X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_setup.c;h=207ce42543b4c9da1c542aa4f7484b580953a425;hb=3fba80174dbe29bcfe0d121a2a1d2e61be5ee57b;hp=43adbc8434fa59703bd3fab75958a6d9fdf00207;hpb=08aabbf9317806bc50a9a6693ca866c8936ce26b;p=tinc

diff --git a/src/net_setup.c b/src/net_setup.c
index 43adbc84..207ce425 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -1,7 +1,9 @@
 /*
     net_setup.c -- Setup.
     Copyright (C) 1998-2005 Ivo Timmermans,
-                  2000-2009 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2012 Guus Sliepen <guus@tinc-vpn.org>
+                  2006      Scott Lamb <slamb@slamb.org>
+                  2010      Brandon Black <blblack@gmail.com>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -13,11 +15,9 @@
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.
 
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-    $Id$
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
 #include "system.h"
@@ -29,6 +29,7 @@
 #include "control.h"
 #include "device.h"
 #include "digest.h"
+#include "ecdsa.h"
 #include "graph.h"
 #include "logger.h"
 #include "net.h"
@@ -43,6 +44,91 @@
 
 char *myport;
 static struct event device_ev;
+devops_t devops;
+
+bool node_read_ecdsa_public_key(node_t *n) {
+	if(ecdsa_active(&n->ecdsa))
+		return true;
+
+	splay_tree_t *config_tree;
+	FILE *fp;
+	char *fname;
+	char *p;
+	bool result = false;
+
+	xasprintf(&fname, "%s/hosts/%s", confbase, n->name);
+
+	init_configuration(&config_tree);
+	if(!read_config_file(config_tree, fname))
+		goto exit;
+
+	/* First, check for simple ECDSAPublicKey statement */
+
+	if(get_config_string(lookup_config(config_tree, "ECDSAPublicKey"), &p)) {
+		result = ecdsa_set_base64_public_key(&n->ecdsa, p);
+		free(p);
+		goto exit;
+	}
+
+	/* Else, check for ECDSAPublicKeyFile statement and read it */
+
+	free(fname);
+
+	if(!get_config_string(lookup_config(config_tree, "ECDSAPublicKeyFile"), &fname))
+		xasprintf(&fname, "%s/hosts/%s", confbase, n->name);
+
+	fp = fopen(fname, "r");
+
+	if(!fp) {
+		logger(LOG_ERR, "Error reading ECDSA public key file `%s': %s", fname, strerror(errno));
+		goto exit;
+	}
+
+	result = ecdsa_read_pem_public_key(&n->ecdsa, fp);
+	fclose(fp);
+
+exit:
+	exit_configuration(&config_tree);
+	free(fname);
+	return result;
+}
+
+bool read_ecdsa_public_key(connection_t *c) {
+	FILE *fp;
+	char *fname;
+	char *p;
+	bool result;
+
+	/* First, check for simple ECDSAPublicKey statement */
+
+	if(get_config_string(lookup_config(c->config_tree, "ECDSAPublicKey"), &p)) {
+		result = ecdsa_set_base64_public_key(&c->ecdsa, p);
+		free(p);
+		return result;
+	}
+
+	/* Else, check for ECDSAPublicKeyFile statement and read it */
+
+	if(!get_config_string(lookup_config(c->config_tree, "ECDSAPublicKeyFile"), &fname))
+		xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
+
+	fp = fopen(fname, "r");
+
+	if(!fp) {
+		logger(LOG_ERR, "Error reading ECDSA public key file `%s': %s",
+			   fname, strerror(errno));
+		free(fname);
+		return false;
+	}
+
+	result = ecdsa_read_pem_public_key(&c->ecdsa, fp);
+	fclose(fp);
+
+	if(!result) 
+		logger(LOG_ERR, "Reading ECDSA public key file `%s' failed: %s", fname, strerror(errno));
+	free(fname);
+	return result;
+}
 
 bool read_rsa_public_key(connection_t *c) {
 	FILE *fp;
@@ -50,8 +136,6 @@ bool read_rsa_public_key(connection_t *c) {
 	char *n;
 	bool result;
 
