<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Interface layer</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">
<A HREF="mpd.html"><EM>Mpd 5.8 User Manual</EM></A>
<b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
<b>:</b> <EM>Interface layer</EM><BR>
<b>Previous:</b> <A HREF="mpd27.html"><EM>IPv6CP layer</EM></A><BR>
<b>Next:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A>
<HR NOSHADE>
<H2><A NAME="28"></A>4.9. Interface layer<A NAME="interface"></A></H2>
<p>This chapter describes commands that configure the interface layer.
All of these commands apply to the currently active bundle.</p>
<p>Note that while most of the time mpd is used for transmitting
IP traffic, it is designed to support other (currently unimplemented)
protocols such as AppleTalk, IPX, etc. This is why the Interface
layer (which is protocol independent) is distinct from the
<A HREF="mpd26.html#ipcp">ipcp</A> which is specific to IP.</p>
<p>
<dl>
<dt><b><code>set iface name [ <em>name</em> ]</code></b><dd><p>This command changes interface name from default ngX to specified one.
If name argument is not specified, original ngX name is restored.
Note that inside Netgraph original ngX name is always used.</p>
<dt><b><code>set iface description [ <em>description</em> ]</code></b><dd><p>This command changes interface description.</p>
<p>Template may contain conversion specifications:
<pre>
%% expands to single % sign;
%a for interface local address;
%A for peer local address;
%i for system interface index;
%I for interface name;
%l for name of bundle's first link
%M for peer MAC address of bundle's first link
%o for local outer ("physical") address of bundle's first link
%O for peer outer ("physical") address of bundle's first link
%P for peer outer ("physical") port of bundle's first link
%S for interface status (DoD/UP/DOWN)
%t for type of bundle's first link (pppoe, pptp, l2tp etc.)
%u for self auth name (or dash if self auth name not used)
%U for peer auth name (or dash if peer has not authenticated)
</pre>
</p>
<dt><b><code>set iface group [ <em>group</em> ]</code></b><dd><p>This command add interface to specific group.</p>
<dt><b><code>set iface addrs [!]<em>local-ip</em> [!]<em>remote-ip</em></code></b><dd><p>This command is usually required when dial-on-demand is enabled.
Normally, mpd configures the interface with the IP addresses that
were negotiated when connecting the link. Since dial-on-demand
configures the interface before actually connecting, mpd has to be
told initial local and remote IP addresses to give the interface.
These addresses don't have to correspond to the ``real'' ones; in
fact, both addresses can be completely fictional. If and when
different addresses are negotiated later, mpd will automatically
renumber the interface and adjust the routes.</p>
<p>Also this command may be used to force specified addresses usage
instead of negotiated ones. It may be useful in some specific cases,
for example, to avoid routing loop with misconfigured PPTP server.
In such case '!' mark specifies IPs to be forced.</p>
<dt><b><code>set iface route <em>address[/width]</em></code></b><dd><p>This command associates a route with the bundle. Whenever the
interface is configured up, all associated routes are added.
A route of <code><b>default</b></code> indicates the default route.
Otherwise, the route is a network address with optional netmask
width (e.g., <code><b>192.168.1.0/24</b></code>). If the netmask
width is omitted, a single host route is assumed (i.e., a width
of 32).</p>
<p>Routes are automatically removed when the interface is brought down.</p>
<dt><b><code>set iface mtu <em>value</em></code></b><dd><p>This command sets an upper bound on the MTU that will be configured
on the interface when the bundle comes up.
This value is not used at all during link negotiation; there are
separate bundle and link commands for configuring that.
Even if a higher bundle MTU is negotiated, this limit will still apply.</p>
<p>This command is useful when you want to manually restrict the MTU
of the interface for other reasons, e.g., if you're also doing IPSec.</p>
<p>The default is 1500.</p>
<dt><b><code>set iface idle <em>seconds</em></code></b><dd><p>Sets the idle timeout value for the bundle. If no incoming or
outgoing packets are transmitted for <code><em>seconds</em></code>
seconds, the connection is brought down. An idle timeout of
zero disables this feature.</p>
<p>When the idle timeout occurs, if the dial-on-demand option is
enabled, mpd goes back into dial-on-demand mode. Otherwise, the
interface is brought down and all associated routes removed.</p>
<p>The default is 0.</p>
<dt><b><code>set iface session <em>seconds</em></code></b><dd><p>Sets the session timeout value for the bundle. An session timeout of
zero disables this feature.</p>
<p>The default is 0.</p>
<dt><b><code>set iface up-script <em>script</em> </code></b><dd>
<dt><b><code>set iface down-script <em>script</em> </code></b><dd>
<p>Mpd can optionally run a user program every time one of network
protocols (IPCP/IPv6CP) at the interface is brought up or down.
