.SH NAME
.PP
startup-config - configuration file for l2tpns
.SH SYNOPSIS
.PP
/etc/l2tpns/startup-config
.SH DESCRIPTION
.PP
\f[B]startup-config\f[R] is the configuration file for \f[B]l2tpns\f[R].
.PP
The format is plain text, in the same format as accepted by the
configuration mode of l2tpns\[cq]s telnet administrative interface.
Comments are introduced by either the character # or !.
.SS SETTINGS
.PP
Settings are specified with
.IP \[bu] 2
\f[B]set\f[R] \f[C]variable\f[R] \f[C]value\f[R]
.PP
A list of the possible configuration directives follows.
Each of these is set by a line like one of:
.IP \[bu] 2
\f[B]set\f[R] \f[I]configstring\f[R] \f[I]\[lq]value\[rq]\f[R]
.IP \[bu] 2
\f[B]set\f[R] \f[I]ipaddress\f[R] \f[I]192.168.1.1\f[R]
.IP \[bu] 2
\f[B]set\f[R] \f[I]boolean\f[R] \f[I]true\f[R]
.PP
The following \f[C]variables\f[R] may be set:
.IP \[bu] 2
\f[B]accounting_dir\f[R] (string)
.RS 2
.PP
If set to a directory, then every 5 minutes the current usage for every
connected user is dumped to a file in this directory.
Each file dumped begins with a header, where each line is prefixed by #.
Following the header is a single line for every connected user, with
fields separated by a space.
.PP
The fields are username, ip, qos, uptxoctets, downrxoctets and origin
(optional).
The qos field is 1 for a standard user and 2 if the user is throttled.
The origin field is only dumped if \f[B]account_all_origin\f[R] is set
to true (origin values: L=LAC data, R=Remote LNS data, P=PPPOE data).
.RE
.IP \[bu] 2
\f[B]account_all_origin\f[R] (boolean)
.RS 2
.PP
If set to true, usage from all origins (LAC, Remote LNS and PPPOE) is
dumped to the accounting file (default: false).
.RE
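.PP
As an added example (Python, not part of l2tpns), the following parses a
dump in the format just described and totals usage per username, which
also exposes usernames holding more than one session at once.
The sample dump is constructed from the field list above; the expanded
origin names and the decision to skip rather than interpret the header
lines are assumptions.

```python
"""Parse the per-user usage dumps written to accounting_dir.

Added example, not part of l2tpns. The sample dump is constructed from the
field list above (username ip qos uptxoctets downrxoctets [origin]); header
lines start with '#' and are skipped rather than interpreted.
"""
from collections import defaultdict

SAMPLE_DUMP = """\
# l2tpns accounting dump (constructed sample)
# username ip qos uptxoctets downrxoctets origin
alice@example.net 10.10.0.5 1 1048576 20971520 L
bob@example.net 10.10.0.6 2 524288 4194304 P
alice@example.net 10.10.0.7 1 65536 131072 R
carol@example.net 10.10.0.8 1 0 0
"""

QOS = {"1": "standard", "2": "throttled"}
ORIGIN = {"L": "LAC", "R": "remote LNS", "P": "PPPoE"}  # names assumed


def parse_accounting_dump(text):
    """One dict per connected user; origin is None when account_all_origin is off."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (5, 6):
            raise ValueError("unexpected field count in %r" % line)
        username, ip, qos, up, down = fields[:5]
        origin = fields[5] if len(fields) == 6 else None
        records.append({"username": username, "ip": ip, "qos": QOS.get(qos, qos),
                        "up_octets": int(up), "down_octets": int(down),
                        "origin": ORIGIN.get(origin, origin)})
    return records


def usage_per_user(records):
    """Total octets and session count per username across all origins."""
    totals = defaultdict(lambda: {"sessions": 0, "up_octets": 0, "down_octets": 0})
    for r in records:
        t = totals[r["username"]]
        t["sessions"] += 1
        t["up_octets"] += r["up_octets"]
        t["down_octets"] += r["down_octets"]
    return dict(totals)


def concurrent_users(records):
    """Usernames with more than one session in the same dump; this only
    happens with allow_duplicate_users or the guest_account username."""
    return sorted(u for u, t in usage_per_user(records).items() if t["sessions"] > 1)


if __name__ == "__main__":
    recs = parse_accounting_dump(SAMPLE_DUMP)
    for user, total in sorted(usage_per_user(recs).items()):
        print(user, total)
    print("concurrent:", concurrent_users(recs))
```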
.IP \[bu] 2
\f[B]allow_duplicate_users\f[R] (boolean)
.RS 2
.PP
Allow multiple logins with the same username.
If false (the default), any prior session with the same username will be
dropped when a new session is established.
.RE
.IP \[bu] 2
\f[B]auth_tunnel_change_addr_src\f[R] (boolean)
.RS 2
.PP
Allow the source IP address of an L2TP tunnel to change.
This can be used when the remote BAS/LAC is itself an l2tpns server
configured in cluster mode, but its interface towards the remote LNS is
not clustered, so that packets for one tunnel may arrive from different
source addresses (default: no).
Since the peer address is part of what ties a tunnel to its LAC, leave
this disabled unless that deployment actually requires it.
.RE
.IP \[bu] 2
\f[B]bind_address\f[R] (ip address)
.RS 2
.PP
The address on which l2tpns listens for, and sends, L2TP UDP traffic to
and from the LAC.
This address is also assigned to the tun interface if no iftun_address
is specified.
Packets containing user traffic should be routed via this address if
given, otherwise the primary address of the machine.
.RE
.IP \[bu] 2
\f[B]bind_multi_address\f[R] (ip address)
.RS 2
.PP
Listen for L2TP UDP traffic on several addresses (and assign them all to
the tun interface).
.PP
WHEN this parameter is set, it OVERRIDES the parameters
\[lq]bind_address\[rq] and \[lq]iftun_address\[rq].
.PP
This can be useful for load-balancing the traffic uploaded from the LAC
in cluster mode.
For example you can set a bgp.prepend(MY_AS) for Address1 on LNS1 and a
bgp.prepend(MY_AS) for Address2 on LNS2 (see BGP AS-path prepending).
.PP
Example of use with 2 addresses:
.PP
\f[B]set\f[R] \f[I]bind_multi_address\f[R] \[lq]64.14.13.41,
64.14.13.42\[rq]
.RE
.IP \[bu] 2
\f[B]cluster_address\f[R] (ip address)
.RS 2
.PP
Multicast cluster address (default: 239.192.13.13).
See the section on Clustering for more information.
.RE
.IP \[bu] 2
\f[B]cluster_port\f[R] (int)
.RS 2
.PP
UDP cluster port (default: 32792).
See the section on Clustering for more information.
.RE
.IP \[bu] 2
\f[B]cluster_interface\f[R] (string)
.RS 2
.PP
Interface for cluster packets (default: eth0).
.RE
.IP \[bu] 2
\f[B]cluster_mcast_ttl\f[R] (int)
.RS 2
.PP
TTL for multicast packets (default: 1).
.RE
.IP \[bu] 2
\f[B]cluster_hb_interval\f[R] (int)
.RS 2
.PP
Interval in tenths of a second between cluster heartbeat/pings.
.RE
.IP \[bu] 2
\f[B]cluster_hb_timeout\f[R] (int)
.RS 2
.PP
Cluster heartbeat timeout in tenths of a second.
A new master will be elected when this interval has passed without
seeing a heartbeat from the master.
.RE
.IP \[bu] 2
\f[B]cluster_master_min_adv\f[R] (int)
.RS 2
.PP
Determines the minimum number of up to date slaves required before the
master will drop routes (default: 1).
.RE
.IP \[bu] 2
\f[B]debug\f[R] (int)
.RS 2
.PP
Set the level of debugging messages written to the log file.
The value should be between 0 and 5, with 0 being no debugging, and 5
being the highest.
A rough description of the levels is:
.RS 2
.IP "0." 3
Critical Errors - Things are probably broken
.IP "1." 3
Errors - Things might have gone wrong, but probably will recover
.IP "2." 3
Warnings - Just in case you care what is not quite perfect
.IP "3." 3
Information - Parameters of control packets
.IP "4." 3
Calls - For tracing the execution of the code
.IP "5." 3
Packets - Everything, including a hex dump of all packets processed\&...
probably twice
.RE
.PP
Note that the higher you set the debugging level, the slower the program
will run.
Also, at level 5 a LOT of information will be logged.
This should only ever be used for working out why it doesn\[cq]t work at
all.
Because the level 5 hex dumps contain the full contents of the PPP
frames, user credentials (for example PAP passwords) end up in the log
file; treat such logs as sensitive and lower the level again afterwards.
.RE
.IP \[bu] 2
\f[B]dump_speed\f[R] (boolean)
.RS 2
.PP
If set to true, then the current bandwidth utilization will be logged
every second.
Even if this is disabled, you can see this information by running the
uptime command on the CLI.
.RE
.IP \[bu] 2
\f[B]disable_sending_hello\f[R] (boolean)
.RS 2
.PP
Disable sending of the L2TP HELLO message, for Apple compatibility.
Some OS X implementations of L2TP do not handle the L2TP \[lq]HELLO
message\[rq] (default: no).
.RE
.IP \[bu] 2
\f[B]echo_timeout\f[R] (int)
.RS 2
.PP
Time between the last packet sent and LCP ECHO generation (default: 10
seconds).
.RE
.IP \[bu] 2
\f[B]guest_account\f[R]
.RS 2
.PP
Allow multiple logins matching this specific username.
.RE
.IP \[bu] 2
\f[B]icmp_rate\f[R] (int)
.RS 2
.PP
Maximum number of host unreachable ICMP packets to send per second.
.RE
.IP \[bu] 2
\f[B]idle_echo_timeout\f[R] (int)
.RS 2
.PP
Drop sessions which have not responded within idle_echo_timeout seconds
(default: 240 seconds).
.RE
.IP \[bu] 2
\f[B]iftun_address\f[R] (ip address)
.RS 2
.PP
Use this when you want a tun interface address different from
\[lq]bind_address\[rq] (for specific configurations).
If neither iftun_address nor bind_address is given, 1.1.1.1 is used.
.RE
.IP \[bu] 2
\f[B]l2tp_mtu\f[R] (int)
.RS 2
.PP
MTU of interface for L2TP traffic (default: 1500).
Used to set link MRU and adjust TCP MSS.
.RE
.IP \[bu] 2
\f[B]l2tp_secret\f[R] (string)
.RS 2
.PP
The secret used by l2tpns for authenticating tunnel requests.
Must be the same as on the LAC, or authentication will fail.
It is only used if the LAC requests authentication, so on its own it
does not stop tunnel setup from a peer that never asks to authenticate;
restrict the L2TP port to known LAC addresses at the packet filter as
well.
.RE
.IP \[bu] 2
\f[B]lock_pages\f[R] (boolean)
.RS 2
.PP
Keep all pages mapped by the l2tpns process in memory.
.RE
.IP \[bu] 2
\f[B]log_file\f[R] (string)
.RS 2
.PP
This is where all logging and debugging information is written.
It may be either a filename, such as /var/log/l2tpns, or the string
syslog:facility, where facility is any one of the syslog logging
facilities, such as local5.
.RE
.IP \[bu] 2
\f[B]multi_read_count\f[R] (int)
.RS 2
.PP
Number of packets to read off each of the UDP and TUN fds when returned
as readable by select (default: 10).
Avoids incurring the unnecessary system call overhead of select on busy
servers.
.RE
.IP \[bu] 2
\f[B]packet_limit\f[R] (int)
.RS 2
.PP
Maximum number of packets of downstream traffic to be handled each tenth
of a second per session.
If zero, no limit is applied (default: 0).
Intended as a DoS prevention mechanism and not a general throttling
control (packets are dropped, not queued).
.RE
.IP \[bu] 2
\f[B]peer_address\f[R] (ip address)
.RS 2
.PP
Address to send to clients as the default gateway.
.RE
.IP \[bu] 2
\f[B]pid_file\f[R] (string)
.RS 2
.PP
If set, the process id will be written to the specified file.
The value must be an absolute path.
.RE
.IP \[bu] 2
\f[B]ppp_keepalive\f[R] (boolean)
.RS 2
.PP
Change this value to no to force generation of an LCP ECHO every
echo_timeout seconds, even if there is activity on the link (default:
yes).
.RE
.IP \[bu] 2
\f[B]ppp_restart_time\f[R] (int)
.IP \[bu] 2
\f[B]ppp_max_configure\f[R] (int)
.IP \[bu] 2
\f[B]ppp_max_failure\f[R] (int)
.RS 2
.PP
PPP counter and timer values, as described in Section 4.1 of RFC1661.
.PP
\f[I]ppp_restart_time\f[R]: restart timer for PPP protocol negotiation
in seconds (default: 3).
.PP
\f[I]ppp_max_configure\f[R]: number of configure requests to send before
giving up (default: 10).
.PP
\f[I]ppp_max_failure\f[R]: number of Configure-Nak requests to send
before sending a Configure-Reject (default: 5).
.RE
.IP \[bu] 2
\f[B]primary_dns\f[R] (ip address), \f[B]secondary_dns\f[R] (ip address)
.RS 2
.PP
Whenever a PPP connection is established, DNS servers will be sent to
the user, both a primary and a secondary.
If either is set to 0.0.0.0, then that one will not be sent.
.RE
.IP \[bu] 2
\f[B]primary_radius\f[R] (ip address), \f[B]secondary_radius\f[R] (ip
address)
.RS 2
.PP
Sets the RADIUS servers used for both authentication and accounting.
If the primary server does not respond, then the secondary RADIUS server
will be tried.
.PP
Note: in addition to the source IP address and identifier, the RADIUS
server must include the source port when detecting duplicate requests to
suppress: in order to cope with a large number of sessions coming
on-line simultaneously, l2tpns uses a set of UDP sockets, each with its
own identifier sequence, so the same identifier can legitimately be in
flight from different source ports at the same time.
.RE
.IP \[bu] 2
\f[B]primary_radius_port\f[R] (short), \f[B]secondary_radius_port\f[R]
(short)
.RS 2
.PP
Sets the authentication ports for the primary and secondary RADIUS
servers.
The accounting port is one more than the authentication port.
If no RADIUS ports are given, the authentication port defaults to 1645,
and the accounting port to 1646.
.RE
.IP \[bu] 2
\f[B]radius_accounting\f[R] (boolean)
.RS 2
.PP
If set to true, then RADIUS accounting packets will be sent.
This means that a \f[B]Start\f[R] record will be sent when the session
is successfully authenticated, and a \f[B]Stop\f[R] record will be sent
when the session is closed.
.RE
.IP \[bu] 2
\f[B]radius_interim\f[R] (int)
.RS 2
.PP
If radius_accounting is on, defines the interval between sending of
RADIUS interim accounting records (in seconds).
.RE
.IP \[bu] 2
\f[B]radius_secret\f[R] (string)
.RS 2
.PP
This secret will be used in all RADIUS queries.
If this is not set then RADIUS queries will fail.
.RE
.IP \[bu] 2
\f[B]radius_authtypes\f[R] (string)
.RS 2
.PP
A comma separated list of supported RADIUS authentication methods
(\[lq]pap\[rq] or \[lq]chap\[rq]), in order of preference (default
\[lq]pap\[rq]).
With PAP the user\[cq]s password crosses the PPP session in the clear;
list \[lq]chap\[rq] first unless some clients can only do PAP.
.RE
.IP \[bu] 2
\f[B]radius_dae_port\f[R] (short)
.RS 2
.PP
Port for RADIUS DAE (Dynamic Authorization: Packet of Disconnect and
Change of Authorization) requests (default: 3799).
.RE
.IP \[bu] 2
\f[B]radius_bind_min\f[R], \f[B]radius_bind_max\f[R] (int)
.RS 2
.PP
Define a port range in which to bind sockets used to send and receive
RADIUS packets.
Must be at least RADIUS_FDS (64) wide.
Simplifies firewalling of RADIUS ports (default: dynamically assigned).
.RE
.IP \[bu] 2
\f[B]random_device\f[R] (string)
.RS 2
.PP
Path to random data source (default /dev/urandom).
Use \[dq]\[dq] to use the rand() library function.
rand() is not a cryptographic random number generator; leave the default
unless the random device is genuinely unavailable.
.RE
.IP \[bu] 2
\f[B]scheduler_fifo\f[R] (boolean)
.RS 2
.PP
Sets the scheduling policy for the l2tpns process to SCHED_FIFO.
This causes the kernel to immediately preempt any currently running
SCHED_OTHER (normal) process in favour of l2tpns when it becomes
runnable.
Ignored on uniprocessor systems.
.RE
.IP \[bu] 2
\f[B]send_garp\f[R] (boolean)
.RS 2
.PP
Determines whether or not to send a gratuitous ARP for the bind_address
when the server is ready to handle traffic (default: true).
This value is ignored if BGP is configured.
.RE
.IP \[bu] 2
\f[B]tundevicename\f[R] (string)
.RS 2
.PP
Name of the tun interface (default: \[lq]tun0\[rq]).
.RE
.IP \[bu] 2
\f[B]throttle_speed\f[R] (int)
.RS 2
.PP
Sets the default speed (in kbits/s) which sessions will be limited to.
If this is set to 0, then throttling will not be used at all.
Note: You can set this by the CLI, but changes will not affect currently
connected users.
.RE
.IP \[bu] 2
\f[B]throttle_buckets\f[R] (int)
.RS 2
.PP
Number of token buckets to allocate for throttling.
Each throttled session requires two buckets (in and out).
.RE
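.PP
The settings above can be checked mechanically.
The following is an added example (Python; not l2tpns code): it parses a
startup-config using the set/comment syntax described at the top of this
page and flags the combinations the descriptions warn about, such as a
missing radius_secret, an empty random_device, debug 5 left on, or a
RADIUS bind range narrower than RADIUS_FDS.
The sample file is constructed, and counting the bind range inclusively
is an assumption about how l2tpns measures its width.

```python
"""Parse an l2tpns startup-config and flag risky settings.

Added example, not part of l2tpns. The file format follows this page: lines
of 'set variable value' with '#' or '!' starting a comment. Each check is
taken from a variable's description above; the sample file is constructed.
"""
import shlex

SAMPLE_CONFIG = """\
! l2tpns startup-config (constructed sample)
set debug 5
set log_file "/var/log/l2tpns"
set bind_address 64.14.13.41
set primary_radius 10.0.0.10        # no radius_secret anywhere
set radius_accounting true
set random_device ""                # falls back to rand()
set allow_duplicate_users yes
set radius_bind_min 40000
set radius_bind_max 40031
"""

TRUE_VALUES = {"true", "yes", "on", "1"}


def parse_startup_config(text):
    """Return {variable: value} from every 'set' line; a later line overrides."""
    settings = {}
    for raw in text.splitlines():
        lex = shlex.shlex(raw, posix=True)
        lex.whitespace_split = True
        lex.commenters = "#!"  # both comment leaders of this format
        try:
            tokens = list(lex)
        except ValueError:  # unbalanced quotes: ignore the line
            continue
        if len(tokens) >= 3 and tokens[0] == "set":
            settings[tokens[1]] = " ".join(tokens[2:])
    return settings


def _is_true(settings, name, default="false"):
    return settings.get(name, default).lower() in TRUE_VALUES


def audit_startup_config(settings):
    """Return (severity, message) findings; an empty list means nothing to flag."""
    findings = []
    get = settings.get
    if ("primary_radius" in settings or "secondary_radius" in settings) and not get("radius_secret"):
        findings.append(("error", "RADIUS servers set but radius_secret missing: every RADIUS query will fail"))
    if get("random_device") == "":
        findings.append(("error", 'random_device "" selects rand(), not a cryptographic source; use /dev/urandom'))
    if get("debug", "0").isdigit() and int(get("debug", "0")) >= 5:
        findings.append(("warning", "debug %s writes packet contents (credentials included) to the log" % get("debug")))
    if _is_true(settings, "allow_duplicate_users"):
        findings.append(("warning", "allow_duplicate_users lets one credential hold several sessions"))
    if _is_true(settings, "auth_tunnel_change_addr_src", "no"):
        findings.append(("warning", "auth_tunnel_change_addr_src lets a tunnel change its source address"))
    if [t.strip() for t in get("radius_authtypes", "pap").split(",")][0] == "pap":
        findings.append(("info", "radius_authtypes prefers pap; chap keeps the password out of the PPP session"))
    if "bind_multi_address" in settings and ("bind_address" in settings or "iftun_address" in settings):
        findings.append(("info", "bind_multi_address overrides bind_address and iftun_address"))
    if "radius_bind_min" in settings and "radius_bind_max" in settings:
        width = int(get("radius_bind_max")) - int(get("radius_bind_min")) + 1  # inclusive count (assumption)
        if width < 64:
            findings.append(("error", "radius_bind_min..max spans %d ports; RADIUS_FDS needs at least 64" % width))
    return findings


if __name__ == "__main__":
    for severity, message in audit_startup_config(parse_startup_config(SAMPLE_CONFIG)):
        print("%-7s %s" % (severity, message))
```

Run against a real file with parse_startup_config(open(path).read());
the checks only look at the variables documented on this page, so an
empty result means nothing documented here is misconfigured, not that the
file is correct.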
.SS DHCPv6 And IPv6 SETTINGS
.IP \[bu] 2
\f[B]dhcp6_preferred_lifetime\f[R] (int)
.RS 2
.PP
The preferred lifetime for the IPv6 address and the IPv6 prefix address,
expressed in units of seconds (see RFC 3315).
.RE
.IP \[bu] 2
\f[B]dhcp6_valid_lifetime\f[R] (int)
.RS 2
.PP
The valid lifetime for the IPv6 address and the IPv6 prefix address,
expressed in units of seconds (see RFC 3315).
.RE
.IP \[bu] 2
\f[B]dhcp6_server_duid\f[R] (int)
.RS 2
.PP
DUID Based on Link-layer Address (DUID-LL) (see RFC 3315).
.RE
.IP \[bu] 2
\f[B]primary_ipv6_dns\f[R], \f[B]secondary_ipv6_dns\f[R] (IPv6 address)
.RS 2
.PP
IPv6 DNS servers to be sent to the user (see RFC 3646).
.RE
.IP \[bu] 2
\f[B]default_ipv6_domain_list\f[R] (string)
.RS 2
.PP
The Domain Search List (ex: \[lq]fdn.fr\[rq]) (see RFC 3646).
.RE
.IP \[bu] 2
\f[B]ipv6_prefix\f[R] (IPv6 address)
.RS 2
.PP
Enable negotiation of IPv6.
This forms the first 64 bits of the client allocated address.
The remaining 64 come from the allocated IPv4 address and 4 bytes of 0.
.RE
.SS LAC SETTINGS
.IP \[bu] 2
\f[B]bind_address_remotelns\f[R] (ip address)
.RS 2
.PP
Address of the interface on which to listen for the remote LNS tunnels.
If no address is given, all interfaces are listened on (any address).
.RE
.IP \[bu] 2
\f[B]bind_portremotelns\f[R] (short)
.RS 2
.PP
Port to bind for the Remote LNS (default: 65432).
.RE
.PP
A static remote LNS configuration can be entered by the command:
.IP \[bu] 2
\f[B]setforward\f[R] \f[I]MASK\f[R] \f[I]IP\f[R] \f[I]PORT\f[R]
\f[I]SECRET\f[R]
.RS 2
.PP
where MASK specifies the mask of usernames which are forwarded to the
remote LNS (ex: \[lq]/friendISP\[at]company.com\[rq]),
.PP
IP specifies the IP of the remote LNS (ex: \[lq]66.66.66.55\[rq]),
.PP
PORT specifies the L2TP port of the remote LNS (normally 1701) (ex:
1701), and
.PP
SECRET specifies the secret password of the remote LNS (ex: mysecret).
.RE
.PP
The static remote LNS configuration can be used when the partner ISP
does not have a proxied RADIUS.
.PP
If a proxied RADIUS is used, it returns the RADIUS attributes:
.IP \[bu] 2
Tunnel-Type:1 = L2TP
.IP \[bu] 2
Tunnel-Medium-Type:1 = IPv4
.IP \[bu] 2
Tunnel-Password:1 = \[lq]LESECRETL2TP\[rq]
.IP \[bu] 2
Tunnel-Server-Endpoint:1 = \[lq]88.xx.xx.x1\[rq]
.IP \[bu] 2
Tunnel-Assignment-Id:1 = \[lq]friendisp_lns1\[rq]
.IP \[bu] 2
Tunnel-Type:2 += L2TP
.IP \[bu] 2
Tunnel-Medium-Type:2 += IPv4
.IP \[bu] 2
Tunnel-Password:2 += \[lq]LESECRETL2TP\[rq]
.IP \[bu] 2
Tunnel-Server-Endpoint:2 += \[lq]88.xx.xx.x2\[rq]
.IP \[bu] 2
Tunnel-Assignment-Id:2 += \[lq]friendisp_lns2\[rq]
.SS PPPOE SETTINGS
.IP \[bu] 2
\f[B]pppoe_if_to_bind\f[R] (string)
.RS 2
.PP
PPPOE server interface to bind (ex: \[lq]eth0.12\[rq]).
If not specified, the PPPOE server is not enabled.
For PPPOE clustering, all the PPPOE interfaces of the cluster members
must use the same HW (MAC) address.
.RE
.IP \[bu] 2
\f[B]pppoe_service_name\f[R] (string)
.RS 2
.PP
PPPOE service name (default: NULL).
.RE
.IP \[bu] 2
\f[B]pppoe_ac_name\f[R] (string)
.RS 2
.PP
PPPOE access concentrator name (default: \[lq]l2tpns-pppoe\[rq]).
.RE
.IP \[bu] 2
\f[B]pppoe_only_equal_svc_name\f[R] (boolean)
.RS 2
.PP
If set to yes, the PPPOE server only accepts clients whose
\[lq]service-name\[rq] is not NULL and is equal to the server
\[lq]service-name\[rq] (default: no).
.RE
.SS BGP ROUTING
.PP
The routing configuration section is entered by the command
.PP
\f[B]router\f[R] \f[B]bgp\f[R] \f[I]as\f[R]
.PP
where \f[I]as\f[R] specifies the local AS number.
.PP
Subsequent lines prefixed with \f[B]neighbour\f[R] \f[I]peer\f[R] define
the attributes of BGP neighbours.
Valid commands are:
.PP
\f[B]neighbour\f[R] \f[I]peer\f[R] \f[B]remote-as\f[R] \f[I]as\f[R]
.PP
\f[B]neighbour\f[R] \f[I]peer\f[R] \f[B]timers\f[R] \f[I]keepalive\f[R]
\f[I]hold\f[R]
.PP
Where \f[I]peer\f[R] specifies the BGP neighbour as either a hostname or
IP address, \f[I]as\f[R] is the remote AS number and
\f[I]keepalive\f[R], \f[I]hold\f[R] are the timer values in seconds.
.SS NAMED ACCESS LISTS
.PP
Named access lists may be defined with either of
.IP \[bu] 2
\f[B]ip\f[R] \f[B]access-list\f[R] \f[B]standard\f[R] \f[I]name\f[R]
.IP \[bu] 2
\f[B]ip\f[R] \f[B]access-list\f[R] \f[B]extended\f[R] \f[I]name\f[R]
.PP
Subsequent lines starting with permit or deny define the body of the
access-list.
.SS Standard Access Lists
.PP
Standard access lists are defined with:
.IP \[bu] 2
{\f[B]permit\f[R]|\f[B]deny\f[R]} \f[I]source\f[R] [\f[I]dest\f[R]]
.PP
Where \f[I]source\f[R] and \f[I]dest\f[R] specify IP matches using one
of:
.IP \[bu] 2
\f[I]address\f[R] \f[I]wildcard\f[R]
.IP \[bu] 2
\f[B]host\f[R] \f[I]address\f[R]
.IP \[bu] 2
\f[B]any\f[R]
.PP
\f[I]address\f[R] and \f[I]wildcard\f[R] are in dotted-quad notation;
bits set in the \f[I]wildcard\f[R] indicate which address bits in
\f[I]address\f[R] are relevant to the match (0 = exact match; 1 =
don\[cq]t care).
.PP
The shorthand `\f[B]host\f[R] \f[I]address\f[R]' is equivalent to
`\f[I]address\f[R] \f[B]0.0.0.0\f[R]'; `\f[B]any\f[R]' to
`\f[B]0.0.0.0\f[R] \f[B]255.255.255.255\f[R]'.
.SS Extended Access Lists
.PP
Extended access lists are defined with:
.IP \[bu] 2
{\f[B]permit\f[R]|\f[B]deny\f[R]} \f[I]proto\f[R] \f[I]source\f[R]
[\f[I]ports\f[R]] \f[I]dest\f[R] [\f[I]ports\f[R]] [\f[I]flags\f[R]]
.PP
Where \f[I]proto\f[R] is one of \f[B]ip\f[R], \f[B]tcp\f[R] or
\f[B]udp\f[R], and \f[I]source\f[R] and \f[I]dest\f[R] are as described
above for standard lists.
.PP
For TCP and UDP matches, source and destination may be optionally
followed by a ports specification:
.IP \[bu] 2
{\f[B]eq|neq|gt|lt\f[R]} \f[I]port\f[R]
.IP \[bu] 2
\f[B]range\f[R] \f[I]from\f[R] \f[I]to\f[R]
.PP
\f[I]flags\f[R] may be one of:
.IP \[bu] 2
{\f[B]match-any|match-all\f[R]}
{\f[B]+|-\f[R]}{\f[B]fin|syn|rst|psh|ack|urg\f[R]} \&...
.RS 2
.PP
Match packets with any or all of the tcp flags set (+) or clear (-).
.RE
.IP \[bu] 2
\f[B]established\f[R]
.RS 2
.PP
Match \[lq]established\[rq] TCP connections: packets with RST or ACK
set, and SYN clear.
.RE
.IP \[bu] 2
\f[B]fragments\f[R]
.RS 2
.PP
Match IP fragments.
May not be specified on rules with layer 4 matches.
.RE
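.PP
The list grammar above, implemented as an added example (Python; not
l2tpns code): it parses a named standard or extended list and evaluates
constructed packets against it, including the wildcard-mask address
match, the port operators, and the established and fragments flags.
Two points the page does not state are assumed: rules are tried in order
with the first match deciding, and a packet matching no rule is denied.

```python
"""Evaluate l2tpns-style named access lists (added example, not l2tpns code).
Assumed, since the page does not say so: rules are tried in order, the first
match decides, and a packet that matches no rule is denied."""
import ipaddress

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")
ANY = (0, 0xFFFFFFFF)  # 'any' == 0.0.0.0 255.255.255.255
_ip = lambda text: int(ipaddress.IPv4Address(text))  # dotted quad -> int

def _parse_addr(tok, i):
    """Consume one address match at tok[i]; return ((address, wildcard), next)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":  # 'host A' == 'A 0.0.0.0'
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_ports(tok, i):  # optional 'eq|neq|gt|lt N' or 'range A B'
    if i < len(tok) and tok[i] in ("eq", "neq", "gt", "lt"):
        op, p = tok[i], int(tok[i + 1])
        return (lambda x: {"eq": x == p, "neq": x != p, "gt": x > p, "lt": x < p}[op]), i + 2
    if i < len(tok) and tok[i] == "range":
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
        return (lambda x: lo <= x <= hi), i + 3
    return None, i

def _parse_flags(tok, has_l4):
    """Trailing part: established, fragments, or match-any/match-all +f/-f ..."""
    if not tok:
        return None
    if tok[0] == "fragments" and has_l4:
        raise ValueError("fragments may not be combined with layer 4 matches")
    if tok[0] in ("established", "fragments"):
        return (tok[0], [])
    if tok[0] in ("match-any", "match-all") and all(t[0] in "+-" and t[1:] in TCP_FLAGS for t in tok[1:]):
        return (tok[0], [(t[0] == "+", t[1:]) for t in tok[1:]])
    raise ValueError("bad flag specification %r" % tok)

def parse_rule(line):
    tok = line.split()
    if tok[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny: %r" % line)
    rule = {"action": tok[0], "proto": "ip", "sport": None, "dport": None, "flags": None}
    if tok[1] in ("ip", "tcp", "udp"):  # extended form
        rule["proto"], i = tok[1], 2
        rule["src"], i = _parse_addr(tok, i)
        if rule["proto"] != "ip":
            rule["sport"], i = _parse_ports(tok, i)
        rule["dst"], i = _parse_addr(tok, i)
        if rule["proto"] != "ip":
            rule["dport"], i = _parse_ports(tok, i)
        rule["flags"] = _parse_flags(tok[i:], rule["sport"] or rule["dport"])
    else:  # standard form: source [dest]
        rule["src"], i = _parse_addr(tok, 1)
        rule["dst"], i = _parse_addr(tok, i) if i < len(tok) else (ANY, i)
    return rule

def parse_access_list(text):
    """Parse 'ip access-list {standard|extended} name' and its permit/deny body."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and l.strip()[0] not in "#!"]
    head = lines[0].split()
    return {"name": head[3], "kind": head[2], "rules": [parse_rule(l) for l in lines[1:]]}

def _addr_match(spec, addr):
    base, wild = spec  # a set wildcard bit means "don't care"
    return ((base ^ addr) & ~wild & 0xFFFFFFFF) == 0

def rule_matches(rule, pkt):
    """pkt keys: src, dst, proto; optional sport, dport, flags (set), fragment (bool)."""
    if rule["proto"] != "ip" and pkt["proto"] != rule["proto"]:
        return False
    if not (_addr_match(rule["src"], _ip(pkt["src"])) and _addr_match(rule["dst"], _ip(pkt["dst"]))):
        return False
    if any(rule[k] and not rule[k](pkt.get(k, 0)) for k in ("sport", "dport")):
        return False
    if rule["flags"] is None:
        return True
    kind, conds = rule["flags"]
    flags = set(pkt.get("flags", ()))
    if kind == "established":  # RST or ACK set, and SYN clear
        return bool(flags & {"rst", "ack"}) and "syn" not in flags
    if kind == "fragments":
        return bool(pkt.get("fragment", False))
    hits = [(name in flags) == want for want, name in conds]
    return all(hits) if kind == "match-all" else any(hits)

def evaluate(acl, pkt):
    """First matching rule decides; no match means deny (assumption, see above)."""
    return next((r["action"] for r in acl["rules"] if rule_matches(r, pkt)), "deny")

# Constructed sample: HTTPS to one host, return traffic, no SYN+FIN probes, DNS from one resolver.
CUSTOMER_IN = """\
ip access-list extended customer-in
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any any established
 deny tcp any any match-all +syn +fin
 permit udp host 192.0.2.53 eq 53 10.0.0.0 0.255.255.255
 deny ip any any fragments
 permit ip 10.0.0.0 0.255.255.255 any
"""
```

Packets are plain dicts so the evaluator can be fed from a capture
parser; note that the `fragments` rule only fires when the packet is
marked as a fragment, so a non-initial fragment without a transport
header is never matched by the port rules above it.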
.SH SEE ALSO
.PP
l2tpns(8) (http://man.he.net/man8/l2tpns)