sstp: ipv6/unix sock & proxy protocol support
|
|
currently the only ssl value is supported
|
|
if not set, fallback to private key in the same ssl-pemfile
|
|
Warning: config options are changed aligned with general accel-ppp style.
Following cases, including no-openssl build are supported:
ssl | ssl-pemfile | behavior
1 | set | get both sha1 & sha256 from the certificate
0 | set | get both sha1 & sha256 from the certificate
0 | unset | use cert-hash-sha1 and/or cert-hash-sha256 hex options
no-openssl | use cert-hash-sha1 and/or cert-hash-sha256 hex options
cert-hash-sha1 and/or cert-hash-sha256 hex options override certificate's,
so it's possible to turn certificate hash verification off with just empty
values (default).
|
|
new config options:
[ipoe]
weight=N - global weight
interface=ethX,weight=N - per-interface weight
How it works:
On reception of DHCPDISCOVER accel-ppp sends a broadcast DHCP message to port 67 with the same xid and adds a special vendor-specific option
in which it encodes its current session count multiplied by weight.
On reception of such message accel-ppp searches session with same xid and compares weight.
If received weight is less than session's weight then it terminates this session.
per-interface weight=0 has special meaning as backup (fail-over) interface, f.e. it terminates session on any received weight.
By default weight based load balancing is disabled.
To enable it, specify a global and/or per-interface weight.
|
|
If pool specified with /128 prefix length, then initialize intf_id by gw_ip6_address and peer_intf_id by generated pool address.
|
|
config changes:
[ip-pool]
x.x.x.x/mask,name=pool1
y.y.y.y/mask,name=pool2,next=pool1
|
|
Reuse existing radius functionality and allow setting an interface name
template for pppoe/pptp/l2tp; the '%d' specification will be replaced
automagically with the next available index by the kernel.
PPP interface renaming makes it easy to tell clients' interfaces apart from
the other ppp ones, for example, with just netfilter interface rules.
Example:
[pptp]
ifname=pptp%d will produce pptp0, pptp1, ...
|
|
default value for renew-time fixed
|
|
[pppd-compat]
fork-limit=N
Specifies number of simultaneously running background processes.
|
|
introduced new config option:
[ipoe]
vendor=Name
this affects all attributes specified in attr-xxx options
|
|
new config option:
[common]
max-sessions=N
If set then accel-pppd stops replying to new connection requests once the total number of sessions (active and starting) reaches the specified limit.
|
|
This reverts commit 88a908974b0b2e9c7eee8ad9a8b0b4432e95d167.
|
|
new config option:
[common]
max-sessions=N
If set then accel-pppd stops replying to new connection requests once the total number of sessions (active and starting) reaches the specified limit.
|
|
This reverts commit 9ea88bac7d5bf8fc5cf2d5f7d0a734ec7a9e6df6.
|
|
new config option:
[common]
max-sessions=N
If set then accel-pppd stops replying to new connection requests once the total number of sessions (active and starting) reaches the specified limit.
|
|
To keep clients from losing addresses, T1 should be set less than lease time.
|
|
If set to 1 then allocate unit (interface) before authorization, so Nas-Port and Nas-Port-Id would be defined in Access-Request phase
|
|
If start=auto is specified then accel-pppd automatically starts a session with username = interface name on shared=0 interfaces.
Use it in conjunction with vlan_mon. So any packet may start a session.
|
|
local-net is used to filter incoming packets which may start UP session
|
|
introduced new module "vlan-mon"
|
|
This option specifies the value of Calling-Station-Id.
Available options are 'mac' and 'ip'.
|
|
The default behaviour of accel-ppp when it receives a DHCP request with the same Option 82 but a different MAC address
is termination of the old session (with the previous MAC address).
This option can turn off such behaviour, so multiple sessions with the same Option 82 but different MAC may coexist.
|
|
Introduced 2 new options:
[ipoe]
attr-dhcp-opt82-remote-id=
attr-dhcp-opt82-circuit-id=
|
|
* radius: major improvements
* radius: use NAS-Port-Id in Access-Accept for interface renaming
* radius: introduced "weight" and "backup" per-server options
* radius: introduced "attr-tunnel-type" option
* radius: introduced "max-fail" option
* ipoe: introduced "ip-unnumbered" option
* ipoe: improved vlan monitor
* ipoe: introduced "attr-dhcp-lease-time" option
* ipoe: send option 82 from DHCP request to radius
* ipoe: fixed passing packets in 'redirect on reject' mode
* ipoe: implemented handling relayed DHCP clients
* ipoe: implemented "L4 redirect on reject" for DHCP sessions
* ipoe: implemented ability to send L4 redirect table/L4 redirect ipset via radius attributes
* pppoe: introduced "called-sid" option
* pppoe: improved AC-Cookie mechanism
* ippool: introduced "shuffle" option
* core: improved "single-session=replace" handling
* shaper: apply rate multiplier to integer values
* shaper: implemented fq_codel leaf qdisc
* shaper: fixed passing quantum parameter to kernel
* shaper: introduced "moderate-quantum" option
* shaper: introduced "fwmark" option
* ipv6: add support for prefixes greater than 64
* ppp: make LCP magic number negotiation not mandatory
* ppp: implement address/control and protocol field compression
* ppp: implemented delayed unit close via unit cache
* pppd_compat: pass IPV6_PREFIX and IPV6_DELEGATED_PREFIX to ip-up/ip-down scripts
* cli: introduced verbose option
|
|
If specified then fwmark filters will be installed to bypass shaper
|
|
shaper: introduced moderate-quantum option
If fixed quantum is not specified and moderate-quantum is specified then shaper module
will check for quantum value to be in valid range (1000-200000).
This suppresses annoying kernel messages.
Remark: quantum is rate/r2q, rate is in bytes/sec.
|
|
radius attributes
Introduced following options:
attr-l4-redirect-table (type integer)
attr-l4-redirect-ipset (type string)
Please note, to enable L4 redirect attr-l4-redirect must be specified and sent
|
|
If authentication rejects the session, but l4-redirect-on-reject is specified in config, then
a temporary session will be created and an l4 redirect rule will be applied to the IP of that session.
The session will be terminated after the specified number of seconds.
Also, if the l4-redirect-ip-pool option is specified then the IP will be allocated from that special pool.
|
|
Because the kernel destroys interfaces slowly, closing the unit file descriptor blocks working threads, which causes an overall stall.
Thus (if the unit-cache option is not zero) do not close the unit file descriptor immediately, but put it into the unit cache.
An additional helper thread was introduced which closes descriptors from the unit cache when it overruns the configured unit cache size.
|