X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/f5071c422df06800e59bb1be0218c0f6ec2ba831..c3633ceaba83fc443e2703367e05b16d87ad71aa:/Docs/startup-config.5?ds=inline diff --git a/Docs/startup-config.5 b/Docs/startup-config.5 index 35527f3..174a253 100644 --- a/Docs/startup-config.5 +++ b/Docs/startup-config.5 @@ -2,7 +2,7 @@ .de Id .ds Dt \\$4 \\$5 .. -.Id $Id: startup-config.5,v 1.1 2004/11/17 15:08:19 bodea Exp $ +.Id $Id: startup-config.5,v 1.17 2006/04/27 14:38:14 bodea Exp $ .TH STARTUP-CONFIG 5 "\*(Dt" L2TPNS "File Formats and Conventions" .SH NAME startup\-config \- configuration file for l2tpns @@ -51,6 +51,11 @@ is any one of the syslog logging facilities, such as If set, the process id will be written to the specified file. The value must be an absolute path. .TP +.B random_device +Path to random data source (default +.BR /dev/urandom ). +Use "" to use the rand() library function. +.TP .B l2tp_secret The secret used by .B l2tpns @@ -58,19 +63,25 @@ for authenticating tunnel request. Must be the same as the LAC, or authentication will fail. Only actually be used if the LAC requests authentication. .TP +.B l2tp_mtu +MTU of interface for L2TP traffic (default: 1500). Used to set link +MRU and adjust TCP MSS. +.TP +.B ppp_restart_time +Restart timer for PPP protocol negotiation in seconds (default: 3). +.TP +.B ppp_max_configure +Number of configure requests to send before giving up (default: 10). +.TP +.B ppp_max_failure +Number of Configure-Nak requests to send before sending a +Configure-Reject (default: 5). +.TP .BR primary_dns , " secondary_dns" Whenever a PPP connection is established, DNS servers will be sent to the user, both a primary and a secondary. If either is set to 0.0.0.0, then that one will not be sent. .TP -.B save_state -When -.B l2tpns -receives a STGTERM it will write out its current ip_address_pool, -session and tunnel tables to disk prior to exiting to be re-loaded at -startup. The validity of this data is obviously quite short and the -intent is to allow an sessions to be retained over a software upgrade. -.TP .BR primary_radius , " secondary_radius" Sets the RADIUS servers used for both authentication and accounting. If the primary server does not respond, then the secondary RADIUS @@ -90,9 +101,31 @@ and a .B Stop record when the session is closed. .TP +.B radius_interim +If +.B radius_accounting +is on, defines the interval between sending of RADIUS interim +accounting records (in seconds). +.TP .B radius_secret Secret to be used in RADIUS packets. .TP +.B radius_authtypes +A comma separated list of supported RADIUS authentication methods +("pap" or "chap"), in order of preference (default "pap"). +.TP +.B radius_dae_port +Port for DAE RADIUS (Packet of Death/Disconnect, Change of Authorization) +requests (default: 3799). +.TP +.B allow_duplicate_users +Allow multiple logins with the same username. If false (the default), +any prior session with the same username will be dropped when a new +session is established. +.TP +.B guest_account +Allow multiple logins matching this specific username. +.TP .B bind_address When the tun interface is created, it is assigned the address specified here. If no address is given, 1.1.1.1 is used. Packets @@ -105,7 +138,7 @@ Address to send to clients as the default gateway. .B send_garp Determines whether or not to send a gratuitous ARP for the .B bind_address -when the server is ready to handle traffic (default: true). This +when the server is ready to handle traffic (default: true). This setting is ignored if BGP is configured. .TP .B throttle_speed @@ -119,21 +152,13 @@ session requires two buckets (in and out). If set to a directory, then every 5 minutes the current usage for every connected use will be dumped to a file in this directory. .TP -.B setuid -After starting up and binding the