        argv = ['nft', action, 'inet', table] + list(args)
    else:
        raise Exception('Unsupported family "%s"' % family_to_string(family))
-    debug1('%s\n' % ' '.join(argv))
+    debug1('%s' % ' '.join(argv))
    rv = ssubprocess.call(argv, env=get_env())
    if rv:
-        raise Fatal('fw: %r returned %d' % (argv, rv))
-
-
-_no_ttl_module = False
-
-
-def ipt_ttl(family, *args):
-    global _no_ttl_module
-    if not _no_ttl_module:
-        # we avoid infinite loops by generating server-side connections
-        # with ttl 63.  This makes the client side not recapture those
-        # connections, in case client == server.
-        try:
-            argsplus = list(args)
-            ipt(family, *argsplus)
-        except Fatal:
-            ipt(family, *args)
-            # we only get here if the non-ttl attempt succeeds
-            log('fw: WARNING: your iptables is missing '
-                'the ttl module.\n')
-            _no_ttl_module = True
-    else:
-        ipt(family, *args)
+        raise Fatal('%r returned %d' % (argv, rv))
--- a/sshuttle/methods/init.py
+++ b/sshuttle/methods/init.py
@ -7,8 +7,6 @@ from sshuttle.helpers import Fatal, debug3


 def original_dst(sock):
-    ip = "0.0.0.0"
-    port = -1
    try:
        family = sock.family
        SO_ORIGINAL_DST = 80
@ -66,13 +64,13 @@ class BaseMethod(object):

    @staticmethod
    def recv_udp(udp_listener, bufsize):
-        debug3('Accept UDP using recvfrom.\n')
+        debug3('Accept UDP using recvfrom.')
        data, srcip = udp_listener.recvfrom(bufsize)
        return (srcip, None, data)

    def send_udp(self, sock, srcip, dstip, data):
        if srcip is not None:
-            Fatal("Method %s send_udp does not support setting srcip to %r"
+            raise Fatal("Method %s send_udp does not support setting srcip to %r"
                        % (self.name, srcip))
        sock.sendto(data, dstip)

@ -87,11 +85,11 @@ class BaseMethod(object):
        for key in ["udp", "dns", "ipv6", "ipv4", "user"]:
            if getattr(features, key) and not getattr(avail, key):
                raise Fatal(
-                    "Feature %s not supported with method %s.\n" %
+                    "Feature %s not supported with method %s." %
                    (key, self.name))

    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
+                       user, tmark):
        raise NotImplementedError()

    def restore_firewall(self, port, family, udp, user):
@ -108,13 +106,13 @@ def get_method(method_name):


 def get_auto_method():
-    debug3("Selecting a method automatically...\n")
+    debug3("Selecting a method automatically...")
    # Try these methods, in order:
    methods_to_try = ["nat", "nft", "pf", "ipfw"]
    for m in methods_to_try:
        method = get_method(m)
        if method.is_supported():
-            debug3("Method '%s' was automatically selected.\n" % m)
+            debug3("Method '%s' was automatically selected." % m)
            return method

    raise Fatal("Unable to automatically find a supported method. Check that "
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@ -4,21 +4,6 @@ from sshuttle.methods import BaseMethod
 from sshuttle.helpers import log, debug1, debug2, debug3, \
    Fatal, family_to_string, get_env, which

-recvmsg = None
-try:
-    # try getting recvmsg from python
-    import socket as pythonsocket
-    getattr(pythonsocket.socket, "recvmsg")
-    socket = pythonsocket
-    recvmsg = "python"
-except AttributeError:
-    # try getting recvmsg from socket_ext library
-    try:
-        import socket_ext
-        getattr(socket_ext.socket, "recvmsg")
-        socket = socket_ext
-        recvmsg = "socket_ext"
-    except ImportError:
 import socket

 IP_BINDANY = 24
@ -26,9 +11,9 @@ IP_RECVDSTADDR = 7
 SOL_IPV6 = 41
 IPV6_RECVDSTADDR = 74

-if recvmsg == "python":
+
 def recv_udp(listener, bufsize):
-        debug3('Accept UDP python using recvmsg.\n')
+    debug3('Accept UDP python using recvmsg.')
    data, ancdata, _, srcip = listener.recvmsg(4096,
                                               socket.CMSG_SPACE(4))
    dstip = None
@ -39,37 +24,20 @@ if recvmsg == "python":
            dstip = (ip, port)
            break
    return (srcip, dstip, data)
-elif recvmsg == "socket_ext":
-    def recv_udp(listener, bufsize):
-        debug3('Accept UDP using socket_ext recvmsg.\n')
-        srcip, data, adata, _ = listener.recvmsg((bufsize,),
-                                                 socket.CMSG_SPACE(4))
-        dstip = None
-        for a in adata:
-            if a.cmsg_level == socket.SOL_IP and a.cmsg_type == IP_RECVDSTADDR:
-                port = 53
-                ip = socket.inet_ntop(socket.AF_INET, a.cmsg_data[0:4])
-                dstip = (ip, port)
-                break
-        return (srcip, dstip, data[0])
-else:
-    def recv_udp(listener, bufsize):
-        debug3('Accept UDP using recvfrom.\n')
-        data, srcip = listener.recvfrom(bufsize)
-        return (srcip, None, data)


 def ipfw_rule_exists(n):
-    argv = ['ipfw', 'list']
+    argv = ['ipfw', 'list', '%d' % n]
    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())

    found = False
    for line in p.stdout:
        if line.startswith(b'%05d ' % n):
-            if not ('ipttl 63' in line or 'check-state' in line):
-                log('non-sshuttle ipfw rule: %r\n' % line.strip())
+            if 'check-state :sshuttle' not in line:
+                log('non-sshuttle ipfw rule: %r' % line.strip())
                raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
            found = True
+            break
    rv = p.wait()
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
@ -84,7 +52,7 @@ def _fill_oldctls(prefix):
    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=get_env())
    for line in p.stdout:
        line = line.decode()
-        assert(line[-1] == '\n')
+        assert line[-1] == '\n'
        (k, v) = line[:-1].split(': ', 1)
        _oldctls[k] = v.strip()
    rv = p.wait()
@ -96,7 +64,7 @@ def _fill_oldctls(prefix):

 def _sysctl_set(name, val):
    argv = ['sysctl', '-w', '%s=%s' % (name, val)]
-    debug1('>> %s\n' % ' '.join(argv))
+    debug1('>> %s' % ' '.join(argv))
    return ssubprocess.call(argv, stdout=open(os.devnull, 'w'), env=get_env())
    # No env: No output. (Or error that won't be parsed.)

@ -106,18 +74,18 @@ _changedctls = []

 def sysctl_set(name, val, permanent=False):
    PREFIX = 'net.inet.ip'
-    assert(name.startswith(PREFIX + '.'))
+    assert name.startswith(PREFIX + '.')
    val = str(val)
    if not _oldctls:
        _fill_oldctls(PREFIX)
    if not (name in _oldctls):
-        debug1('>> No such sysctl: %r\n' % name)
+        debug1('>> No such sysctl: %r' % name)
        return False
    oldval = _oldctls[name]
    if val != oldval:
        rv = _sysctl_set(name, val)
        if rv == 0 and permanent:
-            debug1('>>   ...saving permanently in /etc/sysctl.conf\n')
+            debug1('>>   ...saving permanently in /etc/sysctl.conf')
            f = open('/etc/sysctl.conf', 'a')
            f.write('\n'
                    '# Added by sshuttle\n'
@ -130,7 +98,7 @@ def sysctl_set(name, val, permanent=False):

 def ipfw(*args):
    argv = ['ipfw', '-q'] + list(args)
-    debug1('>> %s\n' % ' '.join(argv))
+    debug1('>> %s' % ' '.join(argv))
    rv = ssubprocess.call(argv, env=get_env())
    # No env: No output. (Or error that won't be parsed.)
    if rv:
@ -139,7 +107,7 @@ def ipfw(*args):

 def ipfw_noexit(*args):
    argv = ['ipfw', '-q'] + list(args)
-    debug1('>> %s\n' % ' '.join(argv))
+    debug1('>> %s' % ' '.join(argv))
    ssubprocess.call(argv, env=get_env())
    # No env: No output. (Or error that won't be parsed.)

@ -161,7 +129,7 @@ class Method(BaseMethod):
        if not dstip:
            debug1(
                   "-- ignored UDP from %r: "
-                   "couldn't determine destination IP address\n" % (srcip,))
+                   "couldn't determine destination IP address" % (srcip,))
            return None
        return srcip, dstip, data

@ -169,15 +137,14 @@ class Method(BaseMethod):
        if not srcip:
            debug1(
               "-- ignored UDP to %r: "
-               "couldn't determine source IP address\n" % (dstip,))
+               "couldn't determine source IP address" % (dstip,))
            return

-        # debug3('Sending SRC: %r DST: %r\n' % (srcip, dstip))
+        # debug3('Sending SRC: %r DST: %r' % (srcip, dstip))
        sender = socket.socket(sock.family, socket.SOCK_DGRAM)
        sender.setsockopt(socket.SOL_IP, IP_BINDANY, 1)
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
-        sender.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
        sender.bind(srcip)
        sender.sendto(data, dstip)
        sender.close()
@ -189,7 +156,7 @@ class Method(BaseMethod):
        #     udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)

    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
+                       user, tmark):
        # IPv6 not supported
        if family not in [socket.AF_INET]:
            raise Exception(
@ -207,8 +174,7 @@ class Method(BaseMethod):
        if subnets or dnsport:
            sysctl_set('net.inet.ip.fw.enable', 1)

-        ipfw('add', '1', 'check-state', 'ip',
-             'from', 'any', 'to', 'any')
+        ipfw('add', '1', 'check-state', ':sshuttle')

        ipfw('add', '1', 'skipto', '2',
             'tcp',
@ -216,7 +182,7 @@ class Method(BaseMethod):
        ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
             'tcp',
             'from', 'any', 'to', 'table(126)',
-             'not', 'ipttl', '63', 'keep-state', 'setup')
+             'setup', 'keep-state', ':sshuttle')

        ipfw_noexit('table', '124', 'flush')
        dnscount = 0
@ -227,17 +193,15 @@ class Method(BaseMethod):
            ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
                 'udp',
                 'from', 'any', 'to', 'table(124)',
-                 'not', 'ipttl', '63')
+                 'keep-state', ':sshuttle')
        ipfw('add', '1', 'allow',
             'udp',
-             'from', 'any', 'to', 'any',
-             'ipttl', '63')
+             'from', 'any', 'to', 'any')

        if subnets:
            # create new subnet entries
-            for _, swidth, sexclude, snet in sorted(subnets,
-                                                    key=lambda s: s[1],
-                                                    reverse=True):
+            for _, swidth, sexclude, snet, fport, lport \
+                    in sorted(subnets, key=lambda s: s[1], reverse=True):
                if sexclude:
                    ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
                else:
@ -246,7 +210,7 @@ class Method(BaseMethod):
    def restore_firewall(self, port, family, udp, user):
        if family not in [socket.AF_INET]:
            raise Exception(
-                'Address family "%s" unsupported by tproxy method'
+                'Address family "%s" unsupported by ipfw method'
                % family_to_string(family))

        ipfw_noexit('delete', '1')
@ -258,5 +222,5 @@ class Method(BaseMethod):
        if which("ipfw"):
            return True
        debug2("ipfw method not supported because 'ipfw' command is "
-               "missing.\n")
+               "missing.")
        return False
--- a/sshuttle/methods/nat.py
+++ b/sshuttle/methods/nat.py
@ -1,7 +1,7 @@
 import socket
 from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import family_to_string, which, debug2
-from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists, nonfatal
+from sshuttle.linux import ipt, ipt_chain_exists, nonfatal
 from sshuttle.methods import BaseMethod


