Fix: mismatch variable type (cluster_port).
[l2tpns.git] / Docs / manual / manual.xml
1 <?xml version="1.0"?>
2 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3 "http://docbook.org/xml/4.4/docbookx.dtd">
4
5 <article>
6 <articleinfo>
7 <title>L2TPNS Manual</title>
8 </articleinfo>
9
10 <sect1 id="overview">
11 <title>Overview</title>
12 <para>
13 <command>l2tpns</command> is half of a complete L2TP
14 implementation. It supports only the LNS side of the
15 connection.
16 </para>
17
18 <para>
19 L2TP (Layer 2 Tunneling Protocol) is designed to allow any layer
20 2 protocol (e.g. Ethernet, PPP) to be tunneled over an IP
21 connection. <command>l2tpns</command> implements PPP over L2TP
22 only.
23 </para>
24
25 <para>
26 There are a couple of other L2TP implementations, of which
27 <ulink url="http://sourceforge.net/projects/l2tpd">l2tpd</ulink>
28 is probably the most popular. l2tpd also will handle being
29 either end of a tunnel, and is a lot more configurable than
30 <command>l2tpns</command>. However, due to the way it works, it
31 is nowhere near as scalable.
32 </para>
33
34 <para>
35 <command>l2tpns</command> uses the TUN/TAP interface provided by
36 the Linux kernel to receive and send packets. Using some packet
37 manipulation it doesn't require a single interface per
38 connection, as l2tpd does.
39 </para>
40
41 <para>
42 This allows it to scale extremely well to very high loads and
43 very high numbers of connections.
44 </para>
45
46 <para>
47 It also has a plugin architecture which allows custom code to be
48 run during processing. An example of this is in the walled
49 garden module included.
50 </para>
51 </sect1>
52
53 <sect1 id="installation">
54 <title>Installation</title>
55 <sect2 id="installation-requirements">
56 <title>Requirements</title>
57 <itemizedlist>
58 <listitem>
59 <para>
60 Linux kernel version 2.4 or above, with the Tun/Tap
61 interface either compiled in, or as a module.
62 </para>
63 </listitem>
64
65 <listitem>
66 <para>
67 libcli 1.8.5 or greater. You can get this from
68 <ulink url="http://sourceforge.net/projects/libcli">
69 SourceForge</ulink>
70 </para>
71 </listitem>
72 </itemizedlist>
73 </sect2>
74
75 <sect2 id="installation-compile">
76 <title>Compiling</title>
77 <para>
78 You can generally get away with just running
79 <command>make</command> from the source directory. This will
80 compile the daemon, associated tools and any modules shipped
81 with the distribution.
82 </para>
83 </sect2>
84
85 <sect2 id="installation-install">
86 <title>Installing</title>
87 <para>
88 After you have successfully compiled everything, run
89 <userinput>make install</userinput> to install it. By
90 default, the binaries are installed into
91 <filename>/usr/sbin</filename>, the configuration into
92 <filename>/etc/l2tpns</filename>, and the modules into
93 <filename>/usr/lib/l2tpns</filename>.
94 </para>
95
96 <para>
97 You will definately need to edit the configuration files
98 before you start. See <xref linkend="configuration"/> for
99 more information.
100 </para>
101 </sect2>
102
103 <sect2 id="installation-run">
104 <title>Running</title>
105 <para>
106 You only need to run <filename>/usr/sbin/l2tpns</filename> as
107 root to start it. It does not normally detach to a daemon
108 process (see the <option>-d</option> option), so you should
109 perhaps run it from <command>init</command>.
110 </para>
111
112 <para>
113 By default there is no log destination set, so all log
114 messages will go to stdout.
115 </para>
116 </sect2>
117 </sect1>
118
119 <sect1 id="configuration">
120 <title>Configuration</title>
121 <para>
122 All configuration of the software is done from the files
123 installed into <filename>/etc/l2tpns</filename>.
124 </para>
125
126 <sect2 id="config-startup">
127 <title><filename>startup-config</filename></title>
128 <para>
129 This is the main configuration file for
130 <command>l2tpns</command>. The format of the file is a list
131 of commands that can be run through the command-line
132 interface. This file can also be written directly by the
133 <command>l2tpns</command> process if a user runs the
134 <userinput>write memory</userinput> command, so any comments
135 will be lost. However if your policy is not to write the
136 config by the program, then feel free to comment the file with
137 a <literal>#</literal> or <literal>!</literal> at the
138 beginning of the line.
139 </para>
140
141 <para>
142 A list of the possible configuration directives follows. Each
143 of these should be set by a line like:
144 <synopsis>
145 set configstring "value"
146 set ipaddress 192.168.1.1
147 set boolean true
148 </synopsis>
149 </para>
150
151 <variablelist>
152 <varlistentry>
153 <term><literal>debug</literal> (int)</term>
154 <listitem>
155 <para>
156 Sets the level of messages that will be written to the
157 log file. The value should be between 0 and 5, with 0
158 being no debugging, and 5 being the highest. A rough
159 description of the levels is:
160
161 <variablelist>
162 <varlistentry>
163 <term><constant>0</constant>: Critical Errors</term>
164 <listitem>
165 <para>Things are probably broken</para>
166 </listitem>
167 </varlistentry>
168
169 <varlistentry>
170 <term><constant>1</constant>: Errors</term>
171 <listitem>
172 <para>
173 Things might have gone wrong, but probably will
174 recover
175 </para>
176 </listitem>
177 </varlistentry>
178
179 <varlistentry>
180 <term><constant>2</constant>: Warnings</term>
181 <listitem>
182 <para>
183 Just in case you care what is not quite perfect
184 </para>
185 </listitem>
186 </varlistentry>
187
188 <varlistentry>
189 <term><constant>3</constant>: Information</term>
190 <listitem>
191 <para>Parameters of control packets</para>
192 </listitem>
193 </varlistentry>
194
195 <varlistentry>
196 <term><constant>4</constant>: Calls</term>
197 <listitem>
198 <para>For tracing the execution of the code</para>
199 </listitem>
200 </varlistentry>
201
202 <varlistentry>
203 <term><constant>5</constant>: Packets</term>
204 <listitem>
205 <para>
206 Everything, including a hex dump of all packets
207 processed... probably twice
208 </para>
209 </listitem>
210 </varlistentry>
211 </variablelist>
212 </para>
213
214 <para>
215 Note that the higher you set the debugging level, the
216 slower the program will run. Also, at level 5 a
217 <emphasis>lot</emphasis> of information will be logged.
218 This should only ever be used for working out why it
219 doesn't work at all.
220 </para>
221 </listitem>
222 </varlistentry>
223
224 <varlistentry>
225 <term><literal>log_file</literal> (string)</term>
226 <listitem>
227 <para>
228 This will be where all logging and debugging information
229 is written to. This may be either a filename, such as
230 <filename>/var/log/l2tpns</filename>, or the special
231 magic string
232 <literal>syslog:</literal><replaceable>facility</replaceable>,
233 where <replaceable>facility</replaceable> is any one of
234 the syslog logging facilities, such as
235 <literal>local5</literal>.
236 </para>
237 </listitem>
238 </varlistentry>
239
240 <varlistentry>
241 <term><literal>pid_file</literal> (string)</term>
242 <listitem>
243 <para>
244 If set, the process id will be written to the specified
245 file. The value must be an absolute path.
246 </para>
247 </listitem>
248 </varlistentry>
249
250 <varlistentry>
251 <term><literal>random_device</literal> (string)</term>
252 <listitem>
253 <para>
254 Path to random data source (default
255 <filename>/dev/urandom</filename>). Use "" to use the
256 rand() library function.
257 </para>
258 </listitem>
259 </varlistentry>
260
261 <varlistentry>
262 <term><literal>l2tp_secret</literal> (string)</term>
263 <listitem>
264 <para>
265 The secret used by <command>l2tpns</command> for
266 authenticating tunnel request. Must be the same as the
267 LAC, or authentication will fail. Only actually be used
268 if the LAC requests authentication.
269 </para>
270 </listitem>
271 </varlistentry>
272
273 <varlistentry>
274 <term><literal>l2tp_mtu</literal> (int)</term>
275 <listitem>
276 <para>
277 MTU of interface for L2TP traffic (default:
278 <literal>1500</literal>). Used to set link MRU and
279 adjust TCP MSS.
280 </para>
281 </listitem>
282 </varlistentry>
283
284 <varlistentry>
285 <term><literal>ppp_restart_time</literal> (int)</term>
286 <term><literal>ppp_max_configure</literal> (int)</term>
287 <term><literal>ppp_max_failure</literal> (int)</term>
288 <listitem>
289 <para>
290 PPP counter and timer values, as described in &sect;4.1
291 of <ulink url="ftp://ftp.rfc-editor.org/in-notes/rfc1661.txt">
292 RFC1661</ulink>.
293 </para>
294 </listitem>
295 </varlistentry>
296
297 <varlistentry>
298 <term><literal>primary_dns</literal> (ip address)</term>
299 <term><literal>econdary_dns</literal> (ip address)</term>
300 <listitem>
301 <para>
302 Whenever a PPP connection is established, DNS servers
303 will be sent to the user, both a primary and a
304 secondary. If either is set to 0.0.0.0, then that one
305 will not be sent.
