X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/12f16f60c19b470a3a4e5ee145485095dc674dee..11e0f6910dd7f4bc2bee8683a5d472aba371ab5c:/Docs/manual.html?ds=sidebyside diff --git a/Docs/manual.html b/Docs/manual.html index 13748a9..1395e3a 100644 --- a/Docs/manual.html +++ b/Docs/manual.html @@ -56,6 +56,7 @@ H3 { <LI><A HREF="#Filtering">Filtering</A></LI> <LI><A HREF="#Clustering">Clustering</A></LI> <LI><A HREF="#Routing">Routing</A></LI> + <LI><A HREF="#AvoidingFragmentation">Avoiding Fragmentation</A></LI> <LI><A HREF="#Performance">Performance</A></LI> </OL> @@ -191,14 +192,6 @@ user, both a primary and a secondary. If either is set to 0.0.0.0, then that one will not be sent. </LI> -<LI><B>save_state</B> (boolean)<BR> -When l2tpns receives a STGTERM it will write out its current -ip_address_pool, session and tunnel tables to disk prior to exiting to -be re-loaded at startup. The validity of this data is obviously quite -short and the intent is to allow an sessions to be retained over a -software upgrade. -</LI> - <LI><B>primary_radius</B> (ip address) <LI><B>secondary_radius</B> (ip address)<BR> Sets the RADIUS servers used for both authentication and accounting. @@ -231,6 +224,17 @@ This secret will be used in all RADIUS queries. If this is not set then RADIUS queries will fail. </LI> +<LI><B>radius_authtypes</B> (string)</BR> +A comma separated list of supported RADIUS authentication methods +(<B>pap</B> or <B>chap</B>), in order of preference (default <B>pap</B>). +</LI> + +<LI><B>allow_duplicate_users</B> (boolean)</BR> +Allow multiple logins with the same username. If false (the default), +any prior session with the same username will be dropped when a new +session is established. +</LI> + <LI><B>bind_address</B> (ip address)<BR> When the tun interface is created, it is assigned the address specified here. If no address is given, 1.1.1.1 is used. Packets 
@@ -282,10 +286,6 @@ second. Even if this is disabled, you can see this information by running the <EM>uptime</EM> command on the CLI. </LI> -<LI><B>cleanup_interval</B> (int)<BR> -Interval between regular cleanups (in seconds). -</LI> - <LI><B>multi_read_count</B> (int)<BR> Number of packets to read off each of the UDP and TUN fds when returned as readable by select (default: 10). Avoids incurring the @@ -307,6 +307,13 @@ Keep all pages mapped by the l2tpns process in memory. Maximum number of host unreachable ICMP packets to send per second. </LI> +<LI><B>packet_limit</B> (int><BR> +Maximum number of packets of downstream traffic to be handled each +tenth of a second per session. If zero, no limit is applied (default: +0). Intended as a DoS prevention mechanism and not a general +throttling control (packets are dropped, not queued). +</LI> + <LI><B>cluster_address</B> (ip address)<BR> Multicast cluster address (default: 239.192.13.13). See the section on <A HREF="#Clustering">Clustering</A> for more information. @@ -325,6 +332,11 @@ Cluster heartbeat timeout in tenths of a second. A new master will be elected when this interval has been passed without seeing a heartbeat from the master. </LI> + +<LI><B>cluster_master_min_adv</B> (int)<BR> +Determines the minumum number of up to date slaves required before the +master will drop routes (default: 1). +</LI> </UL> <P>BGP routing configuration is entered by the command: 
@@ -360,23 +372,25 @@ define the body of the access-list. Standard access-list syntax: Extended access-lists: -<DL> - <DD>{<B>permit</B>|<B>deny</B>} <B>ip</B> +<DIV STYLE="margin-left: 4em; text-indent: -2em"> + <P>{<B>permit</B>|<B>deny</B>} <B>ip</B> {<I>host</I>|<I>source source-wildcard</I>|<B>any</B>} - {<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>} - <DD>{<B>permit</B>|<B>deny</B>} <B>udp</B> + {<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>} [<B>fragments</B>] + <P>{<B>permit</B>|<B>deny</B>} <B>udp</B> {<I>host</I>|<I>source source-wildcard</I>|<B>any</B>} [{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>] {<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>} [{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>] - <DD>{<B>permit</B>|<B>deny</B>} <B>tcp</B> + [<B>fragments</B>] + <P>{<B>permit</B>|<B>deny</B>} <B>tcp</B> {<I>host</I>|<I>source source-wildcard</I>|<B>any</B>} [{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>] {<I>host</I>|<I>destination destination-wildcard</I>|<B>any</B>} [{<B>eq</B>|<B>neq</B>|<B>gt</B>|<B>lt</B>} <I>port</I>|<B>range</B> <I>from</I> <I>to</I>] [{<B>established</B>|{<B>match-any</B>|<B>match-all</B>} - {<B>+</B>|<B>-</B>}{<B>fin</B>|<B>syn</B>|<B>rst</B>|<B>psh</B>|<B>ack</B>|<B>urg</B>} ...] -</DL> + {<B>+</B>|<B>-</B>}{<B>fin</B>|<B>syn</B>|<B>rst</B>|<B>psh</B>|<B>ack</B>|<B>urg</B>} + ...|<B>fragments</B>] +</DIV> <H3 ID="users">users</H3> 
@@ -682,16 +696,15 @@ killall -HUP l2tpns </PRE> The signals understood are: -<UL> -<LI>SIGHUP - Reload the config from disk and re-open log file<P></LI> -<LI>SIGTERM / SIGINT - Shut down for a restart. This will dump the current -state to disk (if <EM>save_state</EM> is set to true). Upon restart, the -process will read this saved state to resume active sessions.<P> -<LI>SIGQUIT - Shut down cleanly. This will send a disconnect message for -every active session and tunnel before shutting down. This is a good idea -when upgrading the code, as no sessions will be left with the remote end -thinking they are open.</LI> -</UL> +<DL> +<DT>SIGHUP</DT><DD>Reload the config from disk and re-open log file.</DD> +<DT>SIGTERM, SIGINT</DT><DD>Stop process. Tunnels and sessions are not +terminated. This signal should be used to stop l2tpns on a +<A HREF="#Clustering">cluster node</A> where there are other machines to +continue handling traffic.</DD> +<DT>SIGQUIT</DT><DD>Shut down tunnels and sessions, exit process when +complete.</DD> +</DL> <H2 ID="Throttling">Throttling</H2> @@ -1021,6 +1034,22 @@ ibgp" for IBGP. If this is not supported by your IOS revision, you can use "maximum-paths" (which works for EBGP) and set <B>as_number</B> to a private value such as 64512.<P> +<H2 ID="AvoidingFragmentation">Avoiding Fragmentation</H2> + +Fragmentation of encapsulated return packets to the LAC may be avoided +for TCP sessions by adding a firewall rule to clamps the MSS on +outgoing SYN packets. + +The following is appropriate for interfaces with a typical MTU of +1500: + +<pre> +iptables -A FORWARD -i tun+ -o eth0 \ + -p tcp --tcp-flags SYN,RST SYN \ + -m tcpmss --mss 1413:1600 \ + -j TCPMSS --set-mss 1412 +</pre> + <H2 ID="Performance">Performance</H2> Performance is great.<P>
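Review bot: the two new entries in the @@ -231,6 hunk (radius_authtypes, allow_duplicate_users) close the option line with `</BR>`, which is not an HTML tag; every other entry in this list uses `<BR>`, so `<LI><B>radius_authtypes</B> (string)<BR>` and `<LI><B>allow_duplicate_users</B> (boolean)<BR>` to match. On substance, "in order of preference" for radius_authtypes should say what the order is applied to (which method is offered to the peer first, and whether the next one is tried when the peer rejects it), and since the default list is just `pap`, it is worth stating that a peer only willing to do CHAP will fail to authenticate unless `chap` is added. For allow_duplicate_users, the text should say whether the duplicate check is per node or across a cluster, since a reader configuring clustering will otherwise assume one or the other.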
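Review bot: in the @@ -307,6 hunk the new entry reads `<LI><B>packet_limit</B> (int><BR>`; the type annotation is missing its closing parenthesis and should be `(int)<BR>` like the surrounding entries. The description also uses "downstream" without defining the direction; the rest of this page talks about traffic towards the LAC as "return" traffic, so say explicitly that the limit applies to packets sent towards the client, and mention that it is per session and per tenth of a second so an operator can translate it into a packets-per-second figure.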
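Review bot: "minumum" in the cluster_master_min_adv entry (@@ -325,6 hunk) should be "minimum". The sentence "before the master will drop routes" is also unclear on its own: it does not say which routes are dropped or why the number of up-to-date slaves matters, and the Clustering section this entry points to is the place a reader will look for that. One sentence tying it to master failover (what the master does when fewer than this many slaves are current) would make the default of 1 meaningful.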
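Review bot: the three syntax forms in the @@ -360,23 hunk present the new `fragments` keyword inconsistently. For `ip` and `udp` it is a separate trailing `[<B>fragments</B>]`, while for `tcp` it is folded into the flags bracket as `...|<B>fragments</B>]`, making it an alternative to `established`/`match-any`/`match-all` rather than an independent option. If `fragments` is meant to be mutually exclusive with port and flag qualifiers (non-initial fragments carry no transport header, so there is nothing for `eq`/`range` or `syn`/`ack` to match), the `udp` form should show that exclusion the way the `tcp` form does, and a sentence after the syntax block should state what `fragments` actually matches.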
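Review bot: the rewritten signal list in the @@ -682,16 hunk drops the operational advice the old text carried. Now that save_state is gone, SIGTERM/SIGINT leaves every tunnel and session open from the remote end's point of view, and the new SIGTERM entry only says this is appropriate on a cluster node. The SIGQUIT entry should say the other half explicitly, as the removed text did: on a standalone node, or when upgrading the code, use SIGQUIT so the LACs are told their sessions are gone rather than being left with stale state. Consider also noting in the SIGTERM entry what happens to the orphaned sessions on a single node, since that is the failure mode an operator will hit.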
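Review bot: in the new Avoiding Fragmentation section (@@ -1021,6 hunk), "a firewall rule to clamps the MSS" should be "a firewall rule that clamps the MSS". The rule itself has two things a reader should be warned about. First, `-m tcpmss --mss 1413:1600` only rewrites SYNs whose advertised MSS falls in that range, so a client advertising more than 1600 passes through unclamped; an open-ended upper bound (`--mss 1413:65535`) or dropping the tcpmss match entirely avoids that gap. Second, `eth0` is a specific interface name, so say it stands for the upstream interface and must be changed to match the host. It would also help to show how 1412 is derived from the 1500 MTU (the encapsulation overhead subtracted from the usual 1460), so an operator with a different MTU can recompute it, and to say that this only helps TCP, as the text already hints; other protocols still fragment.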