/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

Viewing changes to plugins.d/mandos-client.xml

  • Committer: Teddy Hogeborn
  • Date: 2012-06-13 22:06:57 UTC
  • mto: (237.7.144 trunk)
  • mto: This revision was merged to the branch mainline in revision 302.
  • Revision ID: teddy@recompile.se-20120613220657-qvq7c7nrndl3t413

* plugins.d/mandos-client.c (get_flags): Don't clobber errno.
  (up_interface): Removed; replaced with "interface_is_up".
  (interface_is_up, interface_is_running,
   lower_privileges_permanently, take_down_interface): New.
  (bring_up_interface): Return "error_t".  Use new functions
                        "interface_is_up", "get_flags", and
                        "interface_is_running".
  (main): Save all interfaces either autodetected or specified with
          --interface in argz vector "interfaces".  Save interfaces to
          take down on exit in argz vector "interfaces_to_take_down".
          Save interface names for DEVICE variable to network hooks as
          argz_vector "interfaces_hooks".  Bug fix: Be privileged
          while stopping network hooks.
* plugins.d/mandos-client.xml (SYNOPSIS): Changed --interface synopsis.
  (DESCRIPTION): Updated to document use of all interfaces.
  (OPTIONS): Updated description of "--interface".
* network-hooks.d/bridge: Parse comma-separated DEVICE environment
                          variable.
* network-hooks.d/openvpn: - '' -
* network-hooks.d/wireless: - '' -

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2014-06-22">
 
5
<!ENTITY TIMESTAMP "2012-06-13">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
36
36
      <year>2012</year>
37
 
      <year>2013</year>
38
 
      <year>2014</year>
39
37
      <holder>Teddy Hogeborn</holder>
40
38
      <holder>Björn Påhlsson</holder>
41
39
    </copyright>
220
218
            assumed to separate the address from the port number.
221
219
          </para>
222
220
          <para>
223
 
            Normally, Zeroconf would be used to locate Mandos servers,
224
 
            in which case this option would only be used when testing
225
 
            and debugging.
 
221
            This option is normally only useful for testing and
 
222
            debugging.
226
223
          </para>
227
224
        </listitem>
228
225
      </varlistentry>
229
226
      
230
227
      <varlistentry>
231
228
        <term><option>--interface=<replaceable
232
 
        >NAME</replaceable><arg rep='repeat'>,<replaceable
233
 
        >NAME</replaceable></arg></option></term>
 
229
        >NAME</replaceable></option></term>
234
230
        <term><option>-i
235
 
        <replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable
236
 
        >NAME</replaceable></arg></option></term>
 
231
        <replaceable>NAME</replaceable></option></term>
237
232
        <listitem>
238
233
          <para>
239
234
            Comma separated list of network interfaces that will be
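Review bot: the option terms at 229 and 231 show a single NAME for --interface and -i, but the unchanged description line at 239/234 still begins "Comma separated list of network interfaces". The synopsis and the description should agree: if a list is accepted, keep the repeatable form from lines 231-236 (the "arg rep='repeat'" element with the leading comma) in both terms; if only one name is accepted, the description line needs rewording too.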
242
237
            use all appropriate interfaces.
243
238
          </para>
244
239
          <para>
245
 
            If the <option>--connect</option> option is used, and
246
 
            exactly one interface name is specified (except
247
 
            <quote><literal>none</literal></quote>), this specifies
248
 
            the interface to use to connect to the address given.
 
240
            If the <option>--connect</option> option is used, this
 
241
            specifies the interface to use to connect to the address
 
242
            given.
249
243
          </para>
250
244
          <para>
251
245
            Note that since this program will normally run in the
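Review bot: the --connect paragraph at 240-242 says the option "specifies the interface to use to connect to the address given" without saying what happens when more than one name, or "none", is passed, even though the context line at 242/237 talks about using "all appropriate interfaces". The wording at 245-248 states the condition ("exactly one interface name is specified (except none)"); either keep that qualifier or document what the client does with --connect when several names are given.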
260
254
          </para>
261
255
          <para>
262
256
            <replaceable>NAME</replaceable> can be the string
263
 
            <quote><literal>none</literal></quote>; this will make
264
 
            <command>&COMMANDNAME;</command> only bring up interfaces
265
 
            specified <emphasis>before</emphasis> this string.  This
266
 
            is not recommended, and only meant for advanced users.
 
257
            <quote><literal>none</literal></quote>; this will not use
 
258
            any specific interface, and will not bring up an interface
 
259
            on startup.  This is not recommended, and only meant for
 
260
            advanced users.
267
261
          </para>
268
262
        </listitem>
269
263
      </varlistentry>
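Review bot: the two descriptions of "none" in this hunk describe different behaviour, and the one at 263-266 leaves a gap: it says only interfaces specified before the string are brought up, but not what happens to names listed after it (ignored, or used without being brought up). Since both wordings call the setting "not recommended", the paragraph should state explicitly which interfaces the client will then search and connect on, so the reader can tell what a misplaced "none" costs.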
514
508
              It is not necessary to print any non-executable files
515
509
              already in the network hook directory, these will be
516
510
              copied implicitly if they otherwise satisfy the name
517
 
              requirements.
 
511
              requirement.
518
512
            </para>
519
513
          </listitem>
520
514
        </varlistentry>
668
662
    </para>
669
663
    <informalexample>
670
664
      <para>
671
 
        Normal invocation needs no options, if the network interfaces
 
665
        Normal invocation needs no options, if the network interface
672
666
        can be automatically determined:
673
667
      </para>
674
668
      <para>
677
671
    </informalexample>
678
672
    <informalexample>
679
673
      <para>
680
 
        Search for Mandos servers (and connect to them) using one
681
 
        specific interface:
 
674
        Search for Mandos servers (and connect to them) using another
 
675
        interface:
682
676
      </para>
683
677
      <para>
684
678
        <!-- do not wrap this line -->
748
742
    <para>
749
743
      It will also help if the checker program on the server is
750
744
      configured to request something from the client which can not be
751
 
      spoofed by someone else on the network, like SSH server key
752
 
      fingerprints, and unlike unencrypted <acronym>ICMP</acronym>
753
 
      echo (<quote>ping</quote>) replies.
 
745
      spoofed by someone else on the network, unlike unencrypted
 
746
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
754
747
    </para>
755
748
    <para>
756
749
      <emphasis>Note</emphasis>: This makes it completely insecure to
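Review bot: the sentence at 745-746 tells the reader to have the checker request something that cannot be spoofed, but names only the counter-example (unencrypted ICMP echo replies). The wording at 751-753 also gives a positive example, "like SSH server key fingerprints"; that example should stay in the text, so the reader has a concrete check to configure rather than only a check to avoid.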
849
842
              <para>
850
843
                This client uses IPv6 link-local addresses, which are
851
844
                immediately usable since a link-local addresses is
852
 
                automatically assigned to a network interface when it
 
845
                automatically assigned to a network interfaces when it
853
846
                is brought up.
854
847
              </para>
855
848
            </listitem>
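Review bot: line 845 reads "a network interfaces", which disagrees in number; line 852 has the correct "a network interface". The unchanged context line at 851/844 has the same kind of slip ("a link-local addresses is") and could be corrected to "a link-local address is" in the same change.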