From ee498ba193ade7a64b94337aba2cc8d91920c27d Mon Sep 17 00:00:00 2001 From: ian Date: Mon, 11 Dec 2000 01:53:01 +0000 Subject: [PATCH] @@ -2,7 +2,8 @@ * service.c (userv ipif) /32 prefixes work properly now. - * udptunnelconf directory, embryonic + * New udptunnel-reconf program for generating invoke scripts, inittab + entries, and the like. -- --- changelog | 3 +- ipif/.cvsignore | 1 + ipif/INSTALL | 179 +++++++++++++++++++++++++++++-------------- ipif/Makefile | 32 +++++++- ipif/udptunnel-reconf.pl | 59 ++++++++++---- ipif/udptunnel-vpn-config.m4 | 18 +++++ ipif/udptunnel-vpn-defaults | 31 ++++++-- 7 files changed, 240 insertions(+), 83 deletions(-) diff --git a/changelog b/changelog index a7f5c32..3baf0ef 100644 --- a/changelog +++ b/changelog @@ -2,7 +2,8 @@ userv-utils (0.2.1) unstable; urgency=low * service.c (userv ipif) /32 prefixes work properly now. - * udptunnelconf directory, embryonic + * New udptunnel-reconf program for generating invoke scripts, inittab + entries, and the like. -- diff --git a/ipif/.cvsignore b/ipif/.cvsignore index 8272b90..d9a8d7c 100644 --- a/ipif/.cvsignore +++ b/ipif/.cvsignore @@ -1,4 +1,5 @@ service automech.[ch] udptunnel-forwarder +udptunnel-reconf blowfishtest diff --git a/ipif/INSTALL b/ipif/INSTALL index d33221a..778f3a0 100644 --- a/ipif/INSTALL +++ b/ipif/INSTALL @@ -1,6 +1,9 @@ -This file, INSTALL, is a tutorial on how to - * install userv ipif and udptunnel, and - * configure them to create a VPN tunnel between two hosts or networks. +This file, INSTALL, is a -*- text -*- file tutorial on how to + * install userv ipif and udptunnel, + * configure them to create a VPN tunnel between two hosts or + networks, or + * use udptunnel-reconf to create a multi-site VPN. + See README for details of other available documentation. 
@@ -13,7 +16,12 @@ BUILD AND INSTALLATION INSTRUCTIONS 2. Make sure your Linux kernel has SLIP and CSLIP compiled in. You will need to be using Linux 2.2 (with Unix98-style ptys). -3. Obtain a fresh copy of userv-utils, if you haven't already. +3. udptunnel works best if your ssh can do ssh-protocol-level + keepalives. Currently these are only supported by using a special + patch, which can be found (for OpenSSH 1.2.x) at + ftp.chiark.greenend.org.uk:/users/ian/openssh+protocolkeepalives. + +4. Obtain a fresh copy of userv-utils, if you haven't already. cd to ipif, and run `make' and (as root) `make install'. After you have done this the software will still not do anything, and @@ -119,10 +127,11 @@ UDPTUNNEL SETUP TUTORIAL host or network number - - - Encrypted Data Flow || -2. SETUP INSTRUCTIONS +2. INFORMATION COLLECTION AND PRELIMINARY SETUP - All of these steps can be done using the appropriate normal user - accounts, unless otherwise indicated. + You will need to collect and/or decide upon various information, and + make sure that your two endpoint systems can talk to each other over + the public network. 2.1. Find out, or choose, private network numbers @@ -164,8 +173,9 @@ UDPTUNNEL SETUP TUTORIAL In some situations you may find yourself using a `public network' which is not actually the public Internet - for example, you may want to run one tunnel `through' another, or your `public network' is - actually a private radio LAN. In this case you'll have to choose the - addresses to use from RFC1918-space, as above. + actually a `private', but not sufficiently secure, radio LAN. In + this case you'll have to choose the addresses to use from + RFC1918-space, as above. 2.3. Decide which user account(s) on alice and bob you will use 
@@ -186,7 +196,55 @@ UDPTUNNEL SETUP TUTORIAL (Obviously, if you need to create accounts, edit groups, or change the sshd configuratioon, you may need to be root.) -2.3. Configure the private network numbers in /etc/userv/ipif-networks +2.4. Decide whether to use `udptunnel-reconf' + + There are two ways to set up a tunnel with udptunnel. Either you can + simply give udptunnel the right command, by putting it in an + appropriate script and arranging it to be called, or you can have a + program `udptunnel-reconf' read some configuration files and do it + for you. + + udptunnel-reconf is not as well documented, but its behaviour is + somewhat more `cooked'. It is especially useful if you need to + maintain many tunnels as part of an organised, multi-site, VPN. + + Using udptunnel directly is somewhat more flexible, and may be easier + if you only want one tunnel. + + +3. SETUP INSTRUCTIONS - USING UDPTUNNEL-RECONF + + Edit or create the following files, as root: + /etc/userv/vpn/sites + /etc/userv/vpn/tunnels + /etc/userv/vpn/global + + Run udptunnel-reconf, as root. This will create: + /var/lib/userv/vpn/passive-sites + /var/lib/userv/vpn/active-sites + /var/lib/userv/vpn/command. + + It will also spit out to stdout two things: firstly, a list of + suggested commands to put in your inittab, and secondly a suggested + line to put in your /etc/userv/ipif-networks. + + Test that your setup is working, by running (one of) the + /var/lib/userv/vpn/command. file(s) by hand - see section 5. + If it works, you can put the relevant things in your inittab and say + `init q'. + + To find out what all the configuration settings do, look at + /usr/local/share/userv/udptunnel-vpn-defaults, which contains the + default settings and shows where all the hooks are. Consult section + 4 of this file to understand what the options to udptunnel do. + + +4. 
SETUP INSTRUCTIONS - INVOKING UDPTUNNEL DIRECTLY + + All of these steps can be done using the appropriate normal user + accounts, unless otherwise indicated. + +4.1. Configure the private network numbers in /etc/userv/ipif-networks (This step needs to be done as root.) @@ -215,7 +273,7 @@ UDPTUNNEL SETUP TUTORIAL interface with that address, but the address may not be assigned to a remote host or route. -2.4. Construct the udptunnel invocation (on alice) +4.2. Construct the udptunnel invocation (on alice) udptunnel has a long and complicated command line, rather than a configuration file. The best way to deal with this is to create a @@ -244,7 +302,7 @@ UDPTUNNEL SETUP TUTORIAL You have to fill in the right values for things in angle brackets. (See also section 6. for a moderately complex example, below.) -2.4.1. Syntax of and +4.4.1. Syntax of and These arguments to udptunnel are the network address ranges at each end which are to be connected via the tunnel. Let us consider just @@ -259,7 +317,7 @@ UDPTUNNEL SETUP TUTORIAL just to connect alice to bob and things at bob's end, then specify `-' for . -2.4.2. IP masquerading (NAT) at alice's end +4.4.2. IP masquerading (NAT) at alice's end If alice is behind a masquerading (NAT) firewall, you can still get it to work. You need to add an option `-m' before the other @@ -269,7 +327,7 @@ UDPTUNNEL SETUP TUTORIAL way alice doesn't need to know what port number the NAT proxy will use. -2.4.3. Using fixed UDP port numbers (eg to make firewally happy) +4.4.3. Using fixed UDP port numbers (eg to make firewally happy) If alice is behind a firewall which will not allow incoming UDP to arbitrary ports, even when sent in reply to packets of alice's, you @@ -290,7 +348,7 @@ UDPTUNNEL SETUP TUTORIAL with , \ -2.4.4. Clock skew and excessive delay +4.4.4. Clock skew and excessive delay The default configuration given above, which includes this -e nonce -e timestamp/10/30 \ 
@@ -318,7 +376,7 @@ UDPTUNNEL SETUP TUTORIAL with -e sequence \ -2.4.5. Other things to tweak (it's usually safe to ignore this part) +4.4.5. Other things to tweak (it's usually safe to ignore this part) Do not mess with the `-e' parameters and arguments except as explained above, unless you are a cryptographer. 
@@ -342,10 +400,46 @@ UDPTUNNEL SETUP TUTORIAL will be increased in size by 24 bytes + the size of a UDP and IP header + the effects of SLIP duplication of certain bytes.) +4.5. Testing your script + + After you've written your script, you should run it to see if it + works. See section 5 for details. + +4.6. Configure the tunnel to run automatically + + Now that the tunnel works if you invoke it by hand, it is time to + arrange to run it automatically. + + If you want the tunnel to run over a dialup link only when the dialup + link is up, then I'm afraid you'll have to arrange to start and kill + it yourself, probably. I haven't set up such a configuration. More + information about this for this document, if you manage to do it, + would be good. + + So, I shall assume that you want the tunnel to be up all of the time + (or at least, as much as possible). The best way to do this is to + run it from `init', by setting it up in inittab. + + For example, you could put something like this in your inittab: + t0:23:respawn:su Tbob -c ./udptunnel-invoke-bob 2>&1 | logger -p local2.info -t tunnel-bob + (Note that if you have more than one tunnel the `id' field, at the + start of the inittab line, must be different for each one.) + + This would use `su' to become bob and run the actual tunnelling + software, and arrange for the diagnostic output to be sent to syslog + with facility `local2' and priority `info', tagged with `tunnel-bob'. + With an appropriate line in /etc/syslog.conf, such as + local2.* /var/log/local2-all.log + (remember that you have to use tabs in syslog.conf) this will + produce, in /var/log/local2-all.log, all the diagnostics, including + reassuring messages like this: + Sep 18 00:27:48 alice tunnel-bob: udptunnel-forwarder: alice: tunnel still open: received 5262 packets, 5262 bytes + Sep 18 00:28:44 alice tunnel-bob: udptunnel-forwarder: bob: tunnel still open: received 5280 packets, 5280 bytes + -3. Test your udptunnel invocation script +5. 
TESTING YOUR UDPTUNNEL INVOCATION SCRIPT -3.1. Invocation +5.1. Invocation Log into alice as Tbob, and run ./udptunnel-invoke-bob. A great deal of diagnostic output will ensue. @@ -353,7 +447,8 @@ UDPTUNNEL SETUP TUTORIAL If all is well you will see two messages looking something like this udptunnel-forwarder: bob: tunnel open with peer 127.0.0.3:76543 udptunnel-forwarder: alice: tunnel open - and the session will just sit there. Go to 3.2. + and the session will just sit there. This means it thinks it's + working; go on to section 5.2. If it didn't say that, here are some debugging tips: @@ -412,7 +507,7 @@ UDPTUNNEL SETUP TUTORIAL because their checksums don't match. In this case they should go away in a minute or two. -3.2. Testing, once the tunnel claims to be working +5.2. Testing, once the tunnel claims to be working In another session on alice, you should be able to ping bob's virtual interface. If this works, test pinging between hosts on the private 
@@ -444,42 +539,10 @@ UDPTUNNEL SETUP TUTORIAL that, they can be a complete pain to debug. -4. Configure the tunnel to run automatically - - Now that the tunnel works if you invoke it by hand, it is time to - arrange to run it automatically. - - If you want the tunnel to run over a dialup link only when the dialup - link is up, then I'm afraid you'll have to arrange to start and kill - it yourself, probably. I haven't set up such a configuration. More - information about this for this document, if you manage to do it, - would be good. - - So, I shall assume that you want the tunnel to be up all of the time - (or at least, as much as possible). The best way to do this is to - run it from `init', by setting it up in inittab. - - For example, you could put something like this in your inittab: - t0:23:respawn:su Tbob -c ./udptunnel-invoke-bob 2>&1 | logger -p local2.info -t tunnel-bob - (Note that if you have more than one tunnel the `id' field, at the - start of the inittab line, must be different for each one.) - - This would use `su' to become bob and run the actual tunnelling - software, and arrange for the diagnostic output to be sent to syslog - with facility `local2' and priority `info', tagged with `tunnel-bob'. - With an appropriate line in /etc/syslog.conf, such as - local2.* /var/log/local2-all.log - (remember that you have to use tabs in syslog.conf) this will - produce, in /var/log/local2-all.log, all the diagnostics, including - reassuring messages like this: - Sep 18 00:27:48 alice tunnel-bob: udptunnel-forwarder: alice: tunnel still open: received 5262 packets, 5262 bytes - Sep 18 00:28:44 alice tunnel-bob: udptunnel-forwarder: bob: tunnel still open: received 5280 packets, 5280 bytes - - -5. DNS, firewall, mail, etc. +6. DNS, firewall, mail, etc. - Now you have IP level connectivity between your two networks. 
You - must now arrange for: + When you have IP level connectivity between your two networks, you + must also arrange for: * An appropriate firewall on each tunnel endpoint (to stop attacks from one network to another) and also at all the borders of each @@ -497,7 +560,7 @@ UDPTUNNEL SETUP TUTORIAL How to do these things is beyond the scope of this document. -6. Example +7. Example This example is the tunnel between chiark and Relativity. I'll quote it and explain the details, below. See also the comment at the top of @@ -599,7 +662,7 @@ UDPTUNNEL SETUP TUTORIAL t0:235:respawn:/usr/local/sbin/really -u ian /usr/local/sbin/udptunnel-invoke 2>&1 | logger -p local2.info -t tunnel-chiark -7. Copyright notice +8. Copyright notice Copyright (C) 1999-2000 Ian Jackson @@ -618,4 +681,4 @@ UDPTUNNEL SETUP TUTORIAL Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -$Id: INSTALL,v 1.4 2000/09/18 00:31:11 ian Exp $ +$Id: INSTALL,v 1.4.2.1 2000/12/11 01:53:01 ian Exp $ diff --git a/ipif/Makefile b/ipif/Makefile index 820ad9a..d202ffe 100644 --- a/ipif/Makefile +++ b/ipif/Makefile @@ -16,7 +16,7 @@ # along with userv-utils; if not, write to the Free Software # Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # -# $Id: Makefile,v 1.14 2000/06/07 00:59:31 ian Exp $ +# $Id: Makefile,v 1.14.2.1 2000/12/11 01:53:01 ian Exp $ OPTIMISE= -O2 CFLAGS= -Wall -Wmissing-prototypes -Wstrict-prototypes -Wpointer-arith \ 
@@ -26,14 +26,21 @@ CFLAGS= -Wall -Wmissing-prototypes -Wstrict-prototypes -Wpointer-arith \ etcdir= /etc prefix= /usr/local bindir= $(prefix)/bin +vardir= /var libdir= $(prefix)/lib +sharedir= $(prefix)/share libuserv= $(libdir)/userv +shareuserv= $(sharedir)/userv +varlib= $(vardir)/lib +varlibuserv= $(varlib)/userv +varlibvpn= $(varlibuserv)/vpn etcuserv= $(etcdir)/userv +etcvpn= $(etcdir)/userv/vpn services= $(etcuserv)/services.d -PROGRAM_TARGETS= udptunnel-forwarder +PROGRAM_TARGETS= udptunnel-forwarder udptunnel-reconf TARGETS= service blowfishtest $(PROGRAM_TARGETS) PROGRAMS= udptunnel $(PROGRAM_TARGETS) @@ -46,11 +53,28 @@ OBJS_BFTEST= blowfishtest.o blowfish.o hex.o all: $(TARGETS) install: all - mkdir -p $(libuserv) $(services) + mkdir -p $(libuserv) $(services) $(etcvpn) \ + $(varlibvpn) $(shareuserv) cp -b service $(libuserv)/ipif - cp ipif $(services)/ipif:new cp -b $(PROGRAMS) $(bindir)/. + cp ipif $(services)/ipif:new set -e; cd $(services); test -f ipif || mv ipif:new ipif + cp *.example $(etcvpn)/. + cp udptunnel-vpn-config.m4 udptunnel-vpn-defaults \ + $(shareuserv)/. + +udptunnel-reconf: udptunnel-reconf.pl Makefile + perl -pe ' \ + print "\ +\$$shareuserv= \"$(shareuserv)\";\n\ +\$$etcvpn= \"$(etcvpn)\";\n\ +\$$varlibvpn= \"$(varlibvpn)\";\n" if m#^\# \@\@\@\-#; \ + $$_="" if m/^\# \@\@\@\-/ .. m/^\# \-\@\@\@/; \ + ' \ + <$< >$@.new + chmod +x $@.new + mv -f $@.new $@ + udptunnel-forwarder: $(OBJS_FORWARD) $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJS_FORWARD) diff --git a/ipif/udptunnel-reconf.pl b/ipif/udptunnel-reconf.pl index e57b4b4..0bb4646 100755 --- a/ipif/udptunnel-reconf.pl +++ b/ipif/udptunnel-reconf.pl 
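Review bot: The `install` target creates `$(etcvpn)` and `$(varlibvpn)` with a bare `mkdir -p`, so their modes follow the installing user's umask and directories that already exist keep whatever mode they had. INSTALL describes udptunnel-reconf as run by root, reading its configuration from the first directory and writing the command files into the second, so neither should be writable by anyone else. Something like `install -d -m 755 $(etcvpn) $(varlibvpn) $(shareuserv)` would state the intended mode explicitly. In the same target, `cp *.example $(etcvpn)/.` overwrites without `-b`, unlike the two `cp -b` lines above it, although this is the directory the administrator edits.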
@@ -1,10 +1,31 @@ #!/usr/bin/perl +# udptunnel-reconf +# Set up the relevant stuff in /etc/userv/vpn, and then run +# this. It should tell you what to do to inittab and ipif-networks. + +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with userv-utils; if not, write to the Free Software +# Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# $Id: udptunnel-reconf.pl,v 1.1.2.3 2000/12/11 01:53:01 ian Exp $ use Socket; -#$sharedir= '/usr/local/share/userv/udptunnelconf'; -$sharedir= '/home/ian/things/userv-utils/udptunnelconf'; -$confdir= '/etc/udptunnel'; +# @@@- +$shareuserv= "`pwd`"; +$etcvpn= "`pwd`"; +$varlibvpn= "`pwd`"; +# -@@@ sub badusage () { die "usage: udptunnel-reconf []\n"; } $debug=0; @@ -18,16 +39,17 @@ while ($ARGV[0] =~ m/^-/) { badusage(); } -if (@ARGV) { $confdir= shift @ARGV; } +if (@ARGV) { $etcvpn= shift @ARGV; } badusage() if @ARGV; -chdir $confdir or fault("$confdir: $!"); +chdir $etcvpn or fault("$etcvpn: $!"); sub run_m4 ($$$) { my ($wanted, $site, $variable) = @_; $x= "m4 -P -DWANTED=$wanted -DWHVARIABLE=V_$variable -DV_global=global ". - "-DV_site=$site ". - "-DV_defaults=$sharedir/defaults $sharedir/config.m4"; + "-DV_site=$site -DV_varlibvpn=$varlibvpn ". + "-DV_defaults=$shareuserv/udptunnel-vpn-defaults ". + "$shareuserv/udptunnel-vpn-config.m4"; print STDERR $x,"\n" if $debug>=2; open X, "$x |" or die $!; undef $/; 
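Review bot: The `# @@@-` … `# -@@@` block carries no comment saying that the Makefile's `udptunnel-reconf` rule replaces it with the installed paths, so the three "`pwd`" assignments read like live defaults. Perl does not execute backticks inside a double-quoted string, so `$etcvpn` holds the literal text and `chdir $etcvpn` fails unless a directory is given on the command line. The other two values only resolve because they are later pasted into a shell command. A comment above the block would make this clear, for example `# Replaced at build time by the Makefile; the placeholders below are only for running the .pl unbuilt, with a directory argument.`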
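Review bot: `run_m4` still assembles the m4 invocation as a single string and hands it to the shell through `open X, "$x |"`, and this hunk adds `$varlibvpn` and `$shareuserv` to that string unquoted, next to `$site`. INSTALL describes the script as run by root, so whitespace or a shell metacharacter in a site name or an install path changes the command root executes. Passing the arguments as a list (`open X, '-|', 'm4', '-P', "-DWANTED=$wanted", ...`) avoids the shell, but the backtick placeholders at the top of the file depend on shell expansion and would then need real paths. A smaller step is to reject unexpected values before building the string, e.g. `$site =~ m/^[-.\w]+$/ or fault("bad site name: $site");`, with the character class adjusted to whatever site names are meant to allow. The body of `run_m4` continues past the end of this hunk.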
@@ -130,7 +152,8 @@ sub write_file ($$$$) { rename "$fn.new",$fn or die $!; } -write_file(var_global(ipifnetsfile),'ipifnetsfile','', $ipif_file); +$ipifnetsfile= var_global(ipifnetsfile); +write_file($ipifnetsfile,'ipifnetsfile','', $ipif_file); $active_file= ''; $inittab= ''; @@ -138,14 +161,22 @@ $ix= 0; foreach $site (@actives) { $active_file.= "$site\t".var_site('activesxinfo')."\n"; $inittab.= sprintf("t%d", $ix++).':'.var_site('inittab_line')."\n"; - write_file(var_site('invoke_file'), 'invoke_file', - var_site('invoke_head'), - var_site('invoke_body')); + $invoke_file= var_site('invoke_file'); + write_file($invoke_file, 'invoke_file', + var_site('invoke_head'), var_site('invoke_body')); + chmod 0777&~umask, $invoke_file or die $!; } write_file(var_global('activesfile'),'activesfile', '',$active_file); -write_file(var_global('inittab_fragfile'),'inittab_fragfile', -"# You can cut and paste all or part of this into your inittab if you like.", - $inittab); + +print +"# You can cut and paste all or part of this into your inittab if you like:\n", + $inittab; + +print +"# And consider adding this line, or some of this file's contents,\n". +"# to your /etc/userv/ipif-networks:\n", + "$ipifnetsfile\n" + if $ipifnetsfile =~ m,^/,; $passive_file= ''; foreach $site (@passives) { diff --git a/ipif/udptunnel-vpn-config.m4 b/ipif/udptunnel-vpn-config.m4 index 7092265..e32e8bb 100644 --- a/ipif/udptunnel-vpn-config.m4 +++ b/ipif/udptunnel-vpn-config.m4 
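Review bot: The mode of each generated invoke file is taken from the umask in force when the script runs (`chmod 0777&~umask, $invoke_file`), so with a permissive umask the file ends up group- or world-writable as well as executable. INSTALL presents these files as the commands that the suggested inittab entries run, so a fixed mode is the safer default: `chmod 0755, $invoke_file or die $!;`. The chmod also happens after `write_file` has renamed the file into place, which leaves a short window where the command exists but is not executable; whether that matters depends on code in `write_file` outside this hunk. As a style point, the new line `$ipifnetsfile= var_global(ipifnetsfile);` keeps a bareword where every other call quotes the name, so `var_global('ipifnetsfile')` would be consistent.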
@@ -1,3 +1,21 @@ +m4_dnl udptunnel-vpn-config.m4: macros for udptunnel-reconf et al + +m4_dnl This is free software; you can redistribute it and/or modify it +m4_dnl under the terms of the GNU General Public License as published by +m4_dnl the Free Software Foundation; either version 2 of the License, or +m4_dnl (at your option) any later version. +m4_dnl +m4_dnl This program is distributed in the hope that it will be useful, but +m4_dnl WITHOUT ANY WARRANTY; without even the implied warranty of +m4_dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +m4_dnl General Public License for more details. +m4_dnl +m4_dnl You should have received a copy of the GNU General Public License +m4_dnl along with userv-utils; if not, write to the Free Software +m4_dnl Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +m4_dnl +m4_dnl $Id: udptunnel-vpn-config.m4,v 1.1.2.2 2000/12/11 01:53:01 ian Exp $ + m4_define(V_JUNK,1)m4_divert(V_JUNK) m4_define(V_VARIABLE,2) m4_define(V_ACTIVES,3) diff --git a/ipif/udptunnel-vpn-defaults b/ipif/udptunnel-vpn-defaults index b0104c6..efb6f45 100644 --- a/ipif/udptunnel-vpn-defaults +++ b/ipif/udptunnel-vpn-defaults 
@@ -1,3 +1,21 @@ +m4_dnl udptunnel-vpn-defaults: default settings for udptunnel-reconf + +m4_dnl This is free software; you can redistribute it and/or modify it +m4_dnl under the terms of the GNU General Public License as published by +m4_dnl the Free Software Foundation; either version 2 of the License, or +m4_dnl (at your option) any later version. +m4_dnl +m4_dnl This program is distributed in the hope that it will be useful, but +m4_dnl WITHOUT ANY WARRANTY; without even the implied warranty of +m4_dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +m4_dnl General Public License for more details. +m4_dnl +m4_dnl You should have received a copy of the GNU General Public License +m4_dnl along with userv-utils; if not, write to the Free Software +m4_dnl Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +m4_dnl +m4_dnl $Id: udptunnel-vpn-defaults,v 1.1.2.4 2000/12/11 01:53:01 ian Exp $ + SET( lcommand, [udptunnel]) SET( crypto, [-e nonce -e timestamp/10/30 -e pkcs5/8 \ @@ -25,9 +43,11 @@ SET( rcommand, [V_rcommandprefix udptunnel]) SET( sshprotoka, [-o 'ProtocolKeepAlives 300']) SET( sshstdopts, [-o 'ForwardAgent no' -o 'ForwardX11 no' -o 'BatchMode yes']) SET( sshverbose, [-v]) +SET( sshopts, []) SET( ssh, [ssh V_sshstdopts \ - V_sshprotoka V_sshverbose]) + V_sshprotoka V_sshverbose \ + V_ssopts]) SET( sshdest, [V_rpublic]) @@ -36,15 +56,15 @@ SET( tunnels, [tunnels]) m4_dnl varlibvpn -- global can override -SET( ipifnetsfile, [V_varlib/ipif-networks]) -SET( activesfile, [V_varlib/active-sites]) +SET( ipifnetsfile, [V_varlibvpn/ipif-networks]) +SET( activesfile, [V_varlibvpn/active-sites]) SET( activesxinfo, []) -SET( passivesfile, [passive-sites]) +SET( passivesfile, [V_varlibvpn/passive-sites]) SET( passivesxinfo, []) SET( postconfigure, []) -SET( invoke_file, [V_varlib/V_site.command]) +SET( invoke_file, [V_varlibvpn/command.V_site]) SET( invoke_head, [#!/bin/sh]) SET( invoke_hook, []) 
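Review bot: The new `ssh` definition in the second hunk of this file refers to `V_ssopts`, while the setting added just above it is `sshopts`, so the name is misspelt. Assuming `SET(name, …)` defines `V_name` as the neighbouring settings suggest, the new `sshopts` hook has no effect as written. Unless something else defines `V_ssopts`, the literal text also stays in the generated ssh command line, where ssh may treat it as an argument. The last added line should read `V_sshopts])`.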
@@ -52,7 +72,6 @@ SET( syslog_facility, local2) SET( syslog_priority, info) SET( inittab_runlevels, 2345) -SET( inittab_fragfile, [inittab-fragment]) SET( inittab_pfx, []) SET( inittab_sfx, [2>&1 | logger -p V_syslog_facility.V_syslog_priority -t tunnel-V_site]) -- 2.11.0