@ -13,23 +13,18 @@ class Method(BaseMethod):
    # recently-started one will win (because we use "-I OUTPUT 1" instead of
    # "-A OUTPUT").
    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
-        # only ipv4 supported with NAT
-        if family != socket.AF_INET:
+                       user, tmark):
+        if family != socket.AF_INET and family != socket.AF_INET6:
            raise Exception(
                'Address family "%s" unsupported by nat method_name'
                % family_to_string(family))
        if udp:
            raise Exception("UDP not supported by nat method_name")
-
        table = "nat"

        def _ipt(*args):
            return ipt(family, table, *args)

-        def _ipt_ttl(*args):
-            return ipt_ttl(family, table, *args)
-
        def _ipm(*args):
            return ipt(family, "mangle", *args)

@ -50,16 +45,11 @@ class Method(BaseMethod):
        _ipt('-I', 'OUTPUT', '1', *args)
        _ipt('-I', 'PREROUTING', '1', *args)

-        # This TTL hack allows the client and server to run on the
-        # same host. The connections the sshuttle server makes will
-        # have TTL set to 63.
-        _ipt_ttl('-A', chain, '-j', 'RETURN',  '-m', 'ttl', '--ttl', '63')
-
        # Redirect DNS traffic as requested. This includes routing traffic
        # to localhost DNS servers through sshuttle.
        for _, ip in [i for i in nslist if i[0] == family]:
            _ipt('-A', chain, '-j', 'REDIRECT',
-                 '--dest', '%s/32' % ip,
+                 '--dest', '%s' % ip,
                 '-p', 'udp',
                 '--dport', '53',
                 '--to-ports', str(dnsport))
@ -87,7 +77,7 @@ class Method(BaseMethod):

    def restore_firewall(self, port, family, udp, user):
        # only ipv4 supported with NAT
-        if family != socket.AF_INET:
+        if family != socket.AF_INET and family != socket.AF_INET6:
            raise Exception(
                'Address family "%s" unsupported by nat method_name'
                % family_to_string(family))
@ -99,9 +89,6 @@ class Method(BaseMethod):
        def _ipt(*args):
            return ipt(family, table, *args)

-        def _ipt_ttl(*args):
-            return ipt_ttl(family, table, *args)
-
        def _ipm(*args):
            return ipt(family, "mangle", *args)

@ -123,11 +110,12 @@ class Method(BaseMethod):
    def get_supported_features(self):
        result = super(Method, self).get_supported_features()
        result.user = True
+        result.ipv6 = True
        return result

    def is_supported(self):
        if which("iptables"):
            return True
        debug2("nat method not supported because 'iptables' command "
-               "is missing.\n")
+               "is missing.")
        return False
--- a/sshuttle/methods/nft.py
+++ b/sshuttle/methods/nft.py
@ -13,7 +13,7 @@ class Method(BaseMethod):
    # recently-started one will win (because we use "-I OUTPUT 1" instead of
    # "-A OUTPUT").
    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
+                       user, tmark):
        if udp:
            raise Exception("UDP not supported by nft")

@ -45,14 +45,6 @@ class Method(BaseMethod):
        else:
            _nft('add rule', chain, 'meta', 'nfproto', '!=', 'ipv6', 'return')

-        # This TTL hack allows the client and server to run on the
-        # same host. The connections the sshuttle server makes will
-        # have TTL set to 63.
-        if family == socket.AF_INET:
-            _nft('add rule', chain, 'ip ttl == 63 return')
-        elif family == socket.AF_INET6:
-            _nft('add rule', chain, 'ip6 hoplimit == 63 return')
-
        # Strings to use below to simplify our code
        if family == socket.AF_INET:
            ip_version_l = 'ipv4'
@ -118,5 +110,5 @@ class Method(BaseMethod):
    def is_supported(self):
        if which("nft"):
            return True
-        debug2("nft method not supported because 'nft' command is missing.\n")
+        debug2("nft method not supported because 'nft' command is missing.")
        return False
--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@ -11,8 +11,8 @@ from fcntl import ioctl
 from ctypes import c_char, c_uint8, c_uint16, c_uint32, Union, Structure, \
    sizeof, addressof, memmove
 from sshuttle.firewall import subnet_weight
-from sshuttle.helpers import debug1, debug2, debug3, Fatal, family_to_string, \
-    get_env, which
+from sshuttle.helpers import log, debug1, debug2, debug3, Fatal, \
+     family_to_string, get_env, which
 from sshuttle.methods import BaseMethod


@ -386,13 +386,17 @@ else:

 def pfctl(args, stdin=None):
    argv = ['pfctl'] + shlex.split(args)
-    debug1('>> %s\n' % ' '.join(argv))
+    debug1('>> %s' % ' '.join(argv))
    p = ssubprocess.Popen(argv, stdin=ssubprocess.PIPE,
                          stdout=ssubprocess.PIPE,
                          stderr=ssubprocess.PIPE,
                          env=get_env())
    o = p.communicate(stdin)
    if p.returncode:
+        log('%r returned %d, stdout and stderr follows: ' %
+            (argv, p.returncode))
+        log("stdout:\n%s" % o[0].decode("ascii"))
+        log("stderr:\n%s" % o[1].decode("ascii"))
        raise Fatal('%r returned %d' % (argv, p.returncode))

    return o
@ -444,7 +448,7 @@ class Method(BaseMethod):
        return sock.getsockname()

    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
+                       user, tmark):
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by pf method_name'
@ -495,5 +499,5 @@ class Method(BaseMethod):
    def is_supported(self):
        if which("pfctl"):
            return True
-        debug2("pf method not supported because 'pfctl' command is missing.\n")
+        debug2("pf method not supported because 'pfctl' command is missing.")
        return False
--- a/sshuttle/methods/tproxy.py
+++ b/sshuttle/methods/tproxy.py
@ -1,26 +1,12 @@
 import struct
 from sshuttle.firewall import subnet_weight
 from sshuttle.helpers import family_to_string
-from sshuttle.linux import ipt, ipt_ttl, ipt_chain_exists
+from sshuttle.linux import ipt, ipt_chain_exists
 from sshuttle.methods import BaseMethod
 from sshuttle.helpers import debug1, debug2, debug3, Fatal, which

-recvmsg = None
-try:
-    # try getting recvmsg from python
-    import socket as pythonsocket
-    getattr(pythonsocket.socket, "recvmsg")
-    socket = pythonsocket
-    recvmsg = "python"
-except AttributeError:
-    # try getting recvmsg from socket_ext library
-    try:
-        import socket_ext
-        getattr(socket_ext.socket, "recvmsg")
-        socket = socket_ext
-        recvmsg = "socket_ext"
-    except ImportError:
 import socket
+import os


 IP_TRANSPARENT = 19
@ -30,9 +16,9 @@ SOL_IPV6 = 41
 IPV6_ORIGDSTADDR = 74
 IPV6_RECVORIGDSTADDR = IPV6_ORIGDSTADDR

-if recvmsg == "python":
+
 def recv_udp(listener, bufsize):
-        debug3('Accept UDP python using recvmsg.\n')
+    debug3('Accept UDP python using recvmsg.')
    data, ancdata, _, srcip = listener.recvmsg(
        4096, socket.CMSG_SPACE(24))
    dstip = None
@ -61,44 +47,6 @@ if recvmsg == "python":
            dstip = (ip, port)
            break
    return (srcip, dstip, data)
-elif recvmsg == "socket_ext":
-    def recv_udp(listener, bufsize):
-        debug3('Accept UDP using socket_ext recvmsg.\n')
-        srcip, data, adata, _ = listener.recvmsg(
-            (bufsize,), socket.CMSG_SPACE(24))
-        dstip = None
-        family = None
-        for a in adata:
-            if a.cmsg_level == socket.SOL_IP and a.cmsg_type == IP_ORIGDSTADDR:
-                family, port = struct.unpack('=HH', a.cmsg_data[0:4])
-                port = socket.htons(port)
-                if family == socket.AF_INET:
-                    start = 4
-                    length = 4
-                else:
-                    raise Fatal("Unsupported socket type '%s'" % family)
-                ip = socket.inet_ntop(
-                    family, a.cmsg_data[start:start + length])
-                dstip = (ip, port)
-                break
-            elif a.cmsg_level == SOL_IPV6 and a.cmsg_type == IPV6_ORIGDSTADDR:
-                family, port = struct.unpack('=HH', a.cmsg_data[0:4])
-                port = socket.htons(port)
-                if family == socket.AF_INET6:
-                    start = 8
-                    length = 16
-                else:
-                    raise Fatal("Unsupported socket type '%s'" % family)
-                ip = socket.inet_ntop(
-                    family, a.cmsg_data[start:start + length])
-                dstip = (ip, port)
-                break
-        return (srcip, dstip, data[0])
-else:
-    def recv_udp(listener, bufsize):
-        debug3('Accept UDP using recvfrom.\n')
-        data, srcip = listener.recvfrom(bufsize)
-        return (srcip, None, data)


 class Method(BaseMethod):
@ -106,10 +54,6 @@ class Method(BaseMethod):
    def get_supported_features(self):
        result = super(Method, self).get_supported_features()
        result.ipv6 = True
-        if recvmsg is None:
-            result.udp = False
-            result.dns = False
-        else:
        result.udp = True
        result.dns = True
        return result
@ -126,6 +70,15 @@ class Method(BaseMethod):
            return None
        return srcip, dstip, data

