NAME

aftr.conf — configuration file for aftr

SYNOPSIS

aftr.conf

DESCRIPTION

The aftr daemon requires a configuration file. By default it is named aftr.conf, and is located in $src_path. The AFTRCONFIG environment variable and the -c argument give an alternate path. A sample configuration file is provided in $src_path/confs/aftr.conf (OS independent).

The configuration file consists of a set of one-line configuration commands. Commands are not case sensitive. Any line beginning with '#' or whitespace is ignored as a comment.

Configuration and interactive commands belong to sections:

  • section zero is for global parameters which must be defined before anything else when they are not kept to their default values, for instance defmtu.

  • section one is for required parameters, for instance acl6.

  • section two is for reloadable parameters, for instance nat.

  • interactive only commands are in the section three.
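As an added example (constructed for this page, not the sample shipped in $src_path/confs/aftr.conf; the addresses are documentation prefixes chosen for illustration), a minimal file laid out in the order the sections impose:

```conf
# section zero: global parameters, before anything else
default tunnel mss on
default pool tcp 10000-60000

# section one: required parameters
address endpoint 2001:db8::1
address icmp 192.0.2.1
pool 192.0.2.10
pool 192.0.2.11 udp 1024-60000
acl6 2001:db8:1::/48

# section two: reloadable parameters
tunnel 2001:db8:1::100 192.0.2.10
nat 2001:db8:1::100 tcp 10.0.0.5 80 192.0.2.10 8080
```

Moving `default tunnel mss on` below the `tunnel` line would break the rule that it precede any explicitly configured tunnel. The static nat entry uses port 8080, which lies outside the 10000-60000 dynamic TCP range that `default pool` sets for 192.0.2.10, as the nat command requires.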

GLOBAL CONFIGURATION COMMANDS

autotunnel on|off

Alias of default tunnel auto on|off.

bucket tcp|udp|icmp size size

Specifies the bucket size. Compile time options are [TCP|UDP|ICMP]BUCKSZ, default values are: TCPBUCKSZ 10, UDPBUCKSZ 8, ICMPBUCKSZ 3. Minimum is 0 (excluded) and maximum 255.

decay 1|5|15 decay

Specifies decay values for the 1, 5 and 15 minute rates. Compile time options are DECAY{1,5,15}, default values are: DECAY1 exp(-1/60), DECAY5 exp(-1/300), DECAY15 exp(-1/900). Minimum is 0.0 and maximum 1.0.

default fragment equal on|off

Enables or disables equalizing the length of IPv6 fragments. Default is off.

default fragment lifetime lifetime

Specifies the lifetime of fragments in reassembly queues. Compile time option is FRAG_LIFETIME, default value is 30 seconds. Minimum is 0 (excluded) and maximum 1200.

default fragment ipv6|in|out maxcount maxcount

Maximum number of entries in reassembly queues ('in' is IPv4 from clients to the Internet, 'out' is IPv4 from the Internet to clients). Compile time options are FRAG{6,IN,OUT}_MAXCNT, default values are 1024. Minimum is 0 (included so it is possible to disable reassembly), maximum is 16535.

default hold lifetime lifetime

Specifies the lifetime of expired NAT entries in the hold queue. Compile time option is HOLD_LIFETIME, default value is 120 seconds. Minimum is 0 (included), maximum is 600.

default nat lifetime tcp|closed|udp|icmp|retrans lifetime

Specifies the lifetime of dynamic NAT entries ('closed' applies to closed TCP sessions, 'retrans' applies while a response has not yet been received). Compile time options are [TCP|CLOSED_TCP|UDP|ICMP|RETRANS]_LIFETIME, default values are TCP (600), closed TCP (120, aka 2*MSL), UDP (300), ICMP (30), retrans (10). Minimum is 0 (excluded), maximum 36000 (10 hours).

default pool tcp|udp|echo min-max

Specifies the default port (or id for icmp echo) ranges for pools. Compile time options are [TCP|UDP]_[MIN|MAX]PORT, ICMP_[MIN|MAX]ID, default values are TCP_MINPORT 2048, UDP_MINPORT 512, ICMP_MINID 0, TCP_MAXPORT 65535, UDP_MAXPORT 65535, ICMP_MAXID 65535. Minimum is 1 (0 for ICMP), maximum 63535.

default tunnel auto on|off

Enables or disables on-the-fly tunnel creation. Default is on.

default tunnel mss on|off

This enables or disables TCP MSS patching on packets going from and to tunnels. Can be overridden by per-tunnel configuration. If any tunnels are explicitly configured, this must be specified before them. Default is off.

default tunnel mtu mtu

Specifies mtu as the default IPv6 MTU of tunnels. Can be overridden by per-tunnel configuration.

default tunnel toobig on|off|strict

This specifies the policy for packets from the Internet which are too big (i.e., they don't fit in one IPv6 encapsulating packet) and are marked don't fragment. 'on' means an ICMPv4 packet too big error is returned to the source while the packet is still forwarded, 'off' means the packet just goes through, and 'strict' means the packet is dropped and an ICMPv4 error is returned. Default is on (i.e., the packet is encapsulated into IPv6 fragments and an ICMP error is also returned so that the source can determine the path MTU).

default tunnel fragment ipv6|ipv4 maxcount maxcount

Specifies the maximum number of reassembly queue entries per tunnel. Compile time options are FRAGTN[46]_MAXCNT, default values are FRAGTN6_MAXCNT 16, FRAGTN4_MAXCNT 64. Minimum is 0 (included, which disables reassembly), maximum is 255.

default tunnel nat tcp|udp|icmp maxcount maxcount

Specifies the maximum number of NAT entries per tunnel. Compile time options are [TCP|UDP|ICMP]_MAXTNATCNT, default values are TCP_MAXNATCNT 2000, UDP_MAXNATCNT 200, ICMP_MAXNATCNT 50. Minimum is 0 (included), maximum is 65535.

default tunnel nat tcp|udp|icmp rate limit

Specifies the maximum rate of dynamic NAT creation per second. Compile time options are [TCP|UDP|ICMP]_MAXTNATRT, default values are TCP_MAXNATRT 50, UDP_MAXNATRT 20, ICMP_MAXNATRT 5. Minimum is 0 (included), maximum 255.

defmss on|off

Alias of default tunnel mss on|off.

defmtu mtu

Alias of default tunnel mtu mtu.

deftoobig on|off|strict

Alias of default tunnel toobig on|off|strict.

eqfrag on|off

Alias of default fragment equal on|off.

quantum quantum

Specifies the number of packets dealt with in one main loop round (i.e., the size of a slice of work). Compile time option is QUANTUM, default value is 20. Minimum is 2 (included), maximum is 255.

REQUIRED CONFIGURATION COMMANDS

address endpoint IPv6_address

IPv6_address is the AFTR endpoint address of the Softwire tunnels. If the DHCPv6 ds-lite option is used, this address must match the advertised address.

It is a required command: it absolutely must be present in the aftr.conf file; the aftr daemon will not start without it.

address icmp IPv4_address

IPv4_address is a global IPv4 address used as the source of ICMP errors sent back to the Internet (i.e., the ICMPv4 errors will look as if they were returned by an intermediate router that has this address). It is a required command.

pool IPv4_address [tcp|udp|echo min-max]

This specifies a global IPv4 address that will be used as the source address of NAT'ed packets sent to the Internet. Multiple global addresses can be specified; at least one is required.

The optional part limits the port (or id) range used for the protocol with this global IPv4 address in dynamic bindings (i.e., not static or A+P bindings, which can use the reserved ports outside the range).

acl6 IPv6_prefix/prefix_length

This adds an (accept) entry to the IPv6 ACL. Note that for a regular IPv6 packet the ACL is checked only when no tunnel is found, and the default is deny all, so at least one acl6 entry in the configuration file is required.

RELOADABLE CONFIGURATION COMMANDS

tunnel IPv6_remote [IPv4_src]

This specifies an IPv4-in-IPv6 tunnel configuration. IPv6_remote is the remote (ds-lite client) IPv6 address of the tunnel. If IPv4_src is omitted, the tunnel is associated with a global source address chosen in a round-robin way; otherwise it is associated with the specified IPv4_src.

nat IPv6_remote tcp|udp IPv4_src port_src IPv4_new port_new

This defines a static binding/NAT entry for the client behind the tunnel at IPv6_remote. *_src are the source IPv4 address and port at the tunnel side of the NAT, *_new are the source IPv4 address and port at the Internet side of the NAT. IPv4_new should be a reserved source NAT address, port_new must not be inside a dynamic port range.

prr IPv6_remote tcp|udp IPv4 port

This defines a Port-Range Router/A+P null NAT entry for the client behind the tunnel at IPv6_remote. IPv4 and port are the source IPv4 address and port at the tunnel side of the NAT. They stay unchanged both ways: this entry is used to check authorization and perform port routing.

nonat IPv6_remote IPv4/prefix_length

This defines a No-NAT tunnel for the client behind the tunnel at IPv6_remote and the prefix IPv4/prefix_length. No translation is performed for matching packets.

mss IPv6_remote on|off

This enables or disables TCP MSS patching on packets going from and to the tunnel of IPv6_remote. Default is off.

mtu IPv6_remote mtu

This changes the IPv6 MTU of the tunnel of IPv6_remote to mtu.

toobig IPv6_remote on|off|strict

Per-tunnel configuration of the too big policy.

debug set [level]

Specifies the debug level. Default is 0. If set to a non-zero value, verbose log messages are written to stderr; the higher the level, the noisier the logs. At present the meaningful levels are 1 (log tunnel creation), 3 (log packet reads and writes) and 10 (function entry tracing). If the level is omitted, it is set to 1.

try tunnel IPv6_remote

Creates an IPv4-in-IPv6 tunnel if it does not already exist and, in all cases, returns the description of the tunnel entry. This command should be used by tools managing temporary port forwarding. IPv6_remote must be accepted by the IPv6 ACLs.

try nat IPv6_remote tcp|udp IPv4_src port_src IPv4_new port_new

Creates a static binding/NAT entry if it does not already exist. This command should be used by tools managing temporary port forwarding. The tunnel must exist.
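The ordering, required-command, numeric-limit and port-range rules described above can be checked before a file is loaded or reloaded. The following linter is an added example (Python, not part of the aftr distribution): the section of each command, the numeric limits and the default pool ranges are taken from this page; the function names, the treatment of blank lines as comments, the check that a nat IPv4_new is a declared pool address, and the constructed SAMPLE configuration are assumptions made for illustration.

```python
"""Lint an aftr.conf against aftr.conf(5): section ordering, required commands,
documented numeric limits, and static 'nat' ports inside a pool's dynamic range.
Added example, not aftr code: limits and sections come from the man page; the
names, blank-line handling, pool-membership check and SAMPLE are assumptions."""
import ipaddress

SECTION = dict.fromkeys(("autotunnel", "bucket", "decay", "default", "defmss",
                         "defmtu", "deftoobig", "eqfrag", "quantum"), 0)
SECTION.update(dict.fromkeys(("address", "pool", "acl6"), 1))
SECTION.update(dict.fromkeys(("tunnel", "nat", "prr", "nonat", "mss", "mtu",
                              "toobig", "debug", "try"), 2))   # as listed on the page
# (keyword prefix, '*' = any word; index of the number; min; max; min excluded?)
LIMITS = [
    (("bucket", "*", "size"), 3, 0, 255, True),
    (("default", "fragment", "lifetime"), 3, 0, 1200, True),
    (("default", "fragment", "*", "maxcount"), 4, 0, 16535, False),
    (("default", "hold", "lifetime"), 3, 0, 600, False),
    (("default", "nat", "lifetime", "*"), 4, 0, 36000, True),
    (("default", "tunnel", "fragment", "*", "maxcount"), 5, 0, 255, False),
    (("default", "tunnel", "nat", "*", "maxcount"), 5, 0, 65535, False),
    (("default", "tunnel", "nat", "*", "rate"), 5, 0, 255, False),
    (("quantum",), 1, 2, 255, False),
]
DEFAULT_POOL = {"tcp": (2048, 65535), "udp": (512, 65535), "echo": (0, 65535)}

def proto_range(proto, text):
    """Validate 'tcp|udp|echo min-max' and return {proto: (min, max)}."""
    if proto not in DEFAULT_POOL:
        raise ValueError("protocol must be tcp, udp or echo")
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError("range minimum exceeds maximum")
    return {proto: (lo, hi)}

def check_limit(w):
    # Return a message when a global command's numeric argument is out of range.
    for prefix, i, lo, hi, lo_excl in LIMITS:
        if len(w) > i and all(p in ("*", x) for p, x in zip(prefix, w)):
            val = int(w[i])
            if val < lo or val > hi or (lo_excl and val == lo):
                return f"{' '.join(w[:i])} value {val} outside {lo}..{hi}"
    return None

def lint(text):
    """Return a list of findings; an empty list means the file passes."""
    errors, highest, seen = [], 0, {"address endpoint": "", "address icmp": ""}
    default_pool, pools, acl6, nats = dict(DEFAULT_POOL), {}, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw or raw[0] in "# \t":   # comment; blank lines assumed ignored too
            continue
        w = raw.lower().split()           # commands are not case sensitive
        if w[0] not in SECTION:
            errors.append(f"line {n}: unknown command '{w[0]}'")
            continue
        if SECTION[w[0]] < highest:       # sections must appear in order 0, 1, 2
            errors.append(f"line {n}: section {SECTION[w[0]]} command '{w[0]}' after a section {highest} command")
        highest = max(highest, SECTION[w[0]])
        try:
            if SECTION[w[0]] == 0:
                if (msg := check_limit(w)):
                    errors.append(f"line {n}: {msg}")
                if w[:2] == ["default", "pool"]:
                    default_pool.update(proto_range(w[2], w[3]))
            elif w[0] == "address" and w[1] in ("endpoint", "icmp"):
                cls = ipaddress.IPv6Address if w[1] == "endpoint" else ipaddress.IPv4Address
                seen[f"address {w[1]}"] = str(cls(w[2]))
            elif w[0] == "pool":          # a per-pool range overrides the default range
                ranges = pools.setdefault(ipaddress.IPv4Address(w[1]), dict(default_pool))
                if len(w) > 2:
                    ranges.update(proto_range(w[2], w[3]))
            elif w[0] == "acl6":
                acl6.append(ipaddress.IPv6Network(w[1]))   # strict: rejects host bits
            elif w[0] == "nat":
                if w[2] not in ("tcp", "udp"):
                    raise ValueError("protocol must be tcp or udp")
                nats.append((n, w[2], ipaddress.IPv4Address(w[3]), int(w[4]),
                             ipaddress.IPv4Address(w[5]), int(w[6])))
        except (ValueError, IndexError) as exc:
            errors.append(f"line {n}: malformed '{raw.strip()}' ({exc})")
    seen.update({"pool": pools, "acl6": acl6})
    errors += [f"missing required '{k}' command" for k, v in seen.items() if not v]
    for n, proto, _, _, addr, port in nats:   # port_new must stay outside the dynamic range
        if addr not in pools:
            errors.append(f"line {n}: nat IPv4_new {addr} is not a declared pool address")
        elif pools[addr][proto][0] <= port <= pools[addr][proto][1]:
            errors.append(f"line {n}: nat port_new {port} lies inside the dynamic {proto} range {pools[addr][proto]} of pool {addr}")
    return errors

SAMPLE = """\
default tunnel mss on
default pool tcp 10000-60000
address endpoint 2001:db8::1
address icmp 192.0.2.1
pool 192.0.2.10
pool 192.0.2.11 udp 1024-60000
acl6 2001:db8:1::/48
tunnel 2001:db8:1::100
nat 2001:db8:1::100 tcp 10.0.0.5 80 192.0.2.10 8080
nat 2001:db8:1::100 tcp 10.0.0.5 443 192.0.2.10 20000
quantum 300
"""
```

Running `lint(SAMPLE)` reports three findings: the `quantum` line is a section zero command placed after section two commands, its value 300 exceeds the documented maximum of 255, and the second nat entry's port_new 20000 falls inside the 10000-60000 dynamic TCP range of pool 192.0.2.10. Remove those two lines and the same file passes cleanly.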

SEE ALSO

aftr(8), aftr.commands(5)

AUTHOR

Internet Systems Consortium