aftr.conf — configuration file for aftr
The aftr daemon requires a configuration file. By default it is named aftr.conf, and is located in $src_path. The AFTRCONFIG environment variable and the -c argument give an alternate path. Sample configuration files are provided in $src_path/conf/aftr.conf (OS independent).
The configuration file consists of a set of one-line configuration commands. Commands are not case sensitive. Any line beginning with '#' or whitespace is ignored as a comment.
Configuration and interactive commands belong to sections:
section zero is for global parameters, which must be defined before anything else when they are not kept at their default values, for instance defmtu;
section one is for required parameters, for instance pool;
section two is for reloadable parameters, for instance nat;
section three is for interactive-only commands.
Only the section one commands are required; reasonable defaults are provided for all other configuration parameters. See conf/aftr.conf for an example of a minimal configuration file.
Alias of default tunnel auto on|off.
size
Specifies the bucket size. Compile time options are [TCP|UDP|ICMP]BUCKSZ; default values are: TCPBUCKSZ 10, UDPBUCKSZ 8, ICMPBUCKSZ 3. Minimum is 0 (excluded) and maximum 255.
decay
Specifies the decay values for the 1, 5 and 15 minute rates. Compile time options are DECAY{1,5,15}; default values are: DECAY1 exp(-1/60), DECAY5 exp(-1/300), DECAY15 exp(-1/900). Minimum is 0.0 and maximum 1.0.
Enables or disables equalizing the length of IPv6 fragments. Default is off.
lifetime
Specifies the lifetime of fragments in reassembly queues. Compile time option is FRAG_LIFETIME; default value is 30 seconds. Minimum is 0 (excluded) and maximum 1200.
maxcount
Maximum number of entries in reassembly queues ('in' is IPv4 from clients to the Internet, 'out' is IPv4 from the Internet to clients). Compile time options are FRAG{6,IN,OUT}_MAXCNT; default values are 1024. Minimum is 0 (included, so it is possible to disable reassembly), maximum is 16535.
lifetime
Specifies the lifetime of expired NAT entries in the hold queue. Compile time option is HOLD_LIFETIME; default value is 120 seconds. Minimum is 0 (included), maximum is 600.
lifetime
Specifies the lifetime of dynamic NAT entries ('closed' is for closed TCP sessions, 'retrans' is used for responses not yet received). Compile time options are [TCP|CLOSED_TCP|UDP|ICMP|RETRANS]_LIFETIME; default values are TCP (600), closed TCP (120, aka 2*MSL), UDP (300), ICMP (30), retrans (10). Minimum is 0 (excluded), maximum 36000 (10 hours).
Specifies the PCP daemon state. Compile time option is PCPD_STATE. Default is disable. When enable (or encapsulate), the creation of new dynamic mappings must be enabled by the PCP daemon (using the dynamic command). In the encapsulate state the aftr daemon works as a proxy with the PCP daemon for encapsulated PCP packets.
min-max
Specifies the default port ranges for PCP port forwarding entries. Compile time options are [TCP|UDP]_[MIN|MAX]PPCP; default values are 0, i.e., this feature is disabled. Minimum is 0 (1 when not disabled), maximum 63535.
min-max
Specifies the default port (or id for icmp echo) ranges for pools. Compile time options are [TCP|UDP]_[MIN|MAX]PORT and ICMP_[MIN|MAX]ID; default values are TCP_MINPORT 2048, UDP_MINPORT 512, ICMP_MINID 0, TCP_MAXPORT 65535, UDP_MAXPORT 65535, ICMP_MAXID 65535. Minimum is 1 (0 for ICMP), maximum 63535.
IPv4_prefix/prefix_length
Adds a private prefix to the IPv4 ACLs. The default is the RFC 1918 prefixes and the 192.0.0.0/29 prefix from the ds-lite draft.
Enables or disables on-the-fly tunnel creation. Default is on.
This enables or disables TCP MSS patching on packets going from and to tunnels. Can be overridden by per-tunnel configuration. If any tunnels are explicitly configured, this must be specified before them. Default is off.
mtu
Specifies mtu as the default IPv6 MTU of tunnels. Can be overridden by per-tunnel configuration.
This specifies the policy for packets from the Internet which are too big (i.e., they don't fit in one IPv6 encapsulating packet) and are marked “don't fragment”. 'On' means an ICMPv4 packet too big error is returned to the source, 'off' means the packet just goes through, and 'strict' means the packet is dropped with an ICMPv4 error. Default is on (i.e., the packet is encapsulated into several IPv6 fragments and an ICMP error is returned for path MTU determination).
maxcount
Specifies the maximum number of reassembly queue entries per tunnel. Compile time options are FRAGTN[46]_MAXCNT; default values are FRAGTN6_MAXCNT 16, FRAGTN4_MAXCNT 64. Minimum is 0 (included, to disable reassembly), maximum is 255.
maxcount
Specifies the maximum number of NAT entries per tunnel. Compile time options are [TCP|UDP|ICMP]_MAXTNATCNT; default values are TCP_MAXNATCNT 2000, UDP_MAXNATCNT 200, ICMP_MAXNATCNT 50. Minimum is 0 (included), maximum is 65535.
limit
Specifies the maximum rate of dynamic NAT creation per second. Compile time options are [TCP|UDP|ICMP]_MAXTNATRT; default values are TCP_MAXNATRT 50, UDP_MAXNATRT 20, ICMP_MAXNATRT 5. Minimum is 0 (included), maximum 255.
IPv4_address
This removes the IPv4 private prefix matching the given IPv4 address. It is an error to end up with no private prefixes.
Alias of default tunnel mss on|off.
mtu
Alias of default tunnel mtu mtu.
Alias of default tunnel toobig on|off|strict.
Alias of default fragment equal on|off.
quantum
Specifies the number of packets dealt with in one main loop round (i.e., the size of a slice of work). Compile time option is QUANTUM; default value is 20. Minimum is 2 (included), maximum is 255.
IPv6_prefix/prefix_length
This adds an (accept) entry to the IPv6 ACL. Note that for a regular IPv6 packet the ACL is checked only when no tunnel was found, and the default is “deny all”, so at least one acl6 entry in the configuration file is required when the auto tunnel option is on.
IPv6_address
IPv6_address is the AFTR endpoint address of the Softwire tunnels. If the DHCPv6 ds-lite option is used, this address must match the advertised address. It is a required command: it absolutely must be present in the aftr.conf file; the aftr daemon will not start without it.
IPv4_address
IPv4_address is a global IPv4 address used as the source for ICMP errors sent back to the Internet (i.e., the ICMPv4 errors will look as if returned from an intermediate router that has this address). It is a required command.
IPv4_address [tcp|udp|echo min-max]
This specifies a global IPv4 address that will be used as the source address of NAT'ed packets sent to the Internet. Multiple global addresses can be specified; at least one is required.
The optional part limits the port (or id) range used for the protocol with this global IPv4 address in dynamic bindings (i.e., not static or A+P bindings, which can use the reserved ports outside the range).
IPv4_address tcp|udp min-max
This is a clone of the previous pool command, but it specifies the port ranges for port forwarding entries managed by the PCP server. Only possible conflicts with the dynamic port ranges are checked.
IPv6_remote [IPv4_src]
This specifies an IPv4-in-IPv6 tunnel configuration. IPv6_remote is the remote (ds-lite client) IPv6 address of the tunnel. Either the tunnel is associated with a source address in a round-robin way, or it is associated with the specified IPv4_src.
IPv6_remote tcp|udp IPv4_src port_src IPv4_new port_new
This defines a static binding/NAT entry for the client behind the tunnel at IPv6_remote. *_src are the source IPv4 address and port at the tunnel side of the NAT; *_new are the source IPv4 address and port at the Internet side of the NAT. IPv4_new should be a reserved source NAT address, and port_new must not be inside a dynamic port range.
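As an added example (not part of this manual or of the aftr distribution), the following Python checker ties together the pool entry's dynamic port ranges and the static NAT rule above: it parses an aftr.conf using the comment and case-insensitivity rules stated earlier, applies the compile-time default ranges from this page, and reports static entries whose port_new lands inside the dynamic range of their pool address. It assumes that pool and nat are the command keywords with the argument orders shown in their entries, and that a static entry's IPv4_new must be one of the configured pool addresses.

```python
import ipaddress

# Compile-time defaults from the manual: TCP_MINPORT 2048, UDP_MINPORT 512,
# TCP/UDP_MAXPORT 65535; these bound the dynamic range of each pool address.
DEFAULT_RANGE = {"tcp": (2048, 65535), "udp": (512, 65535)}

def parse_conf(text):
    """Yield (keyword, args) per command line of an aftr.conf."""
    for line in text.splitlines():
        if not line or line[0] in "# \t":  # '#'/whitespace lines are comments
            continue
        words = line.split()
        yield words[0].lower(), words[1:]  # commands are case-insensitive

def check_static_nat(text):
    """Return static 'nat' entries that collide with a pool's dynamic range."""
    commands = list(parse_conf(text))
    ranges = {}  # (pool IPv4, proto) -> (min, max) of the dynamic range
    for kw, args in commands:
        if kw == "pool":
            addr = str(ipaddress.IPv4Address(args[0]))
            for proto, rng in DEFAULT_RANGE.items():
                ranges.setdefault((addr, proto), rng)
            if len(args) >= 3 and args[1].lower() in DEFAULT_RANGE:
                # optional 'tcp|udp min-max' narrows that protocol's range
                lo, hi = (int(p) for p in args[2].split("-"))
                ranges[(addr, args[1].lower())] = (lo, hi)
    problems = []
    for kw, args in commands:
        if kw != "nat":
            continue
        remote, proto, _src, _port_src, new, port_new = args[:6]
        key = (str(ipaddress.IPv4Address(new)), proto.lower())
        if key not in ranges:  # assumption: IPv4_new must be a pool address
            problems.append(f"nat {remote}: {new} is not a pool address")
            continue
        lo, hi = ranges[key]
        if lo <= int(port_new) <= hi:
            problems.append(f"nat {remote}: {proto} port {port_new} on {new} "
                            f"lies inside the dynamic range {lo}-{hi}")
    return problems

# Constructed sample using documentation addresses, not a real deployment.
SAMPLE = """\
pool 198.51.100.10
pool 198.51.100.11 tcp 1024-65535
nat 2001:db8::1 tcp 192.168.1.2 80 198.51.100.11 80
nat 2001:db8::2 tcp 192.168.1.3 22 198.51.100.10 2222
NAT 2001:db8::3 udp 192.168.1.4 53 198.51.100.12 53
"""
```

Running check_static_nat(SAMPLE) flags the second entry (port 2222 is inside the default TCP range 2048-65535 of 198.51.100.10) and the third (198.51.100.12 has no pool entry), while the first passes because its pool narrowed the dynamic TCP range to 1024-65535.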
IPv6_remote tcp|udp IPv4 port
This defines a Port-Range Router/A+P null NAT entry for the client behind the tunnel at IPv6_remote. IPv4 and port are the source IPv4 address and port at the tunnel side of the NAT. They stay unchanged both ways: this entry is used to check authorization and perform port routing.
IPv6_remote IPv4/prefix_length
This defines a No-NAT tunnel for the client behind the tunnel at IPv6_remote and the prefix IPv4/prefix_length. No translation is performed for matching packets.
IPv6_remote on|off
This enables or disables TCP MSS patching on packets going from and to the tunnel of IPv6_remote. Default is off.
IPv6_remote mtu
This changes the IPv6 MTU of the tunnel of IPv6_remote to mtu.
IPv6_remote on|off|strict
Per-tunnel configuration of the too big policy.
[level]
Specifies the debug level. Default is 0. If set to non-zero, verbose log messages will be dumped to stderr. The higher the level, the noisier the logs. At present, the meaningful levels are 1 (log tunnel creation), 3 (log packet reads and writes), and 10 (function entry tracing). If the level is omitted, it is set to 1.
IPv6_remote [IPv4_src]
Creates an IPv4-in-IPv6 tunnel when it doesn't already exist, and in all cases returns the description of the tunnel entry. This command should be used by tools managing temporary port forwarding. IPv6_remote must be acceptable for the IPv6 ACLs.
IPv6_remote tcp|udp IPv4_src port_src IPv4_new port_new
Creates a static binding/NAT entry when it doesn't already exist. This command should be used by tools managing temporary port forwarding. The tunnel must exist.