Adding upstream version 4.23.0.upstream/4.23.0

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 111 insertions, 118 deletions

diff --git a/upstream/debian-unstable/man8/pppd.8 b/upstream/debian-unstable/man8/pppd.8
index 36156d6e..79b5bea5 100644
--- a/upstream/debian-unstable/man8/pppd.8
+++ b/upstream/debian-unstable/man8/pppd.8
@@ -55,8 +55,8 @@ non-privileged user.
 .I speed
 An option that is a decimal number is taken as the desired baud rate
 for the serial device.  On systems such as
-4.4BSD and NetBSD, any speed can be specified.  Other systems
-(e.g. Linux, SunOS) only support the commonly-used baud rates.
+Linux, 4.4BSD and NetBSD, any speed can be specified.  Other systems
+(e.g. SunOS) only support the commonly-used baud rates.
 .TP
 .B asyncmap \fImap
 This option sets the Async-Control-Character-Map (ACCM) for this end
@@ -127,12 +127,6 @@ is no other default route with the same metric.  With the default
 value of -1, the route is only added if there is no default route at
 all.
 .TP
-.B defaultroute6
-Add a default IPv6 route to the system routing tables, using the peer as
-the gateway, when IPv6CP negotiation is successfully completed.
-This entry is removed when the PPP connection is broken.  This option
-is privileged if the \fInodefaultroute6\fR option has been specified.
-.TP
 .B replacedefaultroute
 This option is a flag to the defaultroute option. If defaultroute is
 set and this flag is also set, pppd replaces an existing default route
@@ -218,11 +212,14 @@ Set the local and/or remote 64-bit interface identifier. Either one may be
 omitted. The identifier must be specified in standard ASCII notation of
 IPv6 addresses (e.g. ::dead:beef). If the
 \fIipv6cp\-use\-ipaddr\fR
-option is given, the local identifier is the local IPv4 address (see above).
+option is given, the local identifier is the local IPv4 address and the
+remote identifier is the remote IPv4 address (see above).
+If the \fIipv6cp-use-remotenumber\fR option is given, the remote identifier
+is set to the value from \fIremotenumber\fR option.
 On systems which supports a unique persistent id, such as EUI\-48 derived
 from the Ethernet MAC address, \fIipv6cp\-use\-persistent\fR option can be
-used to replace the \fIipv6 <local>,<remote>\fR option. Otherwise the 
-identifier is randomized.
+used to set local identifier.  Otherwise both local and remote identifiers
+are randomized.
 .TP
 .B active\-filter \fIfilter\-expression
 Specifies a packet filter to be applied to data packets to determine
@@ -266,10 +263,16 @@ compression in the corresponding direction.  Use \fInobsdcomp\fR or
 \fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
 .TP
 .B ca \fIca-file
-(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority
+(EAP-TLS, or PEAP) Use the file \fIca-file\fR as the X.509 Certificate Authority
 (CA) file (in PEM format), needed for setting up an EAP-TLS connection.
 This option is used on the client-side in conjunction with the \fBcert\fR
-and \fBkey\fR options.
+and \fBkey\fR options.  Either \fIca\fR, or \fIcapath\fR options are required
+for PEAP. EAP-TLS may also use the entry in eaptls-client or eaptls-server
+for a CA certificate associated with a particular peer.
+.TP
+.B capath \fIpath
+(EAP-TLS, or PEAP) Specify a location that contains public CA certificates.
+Either \fIca\fR, or \fIcapath\fR options are required for PEAP.
 .TP
 .B cdtrcts
 Use a non-standard hardware flow control (i.e. DTR/CTS) to control
@@ -326,15 +329,15 @@ negotiation by sending its first LCP packet.  The default value is
 or \fBpty\fR option is used.
 .TP
 .B crl \fIfilename
-(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List
+(EAP-TLS, or PEAP) Use the file \fIfilename\fR as the Certificate Revocation List
 to check for the validity of the peer's certificate. This option is not
-mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR
+mandatory for setting up a TLS connection. Also see the \fBcrl-dir\fR
 option.
 .TP
 .B crl-dir \fIdirectory
-(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in
+(EAP-TLS, or PEAP) Use the directory \fIdirectory\fR to scan for CRL files in
 has format ($hash.r0) to check for the validity of the peer's certificate.
-This option is not mandatory for setting up an EAP-TLS connection.
+This option is not mandatory for setting up a TLS connection.
 Also see the \fBcrl\fR option.
 .TP
 .B debug
@@ -354,6 +357,17 @@ Disable MRU [Maximum Receive Unit] negotiation.  With this option,
 pppd will use the default MRU value of 1500 bytes for both the
 transmit and receive direction.