-	cp();
-
 	/* First, check for simple PublicKey statement */
 
 	if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &n)) {
@@ -63,13 +147,12 @@ bool read_rsa_public_key(connection_t *c) {
 	/* Else, check for PublicKeyFile statement and read it */
 
 	if(!get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname))
-		asprintf(&fname, "%s/hosts/%s", confbase, c->name);
+		xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
 
 	fp = fopen(fname, "r");
 
 	if(!fp) {
-		logger(LOG_ERR, _("Error reading RSA public key file `%s': %s"),
-			   fname, strerror(errno));
+		logger(LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
 		free(fname);
 		return false;
 	}
@@ -78,24 +161,62 @@ bool read_rsa_public_key(connection_t *c) {
 	fclose(fp);
 
 	if(!result) 
-		logger(LOG_ERR, _("Reading RSA public key file `%s' failed: %s"), fname, strerror(errno));
+		logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s", fname, strerror(errno));
 	free(fname);
 	return result;
 }
 
-bool read_rsa_private_key() {
+static bool read_ecdsa_private_key(void) {
 	FILE *fp;
 	char *fname;
-	char *n, *d;
 	bool result;
 
-	cp();
+	/* Check for PrivateKeyFile statement and read it */
+
+	if(!get_config_string(lookup_config(config_tree, "ECDSAPrivateKeyFile"), &fname))
+		xasprintf(&fname, "%s/ecdsa_key.priv", confbase);
+
+	fp = fopen(fname, "r");
+
+	if(!fp) {
+		logger(LOG_ERR, "Error reading ECDSA private key file `%s': %s", fname, strerror(errno));
+		free(fname);
+		return false;
+	}
+
+#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
+	struct stat s;
+
+	if(fstat(fileno(fp), &s)) {
+		logger(LOG_ERR, "Could not stat ECDSA private key file `%s': %s'", fname, strerror(errno));
+		free(fname);
+		return false;
+	}
+
+	if(s.st_mode & ~0100700)
+		logger(LOG_WARNING, "Warning: insecure file permissions for ECDSA private key file `%s'!", fname);
+#endif
+
+	result = ecdsa_read_pem_private_key(&myself->connection->ecdsa, fp);
+	fclose(fp);
+
+	if(!result) 
+		logger(LOG_ERR, "Reading ECDSA private key file `%s' failed: %s", fname, strerror(errno));
+	free(fname);
+	return result;
+}
+
+static bool read_rsa_private_key(void) {
+	FILE *fp;
+	char *fname;
+	char *n, *d;
+	bool result;
 
 	/* First, check for simple PrivateKey statement */
 
 	if(get_config_string(lookup_config(config_tree, "PrivateKey"), &d)) {
-		if(!get_config_string(lookup_config(myself->connection->config_tree, "PublicKey"), &n)) {
-			logger(LOG_ERR, _("PrivateKey used but no PublicKey found!"));
+		if(!get_config_string(lookup_config(config_tree, "PublicKey"), &n)) {
+			logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
 			free(d);
 			return false;
 		}
@@ -108,12 +229,12 @@ bool read_rsa_private_key() {
 	/* Else, check for PrivateKeyFile statement and read it */
 
 	if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
-		asprintf(&fname, "%s/rsa_key.priv", confbase);
+		xasprintf(&fname, "%s/rsa_key.priv", confbase);
 
 	fp = fopen(fname, "r");
 
 	if(!fp) {
-		logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"),
+		logger(LOG_ERR, "Error reading RSA private key file `%s': %s",
 			   fname, strerror(errno));
 		free(fname);
 		return false;
@@ -123,20 +244,20 @@ bool read_rsa_private_key() {
 	struct stat s;
 