306 </para>
307 </listitem>
308 </varlistentry>
309
310 <varlistentry>
311 <term><literal>primary_radius</literal> (ip address)</term>
312 <term><literal>secondary_radius</literal> (ip address)</term>
313 <listitem>
314 <para>
315 Sets the RADIUS servers used for both authentication and
316 accounting. If the primary server does not respond,
317 then the secondary RADIUS server will be tried.
318
319 <note>
320 <para>
321 In addition to the source IP address and identifier,
322 the RADIUS server <emphasis>must</emphasis> include
323 the source port when detecting duplicates to supress
324 (in order to cope with a large number of sessions
325 comming on-line simultaneously
326 <command>l2tpns</command> uses a set of udp sockets,
327 each with a seperate identifier).
328 </para>
329 </note>
330 </para>
331 </listitem>
332 </varlistentry>
333
334 <varlistentry>
335 <term><literal>primary_radius_port</literal> (short)</term>
336 <term><literal>secondary_radius_port</literal> (short)</term>
337 <listitem>
338 <para>
339 Sets the authentication ports for the primary and
340 secondary RADIUS servers. The accounting port is one
341 more than the authentication port. If no RADIUS ports
342 are given, the authentication port defaults to 1645, and
343 the accounting port to 1646.
344 </para>
345 </listitem>
346 </varlistentry>
347
348 <varlistentry>
349 <term><literal>radius_accounting</literal> (boolean)</term>
350 <listitem>
351 <para>
352 If set to true, then RADIUS accounting packets will be
353 sent. This means that a Start record will be sent when
354 the session is successfully authenticated, and a Stop
355 record will be sent when the session is closed.
356 </para>
357 </listitem>
358 </varlistentry>
359
360 <varlistentry>
361 <term><literal>radius_interim</literal> (int)</term>
362 <listitem>
363 <para>
364 If <literal>radius_accounting</literal> is on, defines
365 the interval between sending of RADIUS interim
366 accounting records (in seconds).
367 </para>
368 </listitem>
369 </varlistentry>
370
371 <varlistentry>
372 <term><literal>radius_secret</literal> (string)</term>
373 <listitem>
374 <para>
375 This secret will be used in all RADIUS queries. If this
376 is not set then RADIUS queries will fail.
377 </para>
378 </listitem>
379 </varlistentry>
380
381 <varlistentry>
382 <term><literal>radius_authtypes</literal> (string)</term>
383 <listitem>
384 <para>
385 A comma separated list of supported RADIUS
386 authentication methods (<literal>pap</literal> or
387 <literal>chap</literal>), in order of preference
388 (default <literal>pap</literal>).
389 </para>
390 </listitem>
391 </varlistentry>
392
393 <varlistentry>
394 <term><literal>radius_bind_min</literal> (short)</term>
395 <term><literal>radius_bind_max</literal> (short)</term>
396 <listitem>
397 <para>
398 Define a port range in which to bind sockets used to
399 send and receive RADIUS packets. Must be at least
400 RADIUS_FDS (64) wide. Simplifies firewalling of RADIUS
401 ports (default: dynamically assigned).
402 </para>
403 </listitem>
404 </varlistentry>
405
406 <varlistentry>
407 <term><literal>radius_dae_port</literal> (short)</term>
408 <listitem>
409 <para>
410 Port for DAE RADIUS (Packet of Death/Disconnect, Change
411 of Authorization) requests (default:
412 <literal>3799</literal>).
413 </para>
414 </listitem>
415 </varlistentry>
416
417 <varlistentry>
418 <term><literal>allow_duplicate_users</literal> (boolean)</term>
419 <listitem>
420 <para>
421 Allow multiple logins with the same username. If false
422 (the default), any prior session with the same username
423 will be dropped when a new session is established.
424 </para>
425 </listitem>
426 </varlistentry>
427
428 <varlistentry>
429 <term><literal>guest_account</literal> (string)</term>
430 <listitem>
431 <para>
432 Allow multiple logins matching this specific username.
433 </para>
434 </listitem>
435 </varlistentry>
436
437 <varlistentry>
438 <term><literal>bind_address</literal> (ip address)</term>
439 <listitem>
440 <para>
441 When the tun interface is created, it is assigned the
442 address specified here. If no address is given, 1.1.1.1
443 is used. Packets containing user traffic should be
444 routed via this address if given, otherwise the primary
445 address of the machine.
446 </para>
447 </listitem>
448 </varlistentry>
449
450 <varlistentry>
451 <term><literal>peer_address</literal> (ip address)</term>
452 <listitem>
453 <para>Address to send to clients as the default gateway.</para>
454 </listitem>
455 </varlistentry>
456
457 <varlistentry>
458 <term><literal>send_garp</literal> (boolean)</term>
459 <listitem>
460 <para>
461 Determines whether or not to send a gratuitous ARP for
462 the bind_address when the server is ready to handle
463 traffic (default: <literal>true</literal>). This value
464 is ignored if BGP is configured.
465 </para>
466 </listitem>
467 </varlistentry>
468
469 <varlistentry>
470 <term><literal>throttle_speed</literal> (int)</term>
471 <listitem>
472 <para>
473 Sets the default speed (in kbits/s) which sessions will
474 be limited to. If this is set to 0, then throttling
475 will not be used at all. Note: You can set this by the
476 CLI, but changes will not affect currently connected
477 users.
478 </para>
479 </listitem>
480 </varlistentry>
481
482 <varlistentry>
483 <term><literal>throttle_buckets</literal> (int)</term>
484 <listitem>
485 <para>
486 Number of token buckets to allocate for throttling.
487 Each throttled session requires two buckets (in and
488 out).
489 </para>
490 </listitem>
491 </varlistentry>
492
493 <varlistentry>
494 <term><literal>accounting_dir</literal> (string)</term>
495 <listitem>
496 <para>
497 If set to a directory, then every 5 minutes the current
498 usage for every connected use will be dumped to a file
499 in this directory. Each file dumped begins with a
500 header, where each line is prefixed by <code>#</code>.
501 Following the header is a single line for every
502 connected user, fields separated by a space.
503 </para>
504
505 <para>
506 The fields are username, ip, qos, uptxoctets,
507 downrxoctets. The qos field is 1 if a standard user,
508 and 2 if the user is throttled.
509 </para>
510 </listitem>
511 </varlistentry>
512
513 <varlistentry>
514 <term><literal>dump_speed</literal> (boolean)</term>
515 <listitem>
516 <para>
517 If set to true, then the current bandwidth utilization
518 will be logged every second. Even if this is disabled,
519 you can see this information by running the
520 <userinput>uptime</userinput> command on the CLI.
521 </para>
522 </listitem>
523 </varlistentry>
524
525 <varlistentry>
526 <term><literal>multi_read_count</literal> (int)</term>
527 <listitem>
528 <para>
529 Number of packets to read off each of the UDP and TUN
530 fds when returned as readable by select (default: 10).
531 Avoids incurring the unnecessary system call overhead of
532 select on busy servers.
533 </para>
534 </listitem>
535 </varlistentry>
536
537 <varlistentry>
538 <term><literal>scheduler_fifo</literal> (boolean)</term>
539 <listitem>
540 <para>
541 Sets the scheduling policy for the
542 <command>l2tpns</command> process to
543 <constant>SCHED_FIFO</constant>. This causes the kernel
544 to immediately preempt any currently running
545 <constant>SCHED_OTHER</constant> (normal) process in
546 favour of <command>l2tpns</command> when it becomes
547 runnable. Ignored on uniprocessor systems.
548 </para>
549 </listitem>
550 </varlistentry>
551
552 <varlistentry>
553 <term><literal>lock_pages</literal> (boolean)</term>
554 <listitem>
555 <para>
556 Keep all pages mapped by the <command>l2tpns</command>
557 process in memory.
558 </para>
559 </listitem>
560 </varlistentry>
561
562 <varlistentry>
563 <term><literal>icmp_rate</literal> (int)</term>
564 <listitem>
565 <para>
566 Maximum number of host unreachable ICMP packets to send
567 per second.
568 </para>
569 </listitem>
570 </varlistentry>
571
572 <varlistentry>
573 <term><literal>packet_limit</literal> (int)</term>
574 <listitem>
575 <para>
576 Maximum number of packets of downstream traffic to be
577 handled each tenth of a second per session. If zero, no
578 limit is applied (default: 0). Intended as a DoS
579 prevention mechanism and not a general throttling
580 control (packets are dropped, not queued).
