chiark / gitweb /
Fix uninitialized variable in p_create.
[tripe] / doc / tripe-admin.5
CommitLineData
d6623498 1.\" -*-nroff-*-
2.TH tripe-admin 5 "18 February 2001" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
3.SH NAME
4tripe-admin \- administrator commands for TrIPE
5.SH DESCRIPTION
6This manual page describes the administration interface provided by the
7.BR tripe (8)
8daemon.
9.PP
10The
11.BR tripectl (8)
12program can be used either interactively or in scripts to communicate
13with the server using this interface. Alternatively, simple custom
14clients can be written in scripting languages such as Perl, Python or
15Tcl, or more advanced clients such as GUI monitors can be written in C
16with little difficulty.
17.PP
18By default, the server listens for admin connections on the Unix-domain
19socket
20.BR /var/lib/tripe/tripesock .
21Administration commands use a simple textual protocol. Each client
22command or server response consists of a line of ASCII text terminated
8bc63560 23by a single linefeed character. No command may be longer than 255
24characters.
d6623498 25.SS "General structure"
26Each command or response line consists of a sequence of
27whitespace-separated words. The number and nature of whitespace
28characters separating two words in a client command is not significant;
29the server always uses a single space character. The first word in a
30line is a
31.I keyword
32identifying the type of command or response contained. Keywords in
33client commands are not case-sensitive; the server always uses uppercase
34for its keywords.
35.SS "Server responses"
36For client command, the server responds with zero or more
37.B INFO
38lines, followed by either an
39.B OK
40line or a
41.B FAIL
42line. Each
43.B INFO
44provides information requested in the command. An
45.B OK
46response contains no further data. A
47.B FAIL
3cdc3f3a 48code is followed by a machine-readable explanation of why the command
d6623498 49failed.
50.PP
3cdc3f3a 51In addition, there are three types of asynchronous messages which
d6623498 52aren't associated with any particular command. The
53.B WARN
3cdc3f3a 54message contains a machine-readable message warning of an error
d6623498 55encountered while processing a command, unexpected or unusual behaviour
56by a peer, or a possible attack by an adversary. Under normal
57conditions, the server shouldn't emit any warnings. The
58.B TRACE
3cdc3f3a 59message contains a human-readable tracing message containing diagnostic
d6623498 60information. Trace messages are controlled using the
61.B \-T
62command-line option to the server, or the
63.B TRACE
64administration command (see below). Support for tracing can be disabled
65when the package is being configured, and may not be available in your
3cdc3f3a 66version. Finally, the
67.B NOTE
68message is a machine-readable notification about some routine but
69interesting event such as creation or destruction of peers.
70.PP
71The presence of asynchronous messages can be controlled using the
72.B WATCH
73command.
74.SS "Network addresses"
75A network address is a sequence of words. The first is a token
76identifying the network address family. The length of an address and
77the meanings of the subsequent words depend on the address family.
78Address family tokens are not case-sensitive on input; on output, they
79are always in upper-case.
80.PP
81At present, only one address family is understood.
82.TP
83.BI "INET " address " " port
84An Internet socket, naming an IPv4 address and UDP port. On output, the
85address is always in numeric dotted-quad form, and the port is given as
86a plain number. On input, DNS hostnames and symbolic port names are
87permitted. Name resolution does not block the main server, but will
88block the requesting client. This hopefully makes life simpler for
89stupid clients. Complex clients which don't wish to be held up can open
90extra connections or do the resolution themselves.)
91.PP
92If, on input, no recognised address family token is found, the following
93words are assumed to represent an
94.B INET
95address.
96.SH "COMMAND REFERENCE"
d6623498 97The commands provided are:
98.TP
42da2a58 99.BI "ADD " peer " \fR[" options "\fR] " address "\fR..."
3cdc3f3a 100Adds a new peer. The peer is given the name
101.IR peer ;
102the peer's public key is assumed to be in the file
103.B keyring.pub
104(or whatever alternative file was specified in the
105.B \-K
106option on the command line). The
107.I address
108is the network address (see above for the format) at which the peer can
42da2a58 109be contacted. The following options are recognised.
