--- gvpe/doc/gvpe.conf.5.pod 2004/12/04 18:38:28 1.3 +++ gvpe/doc/gvpe.conf.5.pod 2010/09/10 21:13:52 1.25 @@ -4,18 +4,21 @@ =head1 SYNOPSIS - enable-udp = yes + # global options for all nodes udp-port = 407 mtu = 1492 ifname = vpn0 + # first node is named branch1 and is at 1.2.3.4 node = branch1 hostname = 1.2.3.4 + # second node uses dns to resolve the address node = branch2 hostname = www.example.net udp-port = 500 # this host uses a different udp-port + # third node has no fixed ip address node = branch3 connect = ondemand 
@@ -24,29 +27,32 @@ The gvpe config file consists of a series of lines that contain C pairs. Empty lines are ignored. Comments start with a C<#> and extend to the end of the line. They can be used on their own lines, or -after any directives. Spaces are allowed before or after the C<=> sign or -after values, but not within the variable names or values themselves. +after any directives. Whitespace is allowed around the C<=> sign or after +values, but not within the variable names or values themselves. The only exception to the above is the "on" directive that can prefix any C setting and will only "execute" it on the named node, or (if the nodename starts with "!") on all nodes except the named one. - name = value +For example, set the MTU to C<1450> everywhere, loglevel to C on +branch1, and connect to C everywhere but on branch2: + + mtu = 1450 on branch1 loglevel = noise on !branch2 connect = ondemand -All settings are executed "in order", that is, later settings of the same +All settings are applied "in order", that is, later settings of the same variable overwrite earlier ones. =head1 ANATOMY OF A CONFIG FILE -Usually, a config file starts with global settings (like the udp port to -listen on), followed by node-specific sections that begin with a C line. +Usually, a config file starts with a few global settings (like the UDP +port to listen on), followed by node-specific sections that begin with a +C line. Every node that is part of the network must have a section that starts with C. The number and order of the nodes is important -and must be the same on all hosts. It is not uncommon for node sections to +and must be the same on all nodes. It is not uncommon for node sections to be completely empty - if the default values are right. Node-specific settings can be used at any time. If used before the first 
@@ -63,85 +69,76 @@ =over 4 -=item loglevel = noise|trace|debug|info|notice|warn|error|critical +=item dns-forw-host = hostname/ip -Set the logging level. Connection established messages are logged at level -C, notable errors are logged with C. Default is C. +The DNS server to forward DNS requests to for the DNS tunnel protocol +(default: C<127.0.0.1>, changing it is highly recommended). -=item node = nickname +=item dns-forw-port = port-number -Not really a config setting but introduces a node section. The nickname is -used to select the right configuration section and must be passed as an -argument to the gvpe daemon. +The port where the C is to be contacted (default: C<53>, +which is fine in most cases). -=item private-key = relative-path-to-key +=item dns-max-outstanding = integer-number-of-requests -Sets the path (relative to the config directory) to the private key -(default: C). This is a printf format string so every C<%> must -be doubled. A single C<%s> is replaced by the hostname, so you could -use paths like C to fetch the files at the location where -C puts them. +The maximum number of outstanding DNS transport requests +(default: C<100>). GVPE will never issue more requests then the given +limit without receiving replies. In heavily overloaded situations it might +help to set this to a low number (e.g. C<3> or even C<1>) to limit the +number of parallel requests. -Since only the private key file of the current node is used and the -private key file should be kept secret per-host to avoid spoofings, it is -not recommended to use this feature. +The default should be working OK for most links. -=item ifpersist = yes|true|on | no|false|off +=item dns-overlap-factor = float -Should the tun/tap device be made persistent, that is, should the device -stay up even when gvpe exits? 
Some versions of the tunnel device have -problems sending packets when gvpe is restarted in persistent mode, so -if the connections can be established but you cannot send packets from -the local node, try to set this to C and do an ifconfig down on the -device. +The DNS transport uses the minimum request latency (B) seen +during a connection as it's timing base. This factor (default: C<0.5>, +must be > 0) is multiplied by B to get the maximum sending +rate (= minimum send interval), i.e. a factor of C<1> means that a new +request might be generated every B seconds, which means on +average there should only ever be one outstanding request. A factor of +C<0.5> means that GVPE will send requests twice as often as the minimum +latency measured. -=item ifname = devname +For congested or picky DNS forwarders you could use a value nearer to or +exceeding C<1>. -Sets the tun interface name to the given name. The default is OS-specific -and most probably something like C. +The default should be working OK for most links. -=item rekey = seconds +=item dns-send-interval = send-interval-in-seconds -Sets the rekeying interval in seconds (default: C<3600>). Connections are -reestablished every C seconds. +The minimum send interval (= maximum rate) that the DNS transport will +use to send new DNS requests. GVPE will not exceed this rate even when +the latency is very low. The default is C<0.01>, which means GVPE will +not send more than 100 DNS requests per connection per second. For +high-bandwidth links you could go lower, e.g. to C<0.001> or so. For +congested or rate-limited links, you might want to go higher, say C<0.1>, +C<0.2> or even higher. -=item keepalive = seconds +The default should be working OK for most links. -Sets the keepalive probe interval in seconds (default: C<60>). After this -many seconds of inactivity the daemon will start to send keepalive probe -every 5 seconds until it receives a reply from the other end. 
If no reply -is received within 30 seconds, the peer is considered unreachable and the -connection is closed. +=item dns-timeout-factor = float -=item mtu = bytes +Factor to multiply the C (see C) by to +get request timeouts. The default of C<8> means that the DNS transport +will resend the request when no reply has been received for longer than +eight times the minimum (= expected) latency, assuming the request or +reply has been lost. -Sets the maximum MTU that should be used on outgoing packets (basically -the MTU of the outgoing interface) The daemon will automatically calculate -maximum overhead (e.g. udp header size, encryption blocksize...) and pass -this information to the C script. - -Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). - -This value must be the minimum of the mtu values of all hosts. - -=item ip-proto = numerical-ip-protocol +For congested links a higher value might be necessary (e.g. C<30>). If +the link is very stable lower values (e.g. C<2>) might work +nicely. Values near or below C<1> makes no sense whatsoever. -Sets the protocol number to be used for the rawip protocol. This is a -global option because all hosts must use the same protocol, and since -there are no port numbers, you cannot easily run more than one gvpe -instance using the same protocol, nor can you share the protocol with -other programs. - -The default is 47 (GRE), which has a good chance of tunneling through -firewalls (but note that the rawip protocol is not GRE compatible). Other -common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 (IPIP tunnels) or 98 -(ENCAP, rfc1241) +The default should be working OK for most links but will result in low +throughput if packet loss is high. =item if-up = relative-or-absolute-path Sets the path of a script that should be called immediately after the -network interface is initialized (but not neccessarily up). 
The following -environment variables are passed to it (the values are just examples): +network interface is initialized (but not necessarily up). The following +environment variables are passed to it (the values are just examples). + +Variables that have the same value on all nodes: =over 4 
@@ -151,59 +148,179 @@ =item IFNAME=vpn0 -The interface to initialize. +The network interface to initialize. + +=item IFTYPE=native # or tincd + +=item IFSUBTYPE=linux # or freebsd, darwin etc.. + +The interface type (C or C) and the subtype (usually the +OS name in lowercase) that this GVPE was configured for. Can be used to +select the correct syntax to use for network-related commands. =item MTU=1436 The MTU to set the interface to. You can use lower values (if done -consistently on all hosts), but this is usually ineffective. +consistently on all nodes), but this is usually either inefficient or +simply ineffective. -=item MAC=fe:fd:80:00:00:01 +=item NODES=5 -The MAC address to set the interface to. The script *must* set the -interface MAC to this value. You will most likely use one of these: +The number of nodes in this GVPE network. - ip link set $IFNAME address $MAC mtu $MTU up # GNU/Linux - ifconfig $IFNAME ether $MAC mtu $MTU up # FreeBSD +=back -Please see the C manpage for platform-specific information. +Variables that are node-specific and with values pertaining to the node +running this GVPE: -=item IFTYPE=native # or tincd +=over 4 -=item IFSUBTYPE=linux # or freebsd, darwin etc.. +=item IFUPDATA=string -The interface type (C or C) and the subtype (usually the os -name in lowercase) that this gvpe was configured for. Can be used to select -the correct syntax to use for network-related commands. +The value of the configuration directive C. + +=item MAC=fe:fd:80:00:00:01 + +The MAC address the network interface has to use. + +Might be used to initialize interfaces on platforms where GVPE does not +do this automatically. Please see the C man page for +platform-specific information. =item NODENAME=branch1 -The nickname of the current node, as passed to the gvpe daemon. +The nickname of the node. =item NODEID=1 -The numerical node id of the current node. The first node mentioned in the -config file gets ID 1, the second ID 2 and so on. 
+The numerical node ID of the node running this instance of GVPE. The first +node mentioned in the config file gets ID 1, the second ID 2 and so on. =back +In addition, all node-specific variables (except C) will be +available with a postfix of C<_nodeid>, which contains the value for that +node, e.g. the C variable contains the MAC address of node #1, while +the C variable contains the name of node #22. + Here is a simple if-up script: #!/bin/sh - ip link set $IFNAME address $MAC mtu $MTU up + ip link set $IFNAME up [ $NODENAME = branch1 ] && ip addr add 10.0.0.1 dev $IFNAME [ $NODENAME = branch2 ] && ip addr add 10.1.0.1 dev $IFNAME ip route add 10.0.0.0/8 dev $IFNAME -More complicated examples (using routing to reduce arp traffic) can be -found in the etc/ subdirectory of the distribution. +More complicated examples (using routing to reduce ARP traffic) can be +found in the F subdirectory of the distribution. + +=item ifname = devname + +Sets the tun interface name to the given name. The default is OS-specific +and most probably something like C. + +=item ifpersist = yes|true|on | no|false|off + +Should the tun/tap device be made persistent, that is, should the device +stay up even when gvpe exits? Some versions of the tunnel device have +problems sending packets when gvpe is restarted in persistent mode, so +if the connections can be established but you cannot send packets from +the local node, try to set this to C and do an ifconfig down on the +device. + +=item ip-proto = numerical-ip-protocol + +Sets the protocol number to be used for the rawip protocol. This is a +global option because all nodes must use the same protocol, and since +there are no port numbers, you cannot easily run more than one gvpe +instance using the same protocol, nor can you share the protocol with +other programs. + +The default is 47 (GRE), which has a good chance of tunneling +through firewalls (but note that gvpe's rawip protocol is not GRE +compatible). 
Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 +(IPIP tunnels) or 98 (ENCAP, rfc1241). + +Many versions of Linux seem to have a bug that causes them to reorder +packets for some ip protocols (GRE, ESP) but not for others (AH), so +choose wisely (that is, use 51, AH). + +=item http-proxy-host = hostname/ip + +The C family of options are only available if gvpe was +compiled with the C<--enable-http-proxy> option and enable tunneling of +tcp connections through a http proxy server. + +C and C should specify the hostname and +port number of the proxy server. See C if your proxy +requires authentication. + +Please note that gvpe will still try to resolve all hostnames in the +configuration file, so if you are behind a proxy without access to a DNS +server better use numerical IP addresses. + +To make best use of this option disable all protocols except TCP in your +config file and make sure your routers (or all other nodes) are listening +on a port that the proxy allows (443, https, is a common choice). + +If you have a router, connecting to it will suffice. Otherwise TCP must be +enabled on all nodes. + +Example: + + http-proxy-host = proxy.example.com + http-proxy-port = 3128 # 8080 is another common choice + http-proxy-auth = schmorp:grumbeere + +=item http-proxy-port = proxy-tcp-port + +The port where your proxy server listens. + +=item http-proxy-auth = login:password + +The optional login and password used to authenticate to the proxy server, +separated by a literal colon (C<:>). Only basic authentication is +currently supported. + +=item keepalive = seconds + +Sets the keepalive probe interval in seconds (default: C<60>). After this +many seconds of inactivity the daemon will start to send keepalive probe +every 3 seconds until it receives a reply from the other end. If no reply +is received within 15 seconds, the peer is considered unreachable and the +connection is closed. 
+ +=item loglevel = noise|trace|debug|info|notice|warn|error|critical + +Set the logging level. Connection established messages are logged at level +C, notable errors are logged with C. Default is C. + +=item mtu = bytes + +Sets the maximum MTU that should be used on outgoing packets (basically +the MTU of the outgoing interface) The daemon will automatically calculate +maximum overhead (e.g. UDP header size, encryption blocksize...) and pass +this information to the C script. + +Recommended values are 1500 (ethernet), 1492 (pppoe), 1472 (pptp). + +This value must be the minimum of the MTU values of all nodes. + +=item node = nickname + +Not really a config setting but introduces a node section. The nickname is +used to select the right configuration section and must be passed as an +argument to the gvpe daemon. =item node-up = relative-or-absolute-path -Sets a command (default: no script) that should be called whenever a -connection is established (even on rekeying operations). In addition -to the variables passed to C scripts, the following environment -variables will be set: +Sets a command (default: none) that should be called whenever a connection +is established (even on rekeying operations). Note that node-up/down +scripts will be run asynchronously, but execution is serialised, so there +will only ever be one such script running. + +In addition to all the variables passed to C scripts, the following +environment variables will be set (values are just examples): =over 4 
@@ -215,24 +332,29 @@ The node id of the remote node. +=item DESTSI=rawip/88.99.77.55:0 + +The "socket info" of the target node, protocol dependent but usually in +the format protocol/ip:port. + =item DESTIP=188.13.66.8 -The numerical IP address of the remote host (gvpe accepts connections from -everywhere, as long as the other host can authenticate itself). +The numerical IP address of the remote node (gvpe accepts connections from +everywhere, as long as the other node can authenticate itself). =item DESTPORT=655 # deprecated -The UDP port used by the other side. +The protocol port used by the other side, if applicable. -=item STATE=UP +=item STATE=up -Node-up scripts get called with STATE=UP, node-down scripts get called -with STATE=DOWN. +Node-up scripts get called with STATE=up, node-change scripts get called +with STATE=change and node-down scripts get called with STATE=down. =back Here is a nontrivial example that uses nsupdate to update the name => ip -mapping in some dns zone: +mapping in some DNS zone: #!/bin/sh { 
@@ -241,50 +363,51 @@ echo } | nsupdate -d -k $CONFBASE:key.example.net. -=item node-down = relative-or-absolute-path +=item node-change = relative-or-absolute-path -Same as C, but gets called whenever a connection is lost. +Same as C, but gets called whenever something about a +connection changes (such as the source IP address). -=item http-proxy-host = hostname/ip - -The C family of options are only available if gvpe was -compiled with the C<--enable-http-proxy> option and enable tunneling of -tcp connections through a http proxy server. - -C and C should specify the hostname and -port number of the proxy server. See C if your proxy -requires authentication. +=item node-down = relative-or-absolute-path -Please note that gvpe will still try to resolve all hostnames in the -configuration file, so if you are behind a proxy without access to a dns -server better use numerical IP addresses. +Same as C, but gets called whenever a connection is lost. -To make best use of this option disable all protocols except tcp in your -config file and make sure your routers (or all other hosts) are listening -on a port that the proxy allows (443, https, is a common choice). +=item pid-file = path -If you have a router, connecting to it will suffice. Otherwise tcp must be -enabled on all hosts. +The path to the pid file to check and create +(default: C). -Example: +=item private-key = relative-path-to-key - http-proxy-host = proxy.example.com - http-proxy-port = 3128 # 8080 is another common choice - http-proxy-auth = schmorp:grumbeere +Sets the path (relative to the config directory) to the private key +(default: C). This is a printf format string so every C<%> must +be doubled. A single C<%s> is replaced by the hostname, so you could +use paths like C to fetch the files at the location where +C puts them. 
-=item http-proxy-port = proxy-tcp-port +Since only the private key file of the current node is used and the +private key file should be kept secret per-node to avoid spoofing, it is +not recommended to use this feature. -The port where your proxy server listens. +=item rekey = seconds -=item http-proxy-auth = login:password +Sets the rekeying interval in seconds (default: C<3600>). Connections are +reestablished every C seconds, making them use a new encryption +key. -The optional login and password used to authenticate to the proxy server, -seperated by a literal colon (C<:>). Only basic authentication is -currently supported. +=item nfmark = integer -=item pid-file = path +This advanced option, when set to a nonzero value (default: C<0>), tries +to set the netfilter mark (or fwmark) value on all sockets gvpe uses to +send packets. + +This can be used to make gvpe use a different set of routing rules. For +example, on GNU/Linux, the C could set C to 1000 and then +put all routing rules into table C<99> and then use an ip rule to make +gvpe traffic avoid that routing table, in effect routing normal traffic +via gvpe and gvpe traffic via the normal system routing tables: -The path to the pid file to check and create (Default: + ip rule add not fwmark 1000 lookup 99 =back 
@@ -292,69 +415,152 @@ The following settings are node-specific, that is, every node can have different settings, even within the same gvpe instance. Settings that are -executed before the first node section set the defaults, settings that are -executed within a node section only apply to the given node. +set before the first node section set the defaults, settings that are +set within a node section only apply to the given node. =over 4 -=item udp-port = port-number +=item allow-direct = nodename -Sets the port number used by the UDP protocol (default: C<655>, not -officially assigned by IANA!). +Allow direct connections to this node. See C for more info. -=item tcp-port = port-number +=item compress = yes|true|on | no|false|off -Similar to C (default: C<655>), but sets the TCP port number. +Wether to compress data packets sent to this node (default: C). +Compression is really cheap even on slow computers and has no size +overhead at all, so enabling this is often a good idea. + +=item connect = ondemand | never | always | disabled + +Sets the connect mode (default: C). It can be C (always +try to establish and keep a connection to the given node), C +(never initiate a connection to the given host, but accept connections), +C (try to establish a connection when there are outstanding +packets in the queue and take it down after the keepalive interval) or +C (node is bad, don't talk to it). + +Routers will automatically be forced to C unless they are +C, to ensure all nodes can talk to each other. + +=item deny-direct = nodename | * + +Deny direct connections to the specified node (or all nodes when C<*> +is given). Only one node can be specified, but you can use multiple +C and C statements. This only makes sense in +networks with routers, as routers are required for indirect connections. + +Sometimes, a node cannot reach some other nodes for reasons of network +connectivity. 
For example, a node behind a firewall that only allows +connections to/from a single other node in the network. In this case one +should specify C and C (the other +node I be a router for this to work). + +The algorithm to check whether a connection may be direct is as follows: + +1. Other node mentioned in an C? If yes, allow the connection. + +2. Other node mentioned in a C? If yes, deny direct connections. + +3. Allow the connection. + +That is, C takes precedence over C. + +The check is done in both directions, i.e. both nodes must allow a direct +connection before one is attempted, so you only need to specify connect +limitations on one node. + +=item dns-domain = domain-suffix + +The DNS domain suffix that points to the DNS tunnel server for this node. + +The domain must point to a NS record that points to the I, +i.e. + + dns-domainname = tunnel.example.net + dns-hostname = tunnel-server.example.net + +Corresponds to the following DNS entries in the C domain: + + tunnel.example.net. NS tunnel-server.example.net. + tunnel-server.example.net. A 13.13.13.13 + +=item dns-hostname = hostname/ip + +The address to bind the DNS tunnel socket to, similar to the C, +but for the DNS tunnel protocol only. Default: C<0.0.0.0>, but that might +change. + +=item dns-port = port-number + +The port to bind the DNS tunnel socket to. Must be C<53> on DNS tunnel servers. + +=item enable-dns = yes|true|on | no|false|off + +See gvpe.protocol(7) for a description of the DNS transport +protocol. Avoid this protocol if you can. + +Enable the DNS tunneling protocol on this node, either as server or as +client. Support for this transport protocol is only available when gvpe +was compiled using the C<--enable-dns> option. + +=item enable-icmp = yes|true|on | no|false|off + +See gvpe.protocol(7) for a description of the ICMP transport protocol. + +Enable the ICMP transport using ICMP packets of type C on this +node. 
=item enable-rawip = yes|true|on | no|false|off +See gvpe.protocol(7) for a description of the RAW IP transport protocol. + Enable the RAW IPv4 transport using the C protocol -(default: C). This is the best choice, since the overhead per packet -is only 38 bytes, as opposed to UDP's 58 (or TCP's 60+). +(default: C). + +=item enable-tcp = yes|true|on | no|false|off + +See gvpe.protocol(7) for a description of the TCP transport protocol. + +Enable the TCPv4 transport using the C port +(default: C). Support for this transport protocol is only available +when gvpe was compiled using the C<--enable-tcp> option. =item enable-udp = yes|true|on | no|false|off -Enable the UDPv4 transport using the C port (default: C, -but this will change!). This is a good general choice since UDP tunnels -well through many firewalls. +See gvpe.protocol(7) for a description of the UDP transport protocol. -NOTE: Please specify C even though it is the default, as -some future version will have all protocols disabled by default. +Enable the UDPv4 transport using the C port (default: C, +unless no other protocol is enabled for a node, in which case this +protocol is enabled automatically). -=item enable-tcp = yes|true|on | no|false|off +NOTE: Please specify C if you want to use it even though +it might get switched on automatically, as some future version might +default to another default protocol. -Enable the TCPv4 transport using the C port -(default: C). Support for this horribly unsuitable protocol is only -available when gvpe was compiled using the C<--enable-tcp> option. Never -use this transport unless you really must, it is horribly ineffiecent and -resource-intensive compared to the other transports. - -=item router-priority = 0 | 1 | positive-number>2 - -Sets the router priority of the given host (default: C<0>, disabled). If -some host tries to connect to another host without a hostname, it asks -the router host for it's IP address. 
The router host is the one with the -highest priority larger than C<1> that is currently reachable. +=item hostname = hostname | ip [can not be defaulted] -Make sure all hosts always connect (C) to the router -hosts, otherwise connecting to them might be impossible. +Forces the address of this node to be set to the given DNS hostname or IP +address. It will be resolved before each connect request, so dyndns should +work fine. If this setting is not specified and a router is available, +then the router will be queried for the address of this node. Otherwise, +the connection attempt will fail. -The special value C<1> allows other hosts to route through the router -host, but they will never route through it by default. The value C<0> -disables routing. The idea behind this is that some hosts can, if -required, bump the C setting to higher than C<1> in their -local config to route through specific hosts. If C is -C<0>, then routing will be refused, so C<1> serves as a "enable, but do -not use by default" switch. +Note that DNS resolving is done synchronously, pausing the daemon. If that +is an issue you need to specify IP addresses. -=item connect = ondemand | never | always | disabled +=item icmp-type = integer -Sets the connect mode (default: C). It can be C (always -try to establish and keep a connection to the given host), C -(never initiate a connection to the given host, but accept connections), -C (try to establish a connection on the first packet sent, and -take it down after the keepalive interval) or C (node is bad, -don't talk to it). +Sets the type value to be used for outgoing (and incoming) packets sent +via the ICMP transport. + +The default is C<0> (which is C, also known as +"ping-reply"). Other useful values include C<8> (C, a.k.a. +"ping") and C<11> (C), but any 8-bit value can be used. + +=item if-up-data = value + +The value specified using this directive will be passed to the C +script in the environment variable C. 
=item inherit-tos = yes|true|on | no|false|off 
@@ -363,20 +569,65 @@ outgoing tunnel packets will have the same TOS setting as the packets sent to the tunnel device, which is usually what you want. -=item compress = yes|true|on | no|false|off - -Wether to compress data packets sent to this host (default: C). -Compression is really cheap even on slow computers and has no size -overhead at all, so enabling this is a good idea. - =item max-retry = positive-number -The maximum interval in seconds (default: C<28800>, 8 hours) between +The maximum interval in seconds (default: C<3600>, one hour) between retries to establish a connection to this node. When a connection cannot -be established, gvpe uses exponential backoff capped at this value. It's +be established, gvpe uses exponential back-off capped at this value. It's sometimes useful to set this to a much lower value (e.g. C<120>) on connections to routers that usually are stable but sometimes are down, to -assure quick reconnections. +assure quick reconnections even after longer downtimes. + +=item max-ttl = seconds + +Expire packets that couldn't be sent after this many seconds +(default: C<60>). Gvpe will normally queue packets for a node without an +active connection, in the hope of establishing a connection soon. This +value specifies the maximum lifetime a packet will stay in the queue, if a +packet gets older, it will be thrown away. + +=item max-queue = positive-number>=1 + +The maximum number of packets that will be queued (default: C<512>) +for this node. If more packets are sent then earlier packets will be +expired. See C, above. + +=item router-priority = 0 | 1 | positive-number>=2 + +Sets the router priority of the given node (default: C<0>, disabled). + +If some node tries to connect to another node but it doesn't have a +hostname, it asks a router node for it's IP address. The router node +chosen is the one with the highest priority larger than C<1> that is +currently reachable. 
This is called a I connection, as the +connection itself will still be direct, but it uses another node to +mediate between the two nodes. + +The value C<0> disables routing, that means if the node receives a packet +not for itself it will not forward it but instead drop it. + +The special value C<1> allows other hosts to route through the router +host, but they will never route through it by default (i.e. the config +file of another node needs to specify a router priority higher than one +to choose such a node for routing). + +The idea behind this is that some hosts can, if required, bump the +C setting to higher than C<1> in their local config to +route through specific hosts. If C is C<0>, then routing +will be refused, so C<1> serves as a "enable, but do not use by default" +switch. + +Nodes with C set to C<2> or higher will always be forced +to C = C (unless they are C). + +=item tcp-port = port-number + +Similar to C (default: C<655>), but sets the TCP port number. + +=item udp-port = port-number + +Sets the port number used by the UDP protocol (default: C<655>, not +officially assigned by IANA!). =back @@ -414,5 +665,5 @@ =head1 AUTHOR -Marc Lehmann +Marc Lehmann
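Review bot: the SYNOPSIS hunk removes `enable-udp = yes` from the example config, but the `enable-udp` entry later in this same patch still tells users "Please specify enable-udp = yes if you want to use it even though it might get switched on automatically, as some future version might default to another default protocol". Keep the line in the synopsis (under the new `# global options for all nodes` comment) so the example follows the advice the manual itself gives; otherwise the two sections contradict each other.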
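Review bot: in the `@@ -24,29 +27,32 @@` hunk the sentence "The number and order of the nodes is important and must be the same on all nodes" should say what breaks when they differ. The if-up section of this patch states that node IDs are assigned by position ("The first node mentioned in the config file gets ID 1, the second ID 2 and so on"), so a one-line pointer that a mismatched order yields different NODEIDs on different nodes would make the requirement concrete for the reader.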
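Review bot: `dns-forw-host` in the `@@ -63,85 +69,76 @@` hunk says "(default: C<127.0.0.1>, changing it is highly recommended)" without saying why; the reason belongs in the text so an administrator can decide what to point it at. The same hunk has several wording slips in the new `dns-*` entries: "GVPE will never issue more requests then the given limit" should read "than", "as it's timing base" should read "its", and "Values near or below C<1> makes no sense whatsoever" should read "make". The sentence "The default should be working OK for most links" is repeated after four consecutive entries and could be stated once.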
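Review bot: in the `@@ -151,59 +148,179 @@` hunk the sample if-up script changes from `ip link set $IFNAME address $MAC mtu $MTU up` to `ip link set $IFNAME up`, yet the `MTU` variable is still documented as "The MTU to set the interface to" and `MAC` now only says it "Might be used to initialize interfaces on platforms where GVPE does not do this automatically". Either the script should keep `mtu $MTU`, or the `MTU` entry should say the daemon sets it itself; as written the reader cannot tell whether the example is complete. Three further points in the same hunk: the `keepalive` text changes the probe interval and timeout from 5/30 seconds to 3/15 seconds, so please confirm these match the daemon's constants rather than only the prose; `ip-proto` now advises "choose wisely (that is, use 51, AH)" while leaving the documented default at 47 (GRE), so either change the default or say explicitly that the default is kept for firewall traversal despite the reordering issue; and `http-proxy-auth` states that only basic authentication is supported, which sends the login and password base64-encoded (effectively in cleartext) to the proxy and stores them in the config file, so the entry should advise restricting the config file's permissions and using a dedicated proxy account.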
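Review bot: the `@@ -215,24 +332,29 @@` hunk changes the `STATE` variable from `STATE=UP`/`STATE=DOWN` to lowercase `STATE=up`/`STATE=change`/`STATE=down`. Any existing node-up or node-down script that tests `[ "$STATE" = UP ]` will silently stop matching after an upgrade, so this is a user-visible incompatibility and deserves a sentence saying so (and ideally a note in the changelog). The new `DESTSI` entry is good; it would help to say whether `DESTIP`/`DESTPORT` are still set for transports such as rawip where the port shown is `0`.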
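Review bot: the `nfmark` entry added in the `@@ -241,50 +363,51 @@` hunk says gvpe "tries to set the netfilter mark" but does not say what happens when it cannot (on Linux, setting a socket mark requires CAP_NET_ADMIN). Please state whether the daemon logs an error, refuses to start, or continues without the mark, since in the routing setup the text describes a silently missing mark would send gvpe's own packets through the table meant for tunnelled traffic. The policy-routing example `ip rule add not fwmark 1000 lookup 99` is consistent with the prose (mark 1000, table 99), which is good.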
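Review bot: in the `@@ -292,69 +415,152 @@` hunk the directive is documented as `dns-domain = domain-suffix` but the example beneath it uses `dns-domainname = tunnel.example.net`; one of the two names is wrong and a user copying the example will get a setting that is never applied. The `compress` entry carries over the misspelling "Wether" (should be "Whether"). In the `deny-direct` walkthrough the direction checked in the example ("specify C and C ... the other node I be a router") has lost its formatting, so please double-check that the rendered text names which node gets `allow-direct` and which gets `deny-direct = *`.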
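Review bot: the `@@ -363,20 +569,65 @@` hunk changes the documented `max-retry` default from `28800` (8 hours) to `3600` (one hour); please confirm the daemon's default actually changed, since a doc-only change here would mislead operators sizing reconnection behaviour. Wording in the same hunk: `router-priority` has "it asks a router node for it's IP address" (should be "its") and "serves as a "enable, but do not use by default" switch" (should be "an"); in `max-queue`, "If more packets are sent then earlier packets will be expired" needs a comma after "sent" (or "than" if a comparison was intended) because it currently reads both ways.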