581 </para>
582 </listitem>
583 </varlistentry>
584
585 <varlistentry>
586 <term><literal>cluster_address</literal> (ip address)</term>
587 <listitem>
588 <para>
589 Multicast cluster address (default: 239.192.13.13).
590 See <xref linkend="clustering"/> for more information.
591 </para>
592 </listitem>
593 </varlistentry>
594
595 <varlistentry>
596 <term><literal>cluster_port</literal> (udp port)</term>
597 <listitem>
598 <para>
599 UDP cluster port (default: 32792).
600 See <xref linkend="clustering"/> for more information.
601 </para>
602 </listitem>
603 </varlistentry>
604
605 <varlistentry>
606 <term><literal>cluster_interface</literal> (string)</term>
607 <listitem>
608 <para>Interface for cluster packets (default: eth0)</para>
609 </listitem>
610 </varlistentry>
611
612 <varlistentry>
613 <term><literal>cluster_mcast_ttl</literal> (int)</term>
614 <listitem>
615 <para>TTL for multicast packets (default: 1).</para>
616 </listitem>
617 </varlistentry>
618
619 <varlistentry>
620 <term><literal>cluster_hb_interval</literal> (int)</term>
621 <listitem>
622 <para>
623 Interval in tenths of a second between cluster
624 heartbeat/pings.
625 </para>
626 </listitem>
627 </varlistentry>
628
629 <varlistentry>
630 <term><literal>cluster_hb_timeout</literal> (int)</term>
631 <listitem>
632 <para>
633 Cluster heartbeat timeout in tenths of a second. A new
634 master will be elected when this interval has been
635 passed without seeing a heartbeat from the master.
636 </para>
637 </listitem>
638 </varlistentry>
639
640 <varlistentry>
641 <term><literal>cluster_master_min_adv</literal> (int)</term>
642 <listitem>
643 <para>
644 Determines the minumum number of up to date slaves
645 required before the master will drop routes (default: 1).
646 </para>
647 </listitem>
648 </varlistentry>
649
650 <varlistentry>
651 <term><literal>ipv6_prefix</literal> (ipv6 address)</term>
652 <listitem>
653 <para>
654 Enable negotiation of IPv6. This forms the the first 64
655 bits of the client allocated address. The remaining 64
656 come from the allocated IPv4 address and 4 bytes of 0s.
657 </para>
658 </listitem>
659 </varlistentry>
660 </variablelist>
661
662 <sect3 id="config-startup-bgp">
663 <title>BGP</title>
664 <para>
665 BGP routing configuration is entered by the command:
666 <synopsis>router bgp <replaceable>as</replaceable></synopsis>
667 where <replaceable>as</replaceable> specifies the local AS
668 number.
669 </para>
670
671 <para>
672 Subsequent lines prefixed with
673 <synopsis>neighbour <replaceable>peer</replaceable></synopsis>
674 define the attributes of BGP neighhbours. Valid commands
675 are:
676 <synopsis>
677 neighbour <replaceable>peer</replaceable> remote-as <replaceable>as</replaceable>
678 neighbour <replaceable>peer</replaceable> timers <replaceable>keepalive hold</replaceable>
679 </synopsis>
680 </para>
681
682 <para>
683 Where <replaceable>peer</replaceable> specifies the BGP
684 neighbour as either a hostname or IP address,
685 <replaceable>as</replaceable> is the remote AS number and
686 <replaceable>keepalive</replaceable>,
687 <replaceable>hold</replaceable> are the timer values in
688 seconds.
689 </para>
690 </sect3>
691
692 <sect3 id="config-startup-acl">
693 <title>Access Lists</title>
694 <para>
695 Named access-lists are configured using one of the commands:
696 <synopsis>
697 ip access-list standard <replaceable>name</replaceable>
698 ip access-list extended <replaceable>name</replaceable>
699 </synopsis>
700 </para>
701
702 <para>
703 Subsequent lines prefixed with <literal>permit</literal> or
704 <literal>deny</literal> define the body of the access-list.
705 Standard access-list syntax:
706 </para>
707
708 <para role="hanging-indent">
709 {<literal>permit</literal>|<literal>deny</literal>}
710 {<replaceable>host</replaceable>|<replaceable>source
711 source-wildcard</replaceable>|<literal>any</literal>}
712 [{<replaceable>host</replaceable>|<replaceable>destination
713 destination-wildcard</replaceable>|<literal>any</literal>}]
714 </para>
715
716 <para>Extended access-lists:</para>
717 <para role="hanging-indent">
718 {<literal>permit</literal>|<literal>deny</literal>}
719 <literal>ip</literal>
720 {<replaceable>host</replaceable>|<replaceable>source
721 source-wildcard</replaceable>|<literal>any</literal>}
722 {<replaceable>host</replaceable>|<replaceable>destination
723 destination-wildcard</replaceable>|<literal>any</literal>}
724 [<literal>fragments</literal>]
725 </para>
726
727 <para role="hanging-indent">
728 {<literal>permit</literal>|<literal>deny</literal>}
729 <literal>udp</literal>
730 {<replaceable>host</replaceable>|<replaceable>source
731 source-wildcard</replaceable>|<literal>any</literal>}
732 [{<literal>eq</literal>|<literal>neq</literal>|<literal>gt</literal>|<literal>lt</literal>}
733 <replaceable>port</replaceable>|<literal>range</literal>
734 <replaceable>from</replaceable>
735 <replaceable>to</replaceable>]
736 {<replaceable>host</replaceable>|<replaceable>destination
737 destination-wildcard</replaceable>|<literal>any</literal>}
738 [{<literal>eq</literal>|<literal>neq</literal>|<literal>gt</literal>|<literal>lt</literal>}
739 <replaceable>port</replaceable>|<literal>range</literal>
740 <replaceable>from</replaceable>
741 <replaceable>to</replaceable>]
742 [<literal>fragments</literal>]
743 </para>
744
745 <para role="hanging-indent">
746 {<literal>permit</literal>|<literal>deny</literal>}
747 <literal>tcp</literal>
748 {<replaceable>host</replaceable>|<replaceable>source
749 source-wildcard</replaceable>|<literal>any</literal>}
750 [{<literal>eq</literal>|<literal>neq</literal>|<literal>gt</literal>|<literal>lt</literal>}
751 <replaceable>port</replaceable>|<literal>range</literal>
752 <replaceable>from</replaceable>
753 <replaceable>to</replaceable>]
754 {<replaceable>host</replaceable>|<replaceable>destination
755 destination-wildcard</replaceable>|<literal>any</literal>}
756 [{<literal>eq</literal>|<literal>neq</literal>|<literal>gt</literal>|<literal>lt</literal>}
757 <replaceable>port</replaceable>|<literal>range</literal>
758 <replaceable>from</replaceable>
759 <replaceable>to</replaceable>]
760 [{<literal>established</literal>|{<literal>match-any</literal>|<literal>match-all</literal>}
761 {<literal>+</literal>|<literal>-</literal>}{<literal>fin</literal>|<literal>syn</literal>|<literal>rst</literal>|<literal>psh</literal>|<literal>ack</literal>|<literal>urg</literal>}
762 ...|<literal>fragments</literal>]
763 </para>
764 </sect3>
765 </sect2>
766
767 <sect2 id="config-users">
768 <title><filename>users</filename></title>
769 <para>
770 Usernames and passwords for the command-line interface are
771 stored in this file. The format is
772 <synopsis>
773 <replaceable>username</replaceable>:<replaceable>password</replaceable>
774 </synopsis>
775 where <replaceable>password</replaceable> may either by plain
776 text, an MD5 digest (prefixed by
777 <literal>$1</literal><replaceable>salt</replaceable><literal>$</literal>)
778 or a DES password, distinguished from plain text by the prefix
779 <literal>{crypt}</literal>.
780 </para>
781
782 <para>
783 The username <literal>enable</literal> has a special meaning
784 and is used to set the enable password.
785 </para>
786
787 <important>
788 <para>
789 If this file doesn't exist, then anyone who can get to port
790 23 will be allowed access without a username or password.
791 </para>
792 </important>
793 </sect2>
794
795 <sect2 id="config-ip-pool">
796 <title><filename>ip_pool</filename></title>
797 <para>
798 This file is used to configure the IP address pool which user
799 addresses are assigned from. This file should contain either
800 an IP address or a CIDR network per line. e.g.:
801
802 <programlisting>
803 192.168.1.1
804 192.168.1.2
805 192.168.1.3
806 192.168.4.0/24
807 172.16.0.0/16
808 10.0.0.0/8
809 </programlisting>
810 </para>
811
812 <para>
813 Keep in mind that <command>l2tpns</command> can only handle
814 65535 connections per process, so don't put more than 65535 IP
815 addresses in the configuration file. They will be
816 wasted.
