=== modified file 'debian/mandos-client.README.Debian'
--- debian/mandos-client.README.Debian	2011-10-05 16:00:56 +0000
+++ debian/mandos-client.README.Debian	2011-11-27 14:44:28 +0000
@@ -51,6 +51,11 @@
   disk environment, the network interface *must* exist at that stage.
   Thus, the interface can *not* be a pseudo-interface such as "br0" or
   "tun0"; instead, only real interface (such as "eth0") can be used.
+  This can be overcome by writing a "network hook" program to create
+  the interface (see mandos-client(8mandos)) and placing it in
+  "/etc/mandos/network-hooks.d", from where it will be copied into the
+  initial RAM disk.  Example network hook scripts can be found in
+  "/usr/share/doc/mandos-client/network-hooks.d".
 
 * User-Supplied Plugins
   
@@ -84,4 +89,4 @@
   work, "--options-for=mandos-client:--connect=<ADDRESS>:<PORT>" needs
   to be manually added to the file "/etc/mandos/plugin-runner.conf".
 
- -- Teddy Hogeborn <teddy@recompile.se>, Wed,  5 Oct 2011 17:50:22 +0200
+ -- Teddy Hogeborn <teddy@fukt.bsnet.se>, Sun, 27 Nov 2011 15:06:34 +0100

=== modified file 'debian/mandos-client.docs'
--- debian/mandos-client.docs	2008-10-18 11:17:22 +0000
+++ debian/mandos-client.docs	2011-11-27 02:32:20 +0000
@@ -1,3 +1,4 @@
 NEWS
 README
 TODO
+network-hooks.d

=== modified file 'debian/rules'
--- debian/rules	2010-09-09 18:16:14 +0000
+++ debian/rules	2011-11-27 14:44:28 +0000
@@ -85,7 +85,8 @@
 	dh_fixperms --exclude etc/keys/mandos \
 		--exclude etc/mandos/clients.conf \
 		--exclude etc/mandos/plugins.d \
-		--exclude usr/lib/mandos/plugins.d
+		--exclude usr/lib/mandos/plugins.d \
+		--exclude /usr/share/doc/mandos-client/network-hooks.d
 	dh_installdeb
 	dh_shlibdeps
 	dh_gencontrol

=== modified file 'initramfs-tools-hook'
--- initramfs-tools-hook	2011-11-13 20:49:21 +0000
+++ initramfs-tools-hook	2011-11-27 14:44:28 +0000
@@ -72,7 +72,7 @@
 
 # Make directories
 install --directory --mode=u=rwx,go=rx "${DESTDIR}${CONFDIR}" \
-	"${DESTDIR}${MANDOSDIR}"
+	"${DESTDIR}${MANDOSDIR}" "${DESTDIR}${HOOKDIR}"
 install --owner=${mandos_user} --group=${mandos_group} --directory \
     --mode=u=rwx "${DESTDIR}${PLUGINDIR}"
 
@@ -111,18 +111,27 @@
 for hook in /etc/mandos/network-hooks.d/*; do
     case "`basename \"$hook\"`" in
 	"*") continue ;;
-	*[!A-Za-z0-9_-]*) continue ;;
+	*[!A-Za-z0-9_.-]*) continue ;;
 	*) test -d "$hook" || copy_exec "$hook" "${HOOKDIR}" ;;
     esac
-    # Copy any files needed by the network hook
-    MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=files \
-	"$hook" files | while read file target; do
-	if [ -z "${target}" ]; then
-	    copy_exec "$file"
-	else
-	    copy_exec "$file" "$target"
-	fi
-    done
+    if [ -x "$hook" ]; then
+        # Copy any files needed by the network hook
+	MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=files \
+	    VERBOSITY=0 "$hook" files | while read file target; do
+	    if [ -z "${target}" ]; then
+		copy_exec "$file"
+	    else
+		copy_exec "$file" "$target"
+	    fi
+	done
+        # Copy and load any modules needed by the network hook
+	MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=modules \
+	    VERBOSITY=0 "$hook" modules | while read module; do
+	    if [ -z "${target}" ]; then
+		force_load "$module"
+	    fi
+	done
+    fi
 done
 
