number_per_ident = <replaceable>number</replaceable>;
number_per_ip = <replaceable>number</replaceable>;
number_per_ip_global = <replaceable>number</replaceable>;
- cidr_bitlen = <replaceable>number</replaceable>;
+ cidr_ipv4_bitlen = <replaceable>number</replaceable>;
+ cidr_ipv6_bitlen = <replaceable>number</replaceable>;
number_per_cidr = <replaceable>number</replaceable>;
max_number = <replaceable>number</replaceable>;
sendq = <replaceable>size</replaceable>;
</listitem>
</varlistentry>
<varlistentry>
- <term>cidr_bitlen</term>
+ <term>cidr_ipv4_bitlen</term>
<listitem>
- <para>The netblock length to use with CIDR-based client limiting for this class.</para>
+ <para>The netblock length to use with CIDR-based client limiting for IPv4 users in this class (between 0 and 32).</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>cidr_ipv6_bitlen</term>
+ <listitem>
+ <para>The netblock length to use with CIDR-based client limiting for IPv6 users in this class (between 0 and 128).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>number_per_cidr</term>
<listitem>
<para>The amount of clients which may be connected from a single netblock.</para>
+ <para>If this needs to differ between IPv4 and IPv6, make different classes for IPv4 and IPv6 users.</para>
</listitem>
</varlistentry>
<varlistentry>
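Review bot: the cidr_ipv4_bitlen and cidr_ipv6_bitlen entries allow a length of 0 without saying what that means. A /0 netblock covers the whole address space, so together with number_per_cidr it would count every client of that address family as one block. Either state that or give a practical minimum, and state the default for each option. The cidr_bitlen entry is also removed with no word on whether existing configurations that still set it are rejected, ignored or mapped to the new options; a one-sentence migration note would stop a limit from disappearing silently after an upgrade.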
<para>Users in this auth{} block must have identd, otherwise they will be rejected.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>need_ssl</term>
+ <listitem>
+ <para>Users in this auth{} block must be connected via SSL/TLS, otherwise they will be rejected.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>need_sasl</term>
<listitem>
</varlistentry>
</variablelist>
</sect2>
+ <sect2>
+ <title>privset {} block</title>
+ <synopsis>
+privset {
+ extends = "<replaceable>name</replaceable>";
+ privs = <replaceable>list</replaceable>;
+};</synopsis>
+ <para>
+ A privset (privilege set) block specifies a set of
+ operator privileges.
+ </para>
+ <variablelist>
+ <title>privset {} variables</title>
+ <varlistentry>
+ <term>extends</term>
+ <listitem>
+ <para>An optional privset to inherit. The new privset will have all privileges that the given privset has.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>privs</term>
+ <listitem>
+ <para>Privileges to grant to this privset. These are described in the operator privileges section.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </sect2>
<sect2>
<title>operator {} block</title>
<synopsis>
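Review bot: the extends entry in the privset {} variables list does not say whether the inherited privset must already be defined earlier in the file, although the operator {} text in this patch states that requirement for its privset option; say so here too if it applies. The privs entry also leaves open whether it can only add to the inherited set or can remove an inherited privilege, which matters when auditing what an operator actually holds. The synopsis shows extends unconditionally while the description calls it optional, the list syntax for privs is not shown, and "the operator privileges section" would be better as a cross-reference.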
</listitem>
</varlistentry>
<varlistentry>
- <term>flags</term>
+ <term>privset</term>
<listitem>
<para>
- A listing of privileges granted to operators using this block.
- By default, the mass_notice, operwall, remoteban and resv privileges are granted;
- use ~mass_notice, ~operwall, ~remoteban and ~resv to disable them if necessary.
- </para>
- <para>
- In addition, a flag designating if the password is encrypted is here.
- Privileges are documented elsewhere in this guide.
+ The privilege set granted to successfully opered clients.
+ This must be defined before this operator{} block.
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>flags</term>
+ <listitem>
+ <para>A list of flags to apply to this operator{} block. They are listed below.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <variablelist>
+ <title>operator {} flags</title>
+ <varlistentry>
+ <term>encrypted</term>
+ <listitem>
+ <para>The password used has been encrypted. This is enabled by default, use ~encrypted to disable it.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>need_ssl</term>
+ <listitem>
+ <para>Restricts use of this operator{} block to SSL/TLS connections only.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</sect2>
<sect2>
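Review bot: the new privset entry does not say whether any privilege is still granted implicitly, while the removed flags text documented that mass_notice, operwall, remoteban and resv were on by default. State explicitly that an operator holds only what the privset lists, or name the defaults that remain, so nobody assumes the old behaviour in either direction. In "This must be defined before this operator{} block." the subject should be spelled out as "The privset". The need_ssl flag entry could also say what a client sees when it tries to oper over a plaintext connection.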
<listitem>
<para>The hostname or IP to connect to.</para>
<note><para>
- Charybdis uses solely DNS for all hostname/address lookups
- (no <filename>/etc/hosts</filename> or anything else).
Furthermore, if a hostname is used, it must have an A or AAAA
record (no CNAME) and it must be the primary
hostname for inbound connections to work.
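Review bot: with the first two lines of this note removed, it now opens with "Furthermore, if a hostname is used, it must have an A or AAAA", which no longer follows from anything. Drop "Furthermore," and consider a cross-reference to the new "Hostname resolution (DNS)" section so readers of the connect {} host option still learn that /etc/hosts is not consulted.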
<varlistentry>
<term>all</term>
<listitem>
- <para>All of the above; this does not include locops or rehash</para>
+ <para>All of the above; this does not include locops, rehash, dline, tdline or undline.</para>
</listitem>
</varlistentry>
<varlistentry>
<para>REHASH commands; all options can be used</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>dline (D)</term>
+ <listitem>
+ <para>Permanent and temporary D:lines</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>tdline (d)</term>
+ <listitem>
+ <para>Temporary D:lines</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>undline (E)</term>
+ <listitem>
+ <para>D:line removals</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>none</term>
<listitem>
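Review bot: the dline (D) and tdline (d) entries overlap, since dline is described as "Permanent and temporary D:lines" and tdline as "Temporary D:lines". Say that dline includes everything tdline allows, so an administrator who wants to delegate only short-lived bans knows to grant tdline alone. The undline (E) entry should likewise state whether removal is a separate grant or implied by dline; as written, a reader cannot tell if a server allowed to set D:lines may also lift them.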
</variablelist>
</sect2>
</sect1>
+ <sect1>
+ <title>Hostname resolution (DNS)</title>
+ <para>
+ Charybdis uses solely DNS for all hostname/address lookups
+ (no <filename>/etc/hosts</filename> or anything else).
+ The DNS servers are taken from <filename>/etc/resolv.conf</filename>.
+ If this file does not exist or no valid IP addresses are listed in it,
+ the local host (127.0.0.1) is used. (Note that the latter part
+ did not work in older versions of Charybdis.)
+ </para>
+ <para>
+ IPv4 as well as IPv6 DNS servers are supported, but it is not
+ possible to use both IPv4 and IPv6 in
+ <filename>/etc/resolv.conf</filename>.
+ </para>
+ <para>
+ For both security and performance reasons, it is recommended
+ that a caching nameserver such as BIND be run on the same machine
+ as Charybdis and that <filename>/etc/resolv.conf</filename> only
+ list 127.0.0.1.
+ </para>
+ </sect1>
</chapter>
<!-- Keep this comment at the end of the file
Local variables:
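Review bot: the second paragraph of the new section, "it is not possible to use both IPv4 and IPv6 in /etc/resolv.conf", does not say what happens when the file lists both families (which entries are used, or whether resolution fails); document the actual behaviour. The parenthetical "did not work in older versions of Charybdis" should name the version in which the 127.0.0.1 fallback started working. Since the section recommends listing only 127.0.0.1, it is also worth saying what the server does when no resolver answers there, because the fallback makes a missing resolv.conf easy to overlook.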