110.RS
111.TP
0ba8de86 112.BI "\-keepalive " time
113Send a no-op packet if we've not sent a packet to the peer in the last
114.I time
115interval. This is useful for persuading port-translating firewalls to
116believe that the `connection' is still active. The
117.I time
118is expressed as a nonnegative integer followed optionally by
119.BR d ,
120.BR h ,
121.BR m ,
122or
123.BR s
124for days, hours, minutes, or seconds respectively; if no suffix is
125given, seconds are assumed.
126.TP
127.BI "\-tunnel " tunnel
42da2a58 128Use the named tunnel driver, rather than the default.
129.RE
3cdc3f3a 130.TP
131.BI "ADDR " peer
132Emits an
133.B INFO
134line reporting the IP address and port number stored for
135.IR peer .
136.TP
137.B "DAEMON"
138Causes the server to disassociate itself from its terminal and become a
139background task. This only works once. A warning is issued.
140.TP
0ba8de86 141.BI "EPING \fR[" options "\fR] " peer
142Sends an encrypted ping to the peer, and expects an encrypted response.
143This checks that the peer is running (and not being impersonated), and
144that it can encrypt and decrypt packets correctly. Options and
145responses are the same as for the
146.B PING
147command.
148.TP
d6623498 149.B "HELP"
150Causes the server to emit an
151.B INFO
152line for each command it supports. Each line lists the command name,
153followed by the names of the arguments. This may be helpful as a memory
154aid for interactive use, or for program clients probing for features.
3cdc3f3a 155.TP
156.BI "IFNAME " peer
157Emits an
158.B INFO
159line containing the name of the network interface used to collect IP
160packets which are to be encrypted and sent to
161.IR peer .
162Used by configuration scripts so that they can set up routing tables
163appropriately after adding new peers.
164.TP
165.BI "KILL " peer
166Causes the server to forget all about
167.IR peer .
168All keys are destroyed, and no more packets are sent. No notification
169is sent to the peer: if it's important that the peer be notified, you
170must think of a way to do that yourself.
171.TP
172.B "LIST"
173For each currently-known peer, an
174.B INFO
175line is written containing the peer's name, as given to
176.BR ADD .
177.TP
bd58d532 178.BI "NOTIFY " tokens\fR...
179Issues a
180.B USER
181notification to all interested administration clients.
182.TP
0ba8de86 183.BI "PING \fR[" options "\fR] " peer
184Send a transport-level ping to the peer. The ping and its response are
185not encrypted or authenticated. This command, possibly in conjunction
186with tracing, is useful for ensuring that UDP packets are actually
187flowing in both directions. See also the
188.B EPING
189command.
190.IP
191An
192.B INFO
193line is printed describing the outcome:
194.RS
195.TP
196.BI "ping-ok " millis
197A response was received
198.I millis
199after the ping was sent.
200.TP
201.BI "ping-timeout"
202No response was received within the time allowed.
203.TP
204.BI "ping-peer-died"
205The peer was killed (probably by another admin connection) before a
206response was received.
207.RE
208.IP
209Options recognized for this command are:
210.RS
211.TP
212.BI "\-timeout " time
213Wait for
214.I time
215seconds before giving up on a response. The default is 5 seconds. (The
216time format is the same as for the
217.B "ADD \-keepalive"
218option.)
219.RE
220.TP
3cdc3f3a 221.B "PORT"
222Emits an
223.B INFO
224line containing just the number of the UDP port used by the
225.B tripe
226server. If you've allowed your server to allocate a port dynamically,
227this is how to find out which one it chose.
228.TP
229.B "QUIT"
230Instructs the server to exit immediately. A warning is sent.
231.TP
232.BI "STATS " peer
233Emits a number of
234.B INFO
235lines, each containing one or more statistics in the form
236.IB name = value \fR.