 # GPGME needs /usr/bin/gpg

=== modified file 'network-hooks.d/bridge'
--- network-hooks.d/bridge	2011-11-24 20:15:24 +0000
+++ network-hooks.d/bridge	2011-11-27 14:44:28 +0000
@@ -56,6 +56,9 @@
 	;;
     files)
 	echo /bin/ip
-	echo /usr/bin/brctl
+	echo /usr/sbin/brctl
+	;;
+    modules)
+	echo bridge
 	;;
 esac

=== modified file 'plugins.d/mandos-client.c'
--- plugins.d/mandos-client.c	2011-11-24 21:29:56 +0000
+++ plugins.d/mandos-client.c	2011-11-27 15:32:06 +0000
@@ -73,7 +73,7 @@
 				*/
 #include <unistd.h>		/* close(), SEEK_SET, off_t, write(),
 				   getuid(), getgid(), seteuid(),
-				   setgid(), pause() */
+				   setgid(), pause(), _exit() */
 #include <arpa/inet.h>		/* inet_pton(), htons, inet_ntop() */
 #include <iso646.h>		/* not, or, and */
 #include <argp.h>		/* struct argp_option, error_t, struct
@@ -1412,34 +1412,34 @@
 	ret = setenv("MANDOSNETHOOKDIR", hookdir, 1);
 	if(ret == -1){
 	  perror_plus("setenv");
-	  return false;
+	  _exit(EX_OSERR);
 	}
 	ret = setenv("DEVICE", interface, 1);
 	if(ret == -1){
 	  perror_plus("setenv");
-	  return false;
+	  _exit(EX_OSERR);
 	}
 	ret = setenv("VERBOSE", debug ? "1" : "0", 1);
 	if(ret == -1){
 	  perror_plus("setenv");
-	  return false;
+	  _exit(EX_OSERR);
 	}
 	ret = setenv("MODE", mode, 1);
 	if(ret == -1){
 	  perror_plus("setenv");
-	  return false;
+	  _exit(EX_OSERR);
 	}
 	char *delaystring;
 	ret = asprintf(&delaystring, "%f", delay);
 	if(ret == -1){
 	  perror_plus("asprintf");
-	  return false;
+	  _exit(EX_OSERR);
 	}
 	ret = setenv("DELAY", delaystring, 1);
 	if(ret == -1){
 	  free(delaystring);
 	  perror_plus("setenv");
-	  return false;
+	  _exit(EX_OSERR);
 	}
 	free(delaystring);
 	ret = execl(fullname, direntry->d_name, mode, NULL);