817 </para>
818 </sect2>
819
820 <sect2 id="config-build-garden" xreflabel="build-garden">
821 <title><filename>build-garden</filename></title>
822 <para>
823 The garden plugin on startup creates a NAT table called
824 "garden" then sources the <filename>build-garden</filename>
825 script to populate that table. All packets from gardened
826 users will be sent through this table. Example:
827
828 <programlisting>
829 iptables -t nat -A garden -p tcp -m tcp --dport 25 -j DNAT --to 192.168.1.1
830 iptables -t nat -A garden -p udp -m udp --dport 53 -j DNAT --to 192.168.1.1
831 iptables -t nat -A garden -p tcp -m tcp --dport 53 -j DNAT --to 192.168.1.1
832 iptables -t nat -A garden -p tcp -m tcp --dport 80 -j DNAT --to 192.168.1.1
833 iptables -t nat -A garden -p tcp -m tcp --dport 110 -j DNAT --to 192.168.1.1
834 iptables -t nat -A garden -p tcp -m tcp --dport 443 -j DNAT --to 192.168.1.1
835 iptables -t nat -A garden -p icmp -m icmp --icmp-type echo-request -j DNAT --to 192.168.1.1
836 iptables -t nat -A garden -p icmp -j ACCEPT
837 iptables -t nat -A garden -j DROP
838 </programlisting>
839 </para>
840 </sect2>
841 </sect1>
842
843 <sect1 id="operation">
844 <title>Operation</title>
845 <para>
846 A running l2tpns process can be controlled in a number of ways.
847 The primary method of control is by the Command-Line Interface
848 (CLI).
849 </para>
850
851 <para>
852 You can also remotely send commands to modules via the
853 <command>nsctl</command> client provided.
854 </para>
855
856 <para>
857 There are also a number of signals that l2tpns understands and
858 takes action when it receives them.
859 </para>
860
861 <sect2 id="operation-cli">
862 <title>Command-Line Interface</title>
863 <para>
864 You can access the command line interface by telneting to port
865 23. There is no IP address restriction, so it's a good idea
866 to firewall this port off from anyone who doesn't need access
867 to it. See <xref linkend="config-users"/> for information on
868 restricting access based on a username and password.
869 </para>
870
871 <para>
872 The CLI gives you real-time control over almost everything in
873 the process. The interface is designed to look like a Cisco
874 device, and supports things like command history, line editing
875 and context sensitive help. This is provided by linking with
876 the <ulink url="http://sourceforge.net/projects/libcli">
877 libcli</ulink> library. Some general documentation of the
878 interface is <ulink
879 url="http://sourceforge.net/docman/display_doc.php?docid=20501&amp;group_id=79019">
880 here</ulink>.
881 </para>
882
883 <para>
884 After you have connected to the telnet port (and perhaps
885 logged in), you will be presented with a
886 <prompt><replaceable>hostname</replaceable>&gt;</prompt>
887 prompt.
888 </para>
889
890 <para>
891 Enter <userinput>help</userinput> to get a list of possible
892 commands, or press <userinput>?</userinput> for
893 context-specific help.
894 </para>
895
896 <para>
897 A brief overview of the more important commands
898 follows:
899
900 <variablelist>
901 <varlistentry id="operation-cli-show-session"
902 xreflabel="show session">
903 <term>
904 <userinput>show session [<replaceable>ID</replaceable>]
905 </userinput>
906 </term>
907
908 <listitem>
909 <para>
910 Detailed information for a specific session is
911 presented if you specify a session
912 <replaceable>ID</replaceable> argument.
913 </para>
914
915 <para>
916 If no <replaceable>ID</replaceable> is given, a
917 summary of all connected sessions is produced. Note
918 that this summary list can be around 185 columns wide,
919 so you should probably use a wide
920 terminal.
921 </para>
922
923 <para>
924 The columns listed in the summary are:
925
926 <informaltable>
927 <tgroup cols="3">
928 <colspec colname="col"/>
929 <colspec colname="desc"/>
930 <colspec colname="extra"/>
931 <tbody>
932 <row>
933 <entry><literal>SID</literal></entry>
934 <entry namest="desc" nameend="extra">Session ID</entry>
935 </row>
936 <row>
937 <entry><literal>TID</literal></entry>
938 <entry>Tunnel ID</entry>
939 <entry>
940 See also the <xref
941 linkend="operation-cli-show-tunnel"/> CLI
942 command.
943 </entry>
944 </row>
945 <row>
946 <entry><literal>Username</literal></entry>
947 <entry>
948 The username given in the PPP authentication.
949 </entry>
950 <entry>
951 If this is *, then LCP authentication has
952 not completed.
953 </entry>
954 </row>
955 <row>
956 <entry><literal>IP</literal></entry>
957 <entry>The IP address given to the session.</entry>
958 <entry>
959 If this is 0.0.0.0, IPCP negotiation has not
960 completed
961 </entry>
962 </row>
963 <row>
964 <entry><literal>I</literal></entry>
965 <entry>Intercept</entry>
966 <entry>
967 Y or N: indicates whether the session is
968 being snooped. See also the
969 <xref linkend="operation-cli-snoop"/>
970 CLI command.
971 </entry>
972 </row>
973 <row>
974 <entry><literal>T</literal></entry>
975 <entry>Throttled</entry>
976 <entry>
977 Y or N: indicates whether the session is
978 currently throttled. See also the
979 <xref linkend="operation-cli-throttle"/>
980 CLI command.
981 </entry>
982 </row>
983 <row>
984 <entry><literal>G</literal></entry>
985 <entry>Walled Garden</entry>
986 <entry>
987 Y or N: indicates whether the user is
988 trapped in the walled garden. This field is
989 present even if the garden module is not
990 loaded.
991 </entry>
992 </row>
993 <row>
994 <entry><literal>6</literal></entry>
995 <entry>IPv6</entry>
996 <entry>
997 Y or N: indicates whether the session has
998 IPv6 active (IPV6CP open)
999 </entry>
1000 </row>
1001 <row>
1002 <entry><literal>opened</literal></entry>
1003 <entry namest="desc" nameend="extra">
1004 The number of seconds since the
1005 session started
1006 </entry>
1007 </row>
1008 <row>
1009 <entry><literal>downloaded</literal></entry>
1010 <entry namest="desc" nameend="extra">
1011 Number of bytes downloaded by the user
1012 </entry>
1013 </row>
1014 <row>
1015 <entry><literal>uploaded</literal></entry>
1016 <entry namest="desc" nameend="extra">
1017 Number of bytes uploaded by the user
1018 </entry>
1019 </row>
1020 <row>
1021 <entry><literal>idle</literal></entry>
1022 <entry namest="desc" nameend="extra">
1023 The number of seconds since traffic was
1024 detected on the session
1025 </entry>
1026 </row>
1027 <row>
1028 <entry><literal>LAC</literal></entry>
1029 <entry namest="desc" nameend="extra">
1030 The IP address of the LAC the session is
1031 connected to.
1032 </entry>
1033 </row>
1034 <row>
1035 <entry><literal>CLI</literal></entry>
1036 <entry namest="desc" nameend="extra">
1037 The Calling-Line-Identification field
1038 provided during the session setup. This
1039 field is generated by the LAC.
1040 </entry>
1041 </row>
1042 </tbody>
1043 </tgroup>
1044 </informaltable>
1045 </para>
1046 </listitem>
1047 </varlistentry>
1048
1049 <varlistentry id="operation-cli-show-user" xreflabel="show user">
1050 <term>
1051 <userinput>show users</userinput>
1052 </term>
1053 <term>
1054 <userinput>show user <replaceable>username</replaceable>
1055 </userinput>
1056 </term>
1057
1058 <listitem>
1059 <para>
1060 With no arguments, display a list of currently
1061 connected users. If an argument is given, the session
1062 details for the given
1063 <replaceable>username</replaceable> are displayed.
1064 </para>
1065 </listitem>
1066 </varlistentry>
1067
1068 <varlistentry id="operation-cli-show-tunnel" xreflabel="show tunnel">
1069 <term>
1070 <userinput>show tunnel [<replaceable>ID</replaceable>]</userinput>
1071 </term>
1072
1073 <listitem>
1074 <para>
1075 Produce a summary list of all open tunnels, or detail
1076 on a specific tunnel <replaceable>ID</replaceable>.
1077 </para>
1078
1079 <para>
1080 The columns listed in the summary are:
1081
1082 <informaltable>
1083 <tgroup cols="2">
1084 <tbody>
1085 <row>
1086 <entry>TID</entry>
1087 <entry>Tunnel ID</entry>
1088 </row>
1089 <row>
1090 <entry>Hostname</entry>
1091 <entry>
1092 The hostname for the tunnel as provided by
1093 the LAC. This has no relation to DNS, it is
1094 just a text field.
