"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "edge.8" between
n2n-3.0.tar.gz and n2n-3.1.1.tar.gz

About: n2n is a layer-two peer-to-peer virtual private network (VPN) which allows bypassing intermediate firewalls.
Pre-release.

edge.8 (n2n-3.0) compared with edge.8 (n2n-3.1.1)

Both versions read identically except for the two options marked "(n2n-3.1.1 only)".

[skipping to change at line 92 (n2n-3.0) / line 92 (n2n-3.1.1)]

       -H     use header encryption, supernode needs fixed community
       -z1 ... -z2
              compress outgoing data packets, -z1 = lzo1x, disabled by default
       --select-rtt
              select supernode by round trip time if several to choose from (federation), defaults
              to load-based selection strategy if not provided.
       --select-mac   (n2n-3.1.1 only)
              select supernode by MAC address if several to choose from (federation), lowest MAC
              address first.
       --no-port-forwarding   (n2n-3.1.1 only)
              disables the default behavior of trying to have the edge's port forwarded through a
              router eventually supporting it (only if compiled with miniupnp and/or natpmp
              library support).

TAP DEVICE AND OVERLAY NETWORK CONFIGURATION
       -a [mode]<ip>[/n]
              interface address and optional CIDR subnet, default '/24', mode = [static|dhcp]:,
              for DHCP use '-r -a dhcp:0.0.0.0', edge draws IP address from supernode if no
              '-a ...' given
       -m <mac>
              start the TAP interface with the given MAC address. This is highly recommended as it
              means the same address will be used if edge stops and restarts. If this is not done,
              the ARP caches of all peers will be wrong and packets will not flow to this edge
              until the next ARP refresh. e.g. '-m 10:20:30:40:50:60', by default a random MAC
              address is used.
       -d <device>, --device=<device>
              TAP device name
       -M <mtu>
              specify n2n MTU of TAP interface, default 1290
       -r     enable IP packet forwarding/routing through the n2n virtual LAN. Without this
              option, IP packets arriving over n2n are dropped if not for the -a <addr> (or DHCP
              assigned) IP address of the edge interface.
       -E     accept packets destined for multicast ethernet MAC addresses. These addresses are
              used in multicast ethernet and IPv6 neighbour discovery. If this option is not
              present these multicast packets are discarded as most users do not need or
              understand them.
       -I <description>
              annotate the edge's description used for easier identification in management port
              output or username
       -J <password>
              password for user-password edge authentication (see also N2N_PASSWORD in
              ENVIRONMENT)
       -P <public key>
              federation public key for user-password authentication
       -R <rule_str>
              Add a rule to drop or accept specific packets transmitted over the edge network
              interface. -R rule_str can be used multiple times to add multiple rules; each
              -R rule_str adds one rule.
              rule_str format: "src_ip/len:[b_port,e_port],dst_ip/len:[s_port,e_port],TCP+/-,UDP+/-,ICMP+/-".
              ip/len denotes a CIDR block; len may be omitted, in which case the single IP (not a
              CIDR block) is used in the filter rule.
              +,- after the TCP, UDP or ICMP proto type indicates whether packets of that proto
              are allowed or dropped. If any of the three protos is missing, the rule does not
              take effect for that proto.
              The port range [s_port,e_port] can be replaced by a single port number. If not
              specified, [0,65535] is used. The port range includes start_port and end_port. If
              multiple rules match a packet's IPs and ports, the rule with the smaller CIDR block
              (smaller address space) is selected, i.e. rules with a larger len value have higher
              priority.
              Packets that do not match any rule are accepted by default; users can add rules to
              block traffic. This behavior can be changed by adding the rule
              `0.0.0.0/0:[0,65535],0.0.0.0/0:[0,65535],TCP-,UDP-,ICMP-`. Then all traffic is
              dropped and users need to add rules to allow traffic.
              for example: `-R 0.0.0.0/0,0.0.0.0/0,TCP-,UDP-,ICMP- -R 192.168.100.0/24,192.168.100.0/24,ICMP+`
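The following Python model of the -R rule_str filter is an added example, not code from n2n: it parses rule strings in the format documented above (CIDR with optional len, optional port or [b,e] range, TCP/UDP/ICMP verdicts) and reproduces the documented precedence (no match means accept; among matching rules the smallest CIDR block wins). Two points the man page leaves open are assumptions here: "smaller cidr block" is measured as the combined src and dst prefix length, and the port check is skipped for ICMP, which carries no ports. Useful for checking what a rule set will do before putting it on a live edge.

```python
"""Model of edge's -R <rule_str> packet filter (added example, not n2n's own code)."""
import ipaddress
import re
from dataclasses import dataclass, field

PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)([+-])$")
# split on commas that are NOT inside a [b_port,e_port] bracket pair
TOP_SPLIT = re.compile(r",(?![^\[]*\])")


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    src_ports: tuple
    dst: ipaddress.IPv4Network
    dst_ports: tuple
    verdict: dict = field(default_factory=dict)  # "TCP" -> True (accept) / False (drop)

    @property
    def specificity(self):
        # Assumption: "smaller cidr block" = larger combined prefix length.
        return self.src.prefixlen + self.dst.prefixlen


def _parse_endpoint(text):
    """'ip/len:[b,e]', 'ip/len:port', 'ip/len' or bare 'ip' -> (network, (lo, hi))."""
    addr, _, ports = text.partition(":")
    net = ipaddress.ip_network(addr, strict=False)  # bare ip -> /32, as the man page says
    if not ports:
        prange = (0, 65535)                          # default when no port is given
    elif ports.startswith("[") and ports.endswith("]"):
        lo, hi = ports[1:-1].split(",")
        prange = (int(lo), int(hi))
    else:
        prange = (int(ports), int(ports))           # single port number
    if not 0 <= prange[0] <= prange[1] <= 65535:
        raise ValueError(f"bad port range in {text!r}")
    return net, prange


def parse_rule(rule_str):
    parts = TOP_SPLIT.split(rule_str)
    if len(parts) < 3:
        raise ValueError(f"rule needs src, dst and at least one proto: {rule_str!r}")
    src, src_ports = _parse_endpoint(parts[0])
    dst, dst_ports = _parse_endpoint(parts[1])
    rule = Rule(src, src_ports, dst, dst_ports)
    for tok in parts[2:]:
        m = PROTO_RE.match(tok)
        if not m:
            raise ValueError(f"bad proto token {tok!r} in {rule_str!r}")
        rule.verdict[m.group(1)] = m.group(2) == "+"
    return rule


def parse_rules(rule_strs):
    return [parse_rule(r) for r in rule_strs]


def decide(rules, proto, src_ip, dst_ip, src_port=0, dst_port=0):
    """True = accept, False = drop. Assumption: ICMP has no ports, so its port check is skipped."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for r in rules:
        if proto not in r.verdict:          # proto not listed: rule has no effect for it
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if proto != "ICMP":
            if not (r.src_ports[0] <= src_port <= r.src_ports[1]
                    and r.dst_ports[0] <= dst_port <= r.dst_ports[1]):
                continue
        if best is None or r.specificity > best.specificity:
            best = r
    return True if best is None else best.verdict[proto]


# The man page's own example: deny-all base rule plus an ICMP allow inside one /24.
EXAMPLE_RULES = parse_rules([
    "0.0.0.0/0,0.0.0.0/0,TCP-,UDP-,ICMP-",
    "192.168.100.0/24,192.168.100.0/24,ICMP+",
])

if __name__ == "__main__":
    print(decide(EXAMPLE_RULES, "ICMP", "192.168.100.5", "192.168.100.7"))          # True
    print(decide(EXAMPLE_RULES, "TCP", "192.168.100.5", "192.168.100.7", 40000, 22))  # False
    print(decide([], "TCP", "10.0.0.1", "10.0.0.2", 1, 2))                           # True
```

Note that the deny-all base rule has to list all three protos explicitly; a rule that omits, say, UDP leaves UDP at the default of accept, which is easy to overlook when reading a rule set.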
       -x <metric>
              set TAP interface metric, defaults to 0 (auto), e.g. set to 1 for better multiplayer
              game detection.
              (Windows only)

LOCAL OPTIONS
       -f     do not fork and run as a daemon, rather run in foreground
       -t <port>
              binds the edge management system to the given UDP port. Default 5644. Use this if
              you need to run multiple instances of edge, or if something else is bound to that
              port.
       --management-password <password>
              sets the password for access to the JSON API at the management port, defaults to
              'n2n'. The password has to be provided when using 'scripts/n2n-ctl',
              'scripts/n2n-httpd' or for any other relevant access to the JSON API at the
              management port.
       -v, --verbose
              make more verbose, repeat as required
       -n <cidr:gateway>
              route an IPv4 network via the gateway, use 0.0.0.0/0 for the default gateway, can
              be set multiple times
       -u <UID>, --euid=<UID>
              numeric user ID to use when privileges are dropped
       -g <GID>, --egid=<GID>
              numeric group ID to use when privileges are dropped
       -h     write usage then exit.

[skipping to change at line 196 (n2n-3.0) / line 203 (n2n-3.1.1)]

       N2N_KEY
              set the encryption key so it is not visible at the command line
       N2N_COMMUNITY
              set the community name so it is not visible at the command line
       N2N_PASSWORD
              set the password for user-password authentication so it is not visible at the
              command line
EXAMPLES
       edge -d n2n0 -c mynetwork -k encryptme -u 99 -g 99 -m DE:AD:BE:EF:01:23 -a 192.168.254.7 -p 50001 -l 123.121.120.119:7654
              Start edge with TAP device n2n0 on community "mynetwork" with community supernode at
              123.121.120.119 UDP port 7654 and bind the locally used UDP port to 50001. Use
              "encryptme" as the single permanent shared encryption key. Assign MAC address
              DE:AD:BE:EF:01:23 to the n2n interface and drop to user=99 and group=99 after the
              TAP device is successfully configured.
              Add the -f option to stop edge running as a daemon.
       Somewhere else setup another edge with similar parameters, eg.
       edge -d n2n0 -c mynetwork -k encryptme -u 99 -g 99 -m DE:AD:BE:EF:01:21 -a 192.168.254.5 -p 50001 -l 123.121.120.119:7654
       Now you can ping from 192.168.254.5 to 192.168.254.7.
       The MAC address (-m <MAC>) and virtual IP address (-a <addr>) must be different on all
       edges in the same community.

CLEARTEXT MODE
       If -k is not specified then edge uses cleartext mode. In cleartext mode there is no
       transform of the packet data (it is not encrypted). This is useful for debugging n2n as
       packet contents can be seen clearly.
       To prevent accidental exposure of data, edge only enters cleartext mode when no keying
       parameters are specified. In the case where keying parameters are specified but no valid
       keys can be determined, edge exits with an error at startup. If all keys become invalid
       while running, edge continues to encode using the last key that was valid.

MANAGEMENT INTERFACE
       Edge provides a very simple management system on UDP port 5644. Send a newline to receive
       a status output. Send 'stop' to cause edge to exit cleanly.
       echo | nc -w1 -u 127.0.0.1 5644
              Shows the current statistics of a running edge.

EXIT STATUS
       edge is a daemon and any exit is an error.

AUTHORS
       Richard Andrews
 End of changes. 21 change blocks. 
55 lines changed or deleted 65 lines changed or added
