authorvieira <vieira@yubo.be>2016-03-02 00:06:31 +0000
committerBrian May <brian@linuxpenguins.xyz>2016-03-02 18:36:14 +1100
commitfae4cb1dbf012a71504a4f03ec566ac278b66906 (patch)
treea2f80163402d1610cf1603160c567f3f85c0be42
parent7d8309ef05c15ebbe98cc484606979001f8c46f3 (diff)
Override the skip on lo that ends up in the chain
In some cases (see #43) it seems that some network configurations may end up setting a skip on lo. As sshuttle adds rules that rely on filtering/translating packets on lo, this causes problems. This fix overrides the skip and makes the rules be applied again. Should fix at least some of the problems reported on #43.
-rw-r--r--sshuttle/methods/pf.py7
-rw-r--r--sshuttle/tests/test_methods_pf.py1
2 files changed, 8 insertions, 0 deletions
diff --git a/sshuttle/methods/pf.py b/sshuttle/methods/pf.py
index eee36fe..e017c12 100644
--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@@ -235,6 +235,13 @@ class Darwin(FreeBsd):
if _pf_context['Xtoken'] is not None:
pfctl('-X %s' % _pf_context['Xtoken'].decode("ASCII"))
+ def add_anchors(self):
+ # before adding anchors and rules we must override the skip lo
+ # that in some cases ends up in the chain so the rules we will add,
+ # which rely on translating/filtering packets on lo, can work
+ pfctl('-f /dev/stdin', b'pass on lo\n')
+ super(Darwin, self).add_anchors()
+
def _add_natlook_ports(self, pnl, src_port, dst_port):
pnl.sxport.port = socket.htons(src_port)
pnl.dxport.port = socket.htons(dst_port)
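Review bot: The `pfctl('-f /dev/stdin', b'pass on lo\n')` call in the new `Darwin.add_anchors` runs unconditionally, and `pfctl -f` loads its input as the main ruleset, so any filter rules the host already had loaded are replaced by this single rule, not just the `skip` on lo. Nothing in the hunk saves or restores the previous ruleset, and the teardown code and the rest of the `Darwin` class are outside the hunk, so it is worth confirming that the host's firewall policy comes back when sshuttle exits. I would apply the override only when a skip on lo is actually present, and record the side effect next to the call, e.g. `# NOTE: -f replaces the main ruleset; prior host rules are dropped until pf.conf is reloaded`.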
diff --git a/sshuttle/tests/test_methods_pf.py b/sshuttle/tests/test_methods_pf.py
index 3d87ae8..61d719e 100644
--- a/sshuttle/tests/test_methods_pf.py
+++ b/sshuttle/tests/test_methods_pf.py
@@ -192,6 +192,7 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
call(mock_pf_get_dev(), 0xCC20441A, ANY),
]
assert mock_pfctl.mock_calls == [
+ call('-f /dev/stdin', 'pass on lo\n'),
call('-s all'),
call('-a sshuttle -f /dev/stdin',
b'table <forward_subnets> {!1.2.3.66/32,1.2.3.0/24}\n'
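Review bot: The added expectation `call('-f /dev/stdin', 'pass on lo\n')` uses a str payload, while pf.py passes `b'pass on lo\n'` and the neighbouring anchor-rules expectation already uses a bytes literal. On Python 3 a str and a bytes object never compare equal, so this assertion would fail there even though it passes on Python 2. Make it `call('-f /dev/stdin', b'pass on lo\n'),`. The asserted call list continues past the end of the hunk.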