X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/12f16f60c19b470a3a4e5ee145485095dc674dee..11e0f6910dd7f4bc2bee8683a5d472aba371ab5c:/Docs/manual.html?ds=sidebyside

diff --git a/Docs/manual.html b/Docs/manual.html
index 13748a9..1395e3a 100644
--- a/Docs/manual.html
+++ b/Docs/manual.html
@@ -56,6 +56,7 @@ H3 {
     <LI><A HREF="#Filtering">Filtering</A></LI>
     <LI><A HREF="#Clustering">Clustering</A></LI>
     <LI><A HREF="#Routing">Routing</A></LI>
+    <LI><A HREF="#AvoidingFragmentation">Avoiding Fragmentation</A></LI>
     <LI><A HREF="#Performance">Performance</A></LI>
 </OL>
 
@@ -191,14 +192,6 @@ user, both a primary and a secondary.  If either is set to 0.0.0.0, then that
 one will not be sent.
 </LI>
 
-<LI><B>save_state</B> (boolean)<BR>
-When l2tpns receives a STGTERM it will write out its current
-ip_address_pool, session and tunnel tables to disk prior to exiting to
-be re-loaded at startup.  The validity of this data is obviously quite
-short and the intent is to allow an sessions to be retained over a
-software upgrade.
-</LI>
-
 <LI><B>primary_radius</B> (ip address)
 <LI><B>secondary_radius</B> (ip address)<BR>
 Sets the RADIUS servers used for both authentication and accounting. 
@@ -231,6 +224,17 @@ This secret will be used in all RADIUS queries.  If this is not set then
 RADIUS queries will fail.
 </LI>
 
+<LI><B>radius_authtypes</B> (string)</BR>
+A comma separated list of supported RADIUS authentication methods
+(<B>pap</B> or <B>chap</B>), in order of preference (default <B>pap</B>).
+</LI>
+
+<LI><B>allow_duplicate_users</B> (boolean)</BR>
+Allow multiple logins with the same username.  If false (the default),
+any prior session with the same username will be dropped when a new
+session is established.
+</LI>
+
 <LI><B>bind_address</B> (ip address)<BR>
 When the tun interface is created, it is assigned the address
 specified here.  If no address is given, 1.1.1.1 is used.  Packets
@@ -282,10 +286,6 @@ second.  Even if this is disabled, you can see this information by running
 the <EM>uptime</EM> command on the CLI.
 </LI>
 
-<LI><B>cleanup_interval</B> (int)<BR>
-Interval between regular cleanups (in seconds).
-</LI>
-
 <LI><B>multi_read_count</B> (int)<BR>
 Number of packets to read off each of the UDP and TUN fds when
 returned as readable by select (default:  10).  Avoids incurring the
@@ -307,6 +307,13 @@ Keep all pages mapped by the l2tpns process in memory.
 Maximum number of host unreachable ICMP packets to send per second.
 </LI>
 
+<LI><B>packet_limit</B> (int><BR>
+Maximum number of packets of downstream traffic to be handled each
+tenth of a second per session.  If zero, no limit is applied (default: 
+0).  Intended as a DoS prevention mechanism and not a general
+throttling control (packets are dropped, not queued).
+</LI>
+
 <LI><B>cluster_address</B> (ip address)<BR>
 Multicast cluster address (default:  239.192.13.13).  See the section
 on <A HREF="#Clustering">Clustering</A> for more information.
@@ -325,6 +332,11 @@ Cluster heartbeat timeout in tenths of a second.  A new master will be
 elected when this interval has been passed without seeing a heartbeat
 from the master.
 </LI>
+
+<LI><B>cluster_master_min_adv</B> (int)<BR>
+Determines the minumum number of up to date slaves required before the
+master will drop routes (default: 1).
+</LI>
 </UL>
 
 <P>BGP routing configuration is entered by the command:
@@ -360,23 +372,25 @@ define the body of the access-list.  Standard access-list syntax:
 