1095 </entry>
1096 </row>
1097 <row>
1098 <entry>IP</entry>
1099 <entry>The IP address of the LAC</entry>
1100 </row>
1101 <row>
1102 <entry>State</entry>
1103 <entry>
1104 Tunnel state: Free, Open, Dieing, Opening
1105 </entry>
1106 </row>
1107 <row>
1108 <entry>Sessions</entry>
1109 <entry>The number of open sessions on the tunnel</entry>
1110 </row>
1111 </tbody>
1112 </tgroup>
1113 </informaltable>
1114 </para>
1115 </listitem>
1116 </varlistentry>
1117
1118 <varlistentry id="operation-cli-show-pool" xreflabel="show pool">
1119 <term><userinput>show pool</userinput></term>
1120 <listitem>
1121 <para>
1122 Displays the current IP address pool allocation. This
1123 will only display addresses that are in use, or are
1124 reserved for re-allocation to a disconnected user.
1125 </para>
1126
1127 <para>
1128 If an address is not currently in use, but has been
1129 used, then in the User column the username will be
1130 shown in square brackets, followed by the time since
1131 the address was used:
1132
1133 <screen>
1134 IP Address Used Session User
1135 192.168.100.6 N [joe.user] 1548s
1136 </screen>
1137 </para>
1138 </listitem>
1139 </varlistentry>
1140
1141 <varlistentry id="operation-cli-show-radius" xreflabel="show radius">
1142 <term><userinput>show radius</userinput></term>
1143 <listitem>
1144 <para>
1145 Show a summary of the in-use RADIUS sessions. This
1146 list should not be very long, as RADIUS sessions
1147 should be cleaned up as soon as they are used. The
1148 columns listed are:
1149
1150 <informaltable>
1151 <tgroup cols="2">
1152 <tbody>
1153 <row>
1154 <entry>Radius</entry>
1155 <entry>
1156 The ID of the RADIUS request. This is sent
1157 in the packet to the RADIUS server for
1158 identification
1159 </entry>
1160 </row>
1161 <row>
1162 <entry>State</entry>
1163 <entry>
1164 The state of the request: WAIT, CHAP, AUTH,
1165 IPCP, START, STOP or NULL
1166 </entry>
1167 </row>
1168 <row>
1169 <entry>Session</entry>
1170 <entry>
1171 The session ID that this RADIUS request is
1172 associated with
1173 </entry>
1174 </row>
1175 <row>
1176 <entry>Retry</entry>
1177 <entry>
1178 If a response does not appear to the
1179 request, it will retry at this time. This
1180 is a Unix timestamp
1181 </entry>
1182 </row>
1183 <row>
1184 <entry>Try</entry>
1185 <entry>
1186 Retry count. The RADIUS request is
1187 discarded after 3 retries
1188 </entry>
1189 </row>
1190 </tbody>
1191 </tgroup>
1192 </informaltable>
1193 </para>
1194 </listitem>
1195 </varlistentry>
1196
1197 <varlistentry id="operation-cli-show-run" xreflabel="show run">
1198 <term><userinput>show running-config</userinput></term>
1199 <listitem>
1200 <para>
1201 This will list the current running configuration.
1202 This is in a format that can either be pasted into the
1203 configuration file, or run directly at the command
1204 line.
1205 </para>
1206 </listitem>
1207 </varlistentry>
1208
1209 <varlistentry id="operation-cli-show-counters"
1210 xreflabel="show counters">
1211 <term><userinput>show counters</userinput></term>
1212 <listitem>
1213 <para>
1214 Internally, counters are kept of key values, such as
1215 bytes and packets transferred, as well as function
1216 call counters. This function displays all these
1217 counters, and is probably only useful for debugging.
1218 </para>
1219
1220 <para>
1221 You can reset these counters by running
1222 <userinput>clear counters</userinput>.
1223 </para>
1224 </listitem>
1225 </varlistentry>
1226
1227 <varlistentry id="operation-cli-show-cluster"
1228 xreflabel="show cluster">
1229 <term><userinput>show cluster</userinput></term>
1230 <listitem>
1231 <para>
1232 Show cluster status. Shows the cluster state for this
1233 server (Master/Slave), information about known peers
1234 and (for slaves) the master IP address, last packet
1235 seen and up-to-date status. See
1236 <xref linkend="clustering"/> for more information.
1237 </para>
1238 </listitem>
1239 </varlistentry>
1240
1241 <varlistentry id="operation-cli-write-mem" xreflabel="write memory">
1242 <term><userinput>write memory</userinput></term>
1243 <listitem>
1244 <para>
1245 This will write the current running configuration to
1246 the config file <filename>startup-config</filename>,
1247 which will be run on a restart.
1248 </para>
1249 </listitem>
1250 </varlistentry>
1251
1252 <varlistentry id="operation-cli-snoop" xreflabel="snoop">
1253 <term>
1254 <userinput>snoop <replaceable>user</replaceable>
1255 <replaceable>IP</replaceable>
1256 <replaceable>port</replaceable></userinput>
1257 </term>
1258 <listitem>
1259 <para>
1260 You must specify a username, IP address and port. All
1261 packets for the current session for that username will
1262 be forwarded to the given host/port. Specify
1263 <userinput>no snoop
1264 <replaceable>username</replaceable></userinput> to
1265 disable interception for the session.
1266 </para>
1267
1268 <para>
1269 If you want interception to be permanent, you will
1270 have to modify the RADIUS response for the user. See
1271 <xref linkend="interception"/>.
1272 </para>
1273 </listitem>
1274 </varlistentry>
1275
1276 <varlistentry id="operation-cli-throttle" xreflabel="throttle">
1277 <term>
1278 <userinput>throttle <replaceable>user</replaceable>
1279 [in|out] <replaceable>rate</replaceable></userinput>
1280 </term>
1281 <listitem>
1282 <para>
1283 You must specify a username, which will be throttled
1284 for the current session to
1285 <replaceable>rate</replaceable> Kbps. Prefix
1286 <replaceable>rate</replaceable> with
1287 <userinput>in</userinput> or
1288 <userinput>out</userinput> to set different upstream
1289 and downstream rates.
1290 </para>
1291
1292 <para>
1293 Specify <userinput>no throttle
1294 <replaceable>username</replaceable></userinput> to
1295 disable throttling for the current session.
1296 </para>
1297
1298 <para>
1299 If you want throttling to be permanent, you will have
1300 to modify the RADIUS response for the user. See <xref
1301 linkend="throttling"/>.
1302 </para>
1303 </listitem>
1304 </varlistentry>
1305
1306 <varlistentry id="operation-cli-drop-session"
1307 xreflabel="drop session">
1308 <term>
1309 <userinput>drop <replaceable>session</replaceable></userinput>
1310 </term>
1311 <listitem>
1312 <para>
1313 This will cleanly disconnect the session specified by
1314 <replaceable>session</replaceable> ID.
1315 </para>
1316 </listitem>
1317 </varlistentry>
1318
1319 <varlistentry id="operation-cli-drop-tunnel" xreflabel="drop tunnel">
1320 <term>
1321 <userinput>drop <replaceable>tunnel</replaceable></userinput>
1322 </term>
1323 <listitem>
1324 <para>
1325 This will cleanly disconnect the tunnel specified by
1326 <replaceable>tunnel</replaceable> ID, as well as all
1327 sessions on that tunnel.
1328 </para>
1329 </listitem>
1330 </varlistentry>
1331
1332 <varlistentry id="operation-cli-uptime" xreflabel="uptime">
1333 <term><userinput>uptime</userinput></term>
1334 <listitem>
1335 <para>
1336 This will show how long the <command>l2tpns</command>
1337 process has been running, and the current bandwidth
1338 utilization:
1339
1340 <screen>
1341 17:10:35 up 8 days, 2212 users, load average: 0.21, 0.17, 0.16
1342 Bandwidth: UDP-ETH:6/6 ETH-UDP:13/13 TOTAL:37.6 IN:3033 OUT:2569
1343 </screen>
1344
1345 The bandwidth line contains 4 sets of values:
1346
1347 <informaltable>
1348 <tgroup cols="2">
1349 <tbody>
1350 <row>
1351 <entry>UDP-ETH</entry>
1352 <entry>
1353 The current bandwidth going from the LAC to
1354 the ethernet (user uploads), in mbits/sec.
1355 </entry>
1356 </row>
1357 <row>
1358 <entry>ETH-UDP</entry>
1359 <entry>
1360 The current bandwidth going from ethernet to
1361 the LAC (user downloads).
1362 </entry>
1363 </row>
1364 <row>
1365 <entry>TOTAL</entry>
1366 <entry>The total aggregate bandwidth in mbits/s.</entry>
1367 </row>
1368 <row>
1369 <entry>IN and OUT</entry>
1370 <entry>
1371 Packets/per-second going between UDP-ETH and
1372 ETH-UDP.
1373 </entry>
1374 </row>
1375 </tbody>
1376 </tgroup>
1377 </informaltable>
1378
1379 These counters are updated every second.
1380 </para>
1381 </listitem>
1382 </varlistentry>
1383
1384 <varlistentry id="operation-cli-configure" xreflabel="configure">
1385 <term><userinput>configure terminal</userinput></term>
1386 <listitem>
1387 <para>
1388 Enter configuration mode. Use
1389 <userinput>exit</userinput> or
1390 <userinput>^Z</userinput> to exit this mode.