 .TP
+.B defaultroute6
+Add a default IPv6 route to the system routing tables, using the peer as
+the gateway, when IPv6CP negotiation is successfully completed.
+This entry is removed when the PPP connection is broken.  This option
+is privileged if the \fInodefaultroute6\fR option has been specified.
+\fBWARNING: Do not enable this option by default\fR.  IPv6 routing tables
+are managed by kernel (as apposite to IPv4) and IPv6 default route is
+configured by kernel automatically too based on ICMPv6 Router Advertisement
+packets.  This option may conflict with kernel IPv6 route setup and should
+be used only for broken IPv6 networks.
+.TP
 .B deflate \fInr,nt
 Request that the peer compress packets that it sends, using the
 Deflate scheme, with a maximum window size of \fI2**nr\fR bytes, and
@@ -493,12 +507,25 @@ to send configure-Rejects instead to \fIn\fR (default 10).
 Set the maximum number of IPCP terminate-request transmissions to
 \fIn\fR (default 3).
 .TP
+.B ipcp\-no\-address
+Disable negotiation of addresses via IP-Address IPCP option.
+.TP
+.B ipcp\-no\-addresses
+Disable negotiation of addresses via old-style deprecated IP-Addresses
+IPCP option. pppd by default try to use new-style IP-Address IPCP option.
+If new-style is not supported by peer or is disabled by \fBipcp\-no\-address\fR
+option then pppd fallbacks to old-style deprecated IP-Addresses IPCP option.
+When both new-style and old-style are disabled by both \fBipcp\-no\-address\fR
+and \fBipcp\-no\-addresses\fR options then negotiation of IP addresses
+is completely disabled.
+.TP
 .B ipcp\-restart \fIn
 Set the IPCP restart interval (retransmission timeout) to \fIn\fR
 seconds (default 3).
 .TP
 .B ipparam \fIstring
-Provides an extra parameter to the ip\-up, ip\-pre\-up and ip\-down
+Provides an extra parameter most of the notification scripts, most notably
+ip\-up, ip\-pre\-up, ip\-down, ipv6\-up, ipv6\-down, auth\-up and auth\-down
 scripts.  If this
 option is given, the \fIstring\fR supplied is given as the 6th
 parameter to those scripts.
@@ -513,6 +540,23 @@ With this option, pppd will accept the peer's idea of its (remote)
 IPv6 interface identifier, even if the remote IPv6 interface
 identifier was specified in an option.
 .TP
+.B ipv6cp\-noremote
+Allow pppd to operate without having an IPv6 link local address for the peer.
+This option is only available under Linux.  Normally, pppd will request the
+peer's IPv6 interface identifier (used for composing IPv6 link local address),
+and if the peer does not supply it, pppd will generate one for the peer.
+With this option, if the peer does not supply its IPv6 interface identifier,
+pppd will not ask the peer for it, and will not set the destination IPv6
+link local address of the ppp interface.  In this situation, the ppp interface
+can be used for routing by creating device routes, but the peer itself cannot
+be addressed directly for IPv6 traffic until the peer starts announcing ICMPv6
+Router Advertisement or ICMPv6 Neighbor Advertisement packets.  Note that IPv6
+router must announce ICMPv6 Router Advertisement packets.
+.TP
+.B ipv6cp\-nosendip
+Don't send our local IPv6 interface identifier to peer during IPv6 interface
+identifier negotiation.
+.TP
 .B ipv6cp\-max\-configure \fIn
 Set the maximum number of IPv6CP configure-request transmissions to
 \fIn\fR (default 10).
@@ -529,70 +573,6 @@ Set the maximum number of IPv6CP terminate-request transmissions to
 Set the IPv6CP restart interval (retransmission timeout) to \fIn\fR
 seconds (default 3).
 .TP
-.B ipx
-Enable the IPXCP and IPX protocols.  This option is presently only
-supported under Linux, and only if your kernel has been configured to
-include IPX support.
-.TP
-.B ipx\-network \fIn
-Set the IPX network number in the IPXCP configure request frame to
-\fIn\fR, a hexadecimal number (without a leading 0x).  There is no
-valid default.  If this option is not specified, the network number is
-obtained from the peer.  If the peer does not have the network number,
-the IPX protocol will not be started.
-.TP
-.B ipx\-node \fIn\fB:\fIm
-Set the IPX node numbers. The two node numbers are separated from each
-other with a colon character. The first number \fIn\fR is the local
-node number. The second number \fIm\fR is the peer's node number. Each
-node number is a hexadecimal number, at most 10 digits long. The node
-numbers on the ipx\-network must be unique. There is no valid
-default. If this option is not specified then the node numbers are
-obtained from the peer.
