Commit | Line | Data |
---|---|---|
558fa3fb SE |
1 | secnet - flexible VPN software |
2 | ||
8dea8d37 SE |
3 | * Copying |
4 | ||
c215a4bc IJ |
5 | secnet is |
6 | Copyright 1995-2003 Stephen Early <steve@greenend.org.uk> | |
7 | Copyright 2002-2014 Ian Jackson <ijackson@chiark.greenend.org.uk> | |
8 | Copyright 1991 Massachusetts Institute of Technology | |
9 | Copyright 1998 Ross Anderson, Eli Biham, Lars Knudsen | |
10 | Copyright 1993 Colin Plumb | |
11 | Copyright 1998 James H. Brown, Steve Reid | |
12 | Copyright 2000 Vincent Rijmen, Antoon Bosselaers, Paulo Barreto | |
13 | Copyright 2001 Saul Kravitz | |
14 | Copyright 2004 Fabrice Bellard | |
15 | Copyright 2002 Guido Draheim | |
16 | Copyright 2005-2010 Free Software Foundation, Inc. | |
17 | Copyright 1995-2001 Jonathan Amery | |
18 | Copyright 1995-2003 Peter Benie | |
19 | Copyright 2011 Richard Kettlewell | |
20 | Copyright 2012 Matthew Vernon | |
21 | Copyright 2013 Mark Wooding | |
22 | Copyright 1995-2013 Simon Tatham | |
23 | ||
24 | secnet is distributed under the terms of the GNU General Public | |
25 | License, version 3 or later. Some individual files have more | |
26 | permissive licences; where this is the case, it is documented in the | |
27 | header comment for the files in question. | |
28 | ||
29 | secnet is distributed in the hope that it will be useful, but WITHOUT | |
30 | ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | |
31 | FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
32 | for more details. | |
33 | ||
34 | The file COPYING contains a copy of the GNU GPL v3. | |
8dea8d37 | 35 | |
8dea8d37 | 36 | |
558fa3fb SE |
37 | * Introduction |
38 | ||
39 | secnet allows large virtual private networks to be constructed | |
40 | spanning multiple separate sites. It is designed for the case where a | |
41 | private network connecting many hosts is 'hidden' behind a single | |
42 | globally-routable IP address, but can also be applied in other | |
43 | circumstances. It communicates entirely using UDP, and works well | |
44 | with gateways that implement network address translation. | |
45 | ||
46 | If you are installing secnet to join an existing VPN, you should read | |
47 | the 'INSTALL' file and your particular VPN's documentation now. You | |
48 | may need to refer back to this file for information on the netlink and | |
49 | comm sections of the configuration file. | |
50 | ||
51 | If you are thinking about setting up a new VPN of any size (from one | |
52 | providing complete links between multiple sites to a simple | |
53 | laptop-to-host link), read the section in this file on 'Creating a | |
54 | VPN'. | |
55 | ||
469fd1d9 SE |
56 | * Mailing lists and bug reporting |
57 | ||
58 | There are two mailing lists associated with secnet: an 'announce' list | |
59 | and a 'discuss' list. Their addresses are: | |
60 | http://www.chiark.greenend.org.uk/mailman/listinfo/secnet-announce | |
61 | http://www.chiark.greenend.org.uk/mailman/listinfo/secnet-discuss | |
62 | ||
63 | The -announce list receives one message per secnet release. The | |
64 | -discuss list is for general discussion, including help with | |
65 | configuration, bug reports, feature requests, etc. | |
66 | ||
67 | Bug reports should be sent to <steve@greenend.org.uk>; they will be | |
68 | forwarded to the -discuss list by me. | |
69 | ||
558fa3fb SE |
70 | * Creating a VPN |
71 | ||
72 | XXX TODO | |
73 | ||
74 | * secnet configuration file format | |
75 | ||
76 | By default secnet on linux reads /etc/secnet/secnet.conf. The default | |
77 | may be different on other platforms. | |
78 | ||
79 | This file defines a dictionary (a mapping from keys to values) full of | |
80 | configuration information for secnet. Two keys must be defined in | |
81 | this file for secnet to start. One is "system", a dictionary | |
82 | containing systemwide control parameters. The other is "sites", a | |
83 | list of all the sites that you intend to communicate with. | |
84 | ||