 	if(fstat(fileno(fp), &s)) {
-		logger(LOG_ERR, _("Could not stat RSA private key file `%s': %s'"), fname, strerror(errno));
+		logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
 		free(fname);
 		return false;
 	}
 
 	if(s.st_mode & ~0100700)
-		logger(LOG_WARNING, _("Warning: insecure file permissions for RSA private key file `%s'!"), fname);
+		logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
 #endif
 
 	result = rsa_read_pem_private_key(&myself->connection->rsa, fp);
 	fclose(fp);
 
 	if(!result) 
-		logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"), fname, strerror(errno));
+		logger(LOG_ERR, "Reading RSA private key file `%s' failed: %s", fname, strerror(errno));
 	free(fname);
 	return result;
 }
@@ -147,17 +268,11 @@ static void keyexpire_handler(int fd, short events, void *data) {
 	regenerate_key();
 }
 
-void regenerate_key() {
-	ifdebug(STATUS) logger(LOG_INFO, _("Regenerating symmetric key"));
-
-	if(!cipher_regenerate_key(&myself->cipher, true)) {
-		logger(LOG_ERR, _("Error regenerating key!"));
-		abort();
-	}
-
+void regenerate_key(void) {
 	if(timeout_initialized(&keyexpire_event)) {
+		ifdebug(STATUS) logger(LOG_INFO, "Expiring symmetric keys");
 		event_del(&keyexpire_event);
-		send_key_changed(broadcast, myself);
+		send_key_changed();
 	} else {
 		timeout_set(&keyexpire_event, keyexpire_handler, NULL);
 	}
@@ -165,59 +280,135 @@ void regenerate_key() {
 	event_add(&keyexpire_event, &(struct timeval){keylifetime, 0});
 }
 
+/*
+  Read Subnets from all host config files
+*/
+void load_all_subnets(void) {
+	DIR *dir;
+	struct dirent *ent;
+	char *dname;
+	char *fname;
+	splay_tree_t *config_tree;
+	config_t *cfg;
+	subnet_t *s, *s2;
+	node_t *n;
+	bool result;
+
+	xasprintf(&dname, "%s/hosts", confbase);
+	dir = opendir(dname);
+	if(!dir) {
+		logger(LOG_ERR, "Could not open %s: %s", dname, strerror(errno));
+		free(dname);
+		return;
+	}
+
+	while((ent = readdir(dir))) {
+		if(!check_id(ent->d_name))
+			continue;
+
+		n = lookup_node(ent->d_name);
+		#ifdef _DIRENT_HAVE_D_TYPE
+		//if(ent->d_type != DT_REG)
+		//	continue;
+		#endif
+
+		xasprintf(&fname, "%s/hosts/%s", confbase, ent->d_name);
+		init_configuration(&config_tree);
+		result = read_config_file(config_tree, fname);
+		free(fname);
+		if(!result)
+			continue;
+
+		if(!n) {
+			n = new_node();
+			n->name = xstrdup(ent->d_name);
+			node_add(n);
+		}
+
+		for(cfg = lookup_config(config_tree, "Subnet"); cfg; cfg = lookup_config_next(config_tree, cfg)) {
+			if(!get_config_subnet(cfg, &s))
+				continue;
+
+			if((s2 = lookup_subnet(n, s))) {
+				s2->expires = -1;
+			} else {
+				subnet_add(n, s);
+			}
+		}
+
+		exit_configuration(&config_tree);
+	}
+
+	closedir(dir);
+}
+
 /*
   Configure node_t myself and set up the local sockets (listen only)
 */
-bool setup_myself(void) {
+static bool setup_myself(void) {
 	config_t *cfg;
 	subnet_t *subnet;
-	char *name, *hostname, *mode, *afname, *cipher, *digest;
+	char *name, *hostname, *mode, *afname, *cipher, *digest, *type;
+	char *fname = NULL;
 	char *address = NULL;
 	char *envp[5];
 	struct addrinfo *ai, *aip, hint = {0};
 	bool choice;
 	int i, err;
-
-	cp();
+	int replaywin_int;
 
 	myself = new_node();
 	myself->connection = new_connection();
-	init_configuration(&myself->connection->config_tree);
 