=== modified file 'plugins.d/mandos-client.xml'
--- plugins.d/mandos-client.xml	2011-11-13 20:49:21 +0000
+++ plugins.d/mandos-client.xml	2011-11-27 14:44:28 +0000
@@ -2,7 +2,7 @@
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
 	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY COMMANDNAME "mandos-client">
-<!ENTITY TIMESTAMP "2011-10-03">
+<!ENTITY TIMESTAMP "2011-11-27">
 <!ENTITY % common SYSTEM "../common.ent">
 %common;
 ]>
@@ -102,7 +102,8 @@
       </arg>
       <sbr/>
       <arg>
-	<option>--network-hook-dir<replaceable>DIR</replaceable></option>
+	<option>--network-hook-dir
+	<replaceable>DIR</replaceable></option>
       </arg>
       <sbr/>
       <arg>
@@ -147,6 +148,26 @@
       will wait indefinitely for new servers to appear.
     </para>
     <para>
+      The network interface is selected like this: If an interface is
+      specified using the <option>--interface</option> option, that
+      interface is used.  Otherwise, <command>&COMMANDNAME;</command>
+      will choose any interface that is up and running and is not a
+      loopback interface, is not a point-to-point interface, is
+      capable of broadcasting and does not have the NOARP flag (see
+      <citerefentry><refentrytitle>netdevice</refentrytitle>
+      <manvolnum>7</manvolnum></citerefentry>).  (If the
+      <option>--connect</option> option is used, point-to-point
+      interfaces and non-broadcast interfaces are accepted.)  If no
+      acceptable interfaces are found, re-run the check but without
+      the <quote>up and running</quote> requirement, and manually take
+      the selected interface up (and later take it down on program
+      exit).
+    </para>
+    <para>
+      Before a network interface is selected, all <quote>network
+      hooks</quote> are run; see <xref linkend="network-hooks"/>.
+    </para>
+    <para>
       This program is not meant to be run directly; it is really meant
       to run as a plugin of the <application>Mandos</application>
       <citerefentry><refentrytitle>plugin-runner</refentrytitle>
@@ -227,7 +248,8 @@
 	    can not be a pseudo-interface such as <quote>br0</quote>
 	    or <quote>tun0</quote>; such interfaces will not exist
 	    until much later in the boot process, and can not be used
-	    by this program.
+	    by this program, unless created by a <quote>network
+	    hook</quote> — see <xref linkend="network-hooks"/>.
 	  </para>
 	  <para>
 	    <replaceable>NAME</replaceable> can be the string
@@ -393,8 +415,10 @@
       <refentrytitle>plugin-runner</refentrytitle>
       <manvolnum>8mandos</manvolnum></citerefentry>) is used to run
       both this program and others in in parallel,
-      <emphasis>one</emphasis> of which will prompt for passwords on
-      the system console.
+      <emphasis>one</emphasis> of which (<citerefentry>
+      <refentrytitle>password-prompt</refentrytitle>
+      <manvolnum>8mandos</manvolnum></citerefentry>) will prompt for
+      passwords on the system console.
     </para>
   </refsect1>
   