237The statistics-gathering is experimental and subject to change.
d6623498 238.TP
239.BR "TRACE " [\fIoptions\fP]
240A trace argument consists of a string of letters (listed below)
241selecting trace outputs, optionally interspersed with
242.RB ` + '
243to enable, or
244.RB ` \- '
245to disable, the subsequently listed outputs; the initial behaviour is to
246enable listed outputs. For example, the string
247.B ra\-st+x
248enables tracing of peer management, admin-connection handling and
249key-exchange processing, and disables tracing of symmetric keyset
250management and the system-specific tunnel driver. If no argument is
251given, a table is returned showing the available tracing option letters
252and their meanings. Programs should not attempt to parse this table:
253its format is not guaranteed to remain the same.
254.RS
2d752320 255.PP
d6623498 256Currently, the following tracing options are supported:
257.TP
258.B t
259Tunnel events: reception of packets to be encrypted, and injection of
260successfully-decrypted packets.
261.TP
262.B r
263Peer management events: creation and destruction of peer attachments,
264and arrival of messages.
265.TP
266.B a
267Administration interface: acceptance of new connections, and handling of
268the backgroud name-resolution required by the
269.B ADD
270command.
271.TP
272.B p
273Display contents of packets sent and received by the tunnel and/or peer
274modules.
275.TP
276.B c
277Display inputs, outputs and intermediate results of cryptographic
278operations. This includes plaintext and key material. Use with
279caution.
280.TP
281.B s
282Handling of symmetric keysets: creation and expiry of keysets, and
283encryption and decryption of messages.
284.TP
285.B x
286Key exchange: reception, parsing and emission of key exchange messages.
287.TP
288.B m
289Key management: loading keys and checking for file modifications.
290.PP
291Note that the
292.B p
293(packet contents)
294and
295.B c
296(crypto details)
297outputs provide extra detail for other outputs. Specifying
298.B p
299without
300.B r
301or
302.B t
303isn't useful; neither is specifying
304.B c
305without one of
306.BR s ,
307.B x
308or
309.BR m .
3cdc3f3a 310.TP
311.B A
312All of the above.
d6623498 313.RE
314.TP
3cdc3f3a 315.BR "WATCH " [\fIoptions\fP]
316Enables or disables asynchronous messages
317.IR "for the current connection only" .
318This command has no effect on other connections. A watch argument
319consists of a string of letters (listed below) selecting message types,
320optionally interspersed with
321.RB ` + '
322to enable, or
323.RB ` \- '
324to disable, the subsequently listed types, similar to
325.B trace
326above. The default watch state for the connection the server opens
327automatically on stdin/stdout is to show warnings and trace messages;
328other connections show no asynchronous messages. (This is done in order
329to guarantee that a program reading the server's stdout does not miss
330any warnings.)
331.RS
332.PP
333Currently, the following watch options are supported:
334.TP
335.B t
336.B TRACE
337messages.
338.TP
339.B n
340.B NOTE
341messages.
342.TP
343.B w
344.B WARN
345messages.
346.TP
347.B a
348All of the above.
349.RE
350.TP
351.B "VERSION"
352Causes the server to emit an
d6623498 353.B INFO
3cdc3f3a 354line stating its software version, as two words: the server name, and
355its version string. The server name
d6623498 356.B tripe
3cdc3f3a 357is reserved to the Straylight/Edgeware implementation.
bd58d532 358.TP
359.BI "WARN " tokens\fR...
360Issues a
361.B USER
362warning to all interested administration clients.
3cdc3f3a 363.SH "ERROR MESSAGES"
364The following
365.B FAIL
366messages are sent to clients as a result of errors during command
367processing.
d6623498 368.TP
3cdc3f3a 369.BI "already-daemon"
370(For
371.BR DAEMON .)
372The
373.B tripe
374server is already running as a daemon.
d6623498 375.TP
3cdc3f3a 376.BI "bad-syntax \-\- " message
377(For any command.) The command couldn't be understood: e.g., the number
378of arguments was wrong.
d6623498 379.TP
0ba8de86 380.BI "bad-time-spec " word
381The
382.I word
383is not a valid time interval specification. Acceptable time
384specifications are nonnegative integers followed optionally by
385.BR d ,
386.BR h ,
387.BR m ,
388or
389.BR s ,
390for days, hours, minutes, or seconds, respectively.
