From c02b93e719a5c33df85d35e6ac6559c377fa0eb4 Mon Sep 17 00:00:00 2001 From: Scott Kuhl Date: Thu, 22 Oct 2020 20:17:03 -0400 Subject: [PATCH] nft IPv6 documentation (and other minor doc updates) Update docs to indicate that IPv6 is supported with the nft method. - Adds nft into the requirements.rst file. - Update description of what happens when a hostname is used in a subnet. - Add ipfw to list of methods. - Indicate that --auto-nets does not work with IPv6. Previously this was only mentioned in tproxy.rst - Clarify that we try to use "python3" on the server before trying "python". --- docs/manpage.rst | 33 +++++++++++++++++++++------------ docs/requirements.rst | 12 ++++++++++++ 2 files changed, 33 insertions(+), 12 deletions(-) diff --git a/docs/manpage.rst b/docs/manpage.rst index ecc32cd..9c59c17 100644 --- a/docs/manpage.rst +++ b/docs/manpage.rst 
@@ -37,14 +37,18 @@ Options netmask), and 0/0 ('just route everything through the VPN'). Any of the previous examples are also valid if you append a port or a port range, so 1.2.3.4:8000 will only tunnel traffic - that has as the destination port 8000 of 1.2.3.4 and + that has as the destination port 8000 of 1.2.3.4 and 1.2.3.0/24:8000-9000 will tunnel traffic going to any port between 8000 and 9000 (inclusive) for all IPs in the 1.2.3.0/24 subnet. - It is also possible to use a name in which case the first IP it resolves - to during startup will be routed over the VPN. Valid examples are - example.com, example.com:8000 and example.com:8000-9000. + A hostname can be provided instead of an IP address. If the + hostname resolves to multiple IPs, all of the IPs are included. + If a width is provided with a hostname that the width is applied + to all of the hostnames IPs (if they are all either IPv4 or IPv6). + Widths cannot be supplied to hostnames that resolve to both IPv4 + and IPv6. Valid examples are example.com, example.com:8000, + example.com/24, example.com/24:8000 and example.com:8000-9000. -.. option:: --method +.. option:: --method Which firewall method should sshuttle use? For auto, sshuttle attempts to guess the appropriate method depending on what it can find in PATH. The @@ -64,9 +68,9 @@ Options You can use any name resolving to an IP address of the machine running :program:`sshuttle`, e.g. ``--listen localhost``. - For the tproxy and pf methods this can be an IPv6 address. Use this option - with comma separated values if required, to provide both IPv4 and IPv6 - addresses, e.g. ``--listen 127.0.0.1:0,[::1]:0``. + For the nft, tproxy and pf methods this can be an IPv6 address. Use + this option with comma separated values if required, to provide both + IPv4 and IPv6 addresses, e.g. ``--listen 127.0.0.1:0,[::1]:0``. .. option:: -H, --auto-hosts 
@@ -92,6 +96,10 @@ Options are taken automatically from the server's routing table. + This feature does not detect IPv6 routes. Specify IPv6 subnets + manually. For example, specify the ``::/0`` subnet on the command + line to route all IPv6 traffic. + .. option:: --dns Capture local DNS requests and forward to the remote DNS @@ -122,9 +130,9 @@ Options .. option:: --python - Specify the name/path of the remote python interpreter. - The default is just ``python``, which means to use the - default python interpreter on the remote system's PATH. + Specify the name/path of the remote python interpreter. The + default is to use ``python3`` (or ``python``, if ``python3`` + fails) in the remote system's PATH. .. option:: -r <[username@]sshserver[:port]>, --remote=<[username@]sshserver[:port]> @@ -221,7 +229,8 @@ Options .. option:: --disable-ipv6 - If using tproxy or pf methods, this will disable IPv6 support. + Disable IPv6 support for methods that support it (nft, tproxy, and + pf). .. option:: --firewall diff --git a/docs/requirements.rst b/docs/requirements.rst index 27072b4..335b3c4 100644 --- a/docs/requirements.rst +++ b/docs/requirements.rst @@ -20,6 +20,18 @@ Requires: * iptables DNAT, REDIRECT, and ttl modules. +Linux with nft method +~~~~~~~~~~~~~~~~~~~~~ +Supports + +* IPv4 TCP +* IPv4 DNS +* IPv6 TCP +* IPv6 DNS + +Requires: + +* nftables Linux with TPROXY method ~~~~~~~~~~~~~~~~~~~~~~~~
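Review bot: the new hostname paragraph in the `@@ -37,14 +37,18 @@` hunk of docs/manpage.rst has a typo that changes the sense: "If a width is provided with a hostname that the width is applied to all of the hostnames IPs" should read "If a width is provided with a hostname then the width is applied to all of the hostname's IPs". The same hunk also touches `.. option:: --method` with what looks like a whitespace-only change; if it is trailing whitespace, fine, but worth confirming it is not an accidental edit.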
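Review bot: in the docs/requirements.rst hunk, the added `* nftables` line is followed directly by the context line `Linux with TPROXY method` with no blank line in between, unlike the preceding iptables section, which keeps a blank line before the next `~~~` title. reStructuredText needs that blank line to close the bullet list before the section title; suggest adding an empty `+` line after `+* nftables`. For consistency with the `Requires:` label that follows it, the new `Supports` label could also carry a colon.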
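Review bot: the `@@ -221,7 +229,8 @@` hunk rewrites `--disable-ipv6` to list nft, tproxy and pf as the methods with IPv6 support, and the `@@ -64,9 +68,9 @@` hunk adds nft to the `--listen` IPv6 note, but the `--auto-nets` text added in `@@ -92,6 +96,10 @@` says only that IPv6 routes are not detected; consider stating there too that this applies regardless of method, so readers of the nft section do not assume nft changes that behaviour.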