1391 </para>
1392
1393 <para>
1394 The following commands are valid in this mode:
1395
1396 <variablelist>
1397 <varlistentry id="operation-cli-conf-load">
1398 <term>
1399 <userinput>load plugin
1400 <replaceable>name</replaceable></userinput>
1401 </term>
1402 <listitem>
1403 <para>
1404 Load a plugin. You must specify the plugin
1405 name, and it will search in
1406 <filename>/usr/lib/l2tpns</filename> for
1407 <filename><replaceable>name</replaceable>.so</filename>.
1408 You can unload a loaded plugin with
1409 <userinput>remove plugin
1410 <replaceable>name</replaceable></userinput>.
1411 </para>
1412 </listitem>
1413 </varlistentry>
1414
1415 <varlistentry id="operation-cli-conf-set">
1416 <term><userinput>set</userinput> ...</term>
1417 <listitem>
1418 <para>
1419 Set a configuration variable. You must specify
1420 the variable name, and the value. If the value
1421 contains any spaces, you should quote the value
1422 with double (") or single (') quotes.
1423 </para>
1424
1425 <para>
1426 You can set any configuration value in this
1427 way, although some may require a restart to
1428 take effect. See <xref
1429 linkend="config-startup"/>.
1430 </para>
1431 </listitem>
1432 </varlistentry>
1433
1434 <varlistentry id="operation-cli-conf-router">
1435 <term><userinput>router bgp</userinput> ...</term>
1436 <listitem>
1437 <para>
1438 Configure BGP. See <xref
1439 linkend="config-startup-bgp"/>.
1440 </para>
1441 </listitem>
1442 </varlistentry>
1443
1444 <varlistentry id="operation-cli-conf-acl">
1445 <term><userinput>ip access-list</userinput> ...</term>
1446 <listitem>
1447 <para>
1448 Configure a named access list. See <xref
1449 linkend="config-startup-acl"/>.
1450 </para>
1451 </listitem>
1452 </varlistentry>
1453 </variablelist>
1454 </para>
1455 </listitem>
1456 </varlistentry>
1457 </variablelist>
1458 </para>
1459 </sect2>
1460
1461 <sect2 id="operation-nsctl">
1462 <title>nsctl</title>
1463 <para>
1464 <command>nsctl</command> sends messages to a running
1465 <command>l2tpns</command> instance to be control plugins.
1466 </para>
1467
1468 <para>
1469 Arguments are <userinput>command</userinput> and optional
1470 <replaceable>args</replaceable>. See
1471 <literal>nsctl(8)</literal>.
1472 </para>
1473
1474 <para>
1475 Built-in command are <userinput>load_plugin</userinput>,
1476 <userinput>unload_plugin</userinput> and
1477 <userinput>help</userinput>. Any other commands are passed to
1478 plugins for processing by the
1479 <literal>plugin_control</literal> function.
1480 </para>
1481 </sect2>
1482
1483 <sect2 id="operation-signals">
1484 <title>Signals</title>
1485 <para>
1486 While the process is running, you can send it a few different
1487 signals, using the <command>kill</command> command.
1488
1489 <screen>
1490 killall -HUP l2tpns
1491 </screen>
1492
1493 The signals understood are:
1494
1495 <variablelist>
1496 <varlistentry>
1497 <term>SIGHUP</term>
1498 <listitem>
1499 <para>Reload the config from disk and re-open log file.</para>
1500 </listitem>
1501 </varlistentry>
1502
1503 <varlistentry>
1504 <term>SIGTERM</term>
1505 <term>SIGINT</term>
1506 <listitem>
1507 <para>
1508 Stop process. Tunnels and sessions are not
1509 terminated. This signal should be used to stop
1510 <command>l2tpns</command> on a cluster node where
1511 there are other machines to continue handling traffic.
1512 See <xref linkend="clustering"/>
1513 </para>
1514 </listitem>
1515 </varlistentry>
1516
1517 <varlistentry>
1518 <term>SIGQUIT</term>
1519 <listitem>
1520 <para>
1521 Shut down tunnels and sessions, exit process when
1522 complete.
1523 </para>
1524 </listitem>
1525 </varlistentry>
1526 </variablelist>
1527 </para>
1528 </sect2>
1529 </sect1>
1530
1531 <sect1 id="throttling">
1532 <title>Throttling</title>
1533 <para>
1534 <command>l2tpns</command> contains support for slowing down user
1535 sessions to whatever speed you desire. The global setting
1536 <literal>throttle_speed</literal> defines the default throttle
1537 rate.
1538 </para>
1539
1540 <para>
1541 To throttle a sesion permanently, add a
1542 <literal>Cisco-AVPair</literal> RADIUS attribute. The
1543 <filename>autothrotle</filename> module interprets the following
1544 attributes:
1545
1546 <informaltable>
1547 <tgroup cols="2">
1548 <tbody>
1549 <row>
1550 <entry><literal>throttle=yes</literal></entry>
1551 <entry>
1552 Throttle upstream/downstream traffic to the configured
1553 <literal>throttle_speed</literal>.
1554 </entry>
1555 </row>
1556
1557 <row>
1558 <entry>
1559 <literal>throttle=<replaceable>rate</replaceable></literal>
1560 </entry>
1561 <entry>
1562 Throttle upstream/downstream traffic to the specified
1563 <replaceable>rate</replaceable> Kbps.
1564 </entry>
1565 </row>
1566
1567 <row>
1568 <entry>
1569 <literal>lcp:interface-config#1=service-policy input
1570 <replaceable>rate</replaceable></literal>
1571 </entry>
1572
1573 <entry morerows="1">
1574 Alternate (Cisco) format: throttle
1575 upstream/downstream to specified
1576 <replaceable>rate</replaceable> Kbps.
1577 </entry>
1578 </row>
1579
1580 <row>
1581 <entry>
1582 <literal>lcp:interface-config#2=service-policy output
1583 <replaceable>rate</replaceable></literal>
1584 </entry>
1585 </row>
1586 </tbody>
1587 </tgroup>
1588 </informaltable>
1589 </para>
1590
1591 <para>
1592 You can also enable and disable throttling an active session
1593 using the <xref linkend="operation-cli-throttle"/> CLI command.
1594 </para>
1595 </sect1>
1596
1597 <sect1 id="interception">
1598 <title>Interception</title>
1599 <para>
1600 You may have to deal with legal requirements to be able to
1601 intercept a user's traffic at any time.
1602 <command>l2tpns</command> allows you to begin and end
1603 interception on the fly, as well as at authentication time.
1604 </para>
1605
1606 <para>
1607 When a user is being intercepted, a copy of every packet they
1608 send and receive will be sent wrapped in a UDP packet to a
1609 specified host.
1610 </para>
1611
1612 <para>
1613 The UDP packet contains just the raw IP frame, with no extra
1614 headers. The script <filename>scripts/l2tpns-capture</filename>
1615 may be used as the end-point for such intercepts, writing the
1616 data in PCAP format (suitable for inspection with
1617 <command>tcpdump</command>).
1618 </para>
1619
1620 <para>
1621 To enable or disable interception of a connected user, use the
1622 <xref linkend="operation-cli-snoop"/> and <userinput>no
1623 snoop</userinput> CLI commands. These will enable interception
1624 immediately.
1625 </para>
1626
1627 <para>
1628 If you wish the user to be intercepted whenever they reconnect,
1629 you will need to modify the RADIUS response to include the
1630 Vendor-Specific value
1631 <literal>Cisco-AVPair="intercept=<replaceable>ip</replaceable>:<replaceable>port</replaceable>"</literal>.
1632 For this feature to be enabled, you need to have the
1633 <filename>autosnoop</filename> module loaded.
1634 </para>
1635 </sect1>
1636
1637 <sect1 id="plugins">
1638 <title>Plugins</title>
1639 <para>
1640 So as to make <command>l2tpns</command> as flexible as possible,
1641 a plugin API is include which you can use to hook into certain
1642 events.
1643 </para>
1644
1645 <para>
1646 There are a some standard modules included which may be used as
1647 examples: <filename>autosnoop</filename>,
1648 <filename>autothrottle</filename>, <filename>garden</filename>,
1649 <filename>sessionctl</filename>,
1650 <filename>setrxspeed</filename>, <filename>snoopctl</filename>,
1651 <filename>stripdomain</filename> and
1652 <filename>throttlectl</filename>.
1653 </para>
1654
1655 <para>
1656 When an event occurs that has a hook, <command>l2tpns</command>
1657 looks for a predefined function name in every loaded module, and
1658 runs them in the order the modules were loaded.
1659 </para>
1660
1661 <para>
1662 The function should return <code>PLUGIN_RET_OK</code> if it is
1663 all OK. If it returns <code>PLUGIN_RET_STOP</code>, then it is
1664 assumed to have worked, but that no further modules should be
1665 run for this event.