85 | The configuration file has a very simple syntax; keys are defined as | |
86 | follows: | |
87 | ||
88 | key definition; | |
89 | or | |
90 | key = definition; | |
91 | ||
92 | (the "=" is optional) | |
93 | ||
94 | Keys must match the following regular expression: | |
95 | [[:alpha:]_][[:alnum:]\-_]* | |
96 | ||
97 | i.e. the first character must be an alpha or an underscore, and the | |
98 | remaining characters may be alphanumeric, '-' or '_'. | |
99 | ||
100 | Keys can be defined to be a comma-separated list of any of the | |
101 | following types: | |
102 | ||
103 | a boolean | |
104 | a string, in quotes | |
105 | a number, in decimal | |
106 | a dictionary of definitions, enclosed in { } | |
107 | a "closure", followed by arguments | |
108 | a path to a key that already exists, to reference that definition | |
109 | ||
110 | Note that dictionaries can be nested: a key in one dictionary can | |
111 | refer to another dictionary. When secnet looks for a key in a | |
112 | particular directory and can't find it, it looks in the dictionary's | |
113 | lexical 'parents' in turn until it finds it (or fails to find it at | |
114 | all and stops with an error). | |
115 | ||
116 | Definitions can refer to previous definitions by naming them with a | |
117 | path. Paths are key1/key2/key3... (starting from wherever we find | |
118 | key1, i.e. in the current dictionary or any of its parents), or | |
119 | alternatively /key1/key2/key3... (to start from the root). | |
120 | Definitions cannot refer to future definitions. | |
121 | ||
122 | Example: | |
123 | ||
124 | a=1; | |
125 | b=2; | |
126 | c={ d=3; e=a; }; | |
127 | f={ a=4; g=c; }; | |
128 | ||
129 | The following paths are valid: | |
130 | a is 1 | |
131 | b is 2 | |
132 | c is a dictionary: | |
133 | c/d is 3 | |
134 | c/e is 1 | |
135 | f is a dictionary: | |
136 | f/a is 4 | |
137 | f/g is a dictionary: | |
138 | f/g/d is 3 | |
139 | f/g/e is 1 | |
140 | ||
141 | Note that f/g/e is NOT 4. | |
142 | ||
558fa3fb SE |
143 | Elements that are lists are inserted into lists in definitions, not |
144 | referenced by them (i.e. you can't have lists of lists). | |
145 | ||
146 | Some closures may be followed by an argument list in ( ), and may | |
147 | return any number of whatever type they like (including other | |
148 | closures). Some types of closure (typically those returned from | |
149 | invokations of other closures) cannot be invoked. | |
150 | ||
151 | closure { definitions } is short for closure({definitions}). | |
152 | ||
153 | The main body of secnet, and all the additional modules, predefine | |
154 | some keys in the root dictionary. The main ones are: | |
155 | ||
fe5e9cc4 SE |
156 | yes, true, True, TRUE, on: the boolean value True |
157 | no, false, False, FALSE, off: the boolean value False | |
558fa3fb SE |
158 | makelist: turns a dictionary (arg1) into a list of definitions |
159 | (ignoring the keys) | |
160 | readfile: reads a file (arg1) and returns it as a string | |
3b83c932 SE |
161 | map: applies the closure specified as arg1 to each of the |
162 | remaining elements in the list in turn. Returns a list | |
163 | made up of the outputs of the closure. | |
558fa3fb SE |
164 | |
165 | Keys defined by modules are described below, in the module | |
166 | documentation. | |
167 | ||
168 | Other configuration files can be included inline by writing "include | |
169 | filename" at the start of a line. | |
170 | ||
171 | After the configuration file is read, secnet looks for particular keys | |
172 | in configuration space to tell it what to do: | |
173 | ||
174 | system: a dictionary which can contain the following keys: | |
175 | log (log closure): a destination for system messages | |
176 | userid (string): the userid for secnet to run as once it drops privileges | |
177 | pidfile (string): where to store its PID | |
178 | ||
179 | sites: a list of closures of type 'site', which define other tunnel | |
180 | endpoints that secnet will attempt to communicate with | |
181 | ||
