authorIan Jackson <ijackson@chiark.greenend.org.uk>2017-04-17 18:11:18 +0100
committerIan Jackson <ijackson@chiark.greenend.org.uk>2017-04-17 18:11:18 +0100
commit08e5c1c8752d0dbf3cf404639e78a7e4276c1e1b (patch)
tree5a428985fe3c970b620fa5daaa779d3d783ab808
parentf2add8c1b19c46ff78655278643c3c2851db7566 (diff)
downloaduserv-utils-08e5c1c8752d0dbf3cf404639e78a7e4276c1e1b.tar.gz
ipif: wip new service-wrap: docs
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
-rw-r--r--ipif/service-wrap57
-rw-r--r--ipif/service.c8
2 files changed, 57 insertions, 8 deletions
diff --git a/ipif/service-wrap b/ipif/service-wrap
new file mode 100644
index 0000000..ad9de06
--- /dev/null
+++ b/ipif/service-wrap
@@ -0,0 +1,57 @@
+#!/usr/bin/perl -w
+#
+# When invoked appropriately, it creates a point-to-point network
+# interface with specified parameters. It arranges for packets sent out
+# via that interface by the kernel to appear on its own stdout in SLIP or
+# CSLIP encoding, and packets injected into its own stdin to be given to
+# the kernel as if received on that interface. Optionally, additional
+# routes can be set up to arrange for traffic for other address ranges to
+# be routed through the new interface.
+#
+# This is the access control wrapper for the service program.
+# Arrangments should be made to invoke this as root from userv.
+#
+# Usage:
+#
+# .../ipif1 <v1config> -- <service-args>...
+#
+# Config file is a series of lines.
+#
+# permit <keyword>....
+#
+# if caller, local addr, all remote addrs and networks, and
+# ifname, all match, permits the request (and stops reading
+# the config)
+#
+# group <groupname>|<gid>
+# matches caller if they are in that group
+# user <username>|<uid>
+# matches caller if they are that user
+# everyone
+# always matches caller
+#
+# hostnet <ipaddr>/<prefixlen>
+# equivalent to local <ipv4addr> remote <ipv4addr&prefix>
+# local <ipaddr>
+# matches local address when it is <ipv4addr>
+# remote <ipnetnet>/<prefixlen>
+# matches aplicable remote addrs (including p-t-p)
+# addrs <ipaddr>|<ipnetnet>/<prefixlen>
+# matches applicable local ore remote addrs
+#
+# ifname <ifname>
+# matches interface name if it is exactly <ifname>
+# (<ifname> may contain %d, which is interpreted by
+# the kernel)
+# wildcards are not supported
+# if a permit has no ifname at all, it is as if
+# `ifname userv%d' was specified
+#
+# v0config <v0configfile>
+#
+# If none of the `permit' lines match, will read <v0configfile>
+# in old format. Must be the last line in the file.
+#
+# <config> --
+
+use strict;
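Review bot: The config grammar in the header comment does not say what the wrapper does when no `permit` line matches and the file has no `v0config` line; for an access-control wrapper that is to be invoked as root, the fail-closed outcome should be written down, for example `# If no permit line matches and there is no v0config line, the request is refused.` (assuming refusal is the intended behaviour). The keyword descriptions also mix `<ipaddr>` and `<ipv4addr>` under `hostnet` and `local`, so a reader cannot tell whether IPv6 addresses are meant to be matchable. Because `<service-args>` presumably originate from the unprivileged userv caller, the shebang could also enable taint mode, `#!/usr/bin/perl -wT`, before any parsing code is added. The Usage line names `.../ipif1` while the file is `ipif/service-wrap`, and the trailing `# <config> --` line looks like a leftover.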
diff --git a/ipif/service.c b/ipif/service.c
index eacfc63..ca02330 100644
--- a/ipif/service.c
+++ b/ipif/service.c
@@ -1,14 +1,6 @@
/*
* userv service (or standalone program) for per-user IP subranges.
*
- * When invoked appropriately, it creates a point-to-point network
- * interface with specified parameters. It arranges for packets sent out
- * via that interface by the kernel to appear on its own stdout in SLIP or
- * CSLIP encoding, and packets injected into its own stdin to be given to
- * the kernel as if received on that interface. Optionally, additional
- * routes can be set up to arrange for traffic for other address ranges to
- * be routed through the new interface.
- *
* This is the service program, which is invoked as root from userv (or may
* be invoked firectly).
*