391.TP
3cdc3f3a 392.BI "bad-trace-option " char
393(For
394.BR TRACE .)
395An unknown trace option was requested.
396.TP
397.BI "bad-watch-option " char
398(For
399.BR WATCH .)
400An unknown watch option was requested.
401.TP
402.BI "daemon-error \-\- " message
403(For
404.BR DAEMON .)
405An error occurred during the attempt to become a daemon, as reported by
406.IR message .
407.TP
408.BI "invalid-port " number
409(For
410.BR ADD .)
411The given port number is out of range.
412.TP
413.BI "peer-create-fail " peer
414(For
415.BR ADD .)
416Adding
417.I peer
418failed for some reason. A warning should have been emitted explaining
419why.
420.TP
421.BI "peer-exists " peer
422(For
423.BR ADD .)
424There is already a peer named
d6623498 425.IR peer .
426.TP
0ba8de86 427.B "ping-send-failed"
428The attempt to send a ping packet failed, probably due to lack of
429encryption keys.
430.TP
3cdc3f3a 431.BI "resolve-error " hostname
432(For
433.BR ADD .)
434The DNS name
435.I hostname
436could not be resolved.
437.TP
438.BI "resolver-timeout " hostname
439(For
440.BR ADD .)
441The DNS name
442.I hostname
443took too long to resolve.
444.TP
445.BI "unknown-command " token
446The command
447.B token
448was not recognised.
449.TP
450.BI "unknown-peer " name
451(For
452.BR ADDR ,
453.BR IFNAME ,
454.BR KILL ,
455and
456.BR STATS .)
457There is no peer called
458.IR name .
459.TP
460.BI "unknown-service " service
461(For
462.BR ADD .)
463The service name
464.I service
465couldn't be found in
466.BR /etc/services .
467.SH "NOTIFICATIONS"
468The following notifications are sent to clients who request them.
469.TP
42da2a58 470.BI "ADD " peer " " ifname " " address \fR...
3cdc3f3a 471A new peer has been added. The peer's name is
42da2a58 472.IR peer ,
473its tunnel is network interface
474.IR ifname ,
3cdc3f3a 475and its network address is
476.IR address .
477.TP
478.BI "DAEMON"
479The server has forked off into the sunset and become a daemon.
d6623498 480.TP
481.BI "KILL " peer
3cdc3f3a 482The peer
483.I peer
484has been killed.
d6623498 485.TP
3cdc3f3a 486.BI "KXDONE " peer
487Key exchange with
488.I peer
489finished successfully.
490.TP
491.BI "KXSTART " peer
492Key exchange with
493.I peer
494has begun or restarted. If key exchange keeps failing, this message
495will be repeated periodically.
bd58d532 496.TP
497.BI "USER " tokens\fR...
498An administration client issued a notification using the
499.B NOTIFY
500command.
3cdc3f3a 501.SH "WARNINGS"
502There are many possible warnings. They are categorized according to
503their first tokens.
504.SS "ABORT warnings"
505These all indicate that the
d6623498 506.B tripe
3cdc3f3a 507server has become unable to continue. If enabled, the server will dump
508core in its configuration directory.
d6623498 509.TP
3cdc3f3a 510.BI "ABORT repeated-select-errors"
511The main event loop is repeatedly failing. If the server doesn't quit,
512it will probably waste all available CPU doing nothing.
513.SS "ADMIN warnings"
514These indicate a problem with the administration socket interface.
515.TP
516.BI "ADMIN accept-error \-\- " message
517There was an error while attempting to accept a connection from a new
518client.
519.TP
520.BI "ADMIN client-read-error \-\- " message
521There was an error sending data to a client. The connection to the
522client has been closed.
523.SS "KEYMGMT warnings"
524These indicate a problem with the keyring files, or the keys stored in
525them.
526.TP
527.BI "KEYMGMT bad-private-key \-\- " message
528The private key could not be read, or failed a consistency check. If
529there was a problem with the file, usually there will have been
530.B key-file-error
531warnings before this.