182 | * secnet command line options | |
183 | ||
469fd1d9 SE |
184 | Usage: secnet [OPTION]... |
185 | ||
186 | -f, --silent, --quiet suppress error messages | |
187 | -w, --nowarnings suppress warnings | |
188 | -v, --verbose output extra diagnostics | |
189 | -c, --config=filename specify a configuration file | |
190 | -j, --just-check-config stop after reading configfile | |
191 | -n, --nodetach do not run in background | |
192 | -d, --debug=item,... set debug options | |
193 | --help display this help and exit | |
194 | --version output version information and exit | |
558fa3fb SE |
195 | |
196 | * secnet builtin modules | |
197 | ||
198 | ** resolver | |
199 | ||
200 | Defines: | |
201 | adns (closure => resolver closure) | |
202 | ||
3454dce4 SE |
203 | adns: dict argument |
204 | config (string): optional, a resolv.conf for ADNS to use | |
205 | ||
558fa3fb SE |
206 | ** random |
207 | ||
208 | Defines: | |
209 | randomsrc (closure => randomsrc closure) | |
210 | ||
3454dce4 SE |
211 | randomsrc: string[,bool] |
212 | arg1: filename of random source | |
213 | arg2: if True then source is blocking | |
214 | ||
558fa3fb SE |
215 | ** udp |
216 | ||
217 | Defines: | |
218 | udp (closure => comm closure) | |
219 | ||
3454dce4 | 220 | udp: dict argument |
9c44ef13 IJ |
221 | address (string list): IPv6 or IPv4 addresses to listen and send on; |
222 | default is all local addresses | |
223 | port (integer): UDP port to listen and send on; optional if you | |
224 | don't need to have a stable address for your peers to talk to | |
225 | (in which case your site ought probably to have `local-mobile true'). | |
3454dce4 | 226 | buffer (buffer closure): buffer for incoming packets |
b2a56f7c | 227 | authbind (string): optional, path to authbind-helper program |
3454dce4 | 228 | |
ce5c098f IJ |
229 | ** polypath |
230 | ||
231 | Defines: | |
232 | polypath (closure => comm closure) | |
233 | ||
234 | polypath: dict argument | |
235 | port (integer): UDP port to listen and send on | |
236 | buffer (buffer closure): buffer for incoming packets | |
237 | authbind (string): optional, path to authbind-helper program | |
238 | max-interfaces (number): optional, max number of different interfaces to | |
239 | use (also, maximum steady-state amount of packet multiplication) | |
240 | interfaces (string list): which interfaces to process; each entry is | |
241 | optionally `!' or `+' followed by a glob pattern (which is applied to a | |
242 | prospective interface using fnmatch with no flags). If no list is | |
243 | specified, or the list ends with a `!' entry, a default list is | |
244 | used/appended: "!tun*","!tap*","!sl*","!userv*","!lo","*". Patterns | |
245 | which do not start with `*' or an alphanumeric need to be preceded | |
246 | by `!' or `+'. | |
247 | monitor-command (string list): Program to use to monitor appearance | |
248 | and disappearance of addresses on local network interfaces. Should | |
249 | produce lines of the form `+|-<ifname> 4|6 <addr>' where <addr> is | |
250 | an address literal. Each - line should relate to a previously | |
251 | printed + line. On startup, should produce a + line for each | |
252 | currently existing address. secnet does filtering so there is no | |
253 | need to strip out tun interfaces, multicast addresses, and so on. | |
254 | The command is run as the user secnet is started as (not the one | |
255 | which secnet may drop privilege to due to the configured `userid'). | |
256 | The default depends on the operating system. | |
257 | permit-loopback (boolean): Normally, loopback IPv6 and IPv4 | |
258 | addresses on local interfaces are disregarded, because such | |
259 | interfaces are not interesting for communicating with distant | |
260 | hosts. Setting this option will ignore that check, which can be | |
261 | useful for testing. Setting this option also removes "!lo*" from | |
262 | the default interface pattern list. | |
263 | ||
264 | When using this comm, packets are sent out of every active interface | |
