<LI><A HREF="#Filtering">Filtering</A></LI>
<LI><A HREF="#Clustering">Clustering</A></LI>
<LI><A HREF="#Routing">Routing</A></LI>
+ <LI><A HREF="#AvoidingFragmentation">Avoiding Fragmentation</A></LI>
<LI><A HREF="#Performance">Performance</A></LI>
</OL>
used if the LAC requests authentication.
</LI>
+<LI><B>ppp_restart_time</B> (int)<BR>
+<B>ppp_max_configure</B> (int)<BR>
+<B>ppp_max_failure</B> (int)<BR>
+PPP counter and timer values, as described in §4.1 of
+<a href="ftp://ftp.rfc-editor.org/in-notes/rfc1661.txt">RFC1661</a>.
+</LI>
+
+<LI><B>ppp_mru</B> (int)<BR>
+PPP link MRU (default: 1452).
+</LI>
+
<LI><B>primary_dns</B> (ip address)
<LI><B>secondary_dns</B> (ip address)<BR>
Whenever a PPP connection is established, DNS servers will be sent to the
(<B>pap</B> or <B>chap</B>), in order of preference (default <B>pap</B>).
</LI>
+<LI><B>radius_dae_port</B> (short)<BR>
+Port for DAE RADIUS (Packet of Death/Disconnect, Change of Authorization)
+requests (default: <B>3799</B>).
+</LI>
+
<LI><B>allow_duplicate_users</B> (boolean)</BR>
Allow multiple logins with the same username. If false (the default),
any prior session with the same username will be dropped when a new
Interface for cluster packets (default: eth0).
</LI>
+<LI><B>cluster_mcast_ttl</B> (int)<BR>
+TTL for multicast packets (default: 1).
+</LI>
+
<LI><B>cluster_hb_interval</B> (int)<BR>
Interval in tenths of a second between cluster heartbeat/pings.
</LI>
</PRE>
The signals understood are:
-<UL>
-<LI>SIGHUP - Reload the config from disk and re-open log file</LI>
-<LI>SIGTERM / SIGINT - Shut down.</LI>
-<LI>SIGQUIT - Shut down cleanly. This will send a disconnect message for
-every active session and tunnel before shutting down.</LI>
-</UL>
+<DL>
+<DT>SIGHUP</DT><DD>Reload the config from disk and re-open log file.</DD>
+<DT>SIGTERM, SIGINT</DT><DD>Stop process. Tunnels and sessions are not
+terminated. This signal should be used to stop l2tpns on a
+<A HREF="#Clustering">cluster node</A> where there are other machines to
+continue handling traffic.</DD>
+<DT>SIGQUIT</DT><DD>Shut down tunnels and sessions, exit process when
+complete.</DD>
+</DL>
<H2 ID="Throttling">Throttling</H2>
some way.
</TD>
<TD>
- <UL>
- <LI>t - Tunnel ID</LI>
- <LI>s - Session ID</LI>
- <LI>username</LI>
- <LI>password</LI>
- <LI>protocol (0xC023 for PAP, 0xC223 for CHAP)</LI>
- <LI>continue_auth - Set to 0 to stop processing authentication modules</LI>
- </UL>
+ <DL>
+ <DT>t<DD>Tunnel
+ <DT>s<DD>Session
+ <DT>username
+ <DT>password
+ <DT>protocol<DD>0xC023 for PAP, 0xC223 for CHAP
+ <DT>continue_auth<DD>Set to 0 to stop processing authentication modules
+ </DL>
</TD>
</TR>
<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>post_auth</B></TD>
to be accepted.
</TD>
<TD>
- <UL>
- <LI>t - Tunnel ID</LI>
- <LI>s - Session ID</LI>
- <LI>username</LI>
- <LI>auth_allowed - This is already set to true or
+ <DL>
+ <DT>t<DD>Tunnel
+ <DT>s<DD>Session
+ <DT>username
+ <DT>auth_allowed<DD>This is already set to true or
false depending on whether authentication has been
allowed so far. You can set this to 1 or 0 to force
- allow or disallow authentication</LI>
- <LI>protocol (0xC023 for PAP, 0xC223 for CHAP)</LI>
- </UL>
+ allow or disallow authentication
+ <DT>protocol<DD>0xC023 for PAP, 0xC223 for CHAP
+ </DL>
</TD>
</TR>
<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>packet_rx</B></TD>
seriously slow down the system.</FONT>
</TD>
<TD>
- <UL>
- <LI>t - Tunnel ID</LI>
- <LI>s - Session ID</LI>
- <LI>buf - The raw packet data</LI>
- <LI>len - The length of buf</LI>
- </UL>
+ <DL>
+ <DT>t<DD>Tunnel
+ <DT>s<DD>Session
+ <DT>buf<DD>The raw packet data
+ <DT>len<DD>The length of buf
+ </DL>
</TD>
</TR>
<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>packet_tx</B></TD>
seriously slow down the system.</FONT>
</TD>
<TD>
- <UL>
- <LI>t - Tunnel ID</LI>
- <LI>s - Session ID</LI>
- <LI>buf - The raw packet data</LI>
- <LI>len - The length of buf</LI>
- </UL>
+ <DL>
+ <DT>t<DD>Tunnel
+ <DT>s<DD>Session
+ <DT>buf<DD>The raw packet data
+ <DT>len<DD>The length of buf
+ </DL>
</TD>
</TR>
<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>timer</B></TD>
you do is reentrant.
