authorAvery Pennarun <apenwarr@gmail.com>2012-01-08 19:13:39 -0500
committerAvery Pennarun <apenwarr@gmail.com>2012-01-08 19:13:39 -0500
commite737f4b944c590581f67953cb5f051cebbbbdb8e (patch)
tree0a068124362aa937768f1d068bcd43e5cbb2c0b8
parentd9f761a8a31c211687b2860b4a223b13fa44b398 (diff)
firewall.py: add comments about sysctl problems.sshuttle-0.60
-rw-r--r--firewall.py10
1 files changed, 10 insertions, 0 deletions
diff --git a/firewall.py b/firewall.py
index de85bd0..452715e 100644
--- a/firewall.py
+++ b/firewall.py
@@ -270,6 +270,12 @@ def do_ipfw(port, dnsport, subnets):
if subnets or dnsport:
sysctl_set('net.inet.ip.fw.enable', 1)
+
+ # This seems to be needed on MacOS 10.6 and 10.7. For more
+ # information, see:
+ # http://groups.google.com/group/sshuttle/browse_thread/thread/bc32562e17987b25/6d3aa2bb30a1edab
+ # and
+ # http://serverfault.com/questions/138622/transparent-proxying-leaves-sockets-with-syn-rcvd-in-macos-x-10-6-snow-leopard
changeflag = sysctl_set('net.inet.ip.scopedroute', 0, permanent=True)
if changeflag == SUCCESS:
log("\n"
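Review bot: The new comment explains why `net.inet.ip.scopedroute` is disabled but not that the change is host-wide and persistent: the following `sysctl_set(..., permanent=True)` and the "permanent; you only have to do this once" message make it outlive the sshuttle session, and nothing in this hunk reverts it at teardown. Because this switches off a kernel routing feature for every process on the machine, the comment should say so explicitly, e.g. `# NOTE: this is a system-wide, persistent change; it is not undone when sshuttle exits.` Both references are plain http:// links and are the only record of the reasoning, so a one-line summary of the symptom (connections left in SYN_RCVD, per the serverfault title) would keep the comment useful if they go dead. do_ipfw starts before this hunk and continues after it.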
@@ -283,6 +289,10 @@ def do_ipfw(port, dnsport, subnets):
"permanent; you only have to do this once.\n\n")
sys.exit(1)
elif changeflag == FAILED:
+ # On MacOS 10.7, the scopedroute sysctl became read-only, so
+ # we have to fix it using a kernel boot parameter instead,
+ # which requires rebooting. For more, see:
+ # http://groups.google.com/group/sshuttle/browse_thread/thread/a42505ca33e1de80/e5e8f3e5a92d25f7
log('Updating kernel boot flags.\n')
defaults_write_kernel_flag('net.inet.ip.scopedroute', 0)
log("\n"
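Review bot: The comment says the sysctl became read-only on 10.7, but the FAILED branch then calls `defaults_write_kernel_flag('net.inet.ip.scopedroute', 0)` without anything visible here checking whether that write succeeded; if the helper can fail (defaults(1) absent, boot-args plist unwritable), the user-facing log that follows would presumably still tell the user to reboot. The comment should also state what is being touched, since editing persistent kernel boot arguments is a more invasive step than a sysctl, e.g. `# This edits the persistent kernel boot-args (presumably root-only, survives reboots) and is not reverted by sshuttle.` If the helper returns a status, I would check it before logging success. The body of the log message and the rest of do_ipfw lie outside this hunk.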