-	asprintf(&myself->hostname, _("MYSELF"));
-	asprintf(&myself->connection->hostname, _("MYSELF"));
+	myself->hostname = xstrdup("MYSELF");
+	myself->connection->hostname = xstrdup("MYSELF");
 
 	myself->connection->options = 0;
-	myself->connection->protocol_version = PROT_CURRENT;
+	myself->connection->protocol_major = PROT_MAJOR;
+	myself->connection->protocol_minor = PROT_MINOR;
 
 	if(!get_config_string(lookup_config(config_tree, "Name"), &name)) {	/* Not acceptable */
-		logger(LOG_ERR, _("Name for tinc daemon required!"));
+		logger(LOG_ERR, "Name for tinc daemon required!");
 		return false;
 	}
 
 	if(!check_id(name)) {
-		logger(LOG_ERR, _("Invalid name for myself!"));
+		logger(LOG_ERR, "Invalid name for myself!");
 		free(name);
 		return false;
 	}
 
 	myself->name = name;
 	myself->connection->name = xstrdup(name);
+	xasprintf(&fname, "%s/hosts/%s", confbase, name);
+	read_config_options(config_tree, name);
+	read_config_file(config_tree, fname);
+	free(fname);
 
-	if(!read_connection_config(myself->connection)) {
-		logger(LOG_ERR, _("Cannot open host configuration file for myself!"));
+	get_config_bool(lookup_config(config_tree, "ExperimentalProtocol"), &experimental);
+
+	if(experimental && !read_ecdsa_private_key())
 		return false;
-	}
 
 	if(!read_rsa_private_key())
 		return false;
 
-	if(!get_config_string(lookup_config(myself->connection->config_tree, "Port"), &myport))
-		asprintf(&myport, "655");
+	if(!get_config_string(lookup_config(config_tree, "Port"), &myport))
+		myport = xstrdup("655");
+
+	if(!atoi(myport)) {
+		struct addrinfo *ai = str2addrinfo("localhost", myport, SOCK_DGRAM);
+		sockaddr_t sa;
+		if(!ai || !ai->ai_addr)
+			return false;
+		free(myport);
+		memcpy(&sa, ai->ai_addr, ai->ai_addrlen);
+		sockaddr2str(&sa, NULL, &myport);
+	}
 
 	/* Read in all the subnets specified in the host configuration file */
 
-	cfg = lookup_config(myself->connection->config_tree, "Subnet");
+	cfg = lookup_config(config_tree, "Subnet");
 
 	while(cfg) {
 		if(!get_config_subnet(cfg, &subnet))
@@ -225,7 +416,7 @@ bool setup_myself(void) {
 
 		subnet_add(myself, subnet);
 
-		cfg = lookup_config_next(myself->connection->config_tree, cfg);
+		cfg = lookup_config_next(config_tree, cfg);
 	}
 
 	/* Check some options */
@@ -236,16 +427,13 @@ bool setup_myself(void) {
 	if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice) && choice)
 		myself->options |= OPTION_TCPONLY;
 
-	if(get_config_bool(lookup_config(myself->connection->config_tree, "IndirectData"), &choice) && choice)
-		myself->options |= OPTION_INDIRECT;
-
-	if(get_config_bool(lookup_config(myself->connection->config_tree, "TCPOnly"), &choice) && choice)
-		myself->options |= OPTION_TCPONLY;
-
 	if(myself->options & OPTION_TCPONLY)
 		myself->options |= OPTION_INDIRECT;
 