532.TP
533.BI "KEYMGMT bad-public-keyring \-\- " message
534The public keyring couldn't be read. Usually, there will have been
535.B key-file-error
536warnings before this.
537.TP
538.BI "KEYMGMT key-file-error " file ":" line " \-\- " message
539Reports a specific error with the named keyring file. This probably
540indicates a bug in
541.BR key (1).
542.TP
543.BI "KEYMGMT public-key " tag " " tokens\fR...
544These messages all indicate a problem with the public key named
545.IR tag .
546.TP
547.BI "KEYMGMT public-key " tag " algorithm-mismatch"
548The algorithms specified on the public key don't match the ones for our
549private key. All the peers in a network have to use the same
550algorithms.
551.TP
552.BI "KEYMGMT public-key " tag " bad \-\- " message
553The public key couldn't be read, or is invalid.
554.TP
555.BI "KEYMGMT public-key " tag " bad-public-group-element"
556The public key is invalid. This may indicate a malicious attempt to
557introduce a bogus key.
558.TP
559.BI "KEYMGMT public-key " tag " bad-algorithm-selection"
560The algorithms listed on the public key couldn't be understood. The
561algorithm selection attributes are probably malformed and need fixing.
562.TP
563.BI "KEYMGMT public-key " tag " incorrect-group"
564The public key doesn't use the same group as our private key. All the
565peers in a network have to use the same group.
566.TP
567.BI "KEYMGMT public-key " tag " not-found"
568The public key for peer
569.I tag
570wasn't in the public keyring.
571.TP
572.BI "KEYMGMT public-key " tag " unknown-type"
573The type of the public key isn't understood. Maybe you need to upgrade
574your copy of
575.BR tripe .
576(Even if you do, you'll have to regenerate your keys.)
577.SS "KX warnings"
578These indicate problems during key-exchange. Many indicate either a bug
579in the server (either yours or the remote one), or some kind of attack
580in progress. All name a
581.I peer
582as the second token: this is the peer the packet is apparently from,
583though it may have been sent by an attacker instead.
584.PP
585In the descriptions below,
586.I msgtoken
587is one of the tokens
588.BR pre-challenge ,
589.BR cookie ,
590.BR challenge ,
591.BR reply ,
592.BR switch-rq ,
593or
594.BR switch-ok .
595.TP
596.BI "KX " peer " bad-expected-reply-log"
597The challenges
598.B tripe
599uses in its protocol contain a check value which proves that the
600challenge is honest. This message indicates that the check value
601supplied is wrong: someone is attempting to use bogus challenges to
602persuade your
603.B tripe
604server to leak private key information. No chance!
605.TP
bd58d532 606.BI "KX " peer " decrypt-failed reply\fR|\fBswitch-ok"
3cdc3f3a 607A symmetrically-encrypted portion of a key-exchange message failed to
608decrypt.
609.TP
610.BI "KX " peer " invalid " msgtoken
611A key-exchange message was malformed. This almost certainly indicates a
612bug somewhere.
613.TP
bd58d532 614.BI "KX " peer " incorrect cookie\fR|\fBswitch-rq\fR|\fBswitch-ok"
3cdc3f3a 615A message didn't contain the right magic data. This may be a replay of
616some old exchange, or random packets being sent in an attempt to waste
617CPU.
618.TP
619.BI "KX " peer " public-key-expired"
620The peer's public key has expired. It's maintainer should have given
621you a replacement before now.
622.TP
623.BI "KX " peer " sending-cookie"
624We've received too many bogus pre-challenge messages. Someone is trying
625to flood us with key-exchange messages and make us waste CPU on doing
626hard asymmetric crypto sums.
627.TP
628.BI "KX " peer " unexpected " msgtoken
629The message received wasn't appropriate for this stage of the key
630exchange process. This may mean that one of our previous packets got
631lost. For
632.BR pre-challenge ,
633it may simply mean that the peer has recently restarted.
634.TP
635.BI "KX " peer " unknown-challenge"
636The peer is asking for an answer to a challenge which we don't know
637about. This may mean that we've been inundated with challenges from
638some malicious source
639.I who can read our messages
640and discarded the valid one.
