diff options
| -rw-r--r-- | docs/_include/interface-common.txt | 4 | ||||
| -rw-r--r-- | docs/configuration/interfaces/pppoe.rst | 70 |
2 files changed, 70 insertions, 4 deletions
diff --git a/docs/_include/interface-common.txt b/docs/_include/interface-common.txt index 4c6ebbe8..5a997482 100644 --- a/docs/_include/interface-common.txt +++ b/docs/_include/interface-common.txt @@ -22,10 +22,6 @@ :var0: {{ var0 }} :var1: {{ var1 }} -.. cmdinclude:: /_include/interface-adjust-mss.txt - :var0: {{ var0 }} - :var1: {{ var1 }} - .. cmdinclude:: /_include/interface-ip.txt :var0: {{ var0 }} :var1: {{ var1 }} diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index 41f22ed6..ae6a8cba 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -177,6 +177,41 @@ PPPoE options PPPoE connection must be established over a physical interface. Interfaces can be regular Ethernet interfaces, VIFs or bonding interfaces/VIFs. +.. cfgcmd:: set interfaces pppoe <interface> ip adjust-mss <mss> + + As Internet wide PMTU discovery rarely works, we sometimes need to clamp our + TCP MSS value to a specific value. This is a field in the TCP options part of + a SYN packet. By setting the MSS value, you are telling the remote side + unequivocally 'do not try to send me packets bigger than this value'. + + .. note:: This command was introduced in VyOS 1.4 - it was previously called: + ``set firewall options interface <name> adjust-mss <value>`` + + .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in + 1452 bytes on a 1492 byte MTU. + +.. cfgcmd:: set interfaces pppoe <interface> ip disable-forwarding + + Configure interface-specific Host/Router behaviour. If set, the interface will + switch to host mode and IPv6 forwarding will be disabled on this interface. + +.. cfgcmd:: set interfaces pppoe <interface> ip source-validation <strict | loose | disable> + + Enable policy for source validation by reversed path, as specified in + :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict + mode to prevent IP spoofing from DDos attacks. If using asymmetric routing + or other complicated routing, then loose mode is recommended. + + - strict: Each incoming packet is tested against the FIB and if the interface + is not the best reverse path the packet check will fail. By default failed + packets are discarded. + + - loose: Each incoming packet's source address is also tested against the FIB + and if the source address is not reachable via any interface the packet + check will fail. + + - disable: No source validation + IPv6 ---- @@ -189,6 +224,41 @@ IPv6 :var0: pppoe :var1: pppoe0 +.. cfgcmd:: set interfaces pppoe <interface> ipv6 adjust-mss <mss> + + As Internet wide PMTU discovery rarely works, we sometimes need to clamp our + TCP MSS value to a specific value. This is a field in the TCP options part of + a SYN packet. By setting the MSS value, you are telling the remote side + unequivocally 'do not try to send me packets bigger than this value'. + + .. note:: This command was introduced in VyOS 1.4 - it was previously called: + ``set firewall options interface <name> adjust-mss <value>`` + + .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in + 1452 bytes on a 1492 byte MTU. + +.. cfgcmd:: set interfaces pppoe <interface> ipv6 disable-forwarding + + Configure interface-specific Host/Router behaviour. If set, the interface will + switch to host mode and IPv6 forwarding will be disabled on this interface. + +.. cfgcmd:: set interfaces pppoe <interface> ipv6 source-validation <strict | loose | disable> + + Enable policy for source validation by reversed path, as specified in + :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict + mode to prevent IP spoofing from DDos attacks. If using asymmetric routing + or other complicated routing, then loose mode is recommended. + + - strict: Each incoming packet is tested against the FIB and if the interface + is not the best reverse path the packet check will fail. By default failed + packets are discarded. + + - loose: Each incoming packet's source address is also tested against the FIB + and if the source address is not reachable via any interface the packet + check will fail. + + - disable: No source validation + ********* Operation ********* |