+	get_config_bool(lookup_config(config_tree, "DirectOnly"), &directonly);
+	get_config_bool(lookup_config(config_tree, "StrictSubnets"), &strictsubnets);
 	get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver);
+	strictsubnets |= tunnelserver;
 
 	if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) {
 		if(!strcasecmp(mode, "router"))
@@ -255,22 +443,43 @@ bool setup_myself(void) {
 		else if(!strcasecmp(mode, "hub"))
 			routing_mode = RMODE_HUB;
 		else {
-			logger(LOG_ERR, _("Invalid routing mode!"));
+			logger(LOG_ERR, "Invalid routing mode!");
 			return false;
 		}
 		free(mode);
-	} else
-		routing_mode = RMODE_ROUTER;
+	}
 
-	if(routing_mode == RMODE_ROUTER)
-		if(!get_config_bool(lookup_config(myself->connection->config_tree, "PMTUDiscovery"), &choice) || choice)
-			myself->options |= OPTION_PMTU_DISCOVERY;
+	if(get_config_string(lookup_config(config_tree, "Forwarding"), &mode)) {
+		if(!strcasecmp(mode, "off"))
+			forwarding_mode = FMODE_OFF;
+		else if(!strcasecmp(mode, "internal"))
+			forwarding_mode = FMODE_INTERNAL;
+		else if(!strcasecmp(mode, "kernel"))
+			forwarding_mode = FMODE_KERNEL;
+		else {
+			logger(LOG_ERR, "Invalid forwarding mode!");
+			return false;
+		}
+		free(mode);
+	}
+
+	choice = true;
+	get_config_bool(lookup_config(config_tree, "PMTUDiscovery"), &choice);
+	if(choice)
+		myself->options |= OPTION_PMTU_DISCOVERY;
+
+	choice = true;
+	get_config_bool(lookup_config(config_tree, "ClampMSS"), &choice);
+	if(choice)
+		myself->options |= OPTION_CLAMP_MSS;
 
 	get_config_bool(lookup_config(config_tree, "PriorityInheritance"), &priorityinheritance);
+	get_config_bool(lookup_config(config_tree, "DecrementTTL"), &decrement_ttl);
+	get_config_bool(lookup_config(config_tree, "Broadcast"), &broadcast);
 
 #if !defined(SOL_IP) || !defined(IP_TOS)
 	if(priorityinheritance)
-		logger(LOG_WARNING, _("PriorityInheritance not supported on this platform"));
+		logger(LOG_WARNING, "%s not supported on this platform", "PriorityInheritance");
 #endif
 
 	if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
@@ -278,12 +487,34 @@ bool setup_myself(void) {
 
 	if(get_config_int(lookup_config(config_tree, "MaxTimeout"), &maxtimeout)) {
 		if(maxtimeout <= 0) {
-			logger(LOG_ERR, _("Bogus maximum timeout!"));
+			logger(LOG_ERR, "Bogus maximum timeout!");
 			return false;
 		}
 	} else
 		maxtimeout = 900;
 
+	if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) {
+		if(udp_rcvbuf <= 0) {
+			logger(LOG_ERR, "UDPRcvBuf cannot be negative!");
+			return false;
+		}
+	}
+
+	if(get_config_int(lookup_config(config_tree, "UDPSndBuf"), &udp_sndbuf)) {
+		if(udp_sndbuf <= 0) {
+			logger(LOG_ERR, "UDPSndBuf cannot be negative!");
+			return false;
+		}
+	}
+
+	if(get_config_int(lookup_config(config_tree, "ReplayWindow"), &replaywin_int)) {
+		if(replaywin_int < 0) {
+			logger(LOG_ERR, "ReplayWindow cannot be negative!");
+			return false;
+		}
+		replaywin = (unsigned)replaywin_int;
+	}
+
 	if(get_config_string(lookup_config(config_tree, "AddressFamily"), &afname)) {
 		if(!strcasecmp(afname, "IPv4"))
 			addressfamily = AF_INET;
@@ -292,7 +523,7 @@ bool setup_myself(void) {
 		else if(!strcasecmp(afname, "any"))
 			addressfamily = AF_UNSPEC;
 		else {
-			logger(LOG_ERR, _("Invalid address family!"));
+			logger(LOG_ERR, "Invalid address family!");
 			return false;
 		}
 		free(afname);
@@ -302,11 +533,11 @@ bool setup_myself(void) {
 
