Table of Contents
The aftr process needs the root privilege to open the tunnel interface/device. The TCP over IPv4/IPv6 control channels are bound to localhost so are limited to the local node. There are many tools which provide a secure connection forwarding, for instance ssh -L. The PF_UNIX control channel relies on standard file system permissions (cf. umask), it should be used for finer control than node access.
The source address of encapsulated IPv4 in IPv6 packets must be a private address. The list of IPv4 private prefixes is initialized to RFC 1918 prefixes and the unpublished I-D, it is manageable by zone zero commands. IPv6 ACLs filter incoming IPv6 packets.
The try commands are protected against not authorized tunnel creation, i.e., both IPv6 and IPv4 ACLs are applied to try command arguments.
Unlimit the core dump size if you'd like to get core file on
crashes or with the abort command. On Linux twist the core
naming to something better than core
(cf. core(5)).
Please keep the binary associated to core files. As
the fork command is fun but eats memory put
enough memory in the aftr box...
When the aftr process is not (yet) crashed but seems no longer to forward packets:
go to an open session (try to keep on in case the alternative fails) or if none open a new one
check if it is responsive using the noop
(answer LOG: alive), if not
try to get a core file (attach in gdb and use
gcore), kill it
(another way to get a core file with ^\ /
kill)
and relaunch it
if not in a hurry try to understand the issue with show stat and show dropped
open a second session, send fork to get a child process where you can use extensive debug, including gdb, on it. If you don't know or you can't understand, abort the child process to get a core file.
update the config file if needed, reboot the parent/main process (it will lose all the state and restart from the beginning)
Summary for the busy operator:
noop -> nothing: go to the shell to kill and relaunch it
noop -> expected message: open another session, send fork, wait for the child pid message, send abort on this new session. On the previous session (where you sent noop), send reboot
Bug reports should be sent to: <aftr-bugs@isc.org>