author | Scott Kuhl <kuhl@mtu.edu> | 2020-10-22 20:17:03 -0400 |
---|---|---|
committer | Scott Kuhl <kuhl@mtu.edu> | 2020-10-22 20:17:09 -0400 |
commit | c02b93e719a5c33df85d35e6ac6559c377fa0eb4 (patch) | |
tree | b1c5bc3ee6c30efdc1d3cda843002d16654fffbe /docs | |
parent | 6d86e44fb4b67f4d4c2b4453e44c97c11a754c33 (diff) |
nft IPv6 documentation (and other minor doc updates)

Update docs to indicate that IPv6 is supported with the nft method.

- Adds nft into the requirements.rst file.
- Update description of what happens when a hostname is used in a
  subnet.
- Add ipfw to list of methods.
- Indicate that --auto-nets does not work with IPv6. Previously this
  was only mentioned in tproxy.rst.
- Clarify that we try to use "python3" on the server before trying
  "python".
Diffstat (limited to 'docs')
-rw-r--r-- | docs/manpage.rst | 33 | ||||
-rw-r--r-- | docs/requirements.rst | 12 |
2 files changed, 33 insertions, 12 deletions
diff --git a/docs/manpage.rst b/docs/manpage.rst index ecc32cd..9c59c17 100644 --- a/docs/manpage.rst +++ b/docs/manpage.rst @@ -37,14 +37,18 @@ Options netmask), and 0/0 ('just route everything through the VPN'). Any of the previous examples are also valid if you append a port or a port range, so 1.2.3.4:8000 will only tunnel traffic - that has as the destination port 8000 of 1.2.3.4 and + that has as the destination port 8000 of 1.2.3.4 and 1.2.3.0/24:8000-9000 will tunnel traffic going to any port between 8000 and 9000 (inclusive) for all IPs in the 1.2.3.0/24 subnet. - It is also possible to use a name in which case the first IP it resolves - to during startup will be routed over the VPN. Valid examples are - example.com, example.com:8000 and example.com:8000-9000. + A hostname can be provided instead of an IP address. If the + hostname resolves to multiple IPs, all of the IPs are included. + If a width is provided with a hostname that the width is applied + to all of the hostnames IPs (if they are all either IPv4 or IPv6). + Widths cannot be supplied to hostnames that resolve to both IPv4 + and IPv6. Valid examples are example.com, example.com:8000, + example.com/24, example.com/24:8000 and example.com:8000-9000. -.. option:: --method <auto|nat|nft|tproxy|pf> +.. option:: --method <auto|nat|nft|tproxy|pf|ipfw> Which firewall method should sshuttle use? For auto, sshuttle attempts to guess the appropriate method depending on what it can find in PATH. The 
@@ -64,9 +68,9 @@ Options You can use any name resolving to an IP address of the machine running :program:`sshuttle`, e.g. ``--listen localhost``. - For the tproxy and pf methods this can be an IPv6 address. Use this option - with comma separated values if required, to provide both IPv4 and IPv6 - addresses, e.g. ``--listen 127.0.0.1:0,[::1]:0``. + For the nft, tproxy and pf methods this can be an IPv6 address. Use + this option with comma separated values if required, to provide both + IPv4 and IPv6 addresses, e.g. ``--listen 127.0.0.1:0,[::1]:0``. .. option:: -H, --auto-hosts @@ -92,6 +96,10 @@ Options are taken automatically from the server's routing table. + This feature does not detect IPv6 routes. Specify IPv6 subnets + manually. For example, specify the ``::/0`` subnet on the command + line to route all IPv6 traffic. + .. option:: --dns Capture local DNS requests and forward to the remote DNS @@ -122,9 +130,9 @@ Options .. option:: --python - Specify the name/path of the remote python interpreter. - The default is just ``python``, which means to use the - default python interpreter on the remote system's PATH. + Specify the name/path of the remote python interpreter. The + default is to use ``python3`` (or ``python``, if ``python3`` + fails) in the remote system's PATH. .. option:: -r <[username@]sshserver[:port]>, --remote=<[username@]sshserver[:port]> @@ -221,7 +229,8 @@ Options .. option:: --disable-ipv6 - If using tproxy or pf methods, this will disable IPv6 support. + Disable IPv6 support for methods that support it (nft, tproxy, and + pf). .. option:: --firewall diff --git a/docs/requirements.rst b/docs/requirements.rst index 27072b4..335b3c4 100644 --- a/docs/requirements.rst +++ b/docs/requirements.rst 
@@ -20,6 +20,18 @@ Requires: * iptables DNAT, REDIRECT, and ttl modules. +Linux with nft method +~~~~~~~~~~~~~~~~~~~~~ +Supports + +* IPv4 TCP +* IPv4 DNS +* IPv6 TCP +* IPv6 DNS + +Requires: + +* nftables Linux with TPROXY method ~~~~~~~~~~~~~~~~~~~~~~~~ |
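Review bot: In docs/manpage.rst, the new hostname paragraph in the first hunk has two typos in "If a width is provided with a hostname that the width is applied to all of the hostnames IPs": "that" should be "then" and "hostnames" should be "hostname's". The text it replaces said the name is resolved "during startup", and the new wording no longer says when resolution happens. Please keep that detail so readers can tell whether the set of routed IPs is fixed when sshuttle starts. The first -/+ pair in the same hunk ("that has as the destination port 8000 of 1.2.3.4 and") appears to differ only in whitespace; if that is intentional cleanup, fine, otherwise drop it from the patch.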
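Review bot: In the --auto-nets hunk of docs/manpage.rst, the added lines say the feature "does not detect IPv6 routes" but do not say what happens to IPv6 traffic when a user relies on --auto-nets alone. Someone expecting the server's whole routing table to be covered would benefit from one explicit sentence stating that IPv6 destinations are not tunneled unless an IPv6 subnet such as ``::/0`` is given on the command line.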
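Review bot: In the --python hunk of docs/manpage.rst, "(or ``python``, if ``python3`` fails)" leaves "fails" undefined. Please say which condition triggers the fallback, for example that ``python3`` is not found in the remote PATH versus that it starts and exits with an error, so that an administrator can predict which interpreter will run on the server.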
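Review bot: In the new "Linux with nft method" section of docs/requirements.rst, the added "Supports" line has no trailing colon while the "Requires:" line below it does. Please make the two labels consistent and match whichever form the neighbouring method sections in this file use. Also confirm that a blank line separates "* nftables" from the following "Linux with TPROXY method" title so the list item and the section title render separately.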