The <code><b>up-script</b></code> is called like this:
<blockquote><code>
<code><em>script</em> <em>interface</em> <em>proto</em> <em>local-ip</em> <em>remote-ip</em> <em>authname</em> [ dns1 <em>server-ip</em> ] [ dns2 <em>server-ip</em> ]
<em>peer-address</em></code>
</code></blockquote>
</p>
<p>If up-script exit status is not 0, mpd will kill respective protocol.</p>
<p>The <code><b>down-script</b></code> is called like this:
<blockquote><code>
<code><em>script</em> <em>interface</em> <em>proto</em> <em>local-ip</em> <em>remote-ip</em> <em>authname</em> <em>peer-address</em></code>
</code></blockquote>
</p>
<dt><b><code>set iface enable <em>option ...</em><br>
set iface disable <em>option ...</em></code></b><dd><p>Enable and disable the various interface layer options for the bundle.</p>
</dl>
</p>
<p>The options available at the interface layer are:</p>
<p>
<dl>
<dt><b><code>on-demand</code></b><dd><p>This option causes the interface to operate in dial-on-demand mode,
allowing you to have a ``virtual full time'' connection.
An OPEN event causes the interface to be configured, but the actual
connection of the link is delayed until qualifying outgoing traffic
is detected. Moreover, after an idle timeout, the interface is not
brought down; further traffic will bring the link back up again.</p>
<p>The default is disable.</p>
<dt><b><code>proxy-arp</code></b><dd><p>When this option is enabled, if after link negotiation the peer's
IP address is determined to lie on a local subnet, then mpd will
arrange for the local machine to install a proxy ARP entry for
the remote machine's IP address.</p>
<p>For example, suppose the local machine lies on a LAN with address
192.168.1.10, and another machine will be connecting via mpd
and using the LAN address 192.168.1.20. Then these commands would
set up proxy ARP for the remote machine:
<blockquote><code>
<code>set iface enable proxy-arp<br>
set ipcp ranges 192.168.1.10/32 192.168.1.20/32</code>
</code></blockquote>
</p>
<p>The default is disable.</p>
<dt><b><code>keep-timeout</code></b><dd><p>When this option is enabled, we are not clear ``session timeout''
counter. This is useful together with CoA requests.</p>
<p>The default is disable.</p>
<dt><b><code>tcpmssfix</code></b><dd><p>This option causes mpd to adjust incoming and outgoing TCP SYN
segments so that the requested maximum segment size is not greater
than the amount allowed by the interface MTU.</p>
<p>This is necessary in many setups to avoid problems caused by routers
that drop ICMP Datagram Too Big messages. Without these messages,
the originating machine sends data, it passes the rogue router then
hits a machine that has an MTU that is not big enough for the data.
Because the IP Don't Fragment option is set, this machine sends an
ICMP Datagram Too Big message back to the originator and drops the
packet. The rogue router drops the ICMP message and the originator
never gets to discover that it must reduce the fragment size or drop
the IP Don't Fragment option from its outgoing data.</p>
<p>The code is based on tcpmssd wich was written by Ruslan Ermilov
<A href="mailto:<ru@FreeBSD.org>">mailto:<ru@FreeBSD.org></A>
based on work done by Patrick Bihan-Faou
<A href="mailto:<patrick@mindstep.com>">mailto:<patrick@mindstep.com></A>.</p>
<p>The default is disable.</p>
<dt><b><code>tee</code></b><dd><p>If enabled, a ng_tee(4) node will be inserted
into the bundle graph, right after the interface node. The tee node
can be useful for debugging or traffic accounting.</p>
<p>The default is disable.</p>
<dt><b><code>nat</code></b><dd><p>Enable NAT for this bundle.
See
<A HREF="mpd39.html#nat">nat</A> for more information.</p>
<p>The default is disable.</p>
<dt><b><code>netflow-in</code></b><dd>
<dt><b><code>netflow-out</code></b><dd>
<dt><b><code>netflow-once</code></b><dd><p>If enabled, the bundle will participate in
NetFlow generation. See
<A HREF="mpd34.html#netflow">netflow</A>
for more information. The netflow-out option is like netflow-in, but
generates NetFlow data for outgoing packets instead of incoming.
If netflow-once enabled - packet will be accounted only once while
in kernel.</p>
<p>The default is disable.</p>
<dt><b><code>ipacct</code></b><dd><p>If enabled, the bundle will participate in IP accounting with ng_ipacct node.
See
<A HREF="mpd35.html#ipacct">ipacct</A> for more information.</p>
<p>The default is disable.</p>
</dl>
</p>
<HR NOSHADE>
<A HREF="mpd.html"><EM>Mpd 5.8 User Manual</EM></A>
<b>:</b> <A HREF="mpd17.html"><EM>Configuring Mpd</EM></A>
<b>:</b> <EM>Interface layer</EM><BR>
<b>Previous:</b> <A HREF="mpd27.html"><EM>IPv6CP layer</EM></A><BR>
<b>Next:</b> <A HREF="mpd29.html"><EM>Authentication, Authorization and Accounting (AAA)</EM></A>
</BODY>
</HTML>
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>