-.TP
-.B ipx\-router\-name \fI<string>
-Set the name of the router. This is a string and is sent to the peer
-as information data.
-.TP
-.B ipx\-routing \fIn
-Set the routing protocol to be received by this option. More than one
-instance of \fIipx\-routing\fR may be specified. The '\fInone\fR'
-option (0) may be specified as the only instance of ipx\-routing. The
-values may be \fI0\fR for \fINONE\fR, \fI2\fR for \fIRIP/SAP\fR, and
-\fI4\fR for \fINLSP\fR.
-.TP
-.B ipxcp\-accept\-local
-Accept the peer's NAK for the node number specified in the ipx\-node
-option. If a node number was specified, and non-zero, the default is
-to insist that the value be used. If you include this option then you
-will permit the peer to override the entry of the node number.
-.TP
-.B ipxcp\-accept\-network
-Accept the peer's NAK for the network number specified in the
-ipx\-network option. If a network number was specified, and non-zero, the
-default is to insist that the value be used. If you include this
-option then you will permit the peer to override the entry of the node
-number.
-.TP
-.B ipxcp\-accept\-remote
-Use the peer's network number specified in the configure request
-frame. If a node number was specified for the peer and this option was
-not specified, the peer will be forced to use the value which you have
-specified.
-.TP
-.B ipxcp\-max\-configure \fIn
-Set the maximum number of IPXCP configure request frames which the
-system will send to \fIn\fR. The default is 10.
-.TP
-.B ipxcp\-max\-failure \fIn
-Set the maximum number of IPXCP NAK frames which the local system will
-send before it rejects the options. The default value is 3.
-.TP
-.B ipxcp\-max\-terminate \fIn
-Set the maximum number of IPXCP terminate request frames before the
-local system considers that the peer is not listening to them. The
-default value is 3.
-.TP
 .B kdebug \fIn
 Enable debugging code in the kernel-level PPP driver.  The argument
 values depend on the specific kernel driver, but in general a value of
@@ -707,6 +687,11 @@ network control protocol comes up).
 Terminate after \fIn\fR consecutive failed connection attempts.  A
 value of 0 means no limit.  The default value is 10.
 .TP
+.B max-tls-version \fIstring
+(EAP-TLS, or PEAP) Configures the max allowed TLS version used during
+negotiation with a peer.  The default value for this is \fI1.2\fR.  Values
+allowed for this option is \fI1.0.\fR, \fI1.1\fR, \fI1.2\fR, \fI1.3\fR.
+.TP
 .B modem
 Use the modem control lines.  This option is the default.  With this
 option, pppd will wait for the CD (Carrier Detect) signal from the
@@ -846,11 +831,6 @@ hostname.  With this option, the peer will have to supply the local IP
 address during IPCP negotiation (unless it specified explicitly on the
 command line or in an options file).
 .TP
-.B noipx
-Disable the IPXCP and IPX protocols.  This option should only be
-required if the peer is buggy and gets confused by requests from pppd
-for IPXCP negotiation.
-.TP
 .B noktune
 Opposite of the \fIktune\fR option; disables pppd from changing system
 settings.
@@ -924,6 +904,9 @@ situation, the ppp interface can be used for routing by creating
 device routes, but the peer itself cannot be addressed directly for IP
 traffic.
 .TP
+.B nosendip
+Don't send our local IP address to peer during IP address negotiation.
+.TP
 .B notty
 Normally, pppd requires a terminal device.  With this option, pppd
 will allocate itself a pseudo-tty master/slave pair and use the slave
@@ -1153,6 +1136,16 @@ The device used by pppd with this option must have sync support.
 Currently supports Microgate SyncLink adapters
 under Linux and FreeBSD 2.2.8 and later.
 .TP
+.B tls-verify-method \fIstring
+(EAP-TLS, or PEAP) Match the value specified for \fIremotename\fR to that that
+of the X509 certificates subject name, common name, or suffix of the common
+name.  Respective values allowed for this option is: \fInone\fR, \fIsubject\fR,
+\fIname\fR, or \fIsuffix\fR.  The default value for this option is \fIname\fR.
+.TP
+.B tls-verify-key-usage
+(EAP-TLS, or PEAP) Enables examination of peer certificate's purpose, and
+extended key usage attributes.
+.TP
 .B unit \fInum
 Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound
 connections.  If the unit is already in use a dynamically allocated number will
@@ -1199,6 +1192,16 @@ USEPEERDNS will be set to 1.  In addition, pppd will create an
 /etc/ppp/resolv.conf file containing one or two nameserver lines with
 the address(es) supplied by the peer.