 Extended access-lists:
 
-<DL>
-  <DD>{<B>permit</B>|<B>deny</B>} <B>ip</B>
+<DIV STYLE="margin-left: 4em; text-indent: -2em">
+  <P>{<B>permit</B>|<B>deny</B>} <B>ip</B>
     {<I>host</I>|<I>source source-wildcard</I>|<B>any</B>}
-    {<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>}
-  <DD>{<B>permit</B>|<B>deny</B>} <B>udp</B>
+    {<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>} [<B>fragments</B>]
+  <P>{<B>permit</B>|<B>deny</B>} <B>udp</B>
     {<I>host</I>|<I>source source-wildcard</I>|<B>any</B>}
 	[{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>]
     {<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>}
 	[{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>]
-  <DD>{<B>permit</B>|<B>deny</B>} <B>tcp</B>
+	[<B>fragments</B>]
+  <P>{<B>permit</B>|<B>deny</B>} <B>tcp</B>
     {<I>host</I>|<I>source source-wildcard</I>|<B>any</B>}
 	[{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>]
     {<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>}
 	[{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>]
 	[{<B>established</B>|{<B>match-any</B>|<B>match-all</B>}
-	    {<B>+</B>|<B>-</B>}{<B>fin</B>|<B>syn</B>|<B>rst</B>|<B>psh</B>|<B>ack</B>|<B>urg</B>} ...]
-</DL>
+	    {<B>+</B>|<B>-</B>}{<B>fin</B>|<B>syn</B>|<B>rst</B>|<B>psh</B>|<B>ack</B>|<B>urg</B>}
+	    ...|<B>fragments</B>]
+</DIV>
 
 <H3 ID="users">users</H3>
 
@@ -682,16 +696,15 @@ killall -HUP l2tpns
 </PRE>
 
 The signals understood are:
-<UL>
-<LI>SIGHUP - Reload the config from disk and re-open log file<P></LI>
-<LI>SIGTERM / SIGINT - Shut down for a restart.  This will dump the current
-state to disk (if <EM>save_state</EM> is set to true).  Upon restart, the
-process will read this saved state to resume active sessions.<P>
-<LI>SIGQUIT - Shut down cleanly.  This will send a disconnect message for
-every active session and tunnel before shutting down.  This is a good idea
-when upgrading the code, as no sessions will be left with the remote end
-thinking they are open.</LI>
-</UL>
+<DL>
+<DT>SIGHUP</DT><DD>Reload the config from disk and re-open log file.</DD>
+<DT>SIGTERM, SIGINT</DT><DD>Stop process.  Tunnels and sessions are not
+terminated.  This signal should be used to stop l2tpns on a
+<A HREF="#Clustering">cluster node</A> where there are other machines to
+continue handling traffic.</DD>
+<DT>SIGQUIT</DT><DD>Shut down tunnels and sessions, exit process when
+complete.</DD>
+</DL>
 
 <H2 ID="Throttling">Throttling</H2>
 
@@ -1021,6 +1034,22 @@ ibgp" for IBGP.  If this is not supported by your IOS revision, you
 can use "maximum-paths" (which works for EBGP) and set
 <B>as_number</B> to a private value such as 64512.<P>
 
+<H2 ID="AvoidingFragmentation">Avoiding Fragmentation</H2>
+
+Fragmentation of encapsulated return packets to the LAC may be avoided
+for TCP sessions by adding a firewall rule to clamps the MSS on
+outgoing SYN packets.
+
+The following is appropriate for interfaces with a typical MTU of
+1500:
+
+<pre>
+iptables -A FORWARD -i tun+ -o eth0 	\
+    -p tcp --tcp-flags SYN,RST SYN	\
+    -m tcpmss --mss 1413:1600		\
+    -j TCPMSS --set-mss 1412
+</pre>
+
 <H2 ID="Performance">Performance</H2>
 
 Performance is great.<P>