265 | on the host (where possible). It is important that interfaces created | |
266 | by secnet itself are not included! secnet's default filter list tries | |
267 | to do this. | |
268 | ||
269 | This comm only makes sense for sites which are mobile. That is, the | |
270 | site closures used with this comm should all have the `local-mobile' | |
271 | parameter set to `true'. When the local site site is not marked | |
272 | mobile the address selection machinery might fixate on an unsuitable | |
273 | address. | |
274 | ||
275 | For an interface to work with polypath, it must either have a suitable | |
276 | default route, or be a point-to-point interface. In the general case | |
277 | this might mean that the host would have to have multiple default | |
278 | routes. However in practice the most useful configuration is two | |
279 | interfaces being (1) wifi (2) mobile internet. | |
280 | ||
281 | I have had success on Linux by using network-manager for wifi and | |
282 | invoking ppp directly for mobile internet. ppp sets up a | |
283 | point-to-point link, and does not add a default route if there already | |
284 | is one. network-manager always sets up a default route. The result | |
285 | is that the wifi always has a default route (so is useable); ppp | |
286 | (being a point-to-point link) does not need one. | |
287 | ||
93cdea57 IJ |
288 | The use of polypath requires that secnet be started with root |
289 | privilege, to make the setsockopt(,,SO_BINDTODEVICE,) calls. If the | |
290 | configuration specifies that secnet should drop privilege (see | |
291 | `userid' above), secnet will keep a special process around for this | |
292 | purpose; that process will handle local network interface changes but | |
293 | does not deal with any packets, key exchange, etc. | |
ce5c098f IJ |
294 | |
295 | polypath support is only available when secnet is built against an | |
296 | IPv6-capable version of adns (because it wants features in the newer | |
297 | adns). | |
298 | ||
042a8da9 | 299 | ** log |
558fa3fb SE |
300 | |
301 | Defines: | |
302 | logfile (closure => log closure) | |
b2a56f7c | 303 | syslog (closure => log closure) |
558fa3fb | 304 | |
b2a56f7c SE |
305 | logfile: dict argument |
306 | filename (string): where to log to | |
307 | class (string list): what type of messages to log | |
308 | { "debug-config", M_DEBUG_CONFIG }, | |
309 | { "debug-phase", M_DEBUG_PHASE }, | |
310 | { "debug", M_DEBUG }, | |
311 | { "all-debug", M_DEBUG|M_DEBUG_PHASE|M_DEBUG_CONFIG }, | |
312 | { "info", M_INFO }, | |
313 | { "notice", M_NOTICE }, | |
314 | { "warning", M_WARNING }, | |
315 | { "error", M_ERROR }, | |
316 | { "security", M_SECURITY }, | |
317 | { "fatal", M_FATAL }, | |
318 | { "default", M_WARNING|M_ERROR|M_SECURITY|M_FATAL }, | |
319 | { "verbose", M_INFO|M_NOTICE|M_WARNING|M_ERROR|M_SECURITY|M_FATAL }, | |
320 | { "quiet", M_FATAL } | |
321 | ||
042a8da9 SE |
322 | logfile will close and reopen its file upon receipt of SIGHUP. |
323 | ||
b2a56f7c SE |
324 | syslog: dict argument |
325 | ident (string): include this string in every log message | |
326 | facility (string): facility to log as | |
327 | { "authpriv", LOG_AUTHPRIV }, | |
328 | { "cron", LOG_CRON }, | |
329 | { "daemon", LOG_DAEMON }, | |
330 | { "kern", LOG_KERN }, | |
331 | { "local0", LOG_LOCAL0 }, | |
332 | { "local1", LOG_LOCAL1 }, | |
333 | { "local2", LOG_LOCAL2 }, | |
334 | { "local3", LOG_LOCAL3 }, | |
335 | { "local4", LOG_LOCAL4 }, | |
336 | { "local5", LOG_LOCAL5 }, | |
337 | { "local6", LOG_LOCAL6 }, | |
338 | { "local7", LOG_LOCAL7 }, | |
339 | { "lpr", LOG_LPR }, | |
340 | { "mail", LOG_MAIL }, | |
341 | { "news", LOG_NEWS }, | |
342 | { "syslog", LOG_SYSLOG }, | |
343 | { "user", LOG_USER }, | |
344 | { "uucp", LOG_UUCP } | |
345 | ||
042a8da9 SE |
346 | ** util |
347 | ||
348 | Defines: | |
349 | sysbuffer (closure => buffer closure) | |
350 | ||
b2a56f7c SE |
351 | sysbuffer: integer[,dict] |
352 | arg1: buffer length | |
353 | arg2: options: | |