</TD>
<TD>
- <UL>
- <LI>time_now - The current unix timestamp</LI>
- </UL>
+ <DL>
+ <DT>time_now<DD>The current unix timestamp
+ </DL>
</TD>
</TR>
<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>new_session</B></TD>
session is now ready to handle traffic.
</TD>
<TD>
- <UL>
- <LI>t - Tunnel ID</LI>
- <LI>s - Session ID</LI>
- </UL>
+ <DL>
+ <DT>t<DD>Tunnel
+ <DT>s<DD>Session
+ </DL>
</TD>
</TR>
<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>kill_session</B></TD>
This may be called multiple times for the same session.
</TD>
<TD>
- <UL>
- <LI>t - Tunnel ID</LI>
- <LI>s - Session ID</LI>
- </UL>
+ <DL>
+ <DT>t<DD>Tunnel
+ <DT>s<DD>Session
+ </DL>
</TD>
</TR>
<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>radius_response</B></TD>
modules.
</TD>
<TD>
- <UL>
- <LI>t - Tunnel ID</LI>
- <LI>s - Session ID</LI>
- <LI>key</LI>
- <LI>value</LI>
- </UL>
+ <DL>
+ <DT>t<DD>Tunnel
+ <DT>s<DD>Session
+ <DT>key
+ <DT>value
+ </DL>
+ </TD>
+ </TR>
+ <TR VALIGN=TOP BGCOLOR=WHITE><TD><B>radius_reset</B></TD>
+ <TD>This is called whenever a RADIUS CoA request is
+ received to reset any options to default values before
+ the new values are applied.
+ </TD>
+ <TD>
+ <DL>
+ <DT>t<DD>Tunnel
+ <DT>s<DD>Session
+ </DL>
</TD>
</TR>
<TR VALIGN=TOP BGCOLOR=WHITE><TD><B>control</B></TD>
required.
</TD>
<TD>
- <UL>
- <LI>buf - The raw packet data</LI>
- <LI>l - The raw packet data length</LI>
- <LI>source_ip - Where the request came from</LI>
- <LI>source_port - Where the request came from</LI>
- <LI>response - Allocate a buffer and put your response in here</LI>
- <LI>response_length - Length of response</LI>
- <LI>send_response - true or false whether a response
- should be sent. If you set this to true, you must
- allocate a response buffer.</LI>
- <LI>type - Type of request (see nsctl.c)</LI>
- <LI>id - ID of request</LI>
- <LI>data - I'm really not sure</LI>
- <LI>data_length - Length of data</LI>
- </UL>
+ <DL>
+ <DT>iam_master<DD>Cluster master status
+ <DT>argc<DD>The number of arguments
+ <DT>argv<DD>Arguments
+ <DT>response<DD>Return value: NSCTL_RES_OK or NSCTL_RES_ERR
+ <DT>additional<DD>Extended response text
+ </DL>
</TD>
</TR>
</TABLE>
can use "maximum-paths" (which works for EBGP) and set
<B>as_number</B> to a private value such as 64512.<P>
+<H2 ID="AvoidingFragmentation">Avoiding Fragmentation</H2>
+
+Fragmentation of encapsulated return packets to the LAC may be avoided
+for TCP sessions by adding a firewall rule to clamps the MSS on
+outgoing SYN packets.
+
+The following is appropriate for interfaces with a typical MTU of
+1500:
+
+<pre>
+iptables -A FORWARD -i tun+ -o eth0 \
+ -p tcp --tcp-flags SYN,RST SYN \
+ -m tcpmss --mss 1413:1600 \
+ -j TCPMSS --set-mss 1412
+</pre>
+
<H2 ID="Performance">Performance</H2>
Performance is great.<P>