 	/* Generate packet encryption key */
 
-	if(!get_config_string(lookup_config(myself->connection->config_tree, "Cipher"), &cipher))
+	if(!get_config_string(lookup_config(config_tree, "Cipher"), &cipher))
 		cipher = xstrdup("blowfish");
 
-	if(!cipher_open_by_name(&myself->cipher, cipher)) {
-		logger(LOG_ERR, _("Unrecognized cipher type!"));
+	if(!cipher_open_by_name(&myself->incipher, cipher)) {
+		logger(LOG_ERR, "Unrecognized cipher type!");
 		return false;
 	}
 
@@ -317,35 +548,31 @@ bool setup_myself(void) {
 
 	/* Check if we want to use message authentication codes... */
 
-	if(!get_config_string(lookup_config(myself->connection->config_tree, "Digest"), &digest))
-		digest = xstrdup("sha1");
+	int maclength = 4;
+	get_config_int(lookup_config(config_tree, "MACLength"), &maclength);
 
-	if(!digest_open_by_name(&myself->digest, digest)) {
-		logger(LOG_ERR, _("Unrecognized digest type!"));
+	if(maclength < 0) {
+		logger(LOG_ERR, "Bogus MAC length!");
 		return false;
 	}
 
-	if(!get_config_int(lookup_config(myself->connection->config_tree, "MACLength"), &myself->maclength))
+	if(!get_config_string(lookup_config(config_tree, "Digest"), &digest))
+		digest = xstrdup("sha1");
 
-	if(digest_active(&myself->digest)) {
-		if(myself->maclength > digest_length(&myself->digest)) {
-			logger(LOG_ERR, _("MAC length exceeds size of digest!"));
-			return false;
-		} else if(myself->maclength < 0) {
-			logger(LOG_ERR, _("Bogus MAC length!"));
-			return false;
-		}
+	if(!digest_open_by_name(&myself->indigest, digest, maclength)) {
+		logger(LOG_ERR, "Unrecognized digest type!");
+		return false;
 	}
 
 	/* Compression */
 
-	if(get_config_int(lookup_config(myself->connection->config_tree, "Compression"), &myself->compression)) {
-		if(myself->compression < 0 || myself->compression > 11) {
-			logger(LOG_ERR, _("Bogus compression level!"));
+	if(get_config_int(lookup_config(config_tree, "Compression"), &myself->incompression)) {
+		if(myself->incompression < 0 || myself->incompression > 11) {
+			logger(LOG_ERR, "Bogus compression level!");
 			return false;
 		}
 	} else
-		myself->compression = 0;
+		myself->incompression = 0;
 
 	myself->connection->outcompression = 0;
 
@@ -358,29 +585,51 @@ bool setup_myself(void) {
 
 	graph();
 
+	if(strictsubnets)
+		load_all_subnets();
+
 	/* Open device */
 
-	if(!setup_device())
-		return false;
+	devops = os_devops;
 
-	event_set(&device_ev, device_fd, EV_READ|EV_PERSIST, handle_device_data, NULL);
+	if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
+		if(!strcasecmp(type, "dummy"))
+			devops = dummy_devops;
+		else if(!strcasecmp(type, "raw_socket"))
+			devops = raw_socket_devops;
+#ifdef ENABLE_UML
+		else if(!strcasecmp(type, "uml"))
+			devops = uml_devops;
+#endif
+#ifdef ENABLE_VDE
+		else if(!strcasecmp(type, "vde"))
+			devops = vde_devops;
+#endif
+	}
 