+    def setsockopt_error(self, e):
+        """The tproxy method needs root permissions to successfully
+        set the IP_TRANSPARENT option on sockets. This method is
+        called when we receive a PermissionError when trying to do
+        so."""
+        raise Fatal("Insufficient permissions for tproxy method.\n"
+                    "Your effective UID is %d, not 0. Try rerunning as root.\n"
+                    % os.geteuid())
+
    def send_udp(self, sock, srcip, dstip, data):
        if not srcip:
            debug1(
@ -134,16 +87,26 @@ class Method(BaseMethod):
            return
        sender = socket.socket(sock.family, socket.SOCK_DGRAM)
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+        try:
            sender.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
+        except PermissionError as e:
+            self.setsockopt_error(e)
        sender.bind(srcip)
        sender.sendto(data, dstip)
        sender.close()

    def setup_tcp_listener(self, tcp_listener):
+        try:
            tcp_listener.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
+        except PermissionError as e:
+            self.setsockopt_error(e)

    def setup_udp_listener(self, udp_listener):
+        try:
            udp_listener.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
+        except PermissionError as e:
+            self.setsockopt_error(e)
+
        if udp_listener.v4 is not None:
            udp_listener.v4.setsockopt(
                socket.SOL_IP, IP_RECVORIGDSTADDR, 1)
@ -151,17 +114,7 @@ class Method(BaseMethod):
            udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVORIGDSTADDR, 1)

    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-                       user):
-        if self.firewall is None:
-            tmark = '1'
-        else:
-            tmark = self.firewall.tmark
-
-        self.setup_firewall_tproxy(port, dnsport, nslist, family, subnets, udp,
-                                   user, tmark)
-
-    def setup_firewall_tproxy(self, port, dnsport, nslist, family, subnets,
-                              udp, user, tmark):
+                       user, tmark):
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by tproxy method'
@ -172,9 +125,6 @@ class Method(BaseMethod):
        def _ipt(*args):
            return ipt(family, table, *args)

-        def _ipt_ttl(*args):
-            return ipt_ttl(family, table, *args)
-
        def _ipt_proto_ports(proto, fport, lport):
            return proto + ('--dport', '%d:%d' % (fport, lport)) \
                if fport else proto
@ -192,8 +142,24 @@ class Method(BaseMethod):
        _ipt('-F', divert_chain)
        _ipt('-N', tproxy_chain)
        _ipt('-F', tproxy_chain)
-        _ipt('-I', 'OUTPUT', tmark, '-j', mark_chain)
-        _ipt('-I', 'PREROUTING', tmark, '-j', tproxy_chain)
+        _ipt('-I', 'OUTPUT', '1', '-j', mark_chain)
+        _ipt('-I', 'PREROUTING', '1', '-j', tproxy_chain)
+
+        # Don't have packets sent to any of our local IP addresses go
+        # through the tproxy or mark chains.
+        #
+        # Without this fix, if a large subnet is redirected through
+        # sshuttle (i.e., 0/0), then the user may be unable to receive
+        # UDP responses or connect to their own machine using an IP
+        # besides (127.0.0.1). Prior to including these lines, the
+        # documentation reminded the user to use -x to exclude their
+        # own IP addresses to receive UDP responses if they are
+        # redirecting a large subnet through sshuttle (i.e., 0/0).
+        _ipt('-A', tproxy_chain, '-j', 'RETURN', '-m', 'addrtype',
+             '--dst-type', 'LOCAL')
+        _ipt('-A', mark_chain, '-j', 'RETURN', '-m', 'addrtype',
+             '--dst-type', 'LOCAL')
+
        _ipt('-A', divert_chain, '-j', 'MARK', '--set-mark', tmark)
        _ipt('-A', divert_chain, '-j', 'ACCEPT')
        _ipt('-A', tproxy_chain, '-m', 'socket', '-j', divert_chain,
@ -208,7 +174,7 @@ class Method(BaseMethod):
                 '--dest', '%s/32' % ip,
                 '-m', 'udp', '-p', 'udp', '--dport', '53')
            _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                 '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
+                 '--tproxy-mark', tmark,
                 '--dest', '%s/32' % ip,
                 '-m', 'udp', '-p', 'udp', '--dport', '53',
                 '--on-port', str(dnsport))
@ -233,7 +199,7 @@ class Method(BaseMethod):
                     '-m', 'tcp',
                     *tcp_ports)
                _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                     '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
+                     '--tproxy-mark', tmark,
                     '--dest', '%s/%s' % (snet, swidth),
                     '-m', 'tcp',
                     *(tcp_ports + ('--on-port', str(port))))
@ -257,7 +223,7 @@ class Method(BaseMethod):
                         '-m', 'udp',
                         *udp_ports)
                    _ipt('-A', tproxy_chain, '-j', 'TPROXY',
-                         '--tproxy-mark', '0x'+tmark+'/0x'+tmark,
+                         '--tproxy-mark', tmark,
                         '--dest', '%s/%s' % (snet, swidth),
                         '-m', 'udp',
                         *(udp_ports + ('--on-port', str(port))))
@ -273,9 +239,6 @@ class Method(BaseMethod):
        def _ipt(*args):
            return ipt(family, table, *args)

-        def _ipt_ttl(*args):
-            return ipt_ttl(family, table, *args)
-
        mark_chain = 'sshuttle-m-%s' % port
        tproxy_chain = 'sshuttle-t-%s' % port
        divert_chain = 'sshuttle-d-%s' % port
--- a/sshuttle/options.py
+++ b/sshuttle/options.py
@ -37,9 +37,9 @@ def parse_subnetport_file(s):
 def parse_subnetport(s):

    if s.count(':') > 1:
-        rx = r'(?:\[?([\w\:]+)(?:/(\d+))?]?)(?::(\d+)(?:-(\d+))?)?$'
+        rx = r'(?:\[?(?:\*\.)?([\w\:]+)(?:/(\d+))?]?)(?::(\d+)(?:-(\d+))?)?$'
    else:
-        rx = r'([\w\.\-]+)(?:/(\d+))?(?::(\d+)(?:-(\d+))?)?$'
+        rx = r'((?:\*\.)?[\w\.\-]+)(?:/(\d+))?(?::(\d+)(?:-(\d+))?)?$'

    m = re.match(rx, s)
    if not m:
@ -132,6 +132,7 @@ def parse_ipport(s):


 def parse_list(lst):
+    """Parse a comma separated string into a list."""
    return re.split(r'[\s,]+', lst.strip()) if lst else []


@ -146,9 +147,33 @@ class Concat(Action):
        setattr(namespace, self.dest, curr_value + values)


-parser = ArgumentParser(
+# Override one function in the ArgumentParser so that we can have
+# better control for how we parse files containing arguments. We
+# expect one argument per line, but strip whitespace/quotes from the
+# beginning/end of the lines.
+class MyArgumentParser(ArgumentParser):
+    def convert_arg_line_to_args(self, arg_line):
+        # Ignore comments
+        if arg_line.startswith("#"):
+            return []
+
+        # strip whitespace at beginning and end of line
+        arg_line = arg_line.strip()
+
+        # When copying parameters from the command line to a file,
+        # some users might copy the quotes they used on the command
+        # line into the config file. We ignore these if the line
+        # starts and ends with the same quote.
+        if arg_line.startswith("'") and arg_line.endswith("'") or \
+           arg_line.startswith('"') and arg_line.endswith('"'):
+            arg_line = arg_line[1:-1]
+
+        return [arg_line]
+
+
+parser = MyArgumentParser(
    prog="sshuttle",
-    usage="%(prog)s [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>",
+    usage="%(prog)s [-l [ip:]port] -r [user@]sshserver[:port] <subnets...>",
    fromfile_prefix_chars="@"
 )
 parser.add_argument(
@ -196,6 +221,7 @@ parser.add_argument(
    type=parse_list,
    help="""
    capture and forward DNS requests made to the following servers
+    (comma separated)
    """
 )
 parser.add_argument(
@ -256,7 +282,7 @@ parser.add_argument(
    action="count",
    default=0,
    help="""
-    increase debug message verbosity
+    increase debug message verbosity (can be used more than once)
    """
 )
 parser.add_argument(
@ -370,18 +396,15 @@ parser.add_argument(
    (internal use only)
    """
 )
-parser.add_argument(
-    "--sudoers",
-    action="store_true",
-    help="""
-    Add sshuttle to the sudoers for this user
-    """
-)
 parser.add_argument(
    "--sudoers-no-modify",
    action="store_true",
    help="""
-    Prints the sudoers config to STDOUT and DOES NOT modify anything.
+    Prints a sudo configuration to STDOUT which allows a user to
+    run sshuttle without a password. This option is INSECURE because,
+    with some cleverness, it also allows the user to run any command
+    as root without a password. The output also includes a suggested
+    method for you to install the configuration.
    """
 )
 parser.add_argument(
@ -389,16 +412,7 @@ parser.add_argument(
    default="",
    help="""
    Set the user name or group with %%group_name for passwordless operation.
-    Default is the current user.set ALL for all users. Only works with
-    --sudoers or --sudoers-no-modify option.
-    """
-)
-parser.add_argument(
-    "--sudoers-filename",
-    default="sshuttle_auto",
-    help="""
-    Set the file name for the sudoers.d file to be added. Default is
-    "sshuttle_auto". Only works with --sudoers or --sudoers-no-modify option.
+    Default is the current user. Only works with the --sudoers-no-modify option.
    """
 )
 parser.add_argument(
@ -412,8 +426,9 @@ parser.add_argument(
 parser.add_argument(
    "-t", "--tmark",
    metavar="[MARK]",
-    default="1",
+    default="0x01",
    help="""
-    transproxy optional traffic mark with provided MARK value
+    tproxy optional traffic mark with provided MARK value in
+    hexadecimal (default '0x01')
    """
 )
--- a/sshuttle/sdnotify.py
+++ b/sshuttle/sdnotify.py
@ -26,7 +26,7 @@ def _notify(message):
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    except (OSError, IOError) as e:
-        debug1("Error creating socket to notify systemd: %s\n" % e)
+        debug1("Error creating socket to notify systemd: %s" % e)
        return False

    if not message:
@ -37,7 +37,7 @@ def _notify(message):
    try:
        return (sock.sendto(message, addr) > 0)
    except (OSError, IOError) as e:
-        debug1("Error notifying systemd: %s\n" % e)
+        debug1("Error notifying systemd: %s" % e)
        return False


--- a/sshuttle/server.py
+++ b/sshuttle/server.py
@ -5,7 +5,6 @@ import traceback
 import time
 import sys
 import os
-import platform


 import sshuttle.ssnet as ssnet
@ -35,7 +34,6 @@ def _ipmatch(ipstr):
        elif g[3] is None:
            ips += '.0'
            width = min(width, 24)
-        ips = ips
        return (struct.unpack('!I', socket.inet_aton(ips))[0], width)


