From e737f4b944c590581f67953cb5f051cebbbbdb8e Mon Sep 17 00:00:00 2001
From: Avery Pennarun
Date: Sun, 8 Jan 2012 19:13:39 -0500
Subject: firewall.py: add comments about sysctl problems.

---
 firewall.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/firewall.py b/firewall.py
index de85bd0..452715e 100644
--- a/firewall.py
+++ b/firewall.py
@@ -270,6 +270,12 @@ def do_ipfw(port, dnsport, subnets):
 if subnets or dnsport:
 sysctl_set('net.inet.ip.fw.enable', 1)
+
+ # This seems to be needed on MacOS 10.6 and 10.7. For more
+ # information, see:
+ # http://groups.google.com/group/sshuttle/browse_thread/thread/bc32562e17987b25/6d3aa2bb30a1edab
+ # and
+ # http://serverfault.com/questions/138622/transparent-proxying-leaves-sockets-with-syn-rcvd-in-macos-x-10-6-snow-leopard
 changeflag = sysctl_set('net.inet.ip.scopedroute', 0, permanent=True)
 if changeflag == SUCCESS:
 log("\n"
@@ -283,6 +289,10 @@ def do_ipfw(port, dnsport, subnets):
 "permanent; you only have to do this once.\n\n")
 sys.exit(1)
 elif changeflag == FAILED:
+ # On MacOS 10.7, the scopedroute sysctl became read-only, so
+ # we have to fix it using a kernel boot parameter instead,
+ # which requires rebooting. For more, see:
+ # http://groups.google.com/group/sshuttle/browse_thread/thread/a42505ca33e1de80/e5e8f3e5a92d25f7
 log('Updating kernel boot flags.\n')
 defaults_write_kernel_flag('net.inet.ip.scopedroute', 0)
 log("\n"
-- 
cgit v1.2.3
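Review bot: The new comment in the first hunk says the sysctl "seems to be needed" but never states the symptom it prevents, so a reader who cannot reach the two linked threads has no way to judge whether the setting still matters on their system; judging from the serverfault URL's slug, the failure mode is transparently proxied connections left in SYN_RCVD, which is worth naming inline, e.g. `# Without net.inet.ip.scopedroute=0, transparently proxied connections on MacOS 10.6/10.7 appear to get stuck in SYN_RCVD (see threads below).` The comment in the second hunk has the same shape, so both should carry a one-line summary and keep the links only as supporting references, since forum URLs tend to stop resolving. Because the call is made with permanent=True, and the FAILED branch falls back to writing a kernel boot flag, the comment should also make clear that this is a persistent, system-wide routing change rather than something confined to sshuttle's own session, e.g. `# NOTE: persistent system-wide change, not limited to sshuttle; survives sshuttle exit.` do_ipfw's body begins before the first hunk and continues past the second.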