=== modified file 'Makefile'
--- Makefile 2011-11-24 21:12:35 +0000
+++ Makefile 2011-11-28 22:15:04 +0000
@@ -324,6 +324,8 @@
 install --mode=u=rwx \
 --directory "$(CONFDIR)/plugins.d"; \
 fi
+ install --mode=u=rwx,go=rx --directory \
+ "$(CONFDIR)/network-hooks.d"
 install --mode=u=rwx,go=rx \
 --target-directory=$(PREFIX)/lib/mandos plugin-runner
 install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
=== modified file 'debian/mandos-client.README.Debian'
--- debian/mandos-client.README.Debian 2011-11-27 14:44:28 +0000
+++ debian/mandos-client.README.Debian 2011-11-28 22:15:04 +0000
@@ -89,4 +89,4 @@
 work, "--options-for=mandos-client:--connect=
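Review bot: The new `network-hooks.d` directory is created `u=rwx,go=rx`, while the `plugins.d` directory two lines above it is created `u=rwx` only, and the openvpn sample added in this same change points a `secret openvpn.key` at this directory, so anything placed there is world-listable and only each file's own mode protects it. Either tighten the directory to match plugins.d, `install --mode=u=rwx --directory \` followed by `"$(CONFDIR)/network-hooks.d"`, or document in the README that secret files put in the hook directory must be mode 0600. The plugins.d install is also inside an `if … fi` whereas the new one runs unconditionally; presumably that is intended so existing installs gain the directory, but whether `install --directory` leaves a locally tightened mode alone on an existing directory is worth confirming. The install recipe starts before and continues after the hunk.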
:" needs to be manually added to the file "/etc/mandos/plugin-runner.conf".
- -- Teddy Hogeborn , Sun, 27 Nov 2011 15:06:34 +0100
+ -- Teddy Hogeborn , Mon, 28 Nov 2011 23:07:22 +0100
=== modified file 'initramfs-tools-hook'
--- initramfs-tools-hook 2011-11-27 14:44:28 +0000
+++ initramfs-tools-hook 2011-11-29 18:19:31 +0000
@@ -107,6 +107,16 @@
 esac
 done
+# Get DEVICE from initramfs.conf and other files
+. /etc/initramfs-tools/initramfs.conf
+for conf in /etc/initramfs-tools/conf.d/*; do
+ if [ -n `basename \"$conf\" | grep '^[[:alnum:]][[:alnum:]\._-]*$' \
+ | grep -v '\.dpkg-.*$'` ]; then
+ [ -f ${conf} ] && . ${conf}
+ fi
+done
+export DEVICE
+
 # Copy network hooks
 for hook in /etc/mandos/network-hooks.d/*; do
 case "`basename \"$hook\"`" in
@@ -118,6 +128,9 @@
 # Copy any files needed by the network hook
 MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=files \
 VERBOSITY=0 "$hook" files | while read file target; do
+ if [ ! -e "${file}" ]; then
+ echo "WARNING: file ${file} not found, requested by Mandos network hook '${hook##*/}'" >&2
+ fi
 if [ -z "${target}" ]; then
 copy_exec "$file"
 else
=== modified file 'network-hooks.d/bridge'
--- network-hooks.d/bridge 2011-11-28 00:27:49 +0000
+++ network-hooks.d/bridge 2011-11-28 23:40:46 +0000
@@ -29,13 +29,22 @@
 exit
 fi
+for b in /sbin/brctl /usr/sbin/brctl; do
+ if [ -e "$b" ]; then
+ brctl="$b"
+ break
+ fi
+done
+
 case "$1" in
 start)
- /usr/sbin/brctl addbr "$BRIDGE"
+ "$brctl" addbr "$BRIDGE"
 for port in $PORTS; do
- /usr/sbin/brctl addif "$BRIDGE" "$port"
+ "$brctl" addif "$BRIDGE" "$port"
+ ip link set up "$port"
 done
 ip link set up "$BRIDGE"
+ sleep "$DELAY"
 if [ -n "$IPADDRS" ]; then
 for ipaddr in $IPADDRS; do
 ip addr add "$ipaddr" dev "$BRIDGE"
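Review bot: The filename filter in the new conf.d loop is ineffective because the backquoted substitution in `[ -n `basename … | grep -v '\.dpkg-.*$'` ]` is unquoted: when the pipeline prints nothing the test collapses to `[ -n ]`, which is true, so `.dpkg-*` backups and any other rejected name are still sourced. Quote the substitution, most simply with `$(…)` which nests without the `\"` escaping, `if [ -n "$(basename "$conf" | grep '^[[:alnum:]][[:alnum:]\._-]*$' | grep -v '\.dpkg-.*$')" ]; then`, and quote the path on the next line too, `[ -f "${conf}" ] && . "${conf}"`. Since every accepted file is executed as shell with `.`, this filter is the only thing deciding which files in conf.d get to set `DEVICE` and anything else in the hook's environment, so it is worth getting right. The hook script continues before and after the hunk.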
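Review bot: The new missing-file warning in the second initramfs-tools-hook hunk is only a warning: the loop body falls through to `copy_exec "$file"` (or the `else` branch) with the same nonexistent path, so the failure is presumably reported a second time by copy_exec or quietly produces a broken entry in the image. Adding `continue` after the `echo` inside the new `if` keeps the warning and skips the copy. An empty `file` field (a hook whose `files` mode echoes a blank line, as the bridge hook can when `brctl` is never set) yields the message `WARNING: file  not found`, so a `[ -z "${file}" ] && continue` guard at the top of the loop body would be cheap. The `while read` loop begins in the hunk's context lines and continues after it.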
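Review bot: The probe loop at the top of the bridge hunk leaves `brctl` empty when neither `/sbin/brctl` nor `/usr/sbin/brctl` exists, and nothing checks it afterwards, so `"$brctl" addbr "$BRIDGE"` runs an empty command name with an unhelpful shell error and the `files` arm in the next hunk echoes a blank line. Add a guard after the loop, `if [ -z "$brctl" ]; then echo "brctl not found" >&2; exit 1; fi`, and consider testing `-x` rather than `-e` so a non-executable file is not selected. The same unset-variable issue applies to the `stop` and `files` arms in the following bridge hunk. The `case` statement continues past the end of the hunk.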
@@ -50,13 +59,14 @@
 stop)
 ip link set down "$BRIDGE"
 for port in $PORTS; do
- /usr/sbin/brctl delif "$BRIDGE" "$port"
+ ip link set down "$port"
+ "$brctl" delif "$BRIDGE" "$port"
 done
- /usr/sbin/brctl delbr "$BRIDGE"
+ "$brctl" delbr "$BRIDGE"
 ;;
 files)
 echo /bin/ip
- echo /usr/sbin/brctl
+ echo "$brctl"
 ;;
 modules)
 echo bridge
=== added file 'network-hooks.d/openvpn'
--- network-hooks.d/openvpn 1970-01-01 00:00:00 +0000
+++ network-hooks.d/openvpn 2011-12-02 16:52:50 +0000
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# This is an example of a Mandos client network hook. This hook
+# brings up an OpenVPN interface as specified in a separate
+# configuration file. To be used, this file and any needed
+# configuration file(s) should be copied into the
+# /etc/mandos/network-hooks.d directory.
+#
+# Copying and distribution of this file, with or without modification,
+# are permitted in any medium without royalty provided the copyright
+# notice and this notice are preserved. This file is offered as-is,
+# without any warranty.
+
+set -e
+
+CONFIG="openvpn.conf"
+
+# Extract the "dev" setting from the config file
+VPNDEVICE="`sed -n -e 's/#.*//' -e 's/^[[:space:]]*dev[[:space:]]\+//p' \"$MANDOSNETHOOKDIR/$CONFIG\"`"
+
+PIDFILE=/run/openvpn-mandos.pid
+
+# Exit if no device set in config
+if [ -z "$VPNDEVICE" ]; then
+ exit
+fi
+
+# Exit if DEVICE is set and it doesn't match the VPN interface
+if [ -n "$DEVICE" -a "$DEVICE" = "${DEVICE#$VPNDEVICE}" ]; then
+ exit
+fi
+
+openvpn=/usr/sbin/openvpn
+
+case "$1" in
+ start)
+ "$openvpn" --cd "$MANDOSNETHOOKDIR" --daemon 'openvpn(Mandos)' --writepid "$PIDFILE" --config "$CONFIG"
+ sleep "$DELAY"
+ ;;
+ stop)
+ PID="`cat \"$PIDFILE\"`"
+ if [ "$PID" -gt 0 ]; then
+ kill "$PID"
+ fi
+ ;;
+ files)
+ echo "$openvpn"
+ ;;
+ modules)
+ echo tun
+ ;;
+esac
=== added file 'network-hooks.d/openvpn.conf'
--- network-hooks.d/openvpn.conf 1970-01-01 00:00:00 +0000
+++ network-hooks.d/openvpn.conf 2011-12-02 16:52:50 +0000
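Review bot: The `stop)` arm of the new openvpn hook reads `PID="`cat \"$PIDFILE\"`"` and then tests `[ "$PID" -gt 0 ]` without checking that the pidfile exists or holds a number: under `set -e` a missing `/run/openvpn-mandos.pid` aborts the hook at the `cat`, and an empty or garbled file turns `-gt` into a test error, so a stop after a failed or partial start never reaches a clean exit. Guard on readability and validate the content before handing it to `kill`, as below. Separately, the `-a` inside `[ -n "$DEVICE" -a "$DEVICE" = "${DEVICE#$VPNDEVICE}" ]` is the deprecated form; `[ -n "$DEVICE" ] && [ "$DEVICE" = "${DEVICE#$VPNDEVICE}" ]` is equivalent and unambiguous. That comparison is a prefix match (a `dev tun` setting accepts a DEVICE of `tun0`), which is presumably intended, but a one-line comment saying so would spare the next reader the parameter-expansion puzzle.
```shell
  stop)
    if [ -r "$PIDFILE" ]; then
      PID="`cat \"$PIDFILE\"`"
      case "$PID" in
        ''|*[!0-9]*) echo "Ignoring bad pid in $PIDFILE" >&2 ;;
        *) kill "$PID" ;;
      esac
    fi
    ;;
```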
@@ -0,0 +1,19 @@
+# Sample OpenVPN configuration file
+# Uncomment and change - see openvpn(8)
+
+# Network device.
+#dev tun
+
+# Our remote peer
+#remote 192.0.2.3
+#float 192.0.2.3
+#port 1194
+
+# VPN endpoints
+#ifconfig 10.1.0.1 10.1.0.2
+
+# A pre-shared static key
+#secret openvpn.key
+
+# Cipher
+#cipher AES-128-CBC
=== modified file 'plugins.d/mandos-client.c'
--- plugins.d/mandos-client.c 2011-11-28 00:27:49 +0000
+++ plugins.d/mandos-client.c 2011-11-28 22:18:37 +0000
@@ -1431,8 +1431,6 @@
 if(ret == -1){
 perror_plus("setgroups");
 }
- fprintf_plus(stderr, "Child: getuid() = %d\n", getuid());
- fprintf_plus(stderr, "Child: geteuid() = %d\n", geteuid());
 dup2(devnull, STDIN_FILENO);
 close(devnull);
 dup2(STDERR_FILENO, STDOUT_FILENO);
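Review bot: The sample's `#secret openvpn.key` line gives no hint where that path is resolved or where the key ends up: the openvpn hook runs with `--cd "$MANDOSNETHOOKDIR"`, so the path is relative to `/etc/mandos/network-hooks.d`, and the hook header says needed files are copied into that directory, which the initramfs hook then presumably bundles into the image. A comment such as `# Path is relative to /etc/mandos/network-hooks.d; the key is bundled into the initramfs, keep it mode 0600` would tell the user what the file's exposure is. The `#dev tun` line also deserves a note that the hook's `dev` extraction (`sed … 's/^[[:space:]]*dev[[:space:]]\+//p'`) is what decides whether the hook acts at all, so it must be uncommented for the hook to do anything.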