 .TP
+.B usepeerwins
+Ask the peer for up to 2 WINS server addresses.  The addresses supplied
+by the peer (if any) are passed to the /etc/ppp/ip\-up script in the
+environment variables WINS1 and WINS2, and the environment variable
+USEPEERWINS will be set to 1.
+.LP
+Please note that some modems (like the Huawei E220) requires this option in
+order to avoid a race condition that results in the incorrect DNS servers
+being assigned.
+.TP
 .B user \fIname
 Sets the name used for authenticating the local system to the peer to
 \fIname\fR.
@@ -1243,8 +1246,9 @@ Attach to existing PPPoE session. For backward compatibility also
 \fBrp_pppoe_sess\fP option name is supported.
 .TP
 .B pppoe-verbose \fIn
-Be verbose about discovered access concentrators. For backward
-compatibility also \fBrp_pppoe_verbose\fP option name is supported.
+Be verbose about discovered access concentrators. When set to 2 or bigger
+value then dump also discovery packets. For backward compatibility also
+\fBrp_pppoe_verbose\fP option name is supported.
 .TP
 .B pppoe-mac \fImacaddr
 Connect to specified MAC address.
@@ -1750,6 +1754,14 @@ IPCP has come up.
 The IP address for the remote end of the link.  This is only set when
 IPCP has come up.
 .TP
+.B LLLOCAL
+The Link-Local IPv6 address for the local end of the link.  This is only
+set when IPV6CP has come up.
+.TP
+.B LLREMOTE
+The Link-Local IPv6 address for the remote end of the link.  This is only
+set when IPV6CP has come up.
+.TP
 .B PEERNAME
 The authenticated name of the peer.  This is only set if the peer
 authenticates itself.
@@ -1793,6 +1805,15 @@ option was given).
 If the peer supplies DNS server addresses, this variable is set to the
 second DNS server address supplied (whether or not the usepeerdns
 option was given).
+.TP
+.B WINS1
+If the peer supplies WINS server addresses, this variable is set to the
+first WINS server address supplied.
+.TP
+.B WINS2
+If the peer supplies WINS server addresses, this variable is set to the
+second WINS server address supplied.
+.P
 .P
 Pppd invokes the following scripts, if they exist.  It is not an error
 if they don't exist.
@@ -1801,7 +1822,7 @@ if they don't exist.
 A program or script which is executed after the remote system
 successfully authenticates itself.  It is executed with the parameters
 .IP
-\fIinterface\-name peer\-name user\-name tty\-device speed\fR
+\fIinterface\-name peer\-name user\-name tty\-device speed ipparam\fR
 .IP
 Note that this script is not executed if the peer doesn't authenticate
 itself, for example when the \fInoauth\fR option is used.
@@ -1848,34 +1869,6 @@ Similar to /etc/ppp/ip\-down, but it is executed when IPv6 packets can no
 longer be transmitted on the link. It is executed with the same parameters 
 as the ipv6\-up script.
 .TP
-.B /etc/ppp/ipx\-up
-A program or script which is executed when the link is available for
-sending and receiving IPX packets (that is, IPXCP has come up).  It is
-executed with the parameters
-.IP
-\fIinterface\-name tty\-device speed network\-number local\-IPX\-node\-address
-remote\-IPX\-node\-address local\-IPX\-routing\-protocol remote\-IPX\-routing\-protocol
-local\-IPX\-router\-name remote\-IPX\-router\-name ipparam pppd\-pid\fR 
-.IP
-The local\-IPX\-routing\-protocol and remote\-IPX\-routing\-protocol field
-may be one of the following:
-.IP
-NONE      to indicate that there is no routing protocol
-.br
-RIP       to indicate that RIP/SAP should be used
-.br
-NLSP      to indicate that Novell NLSP should be used
-.br
-RIP NLSP  to indicate that both RIP/SAP and NLSP should be used
-.TP
-.B /etc/ppp/ipx\-down
-A program or script which is executed when the link is no longer
-available for sending and receiving IPX packets.  This script can be
-used for undoing the effects of the /etc/ppp/ipx\-up script.  It is
-invoked in the same manner and with the same parameters as the ipx\-up
-script.
-.SH FILES
-.TP
 .B /var/run/ppp\fIn\fB.pid \fR(BSD or Linux), \fB/etc/ppp/ppp\fIn\fB.pid \fR(others)
 Process-ID for pppd process on ppp interface unit \fIn\fR.
 .TP