1666 </para>
1667
1668 <para>
1669 A return of <code>PLUGIN_RET_ERROR</code> means that this module
1670 failed, and no further processing should be done for this event.
1671 <note><para>Use this with care.</para></note>
1672 </para>
1673
1674 <para>
1675 Most event functions take a specific structure named
1676 <code>param_<replaceable>event</replaceable></code>, which
1677 varies in content with each event. The function name for each
1678 event will be
1679 <code>plugin_<replaceable>event</replaceable></code>, so for the
1680 event <replaceable>timer</replaceable>, the function declaration
1681 should look like:
1682
1683 <programlisting>
1684 int plugin_timer(struct param_timer *data);
1685 </programlisting>
1686
1687 A list of the available events follows, with a list of all the
1688 fields in the supplied structure:
1689
1690 <informaltable>
1691 <tgroup cols="4">
1692 <colspec colname="event"/>
1693 <colspec colname="event_desc"/>
1694 <colspec colname="member"/>
1695 <colspec colname="member_desc"/>
1696 <spanspec spanname="args" namest="member" nameend="member_desc"/>
1697 <thead>
1698 <row>
1699 <entry>Event</entry>
1700 <entry>Description</entry>
1701 <entry spanname="args">Arguments</entry>
1702 </row>
1703 </thead>
1704
1705 <tbody>
1706 <row>
1707 <entry morerows="1"><code>plugin_init</code></entry>
1708 <entry morerows="1">
1709 <para>
1710 Called when the plugin is loaded. A pointer to a
1711 struct containing function pointers is passed as the
1712 only argument, allowing the plugin to call back into
1713 the main code.
1714 </para>
1715 <para>
1716 Prior to loading the plugin, <command>l2tpns</command>
1717 checks the API version the plugin was compiled
1718 against. All plugins should contain:
1719 <programlisting>
1720 int plugin_api_version = PLUGIN_API_VERSION;
1721 </programlisting>
1722 </para>
1723 </entry>
1724 <entry spanname="args"><code>struct pluginfuncs *</code></entry>
1725 </row>
1726 <row>
1727 <entry spanname="args">
1728 See <code>pluginfuncs</code> structure in
1729 <code>plugin.h</code> for available functions.
1730 </entry>
1731 </row>
1732
1733 <row>
1734 <entry morerows="1"><code>plugin_done</code></entry>
1735 <entry morerows="1">
1736 Called when the plugin is unloaded or
1737 <command>l2tpns</command> is shutdown.
1738 </entry>
1739 <entry spanname="args"><code>void</code></entry>
1740 </row>
1741 <row>
1742 <entry spanname="args">No arguments.</entry>
1743 </row>
1744
1745 <row>
1746 <entry morerows="6"><code>plugin_pre_auth</code></entry>
1747 <entry morerows="6">
1748 Called after a RADIUS response has been received, but
1749 before it has been processed by the code. This will
1750 allow you to modify the response in some way.
1751 </entry>
1752 <entry spanname="args">
1753 <code>struct plugin param_pre_auth *</code>
1754 </entry>
1755 </row>
1756 <row>
1757 <entry><code>tunnelt *t</code></entry>
1758 <entry>Tunnel.</entry>
1759 </row>
1760 <row>
1761 <entry><code>sessiont *s</code></entry>
1762 <entry>Session.</entry>
1763 </row>
1764 <row>
1765 <entry><code>char *username</code></entry>
1766 <entry>User name.</entry>
1767 </row>
1768 <row>
1769 <entry><code>char *password</code></entry>
1770 <entry>Password.</entry>
1771 </row>
1772 <row>
1773 <entry><code>int protocol</code></entry>
1774 <entry>
1775 Authentication protocol: <literal>0xC023</literal> for PAP,
1776 <literal>0xC223</literal> for CHAP.
1777 </entry>
1778 </row>
1779 <row>
1780 <entry><code>int continue_auth</code></entry>
1781 <entry>Set to 0 to stop processing authentication modules.</entry>
1782 </row>
1783
1784 <row>
1785 <entry morerows="5"><code>plugin_post_auth</code></entry>
1786 <entry morerows="5">
1787 Called after a RADIUS response has been received, and
1788 the basic checks have been performed. This is what
1789 the <filename>garden</filename> module uses to force
1790 authentication to be accepted.
1791 </entry>
1792 <entry spanname="args">
1793 <code>struct plugin param_post_auth *</code>
1794 </entry>
1795 </row>
1796 <row>
1797 <entry><code>tunnelt *t</code></entry>
1798 <entry>Tunnel.</entry>
1799 </row>
1800 <row>
1801 <entry><code>sessiont *s</code></entry>
1802 <entry>Session.</entry>
1803 </row>
1804 <row>
1805 <entry><code>char *username</code></entry>
1806 <entry>User name.</entry>
1807 </row>
1808 <row>
1809 <entry><code>short auth_allowed</code></entry>
1810 <entry>
1811 Initially true or false depending on whether
1812 authentication has been allowed so far. You can
1813 set this to 1 or 0 to force authentication to be
1814 accepted or rejected.
1815 </entry>
1816 </row>
1817 <row>
1818 <entry><code>int protocol</code></entry>
1819 <entry>
1820 Authentication protocol: <literal>0xC023</literal> for PAP,
1821 <literal>0xC223</literal> for CHAP.
1822 </entry>
1823 </row>
1824
1825 <row>
1826 <entry morerows="1"><code>plugin_timer</code></entry>
1827 <entry morerows="1">
1828 Run once per second.
1829 </entry>
1830 <entry spanname="args">
1831 <code>struct plugin param_timer *</code>
1832 </entry>
1833 </row>
1834 <row>
1835 <entry><code>time_t time_now</code></entry>
1836 <entry>The current unix timestamp.</entry>
1837 </row>
1838
1839 <row>
1840 <entry morerows="2"><code>plugin_new_session</code></entry>
1841 <entry morerows="2">
1842 Called after a session is fully set up. The session
1843 is now ready to handle traffic.
1844 </entry>
1845 <entry spanname="args">
1846 <code>struct plugin param_new_session *</code>
1847 </entry>
1848 </row>
1849 <row>
1850 <entry><code>tunnelt *t</code></entry>
1851 <entry>Tunnel.</entry>
1852 </row>
1853 <row>
1854 <entry><code>sessiont *s</code></entry>
1855 <entry>Session.</entry>
1856 </row>
1857
1858 <row>
1859 <entry morerows="2"><code>plugin_kill_session</code></entry>
1860 <entry morerows="2">
1861 Called when a session is about to be shut down. This
1862 may be called multiple times for the same session.
1863 </entry>
1864 <entry spanname="args">
1865 <code>struct plugin param_kill_session *</code>
1866 </entry>
1867 </row>
1868 <row>
1869 <entry><code>tunnelt *t</code></entry>
1870 <entry>Tunnel.</entry>
1871 </row>
1872 <row>
1873 <entry><code>sessiont *s</code></entry>
1874 <entry>Session.</entry>
1875 </row>
1876
1877 <row>
1878 <entry morerows="5"><code>plugin_control</code></entry>
1879 <entry morerows="5">
1880 <para>
1881 Called in whenever a <command>nsctl</command> packet
1882 is received. This should handle the packet and form a
1883 response if required.
1884 </para>
1885 <para>
1886 Plugin-specific help strings may be included in the
1887 output of <userinput>nsctl help</userinput> by
1888 defining a <code>NULL</code> terminated list of
1889 strings as follows:
1890 <programlisting>
1891 char *plugin_control_help[] = { <replaceable>...</replaceable>, NULL };
1892 </programlisting>
1893 </para>
1894 </entry>
1895 <entry spanname="args">
1896 <code>struct plugin param_control *</code>
1897 </entry>
1898 </row>
1899 <row>
1900 <entry><code>int iam_master</code></entry>
1901 <entry>If true, this node is the cluster master.</entry>
1902 </row>
1903 <row>
1904 <entry><code>int argc</code></entry>
1905 <entry morerows="1"><command>nsctl</command> arguments.</entry>
1906 </row>
1907 <row>
1908 <entry><code>char **argc</code></entry>
1909 </row>
1910 <row>
1911 <entry><code>int reponse</code></entry>
1912 <entry>
1913 Response from control message (if handled): should be
1914 either <code>NSCTL_RES_OK</code> or
1915 <code>NSCTL_RES_ERR</code>.
1916 </entry>
1917 </row>
1918 <row>
1919 <entry><code>char *additional</code></entry>
1920 <entry>
1921 Additional information, output by
1922 <command>nsctl</command> on receiving the response.
1923 </entry>
1924 </row>
1925
1926 <row>
1927 <entry morerows="4"><code>plugin_radius_response</code></entry>
1928 <entry morerows="4">
1929 Called whenever a RADIUS response includes a
1930 <literal>Cisco-AVPair</literal> value. The value is
1931 split into
1932 <replaceable>key</replaceable><literal>=</literal><replaceable>value</replaceable>
1933 pairs. Will be called once for each pair in the
1934 response.