@ -96,7 +94,7 @@ def _list_routes(argv, extract_route):
            (socket.AF_INET, socket.inet_ntoa(struct.pack('!I', ip)), width))
    rv = p.wait()
    if rv != 0:
-        log('WARNING: %r returned %d\n' % (argv, rv))
+        log('WARNING: %r returned %d' % (argv, rv))

    return routes

@ -108,7 +106,7 @@ def list_routes():
        routes = _list_routes(['netstat', '-rn'], _route_netstat)
    else:
        log('WARNING: Neither "ip" nor "netstat" were found on the server. '
-            '--auto-nets feature will not work.\n')
+            '--auto-nets feature will not work.')
        routes = []

    for (family, ip, width) in routes:
@ -135,7 +133,7 @@ def start_hostwatch(seed_hosts, auto_hosts):
                s1.close()
                rv = hostwatch.hw_main(seed_hosts, auto_hosts) or 0
            except Exception:
-                log('%s\n' % _exc_dump())
+                log('%s' % _exc_dump())
                rv = 98
        finally:
            os._exit(rv)
@ -191,12 +189,11 @@ class DnsProxy(Handler):

        family, sockaddr = self._addrinfo(peer, port)
        sock = socket.socket(family, socket.SOCK_DGRAM)
-        sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
        sock.connect(sockaddr)

        self.peers[sock] = peer

-        debug2('DNS: sending to %r:%d (try %d)\n' % (peer, port, self.tries))
+        debug2('DNS: sending to %r:%d (try %d)' % (peer, port, self.tries))
        try:
            sock.send(self.request)
            self.socks.append(sock)
@ -206,11 +203,11 @@ class DnsProxy(Handler):
                # might have been spurious; try again.
                # Note: these errors sometimes are reported by recv(),
                # and sometimes by send().  We have to catch both.
-                debug2('DNS send to %r: %s\n' % (peer, e))
+                debug2('DNS send to %r: %s' % (peer, e))
                self.try_send()
                return
            else:
-                log('DNS send to %r: %s\n' % (peer, e))
+                log('DNS send to %r: %s' % (peer, e))
                return

    def callback(self, sock):
@ -227,13 +224,13 @@ class DnsProxy(Handler):
                # might have been spurious; try again.
                # Note: these errors sometimes are reported by recv(),
                # and sometimes by send().  We have to catch both.
-                debug2('DNS recv from %r: %s\n' % (peer, e))
+                debug2('DNS recv from %r: %s' % (peer, e))
                self.try_send()
                return
            else:
-                log('DNS recv from %r: %s\n' % (peer, e))
+                log('DNS recv from %r: %s' % (peer, e))
                return
-        debug2('DNS response: %d bytes\n' % len(data))
+        debug2('DNS response: %d bytes' % len(data))
        self.mux.send(self.chan, ssnet.CMD_DNS_RESPONSE, data)
        self.ok = False

@ -247,16 +244,14 @@ class UdpProxy(Handler):
        self.mux = mux
        self.chan = chan
        self.sock = sock
-        if family == socket.AF_INET:
-            self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)

    def send(self, dstip, data):
-        debug2(' s: UDP: sending to %r port %d\n' % dstip)
+        debug2('UDP: sending to %r port %d' % dstip)
        try:
            self.sock.sendto(data, dstip)
        except socket.error:
            _, e = sys.exc_info()[:2]
-            log(' s: UDP send to %r port %d: %s\n' % (dstip[0], dstip[1], e))
+            log('UDP send to %r port %d: %s' % (dstip[0], dstip[1], e))
            return

    def callback(self, sock):
@ -264,19 +259,22 @@ class UdpProxy(Handler):
            data, peer = sock.recvfrom(4096)
        except socket.error:
            _, e = sys.exc_info()[:2]
-            log(' s: UDP recv from %r port %d: %s\n' % (peer[0], peer[1], e))
+            log('UDP recv from %r port %d: %s' % (peer[0], peer[1], e))
            return
-        debug2(' s: UDP response: %d bytes\n' % len(data))
+        debug2('UDP response: %d bytes' % len(data))
        hdr = b("%s,%r," % (peer[0], peer[1]))
        self.mux.send(self.chan, ssnet.CMD_UDP_DATA, hdr + data)


-def main(latency_control, auto_hosts, to_nameserver, auto_nets):
-    debug1(' s: Starting server with Python version %s\n'
-           % platform.python_version())
-
+def main(latency_control, latency_buffer_size, auto_hosts, to_nameserver,
+         auto_nets):
+    try:
        helpers.logprefix = ' s: '
-    debug1('latency control setting = %r\n' % latency_control)
+
+        debug1('latency control setting = %r' % latency_control)
+        if latency_buffer_size:
+            import sshuttle.ssnet as ssnet
+            ssnet.LATENCY_BUFFER_SIZE = latency_buffer_size

        # synchronization header
        sys.stdout.write('\0\0SSHUTTLE0001')
@ -286,12 +284,12 @@ def main(latency_control, auto_hosts, to_nameserver, auto_nets):
        mux = Mux(sys.stdin, sys.stdout)
        handlers.append(mux)

-    debug1('auto-nets:' + str(auto_nets) + '\n')
+        debug1('auto-nets:' + str(auto_nets))
        if auto_nets:
            routes = list(list_routes())
-        debug1('available routes:\n')
+            debug1('available routes:')
            for r in routes:
-            debug1('  %d/%s/%d\n' % r)
+                debug1('  %d/%s/%d' % r)
        else:
            routes = []

@ -304,7 +302,7 @@ def main(latency_control, auto_hosts, to_nameserver, auto_nets):
        hw.leftover = b('')

        def hostwatch_ready(sock):
-        assert(hw.pid)
+            assert hw.pid
            content = hw.sock.recv(4096)
            if content:
                lines = (hw.leftover + content).split(b('\n'))
@ -316,7 +314,7 @@ def main(latency_control, auto_hosts, to_nameserver, auto_nets):
                    hw.leftover = b('')
                mux.send(0, ssnet.CMD_HOST_LIST, b('\n').join(lines))
            else:
-            raise Fatal(' s: hostwatch process died')
+                raise Fatal('hostwatch process died')

        def got_host_req(data):
            if not hw.pid:
@ -343,7 +341,7 @@ def main(latency_control, auto_hosts, to_nameserver, auto_nets):
        dnshandlers = {}

        def dns_req(channel, data):
-        debug2('Incoming DNS request channel=%d.\n' % channel)
+            debug2('Incoming DNS request channel=%d.' % channel)
            h = DnsProxy(mux, channel, data, to_nameserver)
            handlers.append(h)
            dnshandlers[channel] = h
@ -352,25 +350,28 @@ def main(latency_control, auto_hosts, to_nameserver, auto_nets):
        udphandlers = {}

        def udp_req(channel, cmd, data):
-        debug2('Incoming UDP request channel=%d, cmd=%d\n' % (channel, cmd))
+            debug2('Incoming UDP request channel=%d, cmd=%d' %
+                   (channel, cmd))
            if cmd == ssnet.CMD_UDP_DATA:
                (dstip, dstport, data) = data.split(b(','), 2)
                dstport = int(dstport)
-            debug2('is incoming UDP data. %r %d.\n' % (dstip, dstport))
+                debug2('is incoming UDP data. %r %d.' % (dstip, dstport))
                h = udphandlers[channel]
                h.send((dstip, dstport), data)
            elif cmd == ssnet.CMD_UDP_CLOSE:
-            debug2('is incoming UDP close\n')
+                debug2('is incoming UDP close')
                h = udphandlers[channel]
                h.ok = False
                del mux.channels[channel]

        def udp_open(channel, data):
-        debug2('Incoming UDP open.\n')
+            debug2('Incoming UDP open.')
            family = int(data)
-        mux.channels[channel] = lambda cmd, data: udp_req(channel, cmd, data)
+            mux.channels[channel] = lambda cmd, data: udp_req(channel, cmd,
+                                                              data)
            if channel in udphandlers:
-            raise Fatal(' s: UDP connection channel %d already open' % channel)
+                raise Fatal('UDP connection channel %d already open' %
+                            channel)
            else:
                h = UdpProxy(mux, channel, family)
                handlers.append(h)
@ -379,11 +380,11 @@ def main(latency_control, auto_hosts, to_nameserver, auto_nets):

        while mux.ok:
            if hw.pid:
-            assert(hw.pid > 0)
+                assert hw.pid > 0
                (rpid, rv) = os.waitpid(hw.pid, os.WNOHANG)
                if rpid:
                    raise Fatal(
-                    'hostwatch exited unexpectedly: code 0x%04x\n' % rv)
+                        'hostwatch exited unexpectedly: code 0x%04x' % rv)

            ssnet.runonce(handlers, mux)
            if latency_control:
@ -394,7 +395,7 @@ def main(latency_control, auto_hosts, to_nameserver, auto_nets):
                remove = []
                for channel, h in dnshandlers.items():
                    if h.timeout < now or not h.ok:
-                    debug3('expiring dnsreqs channel=%d\n' % channel)
+                        debug3('expiring dnsreqs channel=%d' % channel)
                        remove.append(channel)
                        h.ok = False
                for channel in remove:
@ -403,8 +404,12 @@ def main(latency_control, auto_hosts, to_nameserver, auto_nets):
                remove = []
                for channel, h in udphandlers.items():
                    if not h.ok:
-                    debug3('expiring UDP channel=%d\n' % channel)
+                        debug3('expiring UDP channel=%d' % channel)
                        remove.append(channel)
                        h.ok = False
                for channel in remove:
                    del udphandlers[channel]
+
+    except Fatal as e:
+        log('fatal: %s' % e)
+        sys.exit(99)
--- a/sshuttle/ssh.py
+++ b/sshuttle/ssh.py
@ -61,11 +61,11 @@ def parse_hostport(rhostport):
    if ":" in host:
        # IPv6 address and/or got a port specified

-        # If it is an IPv6 adress with port specification,
+        # If it is an IPv6 address with port specification,
        # then it will look like: [::1]:22

        try:
-            # try to parse host as an IP adress,
+            # try to parse host as an IP address,
            # if that works it is an IPv6 address
            host = str(ipaddress.ip_address(host))
        except ValueError:
@ -103,11 +103,21 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
                empackage(z, 'sshuttle.server') +
                b"\n")

+    # If the exec() program calls sys.exit(), it should exit python
+    # and the sys.exit(98) call won't be reached (so we try to only
+    # exit that way in the server). However, if the code that we
+    # exec() simply returns from main, then we will return from
+    # exec(). If the server's python process dies, it should stop
+    # executing and also won't reach sys.exit(98).
+    #
+    # So, we shouldn't reach sys.exit(98) and we certainly shouldn't
+    # reach it immediately after trying to start the server.
    pyscript = r"""
                import sys, os;
                verbosity=%d;
                sys.stdin = os.fdopen(0, "rb");
-                exec(compile(sys.stdin.read(%d), "assembler.py", "exec"))
+                exec(compile(sys.stdin.read(%d), "assembler.py", "exec"));
+                sys.exit(98);
                """ % (helpers.verbose or 0, len(content))
    pyscript = re.sub(r'\s+', ' ', pyscript.strip())

