Mpd 3.18 User Manual : Configuring Mpd : Interface layer commands
Previous: Bundle layer commands
Next: IPCP layer commands

4.3. Interface layer commands

This chapter describes commands that configure the interface layer. All of these commands apply to the currently active bundle.

Note that while most of the time mpd is used for transmitting IP traffic, it is designed to support other (currently unimplemented) protocols such as AppleTalk, IPX, etc. This is why the Interface layer (which is protocol independent) is distinct from the IP Control Protocol (IPCP) layer which is specific to IP.

set iface addrs local-ip remote-ip

This command is only required when dial-on-demand is enabled. Normally, mpd configures the interface with the IP addresses that were negotiated when connecting the link. Since dial-on-demand configures the interface before actually connecting, mpd has to be told initial local and remote IP addresses to give the interface. These addresses don't have to correspond to the "real" ones; in fact, both addresses can be completely fictional. If and when different addresses are negotiated later, mpd will automatically renumber the interface and adjust the routes.

set iface route address[/width]

This command associates a route with the bundle. Whenever the interface is configured up, all associated routes are added. A route of default indicates the default route. Otherwise, the route is a network address with optional netmask width (e.g., 192.168.1.0/24). If the netmask width is omitted, a single host route is assumed (i.e., a width of 32).

Routes are automatically removed when the interface is brought down.

set iface mtu value

This command sets an upper bound on the MTU that will be configured on the interface when the bundle comes up. This value is not used at all during link negotiation; there are separate bundle and link commands for configuring that. Even if a higher bundle MTU is negotiated, this limit will still apply.

This command is useful when you want to manually restrict the MTU of the interface for other reasons, e.g., if you're also doing IPSec. The default value is 1500.

set iface idle seconds

Sets the idle timeout value for the bundle. If no qualifying outgoing packets are transmitted for seconds seconds, the connection is brought down. An idle timeout of zero disables this feature.

Mpd attempts to be intelligent about what a qualifying packet is. Idle time should only apply to packets that are generated locally and represent real local activity of some sort. For example, NTP traffic, ICMP echo replies, and TCP reset packets do not count as outgoing demand.

When the idle timeout occurs, if the dial-on-demand option is enabled, mpd goes back into dial-on-demand mode. Otherwise, the interface is brought down and all associated routes removed.

set iface session seconds

Sets the session timeout value for the bundle.

set iface up-script script
set iface down-script script

Mpd can optionally run a user program every time the interface is brought up or down. The up-script is called like this:

script interface inet local-ip remote-ip authname [ dns1 server-ip ] [ dns2 server-ip ]

The down-script is called like this:

script interface inet authname
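
An added example, not part of the mpd manual or mpd's own code: a POSIX sh up-script that validates the argument vector shown above before acting on it, since the script is handed the peer's authname. The ngN interface pattern, the authname character set and 64-character limit, and the UP_* variable names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not mpd's own code): validate up-script arguments
#   script interface inet local-ip remote-ip authname [dns1 ip] [dns2 ip]

is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; only digits and dots remain here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# On success sets UP_IFACE UP_LOCAL UP_REMOTE UP_AUTH UP_DNS1 UP_DNS2; returns 1 on bad input.
parse_up_args() {
    [ "$#" -ge 5 ] && [ "$2" = inet ] || return 1
    UP_IFACE=$1 UP_LOCAL=$3 UP_REMOTE=$4 UP_AUTH=$5 UP_DNS1='' UP_DNS2=''
    # Assumption: bundle interfaces are netgraph nodes named ngN, as in the manual's "via ngX".
    case $UP_IFACE in ng[0-9]*) ;; *) return 1 ;; esac
    case ${UP_IFACE#ng} in *[!0-9]*) return 1 ;; esac
    is_ipv4 "$UP_LOCAL" && is_ipv4 "$UP_REMOTE" || return 1
    # authname is supplied by the peer. Assumed site policy: 1-64 chars from a fixed set.
    case $UP_AUTH in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    [ "${#UP_AUTH}" -le 64 ] || return 1
    shift 5
    while [ "$#" -gt 0 ]; do       # optional "dns1 ip" / "dns2 ip" pairs
        [ "$#" -ge 2 ] && is_ipv4 "$2" || return 1
        case $1 in
            dns1) UP_DNS1=$2 ;;
            dns2) UP_DNS2=$2 ;;
            *) return 1 ;;
        esac
        shift 2
    done
}

# Runs only when mpd invokes the file with arguments.
if [ "$#" -gt 0 ]; then
    parse_up_args "$@" || { echo "up-script: rejected arguments" >&2; exit 1; }
    printf 'up iface=%s local=%s remote=%s user=%s dns1=%s dns2=%s\n' \
        "$UP_IFACE" "$UP_LOCAL" "$UP_REMOTE" "$UP_AUTH" "$UP_DNS1" "$UP_DNS2"
fi
```

Any command the script later builds from these values should still quote every variable; the validation narrows what can arrive, it does not replace quoting.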

set iface enable option ...
set iface disable option ...

Enable and disable the various interface layer options for the bundle.

The options available at the interface layer are:

on-demand

This option causes the interface to operate in dial-on-demand mode, allowing you to have a "virtual full time" connection. An OPEN event causes the interface to be configured, but the actual connection of the link is delayed until qualifying outgoing traffic is detected. Moreover, after an idle timeout, the interface is not brought down; further traffic will bring the link back up again.

proxy-arp

When this option is enabled, if after link negotiation the peer's IP address is determined to lie on a local subnet, then mpd will arrange for the local machine to install a proxy ARP entry for the remote machine's IP address.

For example, suppose the local machine lies on a LAN with address 192.168.1.10, and another machine will be connecting via mpd and using the LAN address 192.168.1.20. Then these commands would set up proxy ARP for the remote machine:

set iface enable proxy-arp
set ipcp 192.168.1.10/32 192.168.1.20/32

tcpmssfix

This option causes mpd to adjust outgoing TCP data so that the requested segment size is not greater than the amount allowed by the interface MTU.

This is necessary in many setups to avoid problems caused by routers that drop ICMP Datagram Too Big messages. Without these messages, the following happens: the originating machine sends data, which passes the rogue router and then reaches a machine whose MTU is not big enough for the data. Because the IP Don't Fragment option is set, this machine sends an ICMP Datagram Too Big message back to the originator and drops the packet. The rogue router drops the ICMP message, so the originator never discovers that it must reduce the fragment size or drop the IP Don't Fragment option from its outgoing data.

The code is based on tcpmssd, which was written by Ruslan Ermilov <ru@FreeBSD.org> based on work done by Patrick Bihan-Faou <patrick@mindstep.com>.

This option is disabled by default.

radius-mtu

This option causes mpd to use the MTU from the RADIUS server. It has the same effect as set iface mtu.

radius-idle

This option causes mpd to use the idle timeout from the RADIUS server. It has the same effect as set iface idle.

radius-session

This option causes mpd to use the session timeout from the RADIUS server. It has the same effect as set iface session.

radius-route

This option causes mpd to use the routes list from the RADIUS server. It has the same effect as set iface route.

radius-acl

This option causes mpd to use the Access Control Lists (ACLs) taken from the RADIUS server. These ACLs may include ipfw rules, dummynet pipes and dummynet queues. To use this feature, add the following dictionary to your RADIUS server:

#----------------------------------------------------------
# dictionary.mpd

VENDOR          mpd             12341

ATTRIBUTE       mpd-rule        1       string          mpd
ATTRIBUTE       mpd-pipe        2       string          mpd
ATTRIBUTE       mpd-queue       3       string          mpd
#----------------------------------------------------------

After this you can write in your RADIUS configuration something like:

mpd-pipe += "1=bw 10Kbyte/s",
mpd-pipe += "5=bw 20Kbyte/s",
mpd-rule += "1=pipe %p1 all from any to any in",
mpd-rule += "2=pipe %p5 all from any to any out",
mpd-rule += "100=allow all from any to any",

When mpd receives these parameters it will use ipfw(8) to create firewall rules, pipes and queues with unique numbers starting from 10000. "via ngX" is appended to the end of each rule so that the rule applies only to that client's networking interface.

As a result of this example we would get these commands executed:

ipfw pipe 10000 config bw 10Kbyte/s
ipfw pipe 10001 config bw 20Kbyte/s
ipfw add 10000 pipe 10000 all from any to any in via ng0
ipfw add 10001 pipe 10001 all from any to any out via ng0
ipfw add 10002 allow all from any to any via ng0

When the link goes down, all created rules will be removed.
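
An added sketch, not mpd's own code, that previews the ipfw commands a set of RADIUS ACL attributes would produce under the numbering described above, and refuses bodies outside a conservative character set. The `pipe N=...` / `rule N=...` input line format, the allow-list, the `render_acl` name and numbering in order of arrival are assumptions of this example; queues are not modelled.

```sh
#!/bin/sh
# Added example: preview the ipfw commands for RADIUS-supplied mpd-pipe / mpd-rule values.
# usage: render_acl ngN < attrs   (assumed input: one "pipe N=BODY" or "rule N=BODY" per line)
render_acl() {
    case $1 in ng[0-9]*) ;; *) return 1 ;; esac
    case ${1#ng} in *[!0-9]*) return 1 ;; esac
    awk -v iface="$1" -v base=10000 '
    function fail(msg) { print "line " NR ": " msg > "/dev/stderr"; bad = 1; exit 1 }
    {
        eq = index($0, "=")
        split(substr($0, 1, eq - 1), head, " ")   # head[1] = kind, head[2] = RADIUS-side number
        body = substr($0, eq + 1)
        if (eq == 0 || head[2] !~ /^[0-9]+$/ || body == "") fail("malformed attribute")
        # Assumed policy: the server-supplied body may only use these characters.
        if (body !~ "^[A-Za-z0-9 .,:/%_-]+$") fail("character outside allow-list")
        if (head[1] == "pipe") { pipe[head[2]] = base + np; pcfg[np++] = body }
        else if (head[1] == "rule") rule[nr++] = body
        else fail("unknown attribute kind")
    }
    END {
        if (bad) exit 1
        for (i = 0; i < np; i++) out = out "ipfw pipe " (base + i) " config " pcfg[i] "\n"
        for (i = 0; i < nr; i++) {
            body = rule[i]; res = ""
            while (match(body, /%p[0-9]+/)) {     # %pN refers to the pipe declared as N
                ref = substr(body, RSTART + 2, RLENGTH - 2)
                if (!(ref in pipe)) { print "undefined pipe " ref > "/dev/stderr"; exit 1 }
                res = res substr(body, 1, RSTART - 1) pipe[ref]
                body = substr(body, RSTART + RLENGTH)
            }
            out = out "ipfw add " (base + i) " " res body " via " iface "\n"
        }
        printf "%s", out                          # nothing is printed unless every line passed
    }'
}
```

Fed the five attribute values from the example above, the function prints the same five ipfw commands the manual lists for ng0.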