354 | lockdown (boolean): if True, mlock() the buffer | |
355 | ||
558fa3fb SE |
356 | ** site |
357 | ||
358 | Defines: | |
359 | site (closure => site closure) | |
360 | ||
3454dce4 SE |
361 | site: dict argument |
362 | local-name (string): this site's name for itself | |
363 | name (string): the name of the site's peer | |
469fd1d9 | 364 | link (netlink closure) |
59533c16 IJ |
365 | comm (one or more comm closures): if there is more than one, the |
366 | first one will be used for any key setups initiated by us using the | |
367 | configured address. Others are only used if our peer talks to | |
368 | them. | |
3454dce4 SE |
369 | resolver (resolver closure) |
370 | random (randomsrc closure) | |
371 | local-key (rsaprivkey closure) | |
83dbdd3f IJ |
372 | address (string list): optional, DNS name(s) used to find our peer; |
373 | address literals are supported too if enclosed in `[' `]'. | |
3454dce4 SE |
374 | port (integer): mandatory if 'address' is specified: the port used |
375 | to contact our peer | |
3454dce4 SE |
376 | key (rsapubkey closure): our peer's public key |
377 | transform (transform closure): how to mangle packets sent between sites | |
378 | dh (dh closure) | |
379 | hash (hash closure) | |
e57264d6 IJ |
380 | key-lifetime (integer): max lifetime of a session key, in ms |
381 | [one hour; mobile: 2 days] | |
3454dce4 | 382 | setup-retries (integer): max number of times to transmit a key negotiation |
e57264d6 | 383 | packet [5; mobile: 30] |
3454dce4 | 384 | setup-timeout (integer): time between retransmissions of key negotiation |
e57264d6 | 385 | packets, in ms [2000; mobile: 1000] |
3454dce4 | 386 | wait-time (integer): after failed key setup, wait this long (in ms) before |
e57264d6 | 387 | allowing another attempt [20000; mobile: 10000] |
3454dce4 | 388 | renegotiate-time (integer): if we see traffic on the link after this time |
e7f8ec2a | 389 | then renegotiate another session key immediately (in ms) |
e57264d6 IJ |
390 | [half key-lifetime, or key-lifetime minus 5 mins (mobile: 12 hours), |
391 | whichever is longer]. | |
b98e450d IJ |
392 | keepalive (bool): if True then attempt always to keep a valid session key. |
393 | Not actually currently implemented. [false] | |
3454dce4 SE |
394 | log-events (string list): types of events to log for this site |
395 | unexpected: unexpected key setup packets (may be late retransmissions) | |
396 | setup-init: start of attempt to setup a session key | |
397 | setup-timeout: failure of attempt to setup a session key, through timeout | |
398 | activate-key: activation of a new session key | |
399 | timeout-key: deletion of current session key through age | |
400 | security: anything potentially suspicious | |
401 | state-change: steps in the key setup protocol | |
402 | packet-drop: whenever we throw away an outgoing packet | |
403 | dump-packets: every key setup packet we see | |
404 | errors: failure of name resolution, internal errors | |
446353cd | 405 | peer-addrs: changes to sets of peer addresses (interesting for mobile peers) |
3454dce4 | 406 | all: everything (too much!) |
446353cd IJ |
407 | mobile (bool): if True then peer is "mobile" ie we assume it may |
408 | change its apparent IP address and port number without either it | |
409 | or us being aware of the change; so, we remember the last several | |
410 | port/addr pairs we've seen and send packets to all of them | |
411 | (subject to a timeout). We maintain one set of addresses for key | |
412 | setup exchanges, and another for data traffic. Two communicating | |
413 | peers must not each regard the other as mobile, or all the traffic | |
414 | in each direction will be triplicated (strictly, transmitted | |
415 | mobile-peers-max times) and anyway two peers whose public contact | |
416 | address may suddenly change couldn't communicate reliably because | |
417 | their contact addresses might both change at once. [false] | |
418 | mobile-peers-max (integer): Maximum number of peer port/addr pairs we | |