641.TP
642.BI "KX " peer " unknown-message 0x" nn
643An unknown key-exchange message arrived.
644.SS "PEER warnings"
645These are largely concerned with management of peers and the low-level
646details of the network protocol. The second word is usually the name of
647a peer, or
648.RB ` \- '
649if none is relevant.
650.TP
3cdc3f3a 651.BI "PEER " peer " bad-packet no-type"
652An empty packet arrived. This is very strange.
653.TP
654.BI "PEER " peer " bad-packet unknown-category 0x" nn
655The message category
656.I nn
657(in hex) isn't understood. Probably a strange random packet from
658somewhere; could be an unlikely bug.
659.TP
660.BI "PEER " peer " bad-packet unknown-type 0x" nn
661The message type
662.I nn
663(in hex) isn't understood. Probably a strange random packet from
664somewhere; could be an unlikely bug.
665.TP
0ba8de86 666.BI "PEER " peer " corrupt-encrypted-ping"
667The peer sent a ping response which matches an outstanding ping, but its
668payload is wrong. There's definitely a bug somewhere.
669.TP
670.BI "PEER " peer " corrupt-transport-ping"
671The peer (apparently) sent a ping response which matches an outstanding
672ping, but its payload is wrong. Either there's a bug, or the bad guys
673are playing tricks on you.
674.TP
3cdc3f3a 675.BI "PEER " peer " decrypt-failed"
676An encrypted IP packet failed to decrypt. It may have been mangled in
677transit, or may be a very old packet from an expired previous session
678key. There is usually a considerable overlap in the validity periods of
679successive session keys, so this shouldn't occur unless the key exchange
680takes ages or fails.
681.TP
0ba8de86 682.BI "PEER " peer " malformed-encrypted-ping"
683The peer sent a ping response which is hopelessly invalid. There's
684definitely a bug somewhere.
685.TP
686.BI "PEER " peer " malformed-transport-ping"
687The peer (apparently) sent a ping response which is hopelessly invalid.
688Either there's a bug, or the bad guys are playing tricks on you.
689.TP
3cdc3f3a 690.BI "PEER " peer " packet-build-failed"
691There wasn't enough space in our buffer to put the packet we wanted to
692send. Shouldn't happen.
693.TP
694.BI "PEER \- socket-read-error \-\- " message
695An error occurred trying to read an incoming packet.
696.TP
697.BI "PEER " peer " socket-write-error \-\- " message
698An error occurred attempting to send a network packet. We lost that
699one.
0ba8de86 700.TP
701.BI "PEER " peer " unexpected-encrypted-ping 0x" id
702The peer sent an encrypted ping response whose id doesn't match any
703outstanding ping. Maybe it was delayed for longer than the server was
704willing to wait, or maybe the peer has gone mad.
705.TP
706.BI "PEER \- unexpected-source " address\fR...
707A packet arrived from
708.I address
709(a network address \(en see above), but no peer is known at that
710address. This may indicate a misconfiguration, or simply be a result of
711one end of a connection being set up before the other.
712.TP
713.BI "PEER " peer " unexpected-transport-ping 0x" id
714The peer (apparently) sent a transport ping response whose id doesn't
715match any outstanding ping. Maybe it was delayed for longer than the
716server was willing to wait, or maybe the peer has gone mad; or maybe
717there are bad people trying to confuse you.
3cdc3f3a 718.SS "SERVER warnings"
719These indicate problems concerning the server process as a whole.
720.TP
721.BI "SERVER ignore signal " name
722A signal arrived, but the server ignored it. Currently this happens for
723.B SIGHUP
724because that's a popular way of telling daemons to re-read their
725configuration files. Since
726.B tripe
727re-reads its keyrings automatically and has no other configuration
728files, it's not relevant, but it seemed better to ignore the signal than
729let the server die.
730.TP
731.BI "SERVER quit signal " \fR[\fInn\fR|\fIname\fR]
732A signal arrived and
733.B tripe
734is going to quit.