@ -127,8 +137,47 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
        if python:
            pycmd = "'%s' -c '%s'" % (python, pyscript)
        else:
+            # By default, we run the following code in a shell.
+            # However, with restricted shells and other unusual
+            # situations, there can be trouble. See the RESTRICTED
+            # SHELL section in "man bash" for more information. The
+            # code makes many assumptions:
+            #
+            # (1) That /bin/sh exists and that we can call it.
+            # Restricted shells often do *not* allow you to run
+            # programs specified with an absolute path like /bin/sh.
+            # Either way, if there is trouble with this, it should
+            # return error code 127.
+            #
+            # (2) python3 or python exists in the PATH and is
+            # executable. If they aren't, then exec won't work (see (4)
+            # below).
+            #
+            # (3) In /bin/sh, that we can redirect stderr in order to
+            # hide the version that "python3 -V" might print (some
+            # restricted shells don't allow redirection, see
+            # RESTRICTED SHELL section in 'man bash'). However, if we
+            # are in a restricted shell, we'd likely have trouble with
+            # assumption (1) above.
+            #
+            # (4) The 'exec' command should work except if we failed
+            # to exec python because it doesn't exist or isn't
+            # executable OR if exec isn't allowed (some restricted
+            # shells don't allow exec). If the exec succeeded, it will
+            # not return and not get to the "exit 97" command. If exec
+            # does return, we exit with code 97.
+            #
+            # Specifying the exact python program to run with --python
+            # avoids many of the issues above. However, if
+            # you have a restricted shell on remote, you may only be
+            # able to run python if it is in your PATH (and you can't
+            # run programs specified with an absolute path). In that
+            # case, sshuttle might not work at all since it is not
+            # possible to run python on the remote machine---even if
+            # it is present.
            pycmd = ("P=python3; $P -V 2>%s || P=python; "
-                     "exec \"$P\" -c %s") % (os.devnull, quote(pyscript))
+                     "exec \"$P\" -c %s; exit 97") % \
+                (os.devnull, quote(pyscript))
            pycmd = ("/bin/sh -c {}".format(quote(pycmd)))

        if password is not None:
@ -160,7 +209,7 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
    s1a, s1b = os.dup(s1.fileno()), os.dup(s1.fileno())
    s1.close()

-    debug2('executing: %r\n' % argv)
+    debug2('executing: %r' % argv)
    p = ssubprocess.Popen(argv, stdin=s1a, stdout=s1b, preexec_fn=setup,
                          close_fds=True, stderr=stderr)
    os.close(s1a)
--- a/sshuttle/ssnet.py
+++ b/sshuttle/ssnet.py
@ -83,7 +83,7 @@ def _nb_clean(func, *args):
        if e.errno not in (errno.EWOULDBLOCK, errno.EAGAIN):
            raise
        else:
-            debug3('%s: err was: %s\n' % (func.__name__, e))
+            debug3('%s: err was: %s' % (func.__name__, e))
            return None


@ -111,7 +111,7 @@ class SockWrapper:
    def __init__(self, rsock, wsock, connect_to=None, peername=None):
        global _swcount
        _swcount += 1
-        debug3('creating new SockWrapper (%d now exist)\n' % _swcount)
+        debug3('creating new SockWrapper (%d now exist)' % _swcount)
        self.exc = None
        self.rsock = rsock
        self.wsock = wsock
@ -124,9 +124,9 @@ class SockWrapper:
    def __del__(self):
        global _swcount
        _swcount -= 1
-        debug1('%r: deleting (%d remain)\n' % (self, _swcount))
+        debug1('%r: deleting (%d remain)' % (self, _swcount))
        if self.exc:
-            debug1('%r: error was: %s\n' % (self, self.exc))
+            debug1('%r: error was: %s' % (self, self.exc))

    def __repr__(self):
        if self.rsock == self.wsock:
@ -148,14 +148,14 @@ class SockWrapper:
        if not self.connect_to:
            return  # already connected
        self.rsock.setblocking(False)
-        debug3('%r: trying connect to %r\n' % (self, self.connect_to))
+        debug3('%r: trying connect to %r' % (self, self.connect_to))
        try:
            self.rsock.connect(self.connect_to)
            # connected successfully (Linux)
            self.connect_to = None
        except socket.error:
            _, e = sys.exc_info()[:2]
-            debug3('%r: connect result: %s\n' % (self, e))
+            debug3('%r: connect result: %s' % (self, e))
            if e.args[0] == errno.EINVAL:
                # this is what happens when you call connect() on a socket
                # that is now connected but returned EINPROGRESS last time,
@ -165,7 +165,7 @@ class SockWrapper:
                realerr = self.rsock.getsockopt(socket.SOL_SOCKET,
                                                socket.SO_ERROR)
                e = socket.error(realerr, os.strerror(realerr))
-                debug3('%r: fixed connect result: %s\n' % (self, e))
+                debug3('%r: fixed connect result: %s' % (self, e))
            if e.args[0] in [errno.EINPROGRESS, errno.EALREADY]:
                pass  # not connected yet
            elif e.args[0] == 0:
@ -191,13 +191,13 @@ class SockWrapper:

    def noread(self):
        if not self.shut_read:
-            debug2('%r: done reading\n' % self)
+            debug2('%r: done reading' % self)
            self.shut_read = True
            # self.rsock.shutdown(SHUT_RD)  # doesn't do anything anyway

    def nowrite(self):
        if not self.shut_write:
-            debug2('%r: done writing\n' % self)
+            debug2('%r: done writing' % self)
            self.shut_write = True
            try:
                self.wsock.shutdown(SHUT_WR)
@ -218,7 +218,7 @@ class SockWrapper:
        except OSError:
            _, e = sys.exc_info()[:2]
            if e.errno == errno.EPIPE:
-                debug1('%r: uwrite: got EPIPE\n' % self)
+                debug1('%r: uwrite: got EPIPE' % self)
                self.nowrite()
                return 0
            else:
@ -227,7 +227,7 @@ class SockWrapper:
                return 0

    def write(self, buf):
-        assert(buf)
+        assert buf
        return self.uwrite(buf)

    def uread(self):
@ -275,12 +275,12 @@ class Handler:
            _add(r, i)

    def callback(self, sock):
-        log('--no callback defined-- %r\n' % self)
+        log('--no callback defined-- %r' % self)
        (r, _, _) = select.select(self.socks, [], [], 0)
        for s in r:
            v = s.recv(4096)
            if not v:
-                log('--closed-- %r\n' % self)
+                log('--closed-- %r' % self)
                self.socks = []
                self.ok = False

@ -377,7 +377,7 @@ class Mux(Handler):
        # for b in self.outbuf:
        #    (s1,s2,c) = struct.unpack('!ccH', b[:4])
        #    ob.append(c)
-        # log('outbuf: %d %r\n' % (self.amount_queued(), ob))
+        # log('outbuf: %d %r' % (self.amount_queued(), ob))

    def send(self, channel, cmd, data):
        assert isinstance(data, bytes)
@ -385,32 +385,32 @@ class Mux(Handler):
        p = struct.pack('!ccHHH', b('S'), b('S'), channel, cmd, len(data)) \
            + data
        self.outbuf.append(p)
-        debug2(' > channel=%d cmd=%s len=%d (fullness=%d)\n'
+        debug2(' > channel=%d cmd=%s len=%d (fullness=%d)'
               % (channel, cmd_to_name.get(cmd, hex(cmd)),
                  len(data), self.fullness))
        self.fullness += len(data)

    def got_packet(self, channel, cmd, data):
-        debug2('<  channel=%d cmd=%s len=%d\n'
+        debug2('<  channel=%d cmd=%s len=%d'
               % (channel, cmd_to_name.get(cmd, hex(cmd)), len(data)))
        if cmd == CMD_PING:
            self.send(0, CMD_PONG, data)
        elif cmd == CMD_PONG:
-            debug2('received PING response\n')
+            debug2('received PING response')
            self.too_full = False
            self.fullness = 0
        elif cmd == CMD_EXIT:
            self.ok = False
        elif cmd == CMD_TCP_CONNECT:
-            assert(not self.channels.get(channel))
+            assert not self.channels.get(channel)
            if self.new_channel:
                self.new_channel(channel, data)
        elif cmd == CMD_DNS_REQ:
-            assert(not self.channels.get(channel))
+            assert not self.channels.get(channel)
            if self.got_dns_req:
                self.got_dns_req(channel, data)
        elif cmd == CMD_UDP_OPEN:
-            assert(not self.channels.get(channel))
+            assert not self.channels.get(channel)
            if self.got_udp_open:
                self.got_udp_open(channel, data)
        elif cmd == CMD_ROUTES:
@ -431,7 +431,7 @@ class Mux(Handler):
        else:
            callback = self.channels.get(channel)
            if not callback:
-                log('warning: closed channel %d got cmd=%s len=%d\n'
+                log('warning: closed channel %d got cmd=%s len=%d'
                    % (channel, cmd_to_name.get(cmd, hex(cmd)), len(data)))
            else:
                callback(cmd, data)
@ -443,10 +443,10 @@ class Mux(Handler):
            # python < 3.5
            flags = fcntl.fcntl(self.wfile.fileno(), fcntl.F_GETFL)
            flags |= os.O_NONBLOCK
-            flags = fcntl.fcntl(self.wfile.fileno(), fcntl.F_SETFL, flags)
+            fcntl.fcntl(self.wfile.fileno(), fcntl.F_SETFL, flags)
        if self.outbuf and self.outbuf[0]:
            wrote = _nb_clean(os.write, self.wfile.fileno(), self.outbuf[0])
-            debug2('mux wrote: %r/%d\n' % (wrote, len(self.outbuf[0])))
+            debug2('mux wrote: %r/%d' % (wrote, len(self.outbuf[0])))
            if wrote:
                self.outbuf[0] = self.outbuf[0][wrote:]
        while self.outbuf and not self.outbuf[0]:
@ -459,13 +459,16 @@ class Mux(Handler):
            # python < 3.5
            flags = fcntl.fcntl(self.rfile.fileno(), fcntl.F_GETFL)
            flags |= os.O_NONBLOCK
-            flags = fcntl.fcntl(self.rfile.fileno(), fcntl.F_SETFL, flags)
+            fcntl.fcntl(self.rfile.fileno(), fcntl.F_SETFL, flags)
        try:
-            read = _nb_clean(os.read, self.rfile.fileno(), LATENCY_BUFFER_SIZE)
+            # If LATENCY_BUFFER_SIZE is inappropriately large, we will
+            # get a MemoryError here. Read no more than 1MiB.
+            read = _nb_clean(os.read, self.rfile.fileno(),
+                             min(1048576, LATENCY_BUFFER_SIZE))
        except OSError:
            _, e = sys.exc_info()[:2]
            raise Fatal('other end: %r' % e)
-        # log('<<< %r\n' % b)
+        # log('<<< %r' % b)
        if read == b(''):  # EOF
            self.ok = False
        if read:
@ -473,14 +476,14 @@ class Mux(Handler):

    def handle(self):
        self.fill()
-        # log('inbuf is: (%d,%d) %r\n'
+        # log('inbuf is: (%d,%d) %r'
        #     % (self.want, len(self.inbuf), self.inbuf))
        while 1:
            if len(self.inbuf) >= (self.want or HDR_LEN):
                (s1, s2, channel, cmd, datalen) = \
                    struct.unpack('!ccHHH', self.inbuf[:HDR_LEN])
-                assert(s1 == b('S'))
-                assert(s2 == b('S'))
+                assert s1 == b('S')
+                assert s2 == b('S')
                self.want = datalen + HDR_LEN
            if self.want and len(self.inbuf) >= self.want:
                data = self.inbuf[HDR_LEN:self.want]
@ -511,7 +514,7 @@ class MuxWrapper(SockWrapper):
        self.channel = channel
        self.mux.channels[channel] = self.got_packet
        self.socks = []
-        debug2('new channel: %d\n' % channel)
+        debug2('new channel: %d' % channel)

    def __del__(self):
        self.nowrite()
@ -527,7 +530,7 @@ class MuxWrapper(SockWrapper):

    def setnoread(self):
        if not self.shut_read:
-            debug2('%r: done reading\n' % self)
+            debug2('%r: done reading' % self)
            self.shut_read = True
            self.maybe_close()

