* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
/*
* TODO:
*/
static int default_route_set[NUM_PPP]; /* Have set up a default route */
static int proxy_arp_set[NUM_PPP]; /* Have created proxy arp entry */
static bool usepeerdns; /* Ask peer for DNS addrs */
+ static bool usepeerwins; /* Ask peer for WINS addrs */
static int ipcp_is_up; /* have called np_up() */
static int ipcp_is_open; /* haven't called np_finished() */
static bool ask_for_local; /* request our address from peer */
{ "usepeerdns", o_bool, &usepeerdns,
"Ask peer for DNS address(es)", 1 },
+ { "usepeerwins", o_bool, &usepeerwins,
+ "Ask peer for WINS address(es)", 1 },
+
{ "netmask", o_special, (void *)setnetmask,
"set netmask", OPT_PRIO | OPT_A2STRVAL | OPT_STATIC, netmask_str },
ipcp_options *go = &ipcp_gotoptions[f->unit];
ipcp_options *ao = &ipcp_allowoptions[f->unit];
- wo->req_addr = (wo->neg_addr || wo->old_addrs) &&
- (ao->neg_addr || ao->old_addrs);
+ wo->req_addr = ((wo->neg_addr || wo->old_addrs) &&
+ (ao->neg_addr || ao->old_addrs)) ||
+ (wo->hisaddr && !wo->accept_remote);
if (wo->ouraddr == 0)
wo->accept_local = 1;
if (wo->hisaddr == 0)
wo->accept_remote = 1;
wo->req_dns1 = usepeerdns; /* Request DNS addresses from the peer */
wo->req_dns2 = usepeerdns;
+ wo->req_wins1 = usepeerwins; /* Request WINS addresses from the peer */
+ wo->req_wins2 = usepeerwins;
*go = *wo;
if (!ask_for_local)
go->ouraddr = 0;
LENCIADDR(go->neg_addr) +
LENCIDNS(go->req_dns1) +
LENCIDNS(go->req_dns2) +
- LENCIWINS(go->winsaddr[0]) +
- LENCIWINS(go->winsaddr[1])) ;
+ LENCIWINS(go->req_wins1) +
+ LENCIWINS(go->req_wins2)) ;
}
neg = 0; \
}
- #define ADDCIWINS(opt, addr) \
- if (addr) { \
+ #define ADDCIWINS(opt, neg, addr) \
+ if (neg) { \
if (len >= CILEN_ADDR) { \
u_int32_t l; \
PUTCHAR(opt, ucp); \
PUTLONG(l, ucp); \
len -= CILEN_ADDR; \
} else \
- addr = 0; \
+ neg = 0; \
}
ADDCIADDRS(CI_ADDRS, !go->neg_addr && go->old_addrs, go->ouraddr,
ADDCIDNS(CI_MS_DNS2, go->req_dns2, go->dnsaddr[1]);
- ADDCIWINS(CI_MS_WINS1, go->winsaddr[0]);
+ ADDCIWINS(CI_MS_WINS1, go->req_wins1, go->winsaddr[0]);
- ADDCIWINS(CI_MS_WINS2, go->winsaddr[1]);
+ ADDCIWINS(CI_MS_WINS2, go->req_wins2, go->winsaddr[1]);
*lenp -= len;
}
goto bad; \
}
- #define ACKCIWINS(opt, addr) \
- if (addr) { \
+ #define ACKCIWINS(opt, neg, addr) \
+ if (neg) { \
u_int32_t l; \
if ((len -= CILEN_ADDR) < 0) \
goto bad; \
ACKCIDNS(CI_MS_DNS2, go->req_dns2, go->dnsaddr[1]);
- ACKCIWINS(CI_MS_WINS1, go->winsaddr[0]);
+ ACKCIWINS(CI_MS_WINS1, go->req_wins1, go->winsaddr[0]);
- ACKCIWINS(CI_MS_WINS2, go->winsaddr[1]);
+ ACKCIWINS(CI_MS_WINS2, go->req_wins2, go->winsaddr[1]);
/*
* If there are any remaining CIs, then this packet is bad.
static int
ipcp_nakci(fsm *f, u_char *p, int len, int treat_as_reject)
{
+ ipcp_options *wo = &ipcp_wantoptions[f->unit];
ipcp_options *go = &ipcp_gotoptions[f->unit];
u_char cimaxslotindex, cicflag;
u_char citype, cilen, *next;
u_short cishort;
- u_int32_t ciaddr1, ciaddr2, l, cidnsaddr;
+ u_int32_t ciaddr1, ciaddr2, l, cidnsaddr, ciwinsaddr;
ipcp_options no; /* options we've seen Naks for */
ipcp_options try; /* options to request next time */
code \
}
+ #define NAKCIWINS(opt, neg, code) \
+ if (go->neg && \
+ ((cilen = p[1]) == CILEN_ADDR) && \
+ len >= cilen && \
+ p[0] == opt) { \
+ len -= cilen; \
+ INCPTR(2, p); \
+ GETLONG(l, p); \
+ ciwinsaddr = htonl(l); \
+ no.neg = 1; \
+ code \
+ }
+
/*
* Accept the peer's idea of {our,his} address, if different
* from our idea, only if the accept_{local,remote} flag is set.
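Review bot: The new NAKCIWINS macro dereferences `p[1]` (and then `p[0]`) before it has established that two bytes remain, because `len >= cilen` is only evaluated after `(cilen = p[1])` in the condition chain. Since the branch is only taken when cilen equals CILEN_ADDR, the bounds test can be hoisted without changing which packets are accepted: `if (go->neg && len >= CILEN_ADDR && p[0] == opt && (cilen = p[1]) == CILEN_ADDR) { \`. The shape appears to be copied from the neighbouring NAK macros, so the same reordering would apply to them; ipcp_nakci's body continues outside this hunk and I am assuming nothing between these macros and the trailing-CI loop relies on `cilen` being assigned when the match fails.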
}
);
+ NAKCIWINS(CI_MS_WINS1, req_wins1,
+ if (treat_as_reject) {
+ try.req_wins1 = 0;
+ } else {
+ try.winsaddr[0] = ciwinsaddr;
+ }
+ );
+
+ NAKCIWINS(CI_MS_WINS2, req_wins2,
+ if (treat_as_reject) {
+ try.req_wins2 = 0;
+ } else {
+ try.winsaddr[1] = ciwinsaddr;
+ }
+ );
+
/*
* There may be remaining CIs, if the peer is requesting negotiation
* on an option that we didn't include in our request packet.
GETLONG(l, p);
ciaddr1 = htonl(l);
if (ciaddr1 && go->accept_local)
- try.ouraddr = ciaddr1;
+ try.ouraddr = wo->old_addrs ? ciaddr1 : 0;
GETLONG(l, p);
ciaddr2 = htonl(l);
if (ciaddr2 && go->accept_remote)
ciaddr1 = htonl(l);
if (ciaddr1 && go->accept_local)
try.ouraddr = ciaddr1;
- if (try.ouraddr != 0)
+ if (try.ouraddr != 0 && wo->neg_addr)
try.neg_addr = 1;
no.neg_addr = 1;
break;
no.req_dns2 = 1;
break;
case CI_MS_WINS1:
+ if (go->req_wins1 || no.req_wins1 || cilen != CILEN_ADDR)
+ goto bad;
+ GETLONG(l, p);
+ try.winsaddr[0] = htonl(l);
+ try.req_wins1 = 1;
+ no.req_wins1 = 1;
+ break;
case CI_MS_WINS2:
- if (cilen != CILEN_ADDR)
+ if (go->req_wins2 || no.req_wins2 || cilen != CILEN_ADDR)
goto bad;
GETLONG(l, p);
- ciaddr1 = htonl(l);
- if (ciaddr1)
- try.winsaddr[citype == CI_MS_WINS2] = ciaddr1;
+ try.winsaddr[1] = htonl(l);
+ try.req_wins2 = 1;
+ no.req_wins2 = 1;
break;
}
p = next;
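Review bot: The rewritten CI_MS_WINS1/CI_MS_WINS2 cases store whatever address the peer NAKs, including zero, and set `try.req_wins1`/`try.req_wins2` unconditionally, whereas the removed code only stored a non-zero value via `if (ciaddr1)`. This is presumably deliberate so that the WINS cases match the DNS handling (outside the hunk), but the change in behaviour is silent; a one-line comment such as `/* peer volunteered WINS; request it next time, even if the address is 0 */` before `GETLONG(l, p)` would record the intent. The enclosing switch and the `len >= cilen` check it depends on start outside this hunk.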
return 0;
}
-
/*
* ipcp_rejci - Reject some of our CIs.
* Callback from fsm_rconfnakrej.
try.neg = 0; \
}
- #define REJCIWINS(opt, addr) \
- if (addr && \
+ #define REJCIWINS(opt, neg, addr) \
+ if (go->neg && \
((cilen = p[1]) == CILEN_ADDR) && \
len >= cilen && \
p[0] == opt) { \
/* Check rejected value. */ \
if (cilong != addr) \
goto bad; \
- try.winsaddr[opt == CI_MS_WINS2] = 0; \
+ try.neg = 0; \
}
REJCIADDRS(CI_ADDRS, !go->neg_addr && go->old_addrs,
REJCIDNS(CI_MS_DNS2, req_dns2, go->dnsaddr[1]);
- REJCIWINS(CI_MS_WINS1, go->winsaddr[0]);
+ REJCIWINS(CI_MS_WINS1, req_wins1, go->winsaddr[0]);
- REJCIWINS(CI_MS_WINS2, go->winsaddr[1]);
+ REJCIWINS(CI_MS_WINS2, req_wins2, go->winsaddr[1]);
/*
* If there are any remaining CIs, then this packet is bad.
if (ciaddr2 != wo->ouraddr) {
if (ciaddr2 == 0 || !wo->accept_local) {
orc = CONFNAK;
- if (!reject_if_disagree) {
+ if (!reject_if_disagree && wo->old_addrs) {
DECPTR(sizeof(u_int32_t), p);
tl = ntohl(wo->ouraddr);
PUTLONG(tl, p);
/* Microsoft primary or secondary WINS request */
d = citype == CI_MS_WINS2;
- /* If we do not have a DNS address then we cannot send it */
+ /* If we do not have a WINS address then we cannot send it */
if (ao->winsaddr[d] == 0 ||
cilen != CILEN_ADDR) { /* Check CI length */
orc = CONFREJ; /* Reject CI */
* option safely.
*/
if (rc != CONFREJ && !ho->neg_addr && !ho->old_addrs &&
- wo->req_addr && !reject_if_disagree && !noremoteip) {
+ wo->req_addr && !reject_if_disagree &&
+ ((wo->hisaddr && !wo->accept_remote) || !noremoteip)) {
if (rc == CONFACK) {
rc = CONFNAK;
ucp = inp; /* reset pointer */
/*
* We must have a non-zero IP address for both ends of the link.
*/
+
+ if (wo->hisaddr && !wo->accept_remote && (!(ho->neg_addr || ho->old_addrs) || ho->hisaddr != wo->hisaddr)) {
+ error("Peer refused to agree to his IP address");
+ ipcp_close(f->unit, "Refused his IP address");
+ return;
+ }
if (!ho->neg_addr && !ho->old_addrs)
ho->hisaddr = wo->hisaddr;
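Review bot: The new guard in ipcp_up packs three conditions onto one ~120-column line, which makes a check that decides whether the link is torn down hard to audit. Splitting `!(ho->neg_addr || ho->old_addrs) || ho->hisaddr != wo->hisaddr` onto its own line and stating the intent above it, e.g. `/* a fixed remote address was configured and the peer did not confirm it: refuse the link */`, would help the next reader. ipcp_up continues outside the hunk; the early `return` after `ipcp_close` skips the rest of the bring-up, which looks intended.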
create_resolv(go->dnsaddr[0], go->dnsaddr[1]);
}
+ if (go->winsaddr[0])
+ script_setenv("WINS1", ip_ntoa(go->winsaddr[0]), 0);
+ if (go->winsaddr[1])
+ script_setenv("WINS2", ip_ntoa(go->winsaddr[1]), 0);
+ if (usepeerwins && (go->winsaddr[0] || go->winsaddr[1]))
+ script_setenv("USEPEERWINS", "1", 0);
+
/*
* Check that the peer is allowed to use the IP address it wants.
*/
wo->ouraddr = go->ouraddr;
} else
script_unsetenv("OLDIPLOCAL");
- if (ho->hisaddr != wo->hisaddr && wo->hisaddr != 0) {
+ if (ho->hisaddr != wo->hisaddr) {
warn("Remote IP address changed to %I", ho->hisaddr);
- script_setenv("OLDIPREMOTE", ip_ntoa(wo->hisaddr), 0);
+ if (wo->hisaddr != 0)
+ script_setenv("OLDIPREMOTE", ip_ntoa(wo->hisaddr), 0);
wo->hisaddr = ho->hisaddr;
} else
script_unsetenv("OLDIPREMOTE");
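Review bot: Dropping `wo->hisaddr != 0` from the outer condition means `warn("Remote IP address changed to %I", ho->hisaddr)` now also fires when no remote address had been recorded yet (`wo->hisaddr == 0`), even though the new inner `if (wo->hisaddr != 0)` shows that case is anticipated. In that same case OLDIPREMOTE is now neither set nor unset, so if the script environment persists across renegotiations a stale value from an earlier ipcp_up would survive; adding `else script_unsetenv("OLDIPREMOTE");` to the inner guard restores the previous clearing. If the warning is meant for a genuine change only, move the `warn` under that inner guard as well. The enclosing block starts outside the hunk, so I cannot see the comparison that leads here.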
.I speed
An option that is a decimal number is taken as the desired baud rate
for the serial device. On systems such as
-4.4BSD and NetBSD, any speed can be specified. Other systems
-(e.g. Linux, SunOS) only support the commonly-used baud rates.
+Linux, 4.4BSD and NetBSD, any speed can be specified. Other systems
+(e.g. SunOS) only support the commonly-used baud rates.
.TP
.B asyncmap \fImap
This option sets the Async-Control-Character-Map (ACCM) for this end
value of -1, the route is only added if there is no default route at
all.
.TP
-.B defaultroute6
-Add a default IPv6 route to the system routing tables, using the peer as
-the gateway, when IPv6CP negotiation is successfully completed.
-This entry is removed when the PPP connection is broken. This option
-is privileged if the \fInodefaultroute6\fR option has been specified.
-.TP
.B replacedefaultroute
This option is a flag to the defaultroute option. If defaultroute is
set and this flag is also set, pppd replaces an existing default route
\fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
.TP
.B ca \fIca-file
-(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority
+(EAP-TLS, or PEAP) Use the file \fIca-file\fR as the X.509 Certificate Authority
(CA) file (in PEM format), needed for setting up an EAP-TLS connection.
This option is used on the client-side in conjunction with the \fBcert\fR
-and \fBkey\fR options.
+and \fBkey\fR options. Either \fIca\fR, or \fIcapath\fR options are required
+for PEAP. EAP-TLS may also use the entry in eaptls-client or eaptls-server
+for a CA certificate associated with a particular peer.
+.TP
+.B capath \fIpath
+(EAP-TLS, or PEAP) Specify a location that contains public CA certificates.
+Either \fIca\fR, or \fIcapath\fR options are required for PEAP.
.TP
.B cdtrcts
Use a non-standard hardware flow control (i.e. DTR/CTS) to control
or \fBpty\fR option is used.
.TP
.B crl \fIfilename
-(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List
+(EAP-TLS, or PEAP) Use the file \fIfilename\fR as the Certificate Revocation List
to check for the validity of the peer's certificate. This option is not
-mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR
+mandatory for setting up a TLS connection. Also see the \fBcrl-dir\fR
option.
.TP
.B crl-dir \fIdirectory
-(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in
+(EAP-TLS, or PEAP) Use the directory \fIdirectory\fR to scan for CRL files in
has format ($hash.r0) to check for the validity of the peer's certificate.
-This option is not mandatory for setting up an EAP-TLS connection.
+This option is not mandatory for setting up a TLS connection.
Also see the \fBcrl\fR option.
.TP
.B debug
pppd will use the default MRU value of 1500 bytes for both the
transmit and receive direction.
.TP
+.B defaultroute6
+Add a default IPv6 route to the system routing tables, using the peer as
+the gateway, when IPv6CP negotiation is successfully completed.
+This entry is removed when the PPP connection is broken. This option
+is privileged if the \fInodefaultroute6\fR option has been specified.
+\fBWARNING: Do not enable this option by default\fR. IPv6 routing tables
+are managed by kernel (as apposite to IPv4) and IPv6 default route is
+configured by kernel automatically too based on ICMPv6 Router Advertisement
+packets. This option may conflict with kernel IPv6 route setup and should
+be used only for broken IPv6 networks.
+.TP
.B deflate \fInr,nt
Request that the peer compress packets that it sends, using the
Deflate scheme, with a maximum window size of \fI2**nr\fR bytes, and
Set the maximum number of IPCP terminate-request transmissions to
\fIn\fR (default 3).
.TP
+.B ipcp\-no\-address
+Disable negotiation of addresses via IP-Address IPCP option.
+.TP
+.B ipcp\-no\-addresses
+Disable negotiation of addresses via old-style deprecated IP-Addresses
+IPCP option. pppd by default try to use new-style IP-Address IPCP option.
+If new-style is not supported by peer or is disabled by \fBipcp\-no\-address\fR
+option then pppd fallbacks to old-style deprecated IP-Addresses IPCP option.
+When both new-style and old-style are disabled by both \fBipcp\-no\-address\fR
+and \fBipcp\-no\-addresses\fR options then negotiation of IP addresses
+is completely disabled.
+.TP
.B ipcp\-restart \fIn
Set the IPCP restart interval (retransmission timeout) to \fIn\fR
seconds (default 3).
Terminate after \fIn\fR consecutive failed connection attempts. A
value of 0 means no limit. The default value is 10.
.TP
+.B max-tls-version \fIstring
+(EAP-TLS, or PEAP) Configures the max allowed TLS version used during
+negotiation with a peer. The default value for this is \fI1.2\fR. Values
+allowed for this option is \fI1.0.\fR, \fI1.1\fR, \fI1.2\fR, \fI1.3\fR.
+.TP
.B modem
Use the modem control lines. This option is the default. With this
option, pppd will wait for the CD (Carrier Detect) signal from the
device routes, but the peer itself cannot be addressed directly for IP
traffic.
.TP
+.B nosendip
+Don't send our local IP address to peer during IP address negotiation.
+.TP
.B notty
Normally, pppd requires a terminal device. With this option, pppd
will allocate itself a pseudo-tty master/slave pair and use the slave
Currently supports Microgate SyncLink adapters
under Linux and FreeBSD 2.2.8 and later.
.TP
+.B tls-verify-method \fIstring
+(EAP-TLS, or PEAP) Match the value specified for \fIremotename\fR to that that
+of the X509 certificates subject name, common name, or suffix of the common
+name. Respective values allowed for this option is: \fInone\fR, \fIsubject\fR,
+\fIname\fR, or \fIsuffix\fR. The default value for this option is \fIname\fR.
+.TP
+.B tls-verify-key-usage
+(EAP-TLS, or PEAP) Enables examination of peer certificate's purpose, and
+extended key usage attributes.
+.TP
.B unit \fInum
Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound
connections. If the unit is already in use a dynamically allocated number will
/etc/ppp/resolv.conf file containing one or two nameserver lines with
the address(es) supplied by the peer.
.TP
+ .B usepeerwins
+ Ask the peer for up to 2 WINS server addresses. The addresses supplied
+ by the peer (if any) are passed to the /etc/ppp/ip\-up script in the
+ environment variables WINS1 and WINS2, and the environment variable
+ USEPEERWINS will be set to 1.
+ .LP
+ Please note that some modems (like the Huawei E220) requires this option in
+ order to avoid a race condition that results in the incorrect DNS servers
+ being assigned.
+ .TP
.B user \fIname
Sets the name used for authenticating the local system to the peer to
\fIname\fR.
The IP address for the remote end of the link. This is only set when
IPCP has come up.
.TP
+.B LLLOCAL
+The Link-Local IPv6 address for the local end of the link. This is only
+set when IPV6CP has come up.
+.TP
+.B LLREMOTE
+The Link-Local IPv6 address for the remote end of the link. This is only
+set when IPV6CP has come up.
+.TP
.B PEERNAME
The authenticated name of the peer. This is only set if the peer
authenticates itself.
If the peer supplies DNS server addresses, this variable is set to the
second DNS server address supplied (whether or not the usepeerdns
option was given).
+ .TP
+ .B WINS1
+ If the peer supplies WINS server addresses, this variable is set to the
+ first WINS server address supplied.
+ .TP
+ .B WINS2
+ If the peer supplies WINS server addresses, this variable is set to the
+ second WINS server address supplied.
+ .P
.P
Pppd invokes the following scripts, if they exist. It is not an error
if they don't exist.