@@ -421,6 +445,158 @@
     </para>
   </refsect1>
   
+  <refsect1 id="network-hooks">
+    <title>NETWORK HOOKS</title>
+    <para>
+      If a network interface like a bridge or tunnel is required to
+      find a Mandos server, this requires the interface to be up and
+      running before <command>&COMMANDNAME;</command> starts looking
+      for Mandos servers.  This can be accomplished by creating a
+      <quote>network hook</quote> program, and placing it in a special
+      directory.
+    </para>
+    <para>
+      Before the network is used (and again before program exit), any
+      runnable programs found in the network hook directory are run
+      with the argument <quote><literal>start</literal></quote> or
+      <quote><literal>stop</literal></quote>.  This should bring up or
+      down, respectively, any network interface which
+      <command>&COMMANDNAME;</command> should use.
+    </para>
+    <refsect2 id="hook-requirements">
+      <title>REQUIREMENTS</title>
+      <para>
+	A network hook must be an executable file, and its name must
+	consist entirely of upper and lower case letters, digits,
+	underscores, periods, and hyphens.
+      </para>
+      <para>
+	A network hook will receive one argument, which can be one of
+	the following:
+      </para>
+      <variablelist>
+	<varlistentry>
+	  <term><literal>start</literal></term>
+	  <listitem>
+	    <para>
+	      This should make the network hook create (if necessary)
+	      and bring up a network interface.
+	    </para>
+	  </listitem>
+	</varlistentry>
+	<varlistentry>
+	  <term><literal>stop</literal></term>
+	  <listitem>
+	    <para>
+	      This should make the network hook take down a network
+	      interface, and delete it if it did not exist previously.
+	    </para>
+	  </listitem>
+	</varlistentry>
+	<varlistentry>
+	  <term><literal>files</literal></term>
+	  <listitem>
+	    <para>
+	      This should make the network hook print, <emphasis>one
+	      file per line</emphasis>, all the files needed for it to
+	      run.  (These files will be copied into the initial RAM
+	      filesystem.)  Typical use is for a network hook which is
+	      a shell script to print its needed binaries.
+	    </para>
+	    <para>
+	      It is not necessary to print any non-executable files
+	      already in the network hook directory, these will be
+	      copied implicitly if they otherwise satisfy the name
+	      requirement.
+	    </para>
+	  </listitem>
+	</varlistentry>
+	<varlistentry>
+	  <term><literal>modules</literal></term>
+	  <listitem>
+	    <para>
+	      This should make the network hook print, <emphasis>on
+	      separate lines</emphasis>, all the kernel modules needed
+	      for it to run.  (These modules will be copied into the
+	      initial RAM filesystem.)  For instance, a tunnel
+	      interface needs the
+	      <quote><literal>tun</literal></quote> module.
+	    </para>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
+      <para>
+	The network hook will be provided with a number of environment
+	variables:
+      </para>
+      <variablelist>
+	<varlistentry>
+	  <term><envar>MANDOSNETHOOKDIR</envar></term>
+	  <listitem>
+	    <para>
+	      The network hook directory, specified to
+	      <command>&COMMANDNAME;</command> by the
+	      <option>--network-hook-dir</option> option.  Note: this
+	      should <emphasis>always</emphasis> be used by the
+	      network hook to refer to itself or any files in the hook
+	      directory it may require.
+	    </para>
+	  </listitem>
+	</varlistentry>
+	<varlistentry>
+	  <term><envar>DEVICE</envar></term>
+	  <listitem>
+	    <para>
+	      The network interface, as specified to
+	      <command>&COMMANDNAME;</command> by the
+	      <option>--interface</option> option.  If this is not the
+	      interface a hook will bring up, there is no reason for a
+	      hook to continue.
+	    </para>
+	  </listitem>
+	</varlistentry>
+	<varlistentry>
+	  <term><envar>MODE</envar></term>
+	  <listitem>
+	    <para>
+	      This will be the same as the first argument;
+	      i.e. <quote><literal>start</literal></quote>,
+	      <quote><literal>stop</literal></quote>,
+	      <quote><literal>files</literal></quote>, or
+	      <quote><literal>modules</literal></quote>.
+	    </para>
+	  </listitem>
+	</varlistentry>
+	<varlistentry>
+	  <term><envar>VERBOSITY</envar></term>
+	  <listitem>
+	    <para>
+	      This will be the <quote><literal>1</literal></quote> if
+	      the <option>--debug</option> option is passed to
+	      <command>&COMMANDNAME;</command>, otherwise
+	      <quote><literal>0</literal></quote>.
+	    </para>
+	  </listitem>
+	</varlistentry>
+	<varlistentry>
+	  <term><envar>DELAY</envar></term>
+	  <listitem>
+	    <para>
+	      This will be the same as the <option>--delay</option>
+	      option passed to <command>&COMMANDNAME;</command>.
+	    </para>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
+      <para>
+	A hook may not read from standard input, and should be
+	restrictive in printing to standard output or standard error
+	unless <varname>VERBOSITY</varname> is
+	<quote><literal>1</literal></quote>.
+      </para>
+    </refsect2>
+  </refsect1>
+  
   <refsect1 id="files">
     <title>FILES</title>
     <variablelist>
@@ -438,6 +614,17 @@
 	  </para>
 	</listitem>
       </varlistentry>
+      <varlistentry>
+	<term><filename
+	class="directory">/lib/mandos/network-hooks.d</filename></term>
+	<listitem>
+	  <para>
+	    Directory where network hooks are located.  Change this
+	    with the <option>--network-hook-dir</option> option.  See
+	    <xref linkend="network-hooks"/>.
+	  </para>
+	</listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>