d18903cf | 419 | remember and send to. Must be at least 1 and no more than 5. |
83dbdd3f | 420 | [4 if any address is configured, otherwise 3] |
0f27325c IJ |
421 | static-peers-max (integer): Maximum number of peer port/addr pairs |
422 | we can try for a static site. Must be at least 1 and no more | |
d18903cf | 423 | than 5. [4 or 3, as above] |
446353cd IJ |
424 | mobile-peer-expiry (integer): For "mobile" peers only, the length |
425 | of time (in seconds) for which we will keep sending to multiple | |
426 | address/ports from which we have not seen incoming traffic. [120] | |
dba19f84 IJ |
427 | local-mobile (bool): if True then other peers have been told we are |
428 | "mobile". This should be True iff the peers' site configurations | |
429 | for us have "mobile True" (and if we find a site configuration for | |
430 | ourselves in the config, we insist on this). The effect is to | |
431 | check that there are no links both ends of which are allegedly | |
e57264d6 IJ |
432 | mobile (which is not supported, so those links are ignored) and |
433 | to change some of the tuning parameter defaults. [false] | |
3ed1846a IJ |
434 | mtu-target (integer): Desired value of the inter-site MTU for this |
435 | peering. This value will be advertised to the peer (which ought | |
436 | to affect incoming packets), and if the peer advertises an MTU its | |
437 | value will be combined with this setting to compute the inter-site | |
438 | MTU. (secnet will still accept packets which exceed the | |
439 | (negotiated or assumed) inter-site MTU.) Setting a lower | |
440 | inter-site MTU can be used to try to restrict the sizes of the | |
441 | packets sent over the underlying public network (e.g. to work | |
442 | around network braindamage). It is not normally useful to set a | |
443 | larger value for mtu-target than the VPN's general MTU (which | |
444 | should be reflected in the local private interface MTU, ie the mtu | |
445 | parameter to netlink). If this parameter is not set, or is set | |
446 | to 0, the default is to use the local private link mtu. | |
e57264d6 IJ |
447 | |
448 | Links involving mobile peers have some different tuning parameter | |
449 | default values, which are generally more aggressive about retrying key | |
450 | setup but more relaxed about using old keys. These are noted with | |
451 | "mobile:", above, and apply whether the mobile peer is local or | |
452 | remote. | |
3454dce4 | 453 | |
b02b720a IJ |
454 | ** transform-eax |
455 | ||
456 | Defines: | |
457 | eax-serpent (closure => transform closure) | |
458 | ||
92a7d254 | 459 | ** transform-cbcmac |
558fa3fb SE |
460 | |
461 | Defines: | |
462 | serpent256-cbc (closure => transform closure) | |
463 | ||
464 | ** netlink | |
465 | ||
466 | Defines: | |
469fd1d9 | 467 | null-netlink (closure => closure or netlink closure) |
3454dce4 SE |
468 | |
469 | null-netlink: dict argument | |
470 | name (string): name for netlink device, used in log messages | |
471 | networks (string list): networks on the host side of the netlink device | |
0e212483 RK |
472 | remote-networks (string list): networks that may be claimed |
473 | by the remote site using this netlink device | |
3454dce4 SE |
474 | local-address (string): IP address of host's tunnel interface |
475 | secnet-address (string): IP address of this netlink device | |
c6f79b17 | 476 | ptp-address (string): IP address of the other end of a point-to-point link |
3454dce4 SE |
477 | mtu (integer): MTU of host's tunnel interface |
478 | ||
469fd1d9 SE |
479 | Only one of secnet-address or ptp-address may be specified. If |
480 | point-to-point mode is in use then the "routes" option must also be | |
481 | specified, and netlink returns a netlink closure that should be used | |
482 | directly with the "link" option to the site closure. If | |
483 | point-to-point mode is not in use then netlink returns a closure that | |
484 | may be invoked using a dict argument with the following keys to yield | |
485 | a netlink closure: | |
