X-Git-Url: https://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fpppd.8;h=79b5bea5c4a3fdf3220dfb158cfec8b5ad7051df;hp=781f4dbf109e2dcf723027a7fb548afa57ea1f7c;hb=a12ffcd5b0a1cf9a4920064295c9b02b127465b3;hpb=34a4091bb6d7dd96921880ab6c00bc9dd2bd2fdc diff --git a/pppd/pppd.8 b/pppd/pppd.8 index 781f4db..79b5bea 100644 --- a/pppd/pppd.8 +++ b/pppd/pppd.8 @@ -55,8 +55,8 @@ non-privileged user. .I speed An option that is a decimal number is taken as the desired baud rate for the serial device. On systems such as -4.4BSD and NetBSD, any speed can be specified. Other systems -(e.g. Linux, SunOS) only support the commonly-used baud rates. +Linux, 4.4BSD and NetBSD, any speed can be specified. Other systems +(e.g. SunOS) only support the commonly-used baud rates. .TP .B asyncmap \fImap This option sets the Async-Control-Character-Map (ACCM) for this end @@ -127,12 +127,6 @@ is no other default route with the same metric. With the default value of -1, the route is only added if there is no default route at all. .TP -.B defaultroute6 -Add a default IPv6 route to the system routing tables, using the peer as -the gateway, when IPv6CP negotiation is successfully completed. -This entry is removed when the PPP connection is broken. This option -is privileged if the \fInodefaultroute6\fR option has been specified. -.TP .B replacedefaultroute This option is a flag to the defaultroute option. If defaultroute is set and this flag is also set, pppd replaces an existing default route 
@@ -218,11 +212,14 @@ Set the local and/or remote 64-bit interface identifier. Either one may be omitted. The identifier must be specified in standard ASCII notation of IPv6 addresses (e.g. ::dead:beef). If the \fIipv6cp\-use\-ipaddr\fR -option is given, the local identifier is the local IPv4 address (see above). +option is given, the local identifier is the local IPv4 address and the +remote identifier is the remote IPv4 address (see above). +If the \fIipv6cp-use-remotenumber\fR option is given, the remote identifier +is set to the value from \fIremotenumber\fR option. On systems which supports a unique persistent id, such as EUI\-48 derived from the Ethernet MAC address, \fIipv6cp\-use\-persistent\fR option can be -used to replace the \fIipv6 ,\fR option. Otherwise the -identifier is randomized. +used to set local identifier. Otherwise both local and remote identifiers +are randomized. .TP .B active\-filter \fIfilter\-expression Specifies a packet filter to be applied to data packets to determine @@ -266,10 +263,16 @@ compression in the corresponding direction. Use \fInobsdcomp\fR or \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. .TP .B ca \fIca-file -(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority +(EAP-TLS, or PEAP) Use the file \fIca-file\fR as the X.509 Certificate Authority (CA) file (in PEM format), needed for setting up an EAP-TLS connection. This option is used on the client-side in conjunction with the \fBcert\fR -and \fBkey\fR options. +and \fBkey\fR options. Either \fIca\fR, or \fIcapath\fR options are required +for PEAP. EAP-TLS may also use the entry in eaptls-client or eaptls-server +for a CA certificate associated with a particular peer. +.TP +.B capath \fIpath +(EAP-TLS, or PEAP) Specify a location that contains public CA certificates. +Either \fIca\fR, or \fIcapath\fR options are required for PEAP. .TP .B cdtrcts Use a non-standard hardware flow control (i.e. DTR/CTS) to control 
@@ -326,15 +329,15 @@ negotiation by sending its first LCP packet. The default value is or \fBpty\fR option is used. .TP .B crl \fIfilename -(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List +(EAP-TLS, or PEAP) Use the file \fIfilename\fR as the Certificate Revocation List to check for the validity of the peer's certificate. This option is not -mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR +mandatory for setting up a TLS connection. Also see the \fBcrl-dir\fR option. .TP .B crl-dir \fIdirectory -(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in +(EAP-TLS, or PEAP) Use the directory \fIdirectory\fR to scan for CRL files in has format ($hash.r0) to check for the validity of the peer's certificate. -This option is not mandatory for setting up an EAP-TLS connection. +This option is not mandatory for setting up a TLS connection. Also see the \fBcrl\fR option. .TP .B debug @@ -354,6 +357,17 @@ Disable MRU [Maximum Receive Unit] negotiation. With this option, pppd will use the default MRU value of 1500 bytes for both the transmit and receive direction. .TP +.B defaultroute6 +Add a default IPv6 route to the system routing tables, using the peer as +the gateway, when IPv6CP negotiation is successfully completed. +This entry is removed when the PPP connection is broken. This option +is privileged if the \fInodefaultroute6\fR option has been specified. +\fBWARNING: Do not enable this option by default\fR. IPv6 routing tables +are managed by kernel (as apposite to IPv4) and IPv6 default route is +configured by kernel automatically too based on ICMPv6 Router Advertisement +packets. This option may conflict with kernel IPv6 route setup and should +be used only for broken IPv6 networks. +.TP .B deflate \fInr,nt Request that the peer compress packets that it sends, using the Deflate scheme, with a maximum window size of \fI2**nr\fR bytes, and 
@@ -510,7 +524,8 @@ Set the IPCP restart interval (retransmission timeout) to \fIn\fR seconds (default 3). .TP .B ipparam \fIstring -Provides an extra parameter to the ip\-up, ip\-pre\-up and ip\-down +Provides an extra parameter most of the notification scripts, most notably +ip\-up, ip\-pre\-up, ip\-down, ipv6\-up, ipv6\-down, auth\-up and auth\-down scripts. If this option is given, the \fIstring\fR supplied is given as the 6th parameter to those scripts. @@ -525,6 +540,23 @@ With this option, pppd will accept the peer's idea of its (remote) IPv6 interface identifier, even if the remote IPv6 interface identifier was specified in an option. .TP +.B ipv6cp\-noremote +Allow pppd to operate without having an IPv6 link local address for the peer. +This option is only available under Linux. Normally, pppd will request the +peer's IPv6 interface identifier (used for composing IPv6 link local address), +and if the peer does not supply it, pppd will generate one for the peer. +With this option, if the peer does not supply its IPv6 interface identifier, +pppd will not ask the peer for it, and will not set the destination IPv6 +link local address of the ppp interface. In this situation, the ppp interface +can be used for routing by creating device routes, but the peer itself cannot +be addressed directly for IPv6 traffic until the peer starts announcing ICMPv6 +Router Advertisement or ICMPv6 Neighbor Advertisement packets. Note that IPv6 +router must announce ICMPv6 Router Advertisement packets. +.TP +.B ipv6cp\-nosendip +Don't send our local IPv6 interface identifier to peer during IPv6 interface +identifier negotiation. +.TP .B ipv6cp\-max\-configure \fIn Set the maximum number of IPv6CP configure-request transmissions to \fIn\fR (default 10). 
@@ -541,70 +573,6 @@ Set the maximum number of IPv6CP terminate-request transmissions to Set the IPv6CP restart interval (retransmission timeout) to \fIn\fR seconds (default 3). .TP -.B ipx -Enable the IPXCP and IPX protocols. This option is presently only -supported under Linux, and only if your kernel has been configured to -include IPX support. -.TP -.B ipx\-network \fIn -Set the IPX network number in the IPXCP configure request frame to -\fIn\fR, a hexadecimal number (without a leading 0x). There is no -valid default. If this option is not specified, the network number is -obtained from the peer. If the peer does not have the network number, -the IPX protocol will not be started. -.TP -.B ipx\-node \fIn\fB:\fIm -Set the IPX node numbers. The two node numbers are separated from each -other with a colon character. The first number \fIn\fR is the local -node number. The second number \fIm\fR is the peer's node number. Each -node number is a hexadecimal number, at most 10 digits long. The node -numbers on the ipx\-network must be unique. There is no valid -default. If this option is not specified then the node numbers are -obtained from the peer. -.TP -.B ipx\-router\-name \fI -Set the name of the router. This is a string and is sent to the peer -as information data. -.TP -.B ipx\-routing \fIn -Set the routing protocol to be received by this option. More than one -instance of \fIipx\-routing\fR may be specified. The '\fInone\fR' -option (0) may be specified as the only instance of ipx\-routing. The -values may be \fI0\fR for \fINONE\fR, \fI2\fR for \fIRIP/SAP\fR, and -\fI4\fR for \fINLSP\fR. -.TP -.B ipxcp\-accept\-local -Accept the peer's NAK for the node number specified in the ipx\-node -option. If a node number was specified, and non-zero, the default is -to insist that the value be used. If you include this option then you -will permit the peer to override the entry of the node number. 
-.TP -.B ipxcp\-accept\-network -Accept the peer's NAK for the network number specified in the -ipx\-network option. If a network number was specified, and non-zero, the -default is to insist that the value be used. If you include this -option then you will permit the peer to override the entry of the node -number. -.TP -.B ipxcp\-accept\-remote -Use the peer's network number specified in the configure request -frame. If a node number was specified for the peer and this option was -not specified, the peer will be forced to use the value which you have -specified. -.TP -.B ipxcp\-max\-configure \fIn -Set the maximum number of IPXCP configure request frames which the -system will send to \fIn\fR. The default is 10. -.TP -.B ipxcp\-max\-failure \fIn -Set the maximum number of IPXCP NAK frames which the local system will -send before it rejects the options. The default value is 3. -.TP -.B ipxcp\-max\-terminate \fIn -Set the maximum number of IPXCP terminate request frames before the -local system considers that the peer is not listening to them. The -default value is 3. -.TP .B kdebug \fIn Enable debugging code in the kernel-level PPP driver. The argument values depend on the specific kernel driver, but in general a value of @@ -719,6 +687,11 @@ network control protocol comes up). Terminate after \fIn\fR consecutive failed connection attempts. A value of 0 means no limit. The default value is 10. .TP +.B max-tls-version \fIstring +(EAP-TLS, or PEAP) Configures the max allowed TLS version used during +negotiation with a peer. The default value for this is \fI1.2\fR. Values +allowed for this option is \fI1.0.\fR, \fI1.1\fR, \fI1.2\fR, \fI1.3\fR. +.TP .B modem Use the modem control lines. This option is the default. With this option, pppd will wait for the CD (Carrier Detect) signal from the 
@@ -858,11 +831,6 @@ hostname. With this option, the peer will have to supply the local IP address during IPCP negotiation (unless it specified explicitly on the command line or in an options file). .TP -.B noipx -Disable the IPXCP and IPX protocols. This option should only be -required if the peer is buggy and gets confused by requests from pppd -for IPXCP negotiation. -.TP .B noktune Opposite of the \fIktune\fR option; disables pppd from changing system settings. @@ -1168,6 +1136,16 @@ The device used by pppd with this option must have sync support. Currently supports Microgate SyncLink adapters under Linux and FreeBSD 2.2.8 and later. .TP +.B tls-verify-method \fIstring +(EAP-TLS, or PEAP) Match the value specified for \fIremotename\fR to that that +of the X509 certificates subject name, common name, or suffix of the common +name. Respective values allowed for this option is: \fInone\fR, \fIsubject\fR, +\fIname\fR, or \fIsuffix\fR. The default value for this option is \fIname\fR. +.TP +.B tls-verify-key-usage +(EAP-TLS, or PEAP) Enables examination of peer certificate's purpose, and +extended key usage attributes. +.TP .B unit \fInum Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound connections. If the unit is already in use a dynamically allocated number will 
@@ -1214,6 +1192,16 @@ USEPEERDNS will be set to 1. In addition, pppd will create an /etc/ppp/resolv.conf file containing one or two nameserver lines with the address(es) supplied by the peer. .TP +.B usepeerwins +Ask the peer for up to 2 WINS server addresses. The addresses supplied +by the peer (if any) are passed to the /etc/ppp/ip\-up script in the +environment variables WINS1 and WINS2, and the environment variable +USEPEERWINS will be set to 1. +.LP +Please note that some modems (like the Huawei E220) requires this option in +order to avoid a race condition that results in the incorrect DNS servers +being assigned. +.TP .B user \fIname Sets the name used for authenticating the local system to the peer to \fIname\fR. @@ -1258,8 +1246,9 @@ Attach to existing PPPoE session. For backward compatibility also \fBrp_pppoe_sess\fP option name is supported. .TP .B pppoe-verbose \fIn -Be verbose about discovered access concentrators. For backward -compatibility also \fBrp_pppoe_verbose\fP option name is supported. +Be verbose about discovered access concentrators. When set to 2 or bigger +value then dump also discovery packets. For backward compatibility also +\fBrp_pppoe_verbose\fP option name is supported. .TP .B pppoe-mac \fImacaddr Connect to specified MAC address. @@ -1816,6 +1805,15 @@ option was given). If the peer supplies DNS server addresses, this variable is set to the second DNS server address supplied (whether or not the usepeerdns option was given). +.TP +.B WINS1 +If the peer supplies WINS server addresses, this variable is set to the +first WINS server address supplied. +.TP +.B WINS2 +If the peer supplies WINS server addresses, this variable is set to the +second WINS server address supplied. +.P .P Pppd invokes the following scripts, if they exist. It is not an error if they don't exist. 
@@ -1824,7 +1822,7 @@ if they don't exist. A program or script which is executed after the remote system successfully authenticates itself. It is executed with the parameters .IP -\fIinterface\-name peer\-name user\-name tty\-device speed\fR +\fIinterface\-name peer\-name user\-name tty\-device speed ipparam\fR .IP Note that this script is not executed if the peer doesn't authenticate itself, for example when the \fInoauth\fR option is used. @@ -1871,34 +1869,6 @@ Similar to /etc/ppp/ip\-down, but it is executed when IPv6 packets can no longer be transmitted on the link. It is executed with the same parameters as the ipv6\-up script. .TP -.B /etc/ppp/ipx\-up -A program or script which is executed when the link is available for -sending and receiving IPX packets (that is, IPXCP has come up). It is -executed with the parameters -.IP -\fIinterface\-name tty\-device speed network\-number local\-IPX\-node\-address -remote\-IPX\-node\-address local\-IPX\-routing\-protocol remote\-IPX\-routing\-protocol -local\-IPX\-router\-name remote\-IPX\-router\-name ipparam pppd\-pid\fR -.IP -The local\-IPX\-routing\-protocol and remote\-IPX\-routing\-protocol field -may be one of the following: -.IP -NONE to indicate that there is no routing protocol -.br -RIP to indicate that RIP/SAP should be used -.br -NLSP to indicate that Novell NLSP should be used -.br -RIP NLSP to indicate that both RIP/SAP and NLSP should be used -.TP -.B /etc/ppp/ipx\-down -A program or script which is executed when the link is no longer -available for sending and receiving IPX packets. This script can be -used for undoing the effects of the /etc/ppp/ipx\-up script. It is -invoked in the same manner and with the same parameters as the ipx\-up -script. -.SH FILES -.TP .B /var/run/ppp\fIn\fB.pid \fR(BSD or Linux), \fB/etc/ppp/ppp\fIn\fB.pid \fR(others) Process-ID for pppd process on ppp interface unit \fIn\fR. .TP
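Review bot: the new `\fIipv6cp-use-remotenumber\fR` in the @@ -218 hunk uses plain hyphens while every neighbouring option name escapes them (`\fIipv6cp\-use\-ipaddr\fR`, `\fIipv6cp\-use\-persistent\fR`); write it as `ipv6cp\-use\-remotenumber` so groff renders the same character throughout. Two grammar nits in the same hunk: "is set to the value from \fIremotenumber\fR option" reads better as "is set to the value of the \fIremotenumber\fR option", and "used to set local identifier" should be "used to set the local identifier". While this entry is open, the unchanged context line "On systems which supports" could become "On systems which support".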
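Review bot: the capath entry in the @@ -266 hunk does not say what layout the directory must have, whereas the crl-dir entry spells out its ($hash.r0) naming; state whether capath expects the same hashed layout or plain PEM files, otherwise users will drop certificates in and get verification failures they cannot explain. Grammar in the same hunk: "Either \fIca\fR, or \fIcapath\fR options are required for PEAP" (it appears twice) should be "Either the \fIca\fR or the \fIcapath\fR option is required for PEAP", and "(EAP-TLS, or PEAP)" needs no comma.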
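Review bot: in the @@ -326 hunk the crl and crl-dir entries still describe the CRL as "not mandatory" without saying what omitting it means; if no \fBcrl\fR or \fBcrl-dir\fR means the peer certificate's revocation status is simply not checked, say so in one sentence so the operator makes that choice deliberately. Nits: the unchanged context line "in has format ($hash.r0)" should read "in hash format ($hash.r0)", and "(EAP-TLS, or PEAP)" needs no comma.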
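Review bot: typo in the new warning text of the @@ -354 hunk: "as apposite to IPv4" should be "as opposed to IPv4", and "managed by kernel" / "configured by kernel" both want "the kernel". The warning is the right call, but "should be used only for broken IPv6 networks" is vague; describe what the conflict with the kernel's Router Advertisement handling looks like in practice so an operator can recognise it when it happens. Moving the entry here from the @@ -127 position puts it in alphabetical order after default-mru, which is fine.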
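Review bot: missing word in the @@ -510 hunk: "Provides an extra parameter most of the notification scripts" needs "to" ("Provides an extra parameter to most of the notification scripts"). The list now names auth\-up and auth\-down, and "6th parameter" agrees with the position added to the auth-up parameter list in the @@ -1824 hunk; if the auth\-down entry lists its parameters separately it needs the same update.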
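Review bot: the two new entries in the @@ -525 hunk are inserted between ipv6cp\-accept\-remote and ipv6cp\-max\-configure, which breaks the alphabetical order the surrounding ipv6cp options follow; ipv6cp\-noremote and ipv6cp\-nosendip belong between ipv6cp\-max\-terminate and ipv6cp\-restart. Grammar: "Note that IPv6 router must announce" should be "Note that the IPv6 router must announce", and "to peer during" should be "to the peer during". The ipv6cp\-nosendip entry should also say what the local side does about its own link local address when its identifier is not sent, since ipv6cp\-noremote takes care to spell out the consequences for the peer side.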
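Review bot: the @@ -541 hunk (together with the noipx removal in @@ -858 and the ipx\-up/ipx\-down removal in @@ -1871) drops every IPX/IPXCP entry without leaving any statement that the feature is gone; if pppd no longer accepts ipx, ipx\-network, noipx and friends, existing options files that still contain them will fail in a way the manual no longer explains. A short note that IPX support has been removed, placed where the options used to be or in a compatibility section, would save that confusion.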
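Review bot: stray period inside the font escape in the @@ -719 hunk: "\fI1.0.\fR" should be "\fI1.0\fR", and "Values allowed for this option is" should be "are". The entry lists 1.3 as allowed but defaults to 1.2 without saying why; it should also either point at a matching minimum-version option or state that there is none, because a maximum alone says nothing about whether 1.0 (which the list admits) can still be negotiated.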
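Review bot: duplicated word and missing possessive in the @@ -1168 hunk: "to that that of the X509 certificates subject name" should be "to that of the X509 certificate's subject name", and "Respective values allowed for this option is" should be "are". The security-relevant gaps: \fInone\fR is listed without saying that it presumably disables name matching entirely, and \fIsuffix\fR does not say whether it matches an arbitrary trailing substring of the common name or a dot-delimited domain suffix; both should be spelled out so an operator understands how far a certificate from the same CA is trusted under each setting. For tls-verify-key-usage, state which purpose and extended key usage values the peer certificate must carry for the check to pass.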
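Review bot: the ".LP" inside the usepeerwins entry in the @@ -1214 hunk ends the .TP indentation, so the modem note renders as an unindented paragraph wedged between two option entries; use ".IP" (as the script entries later in the page do) or fold the note into the entry text. Grammar: "some modems (like the Huawei E220) requires" should be "require". The note also never explains how asking for WINS addresses avoids a race that assigns the wrong DNS servers; one sentence on the mechanism would make the advice credible.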
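Review bot: awkward phrasing in the @@ -1258 hunk: "When set to 2 or bigger value then dump also discovery packets" reads better as "When set to 2 or higher, discovery packets are also dumped." The entry should say where the dump goes (the log), since at that level frames from every responding access concentrator end up there.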
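Review bot: the added "+.P" at the end of the @@ -1816 hunk sits directly before an existing ".P", giving two consecutive paragraph macros; drop the added one. The WINS1/WINS2 descriptions should also say whether the variables are set "(whether or not the usepeerwins option was given)", mirroring the DNS1/DNS2 wording in the context lines, or only when usepeerwins is given, because the usepeerwins entry itself only says that USEPEERWINS is set to 1.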
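Review bot: the removal in the @@ -1871 hunk runs one line too far: besides the ipx\-up and ipx\-down entries it deletes "-.SH FILES", so as shown the /var/run/ppp\fIn\fB.pid entry and everything after it render under the scripts section with no FILES heading (the retained context ".TP" stands in for the removed one, so only the heading is lost). Remove only ".B /etc/ppp/ipx\-up" through "script." and keep ".SH FILES" in place.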