735.TP
736.BI "SERVER quit admin-request"
737A client of the administration interface issued a
738.B QUIT
739command.
740.TP
741.BI "SERVER select-error \-\- " message
742An error occurred in the server's main event loop. This is bad: if it
743happens too many times, the server will abort.
744.SS "SYMM warnings"
745These are concerned with the symmetric encryption and decryption
746process.
747.TP
748.BI "SYMM replay old-sequence"
749A packet was received with an old sequence number. It may just have
750been delayed or duplicated, or it may have been an attempt at a replay
751attack.
752.TP
753.BI "SYMM replay duplicated-sequence"
754A packet was received with a sequence number we've definitely seen
755before. It may be an accidental duplication because the 'net is like
756that, or a deliberate attempt at a replay.
757.SS "TUN warnings"
758These concern the workings of the system-specific tunnel driver. The
759second word is the name of the tunnel interface in question, or
760.RB ` \- '
761if none.
762.TP
763.BI "TUN \- bsd no-tunnel-devices"
764The driver couldn't find an available tunnel device. Maybe if you
765create some more
766.BI /dev/tun nn
767files, it will work.
768.TP
769.BI "TUN - open-error " device " \-\- " message
770An attempt to open the tunnel device file
771.I device
772failed.
773.TP
3cdc3f3a 774.BI "TUN \- linux config-error \-\- " message
775Configuring the Linux TUN/TAP interface failed.
776.TP
42da2a58 777.BI "TUN " ifname " read-error \-\- " message
778Reading from the tunnel device failed.
3cdc3f3a 779.TP
42da2a58 780.BI "TUN " ifname " slip bad-escape"
781The SLIP driver encountered a escaped byte it wasn't expecting to see.
782The erroneous packet will be ignored.
b9066fbb 783.TP
784.BI "TUN " ifname " slip eof"
785The SLIP driver encountered end-of-file on its input descriptor.
786Pending data is discarded, and no attempt is made to read any more data
787from that interface ever.
788.TP
789.BI "TUN " ifname " slip escape-end"
790The SLIP driver encountered an escaped `end' marker. This probably
791means that someone's been sending it junk. The erroneous packet is
792discarded, and we hope that we've rediscovered synchronization.
793.TP
42da2a58 794.BI "TUN \- slip fork-error \-\- " message
795The SLIP driver encountered an error forking a child process while
796allocating a new dynamic interface.
797.TP
798.BI "TUN \- slip no-slip-interfaces"
799The driver ran out of static SLIP interfaces. Either preallocate more,
800or use dynamic SLIP interface allocation.
b9066fbb 801.TP
802.BI "TUN " ifname " slip overflow"
803The SLIP driver gave up reading a packet because it got too large.
42da2a58 804.TP
805.BI "TUN \- slip pipe-error \-\- " message
806The SLIP driver encountered an error creating pipes while allocating a
807new dynamic interface.
808.TP
809.BI "TUN \- slip read-ifname-failed \-\- " message
810The SLIP driver encountered an error reading the name of a dynamically
811allocated interface. Maybe the allocation script is broken.
812.TP
813.BI "TUN \- unet config-error \-\- " message
814Configuring the Linux Unet interface failed. Unet is obsolete and
815shouldn't be used any more.
816.TP
817.BI "TUN \- unet getinfo-error \-\- " message
818Reading information about the Unet interface failed. Unet is obsolete
819and shouldn't be used any more.
820.TP
821.BI "TUN \- unet ifname-too-long \-\- " message
822The Unet interface's name overflowed, so we couldn't read it properly.
823Unet is obsolete and shouldn't be used any more.
bd58d532 824.SS "USER warnings"
825These are issued by administration clients using the
826.B WARN
827command.
828.TP
829.BI "USER " tokens\fR...
830An administration client issued a warning.
d6623498 831.SH "SEE ALSO"
832.BR tripectl (1),
833.BR tripe (8).
834.PP
3cdc3f3a 835.IR "The Trivial IP Encryption Protocol" .
d6623498 836.SH "AUTHOR"
d36eda2a 837Mark Wooding, <mdw@distorted.org.uk>