@ -538,13 +541,13 @@ class MuxWrapper(SockWrapper):

    def setnowrite(self):
        if not self.shut_write:
-            debug2('%r: done writing\n' % self)
+            debug2('%r: done writing' % self)
            self.shut_write = True
            self.maybe_close()

    def maybe_close(self):
        if self.shut_read and self.shut_write:
-            debug2('%r: closing connection\n' % self)
+            debug2('%r: closing connection' % self)
            # remove the mux's reference to us.  The python garbage collector
            # will then be able to reap our object.
            self.mux.channels[self.channel] = None
@ -581,9 +584,9 @@ class MuxWrapper(SockWrapper):


 def connect_dst(family, ip, port):
-    debug2('Connecting to %s:%d\n' % (ip, port))
+    debug2('Connecting to %s:%d' % (ip, port))
    outsock = socket.socket(family)
-    outsock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
+
    return SockWrapper(outsock, outsock,
                       connect_to=(ip, port),
                       peername='%s:%d' % (ip, port))
@ -599,11 +602,11 @@ def runonce(handlers, mux):

    for s in handlers:
        s.pre_select(r, w, x)
-    debug2('Waiting: %d r=%r w=%r x=%r (fullness=%d/%d)\n'
+    debug2('Waiting: %d r=%r w=%r x=%r (fullness=%d/%d)'
           % (len(handlers), _fds(r), _fds(w), _fds(x),
               mux.fullness, mux.too_full))
    (r, w, x) = select.select(r, w, x)
-    debug2('  Ready: %d r=%r w=%r x=%r\n'
+    debug2('  Ready: %d r=%r w=%r x=%r'
           % (len(handlers), _fds(r), _fds(w), _fds(x)))
    ready = r + w + x
    did = {}
--- a/sshuttle/stresstest.py
+++ b/sshuttle/stresstest.py
@ -1,89 +0,0 @@
-#!/usr/bin/env python
-import socket
-import select
-import struct
-import time
-
-listener = socket.socket()
-listener.bind(('127.0.0.1', 0))
-listener.listen(500)
-
-servers = []
-clients = []
-remain = {}
-
-NUMCLIENTS = 50
-count = 0
-
-
-while 1:
-    if len(clients) < NUMCLIENTS:
-        c = socket.socket()
-        c.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-        c.bind(('0.0.0.0', 0))
-        c.connect(listener.getsockname())
-        count += 1
-        if count >= 16384:
-            count = 1
-        print('cli CREATING %d' % count)
-        b = struct.pack('I', count) + 'x' * count
-        remain[c] = count
-        print('cli  >> %r' % len(b))
-        c.send(b)
-        c.shutdown(socket.SHUT_WR)
-        clients.append(c)
-        r = [listener]
-        time.sleep(0.1)
-    else:
-        r = [listener] + servers + clients
-    print('select(%d)' % len(r))
-    r, w, x = select.select(r, [], [], 5)
-    assert(r)
-    for i in r:
-        if i == listener:
-            s, addr = listener.accept()
-            servers.append(s)
-        elif i in servers:
-            b = i.recv(4096)
-            print('srv <<  %r' % len(b))
-            if i not in remain:
-                assert(len(b) >= 4)
-                want = struct.unpack('I', b[:4])[0]
-                b = b[4:]
-                # i.send('y'*want)
-            else:
-                want = remain[i]
-            if want < len(b):
-                print('weird wanted %d bytes, got %d: %r' % (want, len(b), b))
-                assert(want >= len(b))
-            want -= len(b)
-            remain[i] = want
-            if not b:  # EOF
-                if want:
-                    print('weird: eof but wanted %d more' % want)
-                    assert(want == 0)
-                i.close()
-                servers.remove(i)
-                del remain[i]
-            else:
-                print('srv  >> %r' % len(b))
-                i.send('y' * len(b))
-                if not want:
-                    i.shutdown(socket.SHUT_WR)
-        elif i in clients:
-            b = i.recv(4096)
-            print('cli <<  %r' % len(b))
-            want = remain[i]
-            if want < len(b):
-                print('weird wanted %d bytes, got %d: %r' % (want, len(b), b))
-                assert(want >= len(b))
-            want -= len(b)
-            remain[i] = want
-            if not b:  # EOF
-                if want:
-                    print('weird: eof but wanted %d more' % want)
-                    assert(want == 0)
-                i.close()
-                clients.remove(i)
-                del remain[i]
-listener.accept()
--- a/sshuttle/sudoers.py
+++ b/sshuttle/sudoers.py
@ -2,63 +2,45 @@ import os
 import sys
 import getpass
 from uuid import uuid4
-from subprocess import Popen, PIPE
-from sshuttle.helpers import log, debug1
-from distutils import spawn

-path_to_sshuttle = sys.argv[0]
-path_to_dist_packages = os.path.dirname(os.path.abspath(__file__))[:-9]

-# randomize command alias to avoid collisions
-command_alias = 'SSHUTTLE%(num)s' % {'num': uuid4().hex[-3:].upper()}
-
-# Template for the sudoers file
+def build_config(user_name):
    template = '''
+# WARNING: If you intend to restrict a user to only running the
+# sshuttle command as root, THIS CONFIGURATION IS INSECURE.
+# When a user can run sshuttle as root (with or without a password),
+# they can also run other commands as root because sshuttle itself
+# can run a command specified by the user with the --ssh-cmd option.
+
+# INSTRUCTIONS: Add this text to your sudo configuration to run
+# sshuttle without needing to enter a sudo password. To use this
+# configuration, run 'visudo /etc/sudoers.d/sshuttle_auto' as root and
+# paste this text into the editor that it opens. If you want to give
+# multiple users these privileges, you may wish to use use different
+# filenames for each one (i.e., /etc/sudoers.d/sshuttle_auto_john).
+
+# This configuration was initially generated by the
+# 'sshuttle --sudoers-no-modify' command.
+
 Cmnd_Alias %(ca)s = /usr/bin/env PYTHONPATH=%(dist_packages)s %(py)s %(path)s *

 %(user_name)s ALL=NOPASSWD: %(ca)s
 '''

-
-def build_config(user_name):
    content = template % {
-        'ca': command_alias,
-        'dist_packages': path_to_dist_packages,
+        # randomize command alias to avoid collisions
+        'ca': 'SSHUTTLE%(num)s' % {'num': uuid4().hex[-3:].upper()},
+        'dist_packages': os.path.dirname(os.path.abspath(__file__))[:-9],
        'py': sys.executable,
-        'path': path_to_sshuttle,
+        'path': sys.argv[0],
        'user_name': user_name,
    }

    return content


-def save_config(content, file_name):
-    process = Popen([
-        '/usr/bin/sudo',
-        spawn.find_executable('sudoers-add'),
-        file_name,
-    ], stdout=PIPE, stdin=PIPE)
-
-    process.stdin.write(content.encode())
-
-    streamdata = process.communicate()[0]
-    returncode = process.returncode
-
-    if returncode:
-        log('Failed updating sudoers file.\n')
-        debug1(streamdata)
-        exit(returncode)
-    else:
-        log('Success, sudoers file update.\n')
-        exit(0)
-
-
-def sudoers(user_name=None, no_modify=None, file_name=None):
+def sudoers(user_name=None):
    user_name = user_name or getpass.getuser()
    content = build_config(user_name)
-
-    if no_modify:
    sys.stdout.write(content)
    exit(0)
-    else:
-        save_config(content, file_name)
--- a/sshuttle/version.py
+++ b/sshuttle/version.py
@ -0,0 +1 @@
+__version__ = version = '1.1.1'
--- a/tests/client/test_firewall.py
+++ b/tests/client/test_firewall.py
@ -1,7 +1,11 @@
 import io
+import os
 from socket import AF_INET, AF_INET6

-from mock import Mock, patch, call
+from unittest.mock import Mock, patch, call
+
+import pytest
+
 import sshuttle.firewall


@ -15,7 +19,7 @@ NSLIST
 {inet},1.2.3.33
 {inet6},2404:6800:4004:80c::33
 PORTS 1024,1025,1026,1027
-GO 1 -
+GO 1 - 0x01 12345
 HOST 1.2.3.3,existing
 """.format(inet=AF_INET, inet6=AF_INET6))
    stdout = Mock()
@ -59,6 +63,21 @@ def test_rewrite_etc_hosts(tmpdir):
    assert orig_hosts.computehash() == new_hosts.computehash()


+@patch('os.link')
+@patch('os.rename')
+def test_rewrite_etc_hosts_no_overwrite(mock_link, mock_rename, tmpdir):
+    mock_link.side_effect = OSError
+    mock_rename.side_effect = OSError
+
+    with pytest.raises(OSError):
+        os.link('/test_from', '/test_to')
+
+    with pytest.raises(OSError):
+        os.rename('/test_from', '/test_to')
+
+    test_rewrite_etc_hosts(tmpdir)
+
+
 def test_subnet_weight():
    subnets = [
        (AF_INET, 16, 0, '192.168.0.0', 0, 0),
@ -125,7 +144,8 @@ def test_main(mock_get_method, mock_setup_daemon, mock_rewrite_etc_hosts):
            [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 0, 0),
             (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
            True,
-            None),
+            None,
+            '0x01'),
        call().setup_firewall(
            1025, 1027,
            [(AF_INET, u'1.2.3.33')],
@ -133,7 +153,8 @@ def test_main(mock_get_method, mock_setup_daemon, mock_rewrite_etc_hosts):
            [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
             (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
            True,
-            None),
+            None,
+            '0x01'),
        call().restore_firewall(1024, AF_INET6, True, None),
        call().restore_firewall(1025, AF_INET, True, None),
    ]
--- a/tests/client/test_helpers.py
+++ b/tests/client/test_helpers.py
@ -3,7 +3,7 @@ import socket
 from socket import AF_INET, AF_INET6
 import errno

-from mock import patch, call
+from unittest.mock import patch, call
 import sshuttle.helpers