486 | routes (string list): networks reachable down the tunnel attached to | |
487 | this instance of netlink | |
488 | options (string list): | |
489 | allow-route: allow packets coming from this tunnel to be routed to | |
490 | other tunnels as well as the host (used for mobile devices like laptops) | |
0e212483 | 491 | soft: remove these routes from the host's routing table when |
469fd1d9 | 492 | the tunnel link quality is zero |
3ed1846a | 493 | mtu (integer): MTU of host's tunnel interface |
c6f79b17 | 494 | |
042a8da9 SE |
495 | Netlink will dump its current routing table to the system/log on |
496 | receipt of SIGUSR1. | |
497 | ||
3454dce4 SE |
498 | ** slip |
499 | ||
500 | Defines: | |
558fa3fb | 501 | userv-ipif (closure => netlink closure) |
3454dce4 SE |
502 | |
503 | userv-ipif: dict argument | |
504 | userv-path (string): optional, where to find userv ["userv"] | |
505 | service-user (string): optional, username for userv-ipif service ["root"] | |
506 | service-name (string): optional, name of userv-ipif service ["ipif"] | |
507 | buffer (buffer closure): buffer for assembly of host->secnet packets | |
508 | plus generic netlink options, as for 'null-netlink' | |
509 | ||
510 | ** tun | |
511 | ||
512 | Defines: | |
558fa3fb SE |
513 | tun (closure => netlink closure) [only on linux-2.4] |
514 | tun-old (closure => netlink closure) | |
3454dce4 SE |
515 | |
516 | tun: dict argument | |
ff05a229 SE |
517 | flavour (string): optional, type of TUN interface to use |
518 | ("guess","linux","bsd","streams") | |
3454dce4 SE |
519 | device (string): optional, path of TUN/TAP device file ["/dev/net/tun"] |
520 | interface (string): optional, name of tunnel network interface | |
521 | ifconfig-path (string): optional, path to ifconfig command | |
522 | route-path (string): optional, path to route command | |
ff05a229 SE |
523 | ifconfig-type (string): optional, how to perform ifconfig |
524 | route-type (string): optional, how to add and remove routes | |
525 | types are: "guess", "ioctl", "bsd", "linux", "solaris-2.5" | |
3454dce4 SE |
526 | buffer (buffer closure): buffer for host->secnet packets |
527 | plus generic netlink options, as for 'null-netlink' | |
528 | ||
ff05a229 SE |
529 | I recommend you don't specify the 'interface' option unless you're |
530 | doing something that requires the interface name to be constant. | |
c6f79b17 | 531 | |
558fa3fb SE |
532 | ** rsa |
533 | ||
534 | Defines: | |
535 | rsa-private (closure => rsaprivkey closure) | |
536 | rsa-public (closure => rsapubkey closure) | |
537 | ||
3454dce4 SE |
538 | rsa-private: string[,bool] |
539 | arg1: filename of SSH private key file (version 1, no password) | |
540 | arg2: whether to check that the key is usable [default True] | |
541 | ||
542 | rsa-public: string,string | |
543 | arg1: encryption key (decimal) | |
544 | arg2: modulus (decimal) | |
545 | ||
558fa3fb SE |
546 | ** dh |
547 | ||
548 | Defines: | |
549 | diffie-hellman (closure => dh closure) | |
550 | ||
3454dce4 SE |
551 | diffie-hellman: string,string[,bool] |
552 | arg1: modulus (hex) | |
553 | arg2: generator (hex) | |
554 | arg3: whether to check that the modulus is prime [default True] | |
555 | ||
558fa3fb SE |
556 | ** md5 |
557 | ||
558 | Defines: | |
559 | md5 (hash closure) | |
3454dce4 SE |
560 | |
561 | ** sha1 | |
562 | ||
563 | Defines: | |
564 | sha1 (hash closure) | |
c6f79b17 SE |
565 | |
566 | ** conffile | |
567 | ||
568 | Defines: | |
569 | makelist (dictionary => list of definitions) | |
570 | readfile (string => string) | |
571 | map (closure,list => list) | |
572 | ||
573 | makelist: dictionary | |
574 | returns a list consisting of the definitions in the dictionary. The keys | |
575 | are discarded. | |
576 | ||
577 | readfile: string | |
578 | reads the named file and returns its contents as a string | |
579 | ||
580 | map: | |
581 | applies the closure specified as arg1 to each of the elements in the list. | |
582 | Returns a list made up of the outputs of the closure. |