secnet - flexible VPN software
+* Copying
+
+secnet is Copyright (C) 1995--2001 Stephen Early <steve@greenend.org.uk>
+It is distributed under the terms of the GNU General Public License,
+version 2 or later. See the file COPYING for more information.
+
+The portable snprintf implementation in snprintf.c is Copyright (C)
+1999 Mark Martinec <mark.martinec@ijs.si> and is distributed under the
+terms of the Frontier Artistic License. You can find the standard
+version of snprintf.c at http://www.ijs.si/software/snprintf/
+
+The IP address handling library in ipaddr.py is Copyright (C)
+1996--2000 Cendio Systems AB, and is distributed under the terms of
+the GPL.
+
* Introduction
secnet allows large virtual private networks to be constructed
laptop-to-host link), read the section in this file on 'Creating a
VPN'.
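Review bot: the ipaddr.py notice at the end of this hunk says only "distributed under the terms of the GPL", with no version, while the secnet notice a few lines above gives "version 2 or later"; since GPLv2-only and GPLv2-or-later components combine differently, state the version (and "or later" where it applies) for ipaddr.py as well, and point at the COPYING file for it as is done for secnet itself.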
+* Mailing lists and bug reporting
+
+There are two mailing lists associated with secnet: an 'announce' list
+and a 'discuss' list. Their addresses are:
+http://www.chiark.greenend.org.uk/mailman/listinfo/secnet-announce
+http://www.chiark.greenend.org.uk/mailman/listinfo/secnet-discuss
+
+The -announce list receives one message per secnet release. The
+-discuss list is for general discussion, including help with
+configuration, bug reports, feature requests, etc.
+
+Bug reports should be sent to <steve@greenend.org.uk>; they will be
+forwarded to the -discuss list by me.
+
* Creating a VPN
XXX TODO
* secnet command line options
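Review bot: the bug-reporting paragraph says reports sent to <steve@greenend.org.uk> "will be forwarded to the -discuss list by me", and the -discuss list is public; for a VPN this will also catch reports of security-relevant bugs. Add a sentence asking reporters to mark security issues as such and saying whether those are held back from the list until a fix is released, or name a separate private address for them.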
-XXX TODO
+Usage: secnet [OPTION]...
+
+ -f, --silent, --quiet suppress error messages
+ -w, --nowarnings suppress warnings
+ -v, --verbose output extra diagnostics
+ -c, --config=filename specify a configuration file
+ -j, --just-check-config stop after reading configfile
+ -n, --nodetach do not run in background
+ -d, --debug=item,... set debug options
+ --help display this help and exit
+ --version output version information and exit
* secnet builtin modules
buffer (buffer closure): buffer for incoming packets
authbind (string): optional, path to authbind-helper program
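Review bot: the new usage text documents "-d, --debug=item,..." and "-c, --config=filename" but gives neither the accepted debug item names nor the configuration file that is read when -c is omitted; add both, or a pointer to the section that lists the debug items, since --help is the first place an operator will look for them. It is also worth one line saying whether "-f, --silent, --quiet" drops error messages entirely or only suppresses them on the terminal while the log closures still receive them.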
-** util
+** log
Defines:
logfile (closure => log closure)
syslog (closure => log closure)
- sysbuffer (closure => buffer closure)
logfile: dict argument
filename (string): where to log to
{ "verbose", M_INFO|M_NOTICE|M_WARNING|M_ERROR|M_SECURITY|M_FATAL },
{ "quiet", M_FATAL }
+logfile will close and reopen its file upon receipt of SIGHUP.
+
syslog: dict argument
ident (string): include this string in every log message
facility (string): facility to log as
{ "user", LOG_USER },
{ "uucp", LOG_UUCP }
+** util
+
+Defines:
+ sysbuffer (closure => buffer closure)
+
sysbuffer: integer[,dict]
arg1: buffer length
arg2: options:
site: dict argument
local-name (string): this site's name for itself
name (string): the name of the site's peer
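Review bot: the added line "logfile will close and reopen its file upon receipt of SIGHUP." does not say what happens when the reopen fails (file removed, directory no longer writable): whether secnet keeps running with file logging disabled, falls back to another log closure, or exits. State the behaviour, because an operator rotating logs with SIGHUP needs to know whether a failed reopen silently loses the log. The split of the old "** util" section into "** log" (logfile, syslog) and "** util" (sysbuffer) is otherwise clear.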
- netlink (netlink closure)
+ link (netlink closure)
comm (comm closure)
resolver (resolver closure)
random (randomsrc closure)
address (string): optional, DNS name used to find our peer
port (integer): mandatory if 'address' is specified: the port used
to contact our peer
- networks (string list): networks that our peer may claim traffic for
key (rsapubkey closure): our peer's public key
transform (transform closure): how to mangle packets sent between sites
dh (dh closure)
dump-packets: every key setup packet we see
errors: failure of name resolution, internal errors
all: everything (too much!)
- netlink-options (string list): options to pass to netlink device when
- registering remote networks
- soft: create 'soft' routes that go away when there's no key established
- with the peer
- allow-route: allow packets from our peer to be sent down other tunnels,
- as well as to the host
** transform
** netlink
Defines:
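Review bot: this hunk drops "networks (string list): networks that our peer may claim traffic for" and the "netlink-options" keys ("soft", "allow-route") from the site closure and renames "netlink" to "link", but nothing tells an existing user what replaces them; add a short migration note saying that per-peer networks are now given as "routes" on the netlink instance passed via "link" and that "soft" is now "soft-route". The removed wording also described a restriction (what the peer "may claim traffic for"); say explicitly whether packets arriving from a peer with source addresses outside its routes are still dropped under the new scheme, since that is the property a reader of the old text relied on.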
- null-netlink (closure => netlink closure)
+ null-netlink (closure => closure or netlink closure)
null-netlink: dict argument
name (string): name for netlink device, used in log messages
by any remote site using this netlink device
local-address (string): IP address of host's tunnel interface
secnet-address (string): IP address of this netlink device
+ ptp-address (string): IP address of the other end of a point-to-point link
mtu (integer): MTU of host's tunnel interface
+Only one of secnet-address or ptp-address may be specified. If
+point-to-point mode is in use then the "routes" option must also be
+specified, and netlink returns a netlink closure that should be used
+directly with the "link" option to the site closure. If
+point-to-point mode is not in use then netlink returns a closure that
+may be invoked using a dict argument with the following keys to yield
+a netlink closure:
+ routes (string list): networks reachable down the tunnel attached to
+ this instance of netlink
+ options (string list):
+ allow-route: allow packets coming from this tunnel to be routed to
+ other tunnels as well as the host (used for mobile devices like laptops)
+ soft-route: remove these routes from the host's routing table when
+ the tunnel link quality is zero
+
+Netlink will dump its current routing table to the system/log on
+receipt of SIGUSR1.
+
** slip
Defines:
route-path (string): optional, path to route command
plus generic netlink options, as for 'null-netlink'
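Review bot: the new paragraph says that in point-to-point mode "the "routes" option must also be specified", but "routes" is listed only among the keys of the second-stage dict that exists in non-point-to-point mode, and the null-netlink dict keys given above it (name, local-address, secnet-address, ptp-address, mtu) do not include it; state where "routes" goes in point-to-point mode. Also give the default for "allow-route" and "soft-route" (presumably off unless listed, but the text should say so), since "allow-route" turns the host into a router between peers. "dump its current routing table to the system/log" reads oddly; "to the log" is probably meant.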
+ I recommend you don't specify the 'interface' option unless you're
+ doing something that requires the interface name to be constant.
+
** rsa
Defines:
Defines:
sha1 (hash closure)
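Review bot: the added recommendation not to specify the "interface" option gives no reason; say what goes wrong when the name is fixed, otherwise the reader cannot judge what "requires the interface name to be constant" is worth. The two new lines are also indented by a space, unlike the surrounding option text.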
+
+** conffile
+
+Defines:
+ makelist (dictionary => list of definitions)
+ readfile (string => string)
+ map (closure,list => list)
+
+makelist: dictionary
+ returns a list consisting of the definitions in the dictionary. The keys
+ are discarded.
+
+readfile: string
+ reads the named file and returns its contents as a string
+
+map:
+ applies the closure specified as arg1 to each of the elements in the list.
+ Returns a list made up of the outputs of the closure.
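Review bot: "readfile: reads the named file and returns its contents as a string" should say what a relative filename is resolved against (the configuration file's directory or the current working directory) and what happens when the file is missing or unreadable, since this is the natural way to pull key material into the configuration. For "makelist", state whether the returned list preserves the order of the definitions in the dictionary, as callers combining it with "map" will depend on that.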