@ -24,19 +24,19 @@ def test_log(mock_stderr, mock_stdout):
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
-        call.write('prefix: message'),
+        call.write('prefix: message\r\n'),
        call.flush(),
-        call.write('prefix: abc'),
+        call.write('prefix: abc\r\n'),
        call.flush(),
-        call.write('prefix: message 1\n'),
+        call.write('prefix: message 1\r\n'),
        call.flush(),
-        call.write('prefix: message 2\n'),
-        call.write('---> line2\n'),
-        call.write('---> line3\n'),
+        call.write('prefix: message 2\r\n'),
+        call.write('    line2\r\n'),
+        call.write('    line3\r\n'),
        call.flush(),
-        call.write('prefix: message 3\n'),
-        call.write('---> line2\n'),
-        call.write('---> line3\n'),
+        call.write('prefix: message 3\r\n'),
+        call.write('    line2\r\n'),
+        call.write('    line3\r\n'),
        call.flush(),
    ]

@ -51,7 +51,7 @@ def test_debug1(mock_stderr, mock_stdout):
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
-        call.write('prefix: message'),
+        call.write('prefix: message\r\n'),
        call.flush(),
    ]

@ -76,7 +76,7 @@ def test_debug2(mock_stderr, mock_stdout):
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
-        call.write('prefix: message'),
+        call.write('prefix: message\r\n'),
        call.flush(),
    ]

@ -101,7 +101,7 @@ def test_debug3(mock_stderr, mock_stdout):
        call.flush(),
    ]
    assert mock_stderr.mock_calls == [
-        call.write('prefix: message'),
+        call.write('prefix: message\r\n'),
        call.flush(),
    ]

@ -192,5 +192,4 @@ def test_family_ip_tuple():
 def test_family_to_string():
    assert sshuttle.helpers.family_to_string(AF_INET) == "AF_INET"
    assert sshuttle.helpers.family_to_string(AF_INET6) == "AF_INET6"
-    expected = 'AddressFamily.AF_UNIX'
-    assert sshuttle.helpers.family_to_string(socket.AF_UNIX) == expected
+    assert isinstance(sshuttle.helpers.family_to_string(socket.AF_UNIX), str)
--- a/tests/client/test_methods_nat.py
+++ b/tests/client/test_methods_nat.py
@ -3,7 +3,7 @@ from socket import AF_INET, AF_INET6
 import struct

 import pytest
-from mock import Mock, patch, call
+from unittest.mock import Mock, patch, call
 from sshuttle.helpers import Fatal
 from sshuttle.methods import get_method

@ -11,7 +11,7 @@ from sshuttle.methods import get_method
 def test_get_supported_features():
    method = get_method('nat')
    features = method.get_supported_features()
-    assert not features.ipv6
+    assert features.ipv6
    assert not features.udp
    assert features.dns

@ -81,30 +81,56 @@ def test_assert_features():

 def test_firewall_command():
    method = get_method('nat')
-    assert not method.firewall_command("somthing")
+    assert not method.firewall_command("something")


@patch('sshuttle.methods.nat.ipt')
-@patch('sshuttle.methods.nat.ipt_ttl')
@patch('sshuttle.methods.nat.ipt_chain_exists')
-def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
+def test_setup_firewall(mock_ipt_chain_exists, mock_ipt):
    mock_ipt_chain_exists.return_value = True
    method = get_method('nat')
    assert method.name == 'nat'

-    with pytest.raises(Exception) as excinfo:
+    assert mock_ipt_chain_exists.mock_calls == []
+    assert mock_ipt.mock_calls == []
    method.setup_firewall(
        1024, 1026,
        [(AF_INET6, u'2404:6800:4004:80c::33')],
        AF_INET6,
        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 0, 0),
         (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
-            True,
-            None)
-    assert str(excinfo.value) \
-        == 'Address family "AF_INET6" unsupported by nat method_name'
+        False,
+        None,
+        '0x01')
+
+    assert mock_ipt_chain_exists.mock_calls == [
+        call(AF_INET6, 'nat', 'sshuttle-1024')
+    ]
+    assert mock_ipt.mock_calls == [
+        call(AF_INET6, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-F', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-X', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-N', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-F', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-I', 'PREROUTING', '1', '-j', 'sshuttle-1024'),
+        call(AF_INET6, 'nat', '-A', 'sshuttle-1024', '-j', 'REDIRECT',
+             '--dest', u'2404:6800:4004:80c::33', '-p', 'udp',
+             '--dport', '53', '--to-ports', '1026'),
+        call(AF_INET6, 'nat', '-A', 'sshuttle-1024', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
+        call(AF_INET6, 'nat', '-A', 'sshuttle-1024', '-j', 'RETURN',
+             '--dest', u'2404:6800:4004:80c::101f/128', '-p', 'tcp',
+             '--dport', '80:80'),
+        call(AF_INET6, 'nat', '-A', 'sshuttle-1024', '-j', 'REDIRECT',
+             '--dest', u'2404:6800:4004:80c::/64', '-p', 'tcp',
+             '--to-ports', '1024')
+    ]
+    mock_ipt_chain_exists.reset_mock()
+    mock_ipt.reset_mock()
+
    assert mock_ipt_chain_exists.mock_calls == []
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == []

    with pytest.raises(Exception) as excinfo:
@ -115,10 +141,10 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
            [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
                (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
            True,
-            None)
+            None,
+            '0x01')
    assert str(excinfo.value) == 'UDP not supported by nat method_name'
    assert mock_ipt_chain_exists.mock_calls == []
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == []

    method.setup_firewall(
@ -128,14 +154,11 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
            (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
        False,
-        None)
+        None,
+        '0x01')
    assert mock_ipt_chain_exists.mock_calls == [
        call(AF_INET, 'nat', 'sshuttle-1025')
    ]
-    assert mock_ipt_ttl.mock_calls == [
-        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
-             '-m', 'ttl', '--ttl', '63')
-    ]
    assert mock_ipt.mock_calls == [
        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
@ -146,7 +169,7 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET, 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-1025'),
        call(AF_INET, 'nat', '-I', 'PREROUTING', '1', '-j', 'sshuttle-1025'),
        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
-             '--dest', u'1.2.3.33/32', '-p', 'udp',
+             '--dest', u'1.2.3.33', '-p', 'udp',
             '--dport', '53', '--to-ports', '1027'),
        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
             '-m', 'addrtype', '--dst-type', 'LOCAL'),
@ -157,20 +180,33 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
             '--to-ports', '1025')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()

    method.restore_firewall(1025, AF_INET, False, None)
    assert mock_ipt_chain_exists.mock_calls == [
        call(AF_INET, 'nat', 'sshuttle-1025')
    ]
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
-        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
-        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j',
+             'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j',
+             'sshuttle-1025'),
        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
        call(AF_INET, 'nat', '-X', 'sshuttle-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
+    mock_ipt.reset_mock()
+
+    method.restore_firewall(1025, AF_INET6, False, None)
+    assert mock_ipt_chain_exists.mock_calls == [
+        call(AF_INET6, 'nat', 'sshuttle-1025')
+    ]
+    assert mock_ipt.mock_calls == [
+        call(AF_INET6, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
+        call(AF_INET6, 'nat', '-D', 'PREROUTING', '-j',
+             'sshuttle-1025'),
+        call(AF_INET6, 'nat', '-F', 'sshuttle-1025'),
+        call(AF_INET6, 'nat', '-X', 'sshuttle-1025')
+    ]
+    mock_ipt_chain_exists.reset_mock()
    mock_ipt.reset_mock()
--- a/tests/client/test_methods_pf.py
+++ b/tests/client/test_methods_pf.py
@ -2,7 +2,7 @@ import socket
 from socket import AF_INET, AF_INET6

 import pytest
-from mock import Mock, patch, call, ANY
+from unittest.mock import Mock, patch, call, ANY
 from sshuttle.methods import get_method
 from sshuttle.helpers import Fatal, get_env
 from sshuttle.methods.pf import FreeBsd, Darwin, OpenBsd
@ -92,7 +92,7 @@ def test_assert_features():
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_firewall_command_darwin(mock_pf_get_dev, mock_ioctl, mock_stdout):
    method = get_method('pf')
-    assert not method.firewall_command("somthing")
+    assert not method.firewall_command("something")

    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
        AF_INET, socket.IPPROTO_TCP,
@ -115,7 +115,7 @@ def test_firewall_command_darwin(mock_pf_get_dev, mock_ioctl, mock_stdout):
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_firewall_command_freebsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
    method = get_method('pf')
-    assert not method.firewall_command("somthing")
+    assert not method.firewall_command("something")

    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
        AF_INET, socket.IPPROTO_TCP,
@ -138,7 +138,7 @@ def test_firewall_command_freebsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
@patch('sshuttle.methods.pf.pf_get_dev')
 def test_firewall_command_openbsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
    method = get_method('pf')
-    assert not method.firewall_command("somthing")
+    assert not method.firewall_command("something")

    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
        AF_INET, socket.IPPROTO_TCP,
@ -186,7 +186,8 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        False,
-        None)
+        None,
+        '0x01')
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
@ -225,7 +226,8 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
            True,
-            None)
+            None,
+            '0x01')
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
@ -238,7 +240,8 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        False,
-        None)
+        None,
+        '0x01')
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
@ -298,7 +301,8 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl,
        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        False,
-        None)
+        None,
+        '0x01')

    assert mock_pfctl.mock_calls == [
        call('-s all'),
@ -330,7 +334,8 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl,
            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
            True,
-            None)
+            None,
+            '0x01')
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
@ -343,7 +348,8 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl,
        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        False,
-        None)
+        None,
+        '0x01')
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCBE0441A, ANY),
@ -401,7 +407,8 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        False,
-        None)
+        None,
+        '0x01')

    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xcd60441a, ANY),
@ -437,7 +444,8 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
            True,
-            None)
+            None,
+            '0x01')
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
@ -450,7 +458,8 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        False,
-        None)
+        None,
+        '0x01')
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xcd60441a, ANY),
        call(mock_pf_get_dev(), 0xcd60441a, ANY),
--- a/tests/client/test_methods_tproxy.py
+++ b/tests/client/test_methods_tproxy.py
@ -1,13 +1,12 @@
 import socket
 from socket import AF_INET, AF_INET6

-from mock import Mock, patch, call
+from unittest.mock import Mock, patch, call

 from sshuttle.methods import get_method


-@patch("sshuttle.methods.tproxy.recvmsg")
-def test_get_supported_features_recvmsg(mock_recvmsg):
+def test_get_supported_features():
    method = get_method('tproxy')
    features = method.get_supported_features()
    assert features.ipv6
@ -15,15 +14,6 @@ def test_get_supported_features_recvmsg(mock_recvmsg):
    assert features.dns