interface, change UID to this. This -doesn't work properly. -.TP .B dump_speed If set to true, then the current bandwidth utilization will be logged every second. Even if this is disabled, you can see this information by running the -.B -uptime +.B uptime command on the CLI. .TP -.B cleanup_interval -Interval between regular cleanups (in seconds). -.TP .B multi_read_count Number of packets to read off each of the UDP and TUN fds when returned as readable by select (default: 10). Avoids incurring the @@ -160,12 +185,21 @@ process in memory. .B icmp_rate Maximum number of host unreachable ICMP packets to send per second. .TP +.B packet_limit +Maximum number of packets of downstream traffic to be handled each +tenth of a second per session. If zero, no limit is applied (default: +0). Intended as a DoS prevention mechanism and not a general +throttling control (packets are dropped, not queued). +.TP .B cluster_address Multicast cluster address (default: 239.192.13.13). .TP .B cluster_interface Interface for cluster packets (default: eth0). .TP +.B cluster_mcast_ttl +TTL for multicast packets (default: 1). +.TP .B cluster_hb_interval Interval in tenths of a second between cluster heartbeat/pings. .TP @@ -173,6 +207,15 @@ Interval in tenths of a second between cluster heartbeat/pings. Cluster heartbeat timeout in tenths of a second. A new master will be elected when this interval has been passed without seeing a heartbeat from the master. +.TP +.B cluster_master_min_adv +Determines the minumum number of up to date slaves required before the +master will drop routes (default: 1). +.TP +.B ipv6_prefix +Enable negotiation of IPv6. This forms the the first 64 bits of the +client allocated address. The remaining 64 come from the allocated +IPv4 address and 4 bytes of 0s. .RE .SS BGP ROUTING The routing configuration section is entered by the command @@ -199,5 +242,121 @@ is the remote AS number and .IR keepalive , .I hold are the timer values in seconds. +.SS NAMED ACCESS LISTS +Named access lists may be defined with either of +.IP +.BI "ip access\-list standard " name +.br +.BI "ip access\-list extended " name +.PP +Subsequent lines starting with +.B permit +or +.B deny +define the body of the access\-list. +.PP +.B Standard Access Lists +.RS 4n +Standard access lists are defined with: +.IP +.RB { permit | deny } +.IR source " [" dest ] +.PP +Where +.I source +and +.I dest +specify IP matches using one of: +.IP +.I address +.I wildard +.br +.B host +.I address +.br +.B any +.PP +.I address +and +.I wildard +are in dotted-quad notation, bits in the +.I wildard +indicate which address bits in +.I address +are relevant to the match (0 = exact match; 1 = don't care). +.PP +The shorthand +.RB ' host +.IR address ' +is equivalent to +.RI ' address +.BR 0.0.0.0 '; +.RB ' any ' +to +.RB ' 0.0.0.0 +.BR 255.255.255.255 '. +.RE +.PP +.B Extended Access Lists +.RS 4n +Extended access lists are defined with: +.IP +.RB { permit | deny } +.I proto +.IR source " [" ports "] " dest " [" ports "] [" flags ] +.PP +Where +.I proto +is one of +.BR ip , +.B tcp +or +.BR udp , +and +.I source +and +.I dest +are as described above for standard lists. +.PP +For TCP and UDP matches, source and destination may be optionally +followed by a +.I ports +specification: +.IP +.RB { eq | neq | gt | lt } +.I port +.br +.B +range +.I from to +.PP +.I flags +may be one of: +.RS +.HP +.RB { match\-any | match\-all } +.RB { + | - }{ fin | syn | rst | psh | ack | urg } +\&... +.br +Match packets with any or all of the tcp flags set +.RB ( + ) +or clear +.RB ( - ). +.HP +.B established +.br +Match "established" TCP connections: packets with +.B RST +or +.B ACK +set, and +.B SYN +clear. +.HP +.B fragments +.br +Match IP fragments. May not be specified on rules with layer 4 +matches. +.RE .SH SEE ALSO .BR l2tpns (8)