1935 </entry>
1936 <entry spanname="args">
1937 <code>struct plugin param_radius_response *</code>
1938 </entry>
1939 </row>
1940 <row>
1941 <entry><code>tunnelt *t</code></entry>
1942 <entry>Tunnel.</entry>
1943 </row>
1944 <row>
1945 <entry><code>sessiont *s</code></entry>
1946 <entry>Session.</entry>
1947 </row>
1948 <row>
1949 <entry><code>char *key</code></entry>
1950 <entry morerows="1">Key and value.</entry>
1951 </row>
1952 <row>
1953 <entry><code>char *value</code></entry>
1954 </row>
1955
1956 <row>
1957 <entry morerows="2"><code>plugin_radius_reset</code></entry>
1958 <entry morerows="2">
1959 Called whenever a RADIUS CoA request is received to
1960 reset any options to default values before the new
1961 values are applied.
1962 </entry>
1963 <entry spanname="args">
1964 <code>struct param_radius_reset *</code>
1965 </entry>
1966 </row>
1967 <row>
1968 <entry><code>tunnelt *t</code></entry>
1969 <entry>Tunnel.</entry>
1970 </row>
1971 <row>
1972 <entry><code>sessiont *s</code></entry>
1973 <entry>Session.</entry>
1974 </row>
1975
1976 <row>
1977 <entry morerows="3"><code>plugin_radius_account</code></entry>
1978 <entry morerows="3">
1979 Called when preparing a RADIUS accounting record to
1980 allow additional data to be added to the packet.
1981 </entry>
1982 <entry spanname="args">
1983 <code>struct param_radius_account *</code>
1984 </entry>
1985 </row>
1986 <row>
1987 <entry><code>tunnelt *t</code></entry>
1988 <entry>Tunnel.</entry>
1989 </row>
1990 <row>
1991 <entry><code>sessiont *s</code></entry>
1992 <entry>Session.</entry>
1993 </row>
1994 <row>
1995 <entry><code>uint8_t **packet</code></entry>
1996 <entry>
1997 Pointer to the end of the currently assembled
1998 packet buffer. The value should be incremented by the
1999 length of any data added.
2000 </entry>
2001 </row>
2002
2003 <row>
2004 <entry morerows="1"><code>plugin_become_master</code></entry>
2005 <entry morerows="1">
2006 Called when a node elects itself cluster master.
2007 </entry>
2008 <entry spanname="args"><code>void</code></entry>
2009 </row>
2010 <row>
2011 <entry spanname="args">No arguments.</entry>
2012 </row>
2013
2014 <row>
2015 <entry morerows="1"><code>plugin_new_session_master</code></entry>
2016 <entry morerows="1">
2017 Called once for each open session on becoming cluster
2018 master.
2019 </entry>
2020 <entry spanname="args"><code>sessiont *</code></entry>
2021 </row>
2022 <row>
2023 <entry spanname="args">
2024 Session.
2025 </entry>
2026 </row>
2027 </tbody>
2028 </tgroup>
2029 </informaltable>
2030 </para>
2031 </sect1>
2032
2033 <sect1 id="walled-garden">
2034 <title>Walled Garden</title>
2035 <para>
2036 A "Walled Garden" is implemented so that you can provide perhaps
2037 limited service to sessions that incorrectly authenticate.
2038 </para>
2039
2040 <para>
2041 Whenever a session provides incorrect authentication, and the
2042 RADIUS server responds with Auth-Reject, the walled garden
2043 module (if loaded) will force authentication to succeed, but set
2044 the <literal>walled_garden</literal> flag in the session
2045 structure, and adds an <command>iptables</command> rule to the
2046 <literal>garden_users</literal> chain to cause all packets for
2047 the session to traverse the <literal>garden</literal> chain.
2048 </para>
2049
2050 <para>
2051 This doesn't <emphasis>just work</emphasis>. To set this all
2052 up, you will to setup the <literal>garden</literal> nat table
2053 with the <xref linkend="config-build-garden"/> script with rules
2054 to limit user's traffic.
2055 </para>
2056
2057 <para>
2058 For example, to force all traffic except DNS to be forwarded to
2059 192.168.1.1, add these entries to your
2060 <filename>build-garden</filename> script:
2061
2062 <programlisting>
2063 iptables -t nat -A garden -p tcp --dport ! 53 -j DNAT --to 192.168.1.1
2064 iptables -t nat -A garden -p udp --dport ! 53 -j DNAT --to 192.168.1.1
2065 </programlisting>
2066 </para>
2067
2068 <para>
2069 <command>l2tpns</command> will add entries to the
2070 <literal>garden_users</literal> chain as appropriate.
2071 </para>
2072
2073 <para>
2074 You can check the amount of traffic being captured using the
2075 following command:
2076
2077 <screen>
2078 iptables -t nat -L garden -nvx
2079 </screen>
2080 </para>
2081 </sect1>
2082
2083 <sect1 id="filtering">
2084 <title>Filtering</title>
2085 <para>
2086 Sessions may be filtered by specifying
2087 <literal>Filter-Id</literal> attributes in the RADIUS reply.
2088 <replaceable>filter</replaceable>.<literal>in</literal>
2089 specifies that the named access-list
2090 <replaceable>filter</replaceable> should be applied to traffic
2091 from the customer,
2092 <replaceable>filter</replaceable>.<literal>out</literal>
2093 specifies a list for traffic to the customer.
2094 </para>
2095 </sect1>
2096
2097 <sect1 id="clustering">
2098 <title>Clustering</title>
2099 <para>
2100 An <command>l2tpns</command> cluster consists of one* or more
2101 servers configured with the same configuration, notably the
2102 multicast <literal>cluster_address</literal> and the
2103 <literal>cluster_port</literal>
2104 </para>
2105
2106 <para>*A stand-alone server is simply a degraded cluster.</para>
2107
2108 <para>
2109 Initially servers come up as cluster slaves, and periodically
2110 (every <literal>cluster_hb_interval</literal>/10 seconds) send
2111 out ping packets containing the start time of the process to the
2112 multicast <literal>cluster_address</literal> on
2113 <literal>cluster_port</literal>.
2114 </para>
2115
2116 <para>
2117 A cluster master sends heartbeat rather than ping packets, which
2118 contain those session and tunnel changes since the last
2119 heartbeat.
2120 </para>
2121
2122 <para>
2123 When a slave has not seen a heartbeat within
2124 <literal>cluster_hb_timeout</literal>/10 seconds it "elects" a
2125 new master by examining the list of peers it has seen pings from
2126 and determines which of these and itself is the "best" candidate
2127 to be master. "Best" in this context means the server with the
2128 highest uptime (the highest IP address is used as a tie-breaker
2129 in the case of equal uptimes).
2130 </para>
2131
2132 <para>
2133 After discovering a master, and determining that it is
2134 up-to-date (has seen an update for all in-use sessions and
2135 tunnels from heartbeat packets) will raise a route (see <xref
2136 linkend="routing"/>) for the <literal>bind_address</literal> and
2137 for all addresses/networks in <filename>ip_pool</filename>.
2138 </para>
2139
2140 <para>
2141 Any packets recieved by the slave which would alter the session
2142 state, as well as packets for throttled or gardened sessions are
2143 forwarded to the master for handling. In addition, byte
2144 counters for session traffic are periodically forwarded.
2145 </para>
2146
2147 <para>
2148 The master, when determining that it has at least one* up-to-date
2149 slave will drop all routes (raising them again if all slaves
2150 disappear) and subsequently handle only packets forwarded to it
2151 by the slaves.
2152 </para>
2153
2154 <para>*Configurable with <literal>cluster_master_min_adv</literal></para>
2155
2156 <para>
2157 Multiple clusters can be run on the same network by just using different
2158 multicast <literal>cluster_address</literal>. However, for a given host to
2159 be part of multiple clusters without mixing the clusters,
2160 <literal>cluster_port</literal> must be different for each cluster.
2161 </para>
2162 </sect1>
2163
2164 <sect1 id="routing">
2165 <title>Routing</title>
2166 <para>
2167 If you are running a single instance, you may simply statically
2168 route the IP pools to the <literal>bind_address</literal>
2169 (<command>l2tpns</command> will send a gratuitous arp).
2170 </para>
2171
2172 <para>
2173 For a cluster, configure the members as BGP neighbours on your
2174 router and configure multi-path load-balancing. Cisco uses
2175 <userinput>maximum-paths ibgp</userinput> for IBGP. If this is
2176 not supported by your IOS revision, you can use
2177 <userinput>maximum-paths</userinput> (which works for EBGP) and
2178 set <literal>as_number</literal> to a private value such as
2179 64512.
2180 </para>
2181 </sect1>
2182 </article>