-@patch("sshuttle.methods.tproxy.recvmsg", None)
-def test_get_supported_features_norecvmsg():
-    method = get_method('tproxy')
-    features = method.get_supported_features()
-    assert features.ipv6
-    assert not features.udp
-    assert not features.dns
-
-
 def test_get_tcp_dstip():
    sock = Mock()
    sock.getsockname.return_value = ('127.0.0.1', 1024)
@ -88,13 +78,12 @@ def test_assert_features():

 def test_firewall_command():
    method = get_method('tproxy')
-    assert not method.firewall_command("somthing")
+    assert not method.firewall_command("something")


@patch('sshuttle.methods.tproxy.ipt')
-@patch('sshuttle.methods.tproxy.ipt_ttl')
@patch('sshuttle.methods.tproxy.ipt_chain_exists')
-def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
+def test_setup_firewall(mock_ipt_chain_exists, mock_ipt):
    mock_ipt_chain_exists.return_value = True
    method = get_method('tproxy')
    assert method.name == 'tproxy'
@ -108,13 +97,13 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
        True,
-        None)
+        None,
+        '0x01')
    assert mock_ipt_chain_exists.mock_calls == [
        call(AF_INET6, 'mangle', 'sshuttle-m-1024'),
        call(AF_INET6, 'mangle', 'sshuttle-t-1024'),
        call(AF_INET6, 'mangle', 'sshuttle-d-1024')
    ]
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1024'),
        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1024'),
@ -133,18 +122,22 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET6, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
        call(AF_INET6, 'mangle', '-I', 'PREROUTING', '1', '-j',
             'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
-             '--set-mark', '1'),
+             '--set-mark', '0x01'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
             '-j', 'sshuttle-d-1024', '-m', 'tcp', '-p', 'tcp'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
             '-j', 'sshuttle-d-1024', '-m', 'udp', '-p', 'udp'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::33/32',
+             '--set-mark', '0x01', '--dest', u'2404:6800:4004:80c::33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1',
+             '--tproxy-mark', '0x01',
             '--dest', u'2404:6800:4004:80c::33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1026'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
@ -160,22 +153,23 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
             '--dest', u'2404:6800:4004:80c::101f/128',
             '-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
+             '--set-mark', '0x01', '--dest', u'2404:6800:4004:80c::/64',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
+             '--tproxy-mark', '0x01', '--dest',
+             u'2404:6800:4004:80c::/64',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000',
             '--on-port', '1024'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
+             '--set-mark', '0x01', '--dest', u'2404:6800:4004:80c::/64',
             '-m', 'udp', '-p', 'udp', '--dport', '8000:9000'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
+             '--tproxy-mark', '0x01', '--dest',
+             u'2404:6800:4004:80c::/64',
             '-m', 'udp', '-p', 'udp', '--dport', '8000:9000',
             '--on-port', '1024')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()

    method.restore_firewall(1025, AF_INET6, True, None)
@ -184,7 +178,6 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET6, 'mangle', 'sshuttle-t-1025'),
        call(AF_INET6, 'mangle', 'sshuttle-d-1025')
    ]
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1025'),
@ -196,7 +189,6 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET6, 'mangle', '-X', 'sshuttle-d-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()

    # IPV4
@ -208,13 +200,13 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        True,
-        None)
+        None,
+        '0x01')
    assert mock_ipt_chain_exists.mock_calls == [
        call(AF_INET, 'mangle', 'sshuttle-m-1025'),
        call(AF_INET, 'mangle', 'sshuttle-t-1025'),
        call(AF_INET, 'mangle', 'sshuttle-d-1025')
    ]
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
@ -233,18 +225,22 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
        call(AF_INET, 'mangle', '-I', 'PREROUTING', '1', '-j',
             'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
+             '-m', 'addrtype', '--dst-type', 'LOCAL'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025',
-             '-j', 'MARK', '--set-mark', '1'),
+             '-j', 'MARK', '--set-mark', '0x01'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
             '-j', 'sshuttle-d-1025', '-m', 'tcp', '-p', 'tcp'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
             '-j', 'sshuttle-d-1025', '-m', 'udp', '-p', 'udp'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'1.2.3.33/32',
+             '--set-mark', '0x01', '--dest', u'1.2.3.33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.33/32',
+             '--tproxy-mark', '0x01', '--dest', u'1.2.3.33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1027'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp',
@ -259,20 +255,19 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
             '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
             '--dport', '80:80'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'1.2.3.0/24',
+             '--set-mark', '0x01', '--dest', u'1.2.3.0/24',
             '-m', 'tcp', '-p', 'tcp'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
+             '--tproxy-mark', '0x01', '--dest', u'1.2.3.0/24',
             '-m', 'tcp', '-p', 'tcp', '--on-port', '1025'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
-             '--set-mark', '1', '--dest', u'1.2.3.0/24',
+             '--set-mark', '0x01', '--dest', u'1.2.3.0/24',
             '-m', 'udp', '-p', 'udp'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
-             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
+             '--tproxy-mark', '0x01', '--dest', u'1.2.3.0/24',
             '-m', 'udp', '-p', 'udp', '--on-port', '1025')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()

    method.restore_firewall(1025, AF_INET, True, None)
@ -281,7 +276,6 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET, 'mangle', 'sshuttle-t-1025'),
        call(AF_INET, 'mangle', 'sshuttle-d-1025')
    ]
-    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
        call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
@ -293,5 +287,4 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
        call(AF_INET, 'mangle', '-X', 'sshuttle-d-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
-    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()
--- a/tests/client/test_options.py
+++ b/tests/client/test_options.py
@ -1,5 +1,6 @@
 import socket
 from argparse import ArgumentTypeError as Fatal
+from unittest.mock import patch

 import pytest

@ -27,6 +28,23 @@ _ip6_reprs = {
 _ip6_swidths = (48, 64, 96, 115, 128)


+def _mock_getaddrinfo(host, *_):
+    return {
+        "example.com": [
+            (socket.AF_INET6, socket.SOCK_STREAM, 0, '', ('2606:2800:220:1:248:1893:25c8:1946', 0, 0, 0)),
+            (socket.AF_INET, socket.SOCK_STREAM, 0, '', ('93.184.216.34', 0)),
+        ],
+        "my.local": [
+            (socket.AF_INET6, socket.SOCK_STREAM, 0, '', ('::1', 0, 0, 0)),
+            (socket.AF_INET, socket.SOCK_STREAM, 0, '', ('127.0.0.1', 0)),
+        ],
+        "*.blogspot.com": [
+            (socket.AF_INET6, socket.SOCK_STREAM, 0, '', ('2404:6800:4004:821::2001', 0, 0, 0)),
+            (socket.AF_INET, socket.SOCK_STREAM, 0, '', ('142.251.42.129', 0)),
+        ],
+    }.get(host, [])
+
+
 def test_parse_subnetport_ip4():
    for ip_repr, ip in _ip4_reprs.items():
        assert sshuttle.options.parse_subnetport(ip_repr) \
@ -100,3 +118,61 @@ def test_parse_subnetport_ip6_with_mask_and_port():
            == [(socket.AF_INET6, ip, 128, 80, 80)]
        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/16]:80-90')\
            == [(socket.AF_INET6, ip, 16, 80, 90)]
+
+
+def test_convert_arg_line_to_args_skips_comments():
+    parser = sshuttle.options.MyArgumentParser()
+    assert parser.convert_arg_line_to_args("# whatever something") == []
+
+
+@patch('sshuttle.options.socket.getaddrinfo', side_effect=_mock_getaddrinfo)
+def test_parse_subnetport_host(mock_getaddrinfo):
+    assert set(sshuttle.options.parse_subnetport('example.com')) \
+        == set([
+            (socket.AF_INET6, '2606:2800:220:1:248:1893:25c8:1946', 128, 0, 0),
+            (socket.AF_INET, '93.184.216.34', 32, 0, 0),
+        ])
+    assert set(sshuttle.options.parse_subnetport('my.local')) \
+        == set([
+            (socket.AF_INET6, '::1', 128, 0, 0),
+            (socket.AF_INET, '127.0.0.1', 32, 0, 0),
+        ])
+    assert set(sshuttle.options.parse_subnetport('*.blogspot.com')) \
+        == set([
+            (socket.AF_INET6, '2404:6800:4004:821::2001', 128, 0, 0),
+            (socket.AF_INET, '142.251.42.129', 32, 0, 0),
+        ])
+
+
+@patch('sshuttle.options.socket.getaddrinfo', side_effect=_mock_getaddrinfo)
+def test_parse_subnetport_host_with_port(mock_getaddrinfo):
+    assert set(sshuttle.options.parse_subnetport('example.com:80')) \
+        == set([
+            (socket.AF_INET6, '2606:2800:220:1:248:1893:25c8:1946', 128, 80, 80),
+            (socket.AF_INET, '93.184.216.34', 32, 80, 80),
+        ])
+    assert set(sshuttle.options.parse_subnetport('example.com:80-90')) \
+        == set([
+            (socket.AF_INET6, '2606:2800:220:1:248:1893:25c8:1946', 128, 80, 90),
+            (socket.AF_INET, '93.184.216.34', 32, 80, 90),
+        ])
+    assert set(sshuttle.options.parse_subnetport('my.local:445')) \
+        == set([
+            (socket.AF_INET6, '::1', 128, 445, 445),
+            (socket.AF_INET, '127.0.0.1', 32, 445, 445),
+        ])
+    assert set(sshuttle.options.parse_subnetport('my.local:445-450')) \
+        == set([
+            (socket.AF_INET6, '::1', 128, 445, 450),
+            (socket.AF_INET, '127.0.0.1', 32, 445, 450),
+        ])
+    assert set(sshuttle.options.parse_subnetport('*.blogspot.com:80')) \
+        == set([
+            (socket.AF_INET6, '2404:6800:4004:821::2001', 128, 80, 80),
+            (socket.AF_INET, '142.251.42.129', 32, 80, 80),
+        ])
+    assert set(sshuttle.options.parse_subnetport('*.blogspot.com:80-90')) \
+        == set([
+            (socket.AF_INET6, '2404:6800:4004:821::2001', 128, 80, 90),
+            (socket.AF_INET, '142.251.42.129', 32, 80, 90),
+        ])
--- a/tests/client/test_sdnotify.py
+++ b/tests/client/test_sdnotify.py
@ -1,6 +1,6 @@
 import socket

-from mock import Mock, patch, call
+from unittest.mock import Mock, patch, call

 import sshuttle.sdnotify

--- a/tests/server/test_server.py
+++ b/tests/server/test_server.py
@ -1,7 +1,7 @@
 import io
 import socket

-from mock import patch, Mock
+from unittest.mock import patch, Mock

 import sshuttle.server

--- a/tox.ini
+++ b/tox.ini
@ -1,18 +1,15 @@
 [tox]
 downloadcache = {toxworkdir}/cache/
 envlist =
-    py35,
-    py36,
-    py37,
    py38,
    py39,
+    py310,

 [testenv]
 basepython =
-    py36: python3.6
-    py37: python3.7
    py38: python3.8
    py39: python3.9
+    py310: python3.10
 commands =
    pip install -e .
    # actual flake8 test