=== modified file 'network-hooks.d/bridge'
--- network-hooks.d/bridge 2011-11-28 23:40:46 +0000
+++ network-hooks.d/bridge 2011-12-31 14:05:57 +0000
@@ -15,13 +15,18 @@
 CONFIG="$MANDOSNETHOOKDIR/bridge.conf"
-# Read config file, which must set "BRIDGE", "PORTS", and optionally
-# "IPADDRS" and "ROUTES".
+addrtoif(){
+ grep -liFe "$1" /sys/class/net/*/address \
+ | sed -e 's,.*/\([^/]*\)/[^/]*,\1,'
+}
+
+# Read config file, which must set "BRIDGE", "PORT_ADDRESSES", and
+# optionally "IPADDRS" and "ROUTES".
 if [ -e "$CONFIG" ]; then
 . "$CONFIG"
 fi
-if [ -z "$BRIDGE" -o -z "$PORTS" ]; then
+if [ -z "$BRIDGE" -o -z "$PORT_ADDRESSES" ]; then
 exit
 fi
@@ -39,11 +44,12 @@
 case "$1" in
 start)
 "$brctl" addbr "$BRIDGE"
- for port in $PORTS; do
- "$brctl" addif "$BRIDGE" "$port"
- ip link set up "$port"
+ for address in $PORT_ADDRESSES; do
+ interface=`addrtoif "$address"`
+ "$brctl" addif "$BRIDGE" "$interface"
+ ip link set dev "$interface" up
 done
- ip link set up "$BRIDGE"
+ ip link set dev "$BRIDGE" up
 sleep "$DELAY"
 if [ -n "$IPADDRS" ]; then
 for ipaddr in $IPADDRS; do
@@ -57,10 +63,11 @@
 fi
 ;;
 stop)
- ip link set down "$BRIDGE"
- for port in $PORTS; do
- ip link set down "$port"
- "$brctl" delif "$BRIDGE" "$port"
+ ip link set dev "$BRIDGE" down
+ for address in $PORT_ADDRESSES; do
+ interface=`addrtoif "$address"`
+ ip link set dev "$interface" down
+ "$brctl" delif "$BRIDGE" "$interface"
 done
 "$brctl" delbr "$BRIDGE"
 ;;
=== modified file 'network-hooks.d/bridge.conf'
--- network-hooks.d/bridge.conf 2011-11-24 20:15:24 +0000
+++ network-hooks.d/bridge.conf 2011-12-31 13:25:58 +0000
@@ -2,7 +2,7 @@
 #BRIDGE=br0
-#PORTS="eth0 eth1"
+#PORT_ADDRESSES="00:11:22:33:44:55 11:22:33:44:55:66"
 ## Optional
=== modified file 'network-hooks.d/openvpn'
--- network-hooks.d/openvpn 2011-12-02 16:52:50 +0000
+++ network-hooks.d/openvpn 2011-12-31 14:05:57 +0000
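Review bot: `addrtoif` in the first hunk matches `$1` as a case-insensitive fixed substring (`grep -liFe`), so a truncated or partial entry in `PORT_ADDRESSES` can match several `/sys/class/net/*/address` files, and an entry matching nothing leaves `interface` empty; the callers in the second and third hunks then run `"$brctl" addif` and `ip link set dev "$interface"` with a multi-line or empty name. Anchoring the match to the whole line, `grep -lixFe "$1" /sys/class/net/*/address \`, removes the substring case, and each caller should refuse an empty result, e.g. `[ -n "$interface" ] || { echo "no interface with address $address" >&2; exit 1; }`. The same helper is copied verbatim into the new `network-hooks.d/wireless` file, so the fix applies there too. The `case` statement containing the `start)` and `stop)` branches extends beyond both hunks.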
@@ -16,7 +16,9 @@
 CONFIG="openvpn.conf"
 # Extract the "dev" setting from the config file
-VPNDEVICE="`sed -n -e 's/#.*//' -e 's/^[[:space:]]*dev[[:space:]]\+//p' \"$MANDOSNETHOOKDIR/$CONFIG\"`"
+VPNDEVICE=`sed -n -e 's/[[:space:]]#.*//' \
+ -e 's/^[[:space:]]*dev[[:space:]]\+//p' \
+ "$MANDOSNETHOOKDIR/$CONFIG"`
 PIDFILE=/run/openvpn-mandos.pid
@@ -34,7 +36,9 @@
 case "$1" in
 start)
- "$openvpn" --cd "$MANDOSNETHOOKDIR" --daemon 'openvpn(Mandos)' --writepid "$PIDFILE" --config "$CONFIG"
+ "$openvpn" --cd "$MANDOSNETHOOKDIR" \
+ --daemon 'openvpn(Mandos)' --writepid "$PIDFILE" \
+ --config "$CONFIG"
 sleep "$DELAY"
 ;;
 stop)
=== added file 'network-hooks.d/wireless'
--- network-hooks.d/wireless 1970-01-01 00:00:00 +0000
+++ network-hooks.d/wireless 2011-12-31 14:05:57 +0000
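Review bot: The rewritten `VPNDEVICE=` assignment keeps backticks, which is exactly what forced the broken `\"$MANDOSNETHOOKDIR/$CONFIG\"` escaping on the removed line; `$(...)` is POSIX sh, nests quotes without escaping, and would make the three-line command read as `VPNDEVICE=$(sed -n -e 's/[[:space:]]#.*//' \` … `"$MANDOSNETHOOKDIR/$CONFIG")`. The comment-stripping expression also changed from `s/#.*//` to `s/[[:space:]]#.*//`, so a `#` not preceded by whitespace now survives in the extracted value; if that is intended, a comment such as `# strip trailing comments; a '#' only starts a comment after whitespace` would stop the next editor from reverting it. The second hunk only re-wraps the `openvpn` invocation.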
@@ -0,0 +1,157 @@
+#!/bin/sh
+#
+# This is an example of a Mandos client network hook. This hook
+# brings up a wireless interface as specified in a separate
+# configuration file. To be used, this file and any needed
+# configuration file(s) should be copied into the
+# /etc/mandos/network-hooks.d directory.
+#
+# Copying and distribution of this file, with or without modification,
+# are permitted in any medium without royalty provided the copyright
+# notice and this notice are preserved. This file is offered as-is,
+# without any warranty.
+
+set -e
+
+RUNDIR="/run"
+CTRL="$RUNDIR/wpa_supplicant-global"
+CTRLDIR="$RUNDIR/wpa_supplicant"
+PIDFILE="$RUNDIR/wpa_supplicant-mandos.pid"
+
+CONFIG="$MANDOSNETHOOKDIR/wireless.conf"
+
+addrtoif(){
+ grep -liFe "$1" /sys/class/net/*/address \
+ | sed -e 's,.*/\([^/]*\)/[^/]*,\1,'
+}
+
+# Read config file
+if [ -e "$CONFIG" ]; then
+ . "$CONFIG"
+else
+ exit
+fi
+
+ifkeys=`env | sed -n -e 's/^ADDRESS_\([^=]*\)=.*/\1/p' "$CONFIG" \
+ | sort -u`
+
+# Exit if DEVICE is set and is not any of the wireless interfaces
+if [ -n "$DEVICE" ]; then
+ while :; do
+ for KEY in $ifkeys; do
+ ADDRESS=`eval 'echo "$ADDRESS_'"$KEY"\"`
+ INTERFACE=`addrtoif "$ADDRESS"`
+ if [ "$INTERFACE" = "$DEVICE" ]; then
+ break 2
+ fi
+ done
+ exit
+ done
+fi
+
+wpa_supplicant=/sbin/wpa_supplicant
+wpa_cli=/sbin/wpa_cli
+ip=/bin/ip
+
+# Used by the wpa_interface_* functions in the wireless.conf file
+wpa_cli_set(){
+ case "$1" in
+ ssid|psk) arg="\"$2\"" ;;
+ *) arg="$2" ;;
+ esac
+ "$wpa_cli" -p "$CTRLDIR" -i "$INTERFACE" set_network "$NETWORK" \
+ "$1" "$arg" 2>&1 | sed -e '/^OK$/d'
+}
+
+if [ $VERBOSITY -gt 0 ]; then
+ WPAS_OPTIONS="-d $WPAS_OPTIONS"
+fi
+if [ -n "$PIDFILE" ]; then
+ WPAS_OPTIONS="-P$PIDFILE $WPAS_OPTIONS"
+fi
+
+case "${MODE:-$1}" in
+ start)
+ mkdir -m u=rwx,go= -p "$CTRLDIR"
+ "$wpa_supplicant" -B -g "$CTRL" -p "$CTRLDIR" $WPAS_OPTIONS
+ for KEY in $ifkeys; do
+ ADDRESS=`eval 'echo "$ADDRESS_'"$KEY"\"`
+ INTERFACE=`addrtoif 
"$ADDRESS"`
+ DRIVER=`eval 'echo "$WPA_DRIVER_'"$KEY"\"`
+ IFDELAY=`eval 'echo "$DELAY_'"$KEY"\"`
+ "$wpa_cli" -g "$CTRL" interface_add "$INTERFACE" "" \
+ "${DRIVER:-wext}" "$CTRLDIR" > /dev/null \
+ | sed -e '/^OK$/d'
+ NETWORK=`"$wpa_cli" -p "$CTRLDIR" -i "$INTERFACE" \
+ add_network`
+ eval wpa_interface_"$KEY"
+ "$wpa_cli" -p "$CTRLDIR" -i "$INTERFACE" enable_network \
+ "$NETWORK" | sed -e '/^OK$/d'
+ sleep "${IFDELAY:-$DELAY}" &
+ sleep=$!
+ while :; do
+ kill -0 $sleep 2>/dev/null || break
+ STATE=`"$wpa_cli" -p "$CTRLDIR" -i "$INTERFACE" \
+ status | sed -n -e 's/^wpa_state=//p'`
+ if [ "$STATE" = COMPLETED ]; then
+ while :; do
+ kill -0 $sleep 2>/dev/null || break 2
+ UP=`cat /sys/class/net/"$INTERFACE"/operstate`
+ if [ "$UP" = up ]; then
+ kill $sleep 2>/dev/null
+ break 2
+ fi
+ sleep 1
+ done
+ fi
+ sleep 1
+ done &
+ wait $sleep || :
+ IPADDRS=`eval 'echo "$IPADDRS_'"$KEY"\"`
+ if [ -n "$IPADDRS" ]; then
+ if [ "$IPADDRS" = dhcp ]; then
+ ipconfig -c dhcp -d "$INTERFACE" || :
+ #dhclient "$INTERFACE"
+ else
+ for ipaddr in $IPADDRS; do
+ "$ip" addr add "$ipaddr" dev "$INTERFACE"
+ done
+ fi
+ fi
+ ROUTES=`eval 'echo "$ROUTES_'"$KEY"\"`
+ if [ -n "$ROUTES" ]; then
+ for route in $ROUTES; do
+ "$ip" route add "$route" dev "$BRIDGE"
+ done
+ fi
+ done
+ ;;
+ stop)
+ "$wpa_cli" -g "$CTRL" terminate 2>&1 | sed -e '/^OK$/d'
+ for KEY in $ifkeys; do
+ ADDRESS=`eval 'echo "$ADDRESS_'"$KEY"\"`
+ INTERFACE=`addrtoif "$ADDRESS"`
+ "$ip" addr show scope global permanent dev "$INTERFACE" \
+ | while read type addr rest; do
+ case "$type" in
+ inet|inet6)
+ "$ip" addr del "$addr" dev "$INTERFACE"
+ ;;
+ esac
+ done
+ "$ip" link set dev "$INTERFACE" down
+ done
+ ;;
+ files)
+ echo "$wpa_supplicant"
+ echo "$wpa_cli"
+ echo "$ip"
+ ;;
+ modules)
+ if [ "$IPADDRS" = dhcp ]; then
+ echo af_packet
+ fi
+ sed -n -e 's/#.*$//' -e 's/[ ]*$//' \
+ -e 's/^MODULE_[^=]\+=//p' "$CONFIG"
+ ;;
+esac
=== added file 'network-hooks.d/wireless.conf'
--- 
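Review bot: In the `start)` branch, `"$ip" route add "$route" dev "$BRIDGE"` refers to `$BRIDGE`, which nothing in this file sets (it is the bridge hook's variable), so every route from `ROUTES_<key>` is added with an empty device name and, under the `set -e` at the top of the file, the failing `ip` call presumably aborts the hook; it should read `"$ip" route add "$route" dev "$INTERFACE"`. The `modules)` branch tests `"$IPADDRS"`, but `IPADDRS` is only assigned inside the `start)` loop from `IPADDRS_<key>`, so `af_packet` is never printed for a key configured with `dhcp`; it needs the same per-key `eval` loop that `start)` uses. Separately, `ifkeys=\`env | sed -n ... "$CONFIG" | sort -u\`` hands sed a file operand, so the piped `env` output is discarded and the `env |` stage can be dropped. `if [ $VERBOSITY -gt 0 ]` also leaves the expansion unquoted; `[ "${VERBOSITY:-0}" -gt 0 ]` keeps the test well-formed when the variable is absent.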
network-hooks.d/wireless.conf 1970-01-01 00:00:00 +0000
+++ network-hooks.d/wireless.conf 2011-12-31 13:25:58 +0000
@@ -0,0 +1,23 @@
+# Extra options for wpa_supplicant, if any
+#WPAS_OPTIONS=""
+
+# wlan0
+ADDRESS_0=00:11:22:33:44:55
+MODULE_0=ath9k
+#WPA_DRIVER_0=wext
+wpa_interface_0(){
+ # Use this format to set simple things:
+ wpa_cli_set ssid home
+ wpa_cli_set psk "secret passphrase"
+ # Use this format to do more complex things with wpa_cli:
+ #"$wpa_cli" -p "$CTRLDIR" -i "$INTERFACE" bssid "$NETWORK" 00:11:22:33:44:55
+ #"$wpa_cli" -g "$CTRL" ping
+}
+#DELAY_0=10
+IPADDRS_0=dhcp
+#IPADDRS_0="192.0.2.3/24 2001:DB8::aede:48ff:fe71:f6f2/32"
+#ROUTES_0="192.0.2.0/24 2001:DB8::/32"
+
+#ADDRESS_1=11:22:33:44:55:66
+#MODULE_1=...
+#...
=== modified file 'plugins.d/mandos-client.c'
--- plugins.d/mandos-client.c 2011-12-25 00:40:09 +0000
+++ plugins.d/mandos-client.c 2011-12-30 18:48:49 +0000
@@ -1450,7 +1450,7 @@
 perror_plus("setenv");
 _exit(EX_OSERR);
 }
- ret = setenv("VERBOSE", debug ? "1" : "0", 1);
+ ret = setenv("VERBOSITY", debug ? "1" : "0", 1);
 if(ret == -1){
 perror_plus("setenv");
 _exit(EX_OSERR);
@@ -1473,6 +1473,13 @@
 _exit(EX_OSERR);
 }
 free(delaystring);
+ if(connect_to != NULL){
+ ret = setenv("CONNECT", connect_to, 1);
+ if(ret == -1){
+ perror_plus("setenv");
+ _exit(EX_OSERR);
+ }
+ }
 if(execl(fullname, direntry->d_name, mode, NULL) == -1){
 perror_plus("execl");
 _exit(EXIT_FAILURE);
@@ -1601,7 +1608,7 @@
 .group = 2 },
 { .name = "retry", .key = 132, .arg = "SECONDS",
- .doc = "Retry interval used when denied by the mandos server",
+ .doc = "Retry interval used when denied by the Mandos server",
 .group = 2 },
 { .name = "network-hook-dir", .key = 133, .arg = "DIR",
=== modified file 'plugins.d/mandos-client.xml'
--- plugins.d/mandos-client.xml 2011-11-27 14:44:28 +0000
+++ plugins.d/mandos-client.xml 2011-12-27 03:56:39 +0000
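Review bot: The new `wireless.conf` carries the Wi-Fi passphrase in clear text (`wpa_cli_set psk "secret passphrase"`) and is sourced as shell code by the hook (`. "$CONFIG"` in `network-hooks.d/wireless`), yet its header says neither; the example should state both so that an administrator installs it readable by root only and understands that anything written in it runs with the hook's privileges. A header comment along the lines of `# This file is sourced by the wireless network hook as shell code and holds the network PSK: install it owned by root with mode 0600.` would cover it. The `psk` value is also handed to `wpa_cli` on its command line by `wpa_cli_set`, which is how the hook is built, but the same comment is the place to say that the passphrase is briefly visible in the process list while `wpa_cli` runs.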
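Review bot: The second hunk sets `CONNECT` only when `connect_to != NULL`, but the hook is started with `execl`, which passes the current environment on unchanged, so a `CONNECT` variable already present in the plugin's environment would presumably reach the hook even when no connect option was given, contradicting the "only set if ... is passed" wording added to `mandos-client.xml`. An `else` branch calling `unsetenv("CONNECT")`, with the same `perror_plus`/`_exit(EX_OSERR)` handling the surrounding `setenv` calls use, would make the documented contract hold regardless of the inherited environment. The enclosing function begins before the hunk; the first hunk is a rename and the third a documentation-string fix.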
@@ -583,7 +583,23 @@
 This will be the same as the
- option passed to &COMMANDNAME;.
+ option passed to &COMMANDNAME;. Is
+ only set if MODE is
+ start or
+ stop.
+
+
+
+
+ CONNECT
+
+
+ This will be the same as the
+ option passed to &COMMANDNAME;. Is
+ only set if is passed and
+ MODE is
+ start or
+ stop.