-	if (event_add(&device_ev, NULL) < 0) {
-		logger(LOG_ERR, _("event_add failed: %s"), strerror(errno));
-		close_device();
+	if(!devops.setup())
 		return false;
+
+	if(device_fd >= 0) {
+		event_set(&device_ev, device_fd, EV_READ|EV_PERSIST, handle_device_data, NULL);
+
+		if (event_add(&device_ev, NULL) < 0) {
+			logger(LOG_ERR, "event_add failed: %s", strerror(errno));
+			devops.close();
+			return false;
+		}
 	}
 
 	/* Run tinc-up script to further initialize the tap interface */
-	asprintf(&envp[0], "NETNAME=%s", netname ? : "");
-	asprintf(&envp[1], "DEVICE=%s", device ? : "");
-	asprintf(&envp[2], "INTERFACE=%s", iface ? : "");
-	asprintf(&envp[3], "NAME=%s", myself->name);
+	xasprintf(&envp[0], "NETNAME=%s", netname ? : "");
+	xasprintf(&envp[1], "DEVICE=%s", device ? : "");
+	xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
+	xasprintf(&envp[3], "NAME=%s", myself->name);
 	envp[4] = NULL;
 
 	execute_script("tinc-up", envp);
 
-	for(i = 0; i < 5; i++)
+	for(i = 0; i < 4; i++)
 		free(envp[i]);
 
 	/* Run subnet-up scripts for our own subnets */
@@ -389,77 +638,83 @@ bool setup_myself(void) {
 
 	/* Open sockets */
 
-	get_config_string(lookup_config(config_tree, "BindToAddress"), &address);
-
-	hint.ai_family = addressfamily;
-	hint.ai_socktype = SOCK_STREAM;
-	hint.ai_protocol = IPPROTO_TCP;
-	hint.ai_flags = AI_PASSIVE;
-
-	err = getaddrinfo(address, myport, &hint, &ai);
-
-	if(err || !ai) {
-		logger(LOG_ERR, _("System call `%s' failed: %s"), "getaddrinfo",
-			   gai_strerror(err));
-		return false;
-	}
-
 	listen_sockets = 0;
+	cfg = lookup_config(config_tree, "BindToAddress");
 
-	for(aip = ai; aip; aip = aip->ai_next) {
-		listen_socket[listen_sockets].tcp =
-			setup_listen_socket((sockaddr_t *) aip->ai_addr);
-
-		if(listen_socket[listen_sockets].tcp < 0)
-			continue;
-
-		listen_socket[listen_sockets].udp =
-			setup_vpn_in_socket((sockaddr_t *) aip->ai_addr);
+	do {
+		get_config_string(cfg, &address);
+		if(cfg)
+			cfg = lookup_config_next(config_tree, cfg);
 
-		if(listen_socket[listen_sockets].udp < 0) {
-			close(listen_socket[listen_sockets].tcp);
-			continue;
-		}
+		hint.ai_family = addressfamily;
+		hint.ai_socktype = SOCK_STREAM;
+		hint.ai_protocol = IPPROTO_TCP;
+		hint.ai_flags = AI_PASSIVE;
 
-		event_set(&listen_socket[listen_sockets].ev_tcp,
-				  listen_socket[listen_sockets].tcp,
-				  EV_READ|EV_PERSIST,
-				  handle_new_meta_connection, NULL);
-		if(event_add(&listen_socket[listen_sockets].ev_tcp, NULL) < 0) {
-			logger(LOG_EMERG, _("event_add failed: %s"), strerror(errno));
-			abort();
-		}
+		err = getaddrinfo(address, myport, &hint, &ai);
+		free(address);
 
-		event_set(&listen_socket[listen_sockets].ev_udp,
-				  listen_socket[listen_sockets].udp,
-				  EV_READ|EV_PERSIST,
-				  handle_incoming_vpn_data, NULL);
-		if(event_add(&listen_socket[listen_sockets].ev_udp, NULL) < 0) {
-			logger(LOG_EMERG, _("event_add failed: %s"), strerror(errno));
-			abort();
+		if(err || !ai) {
+			logger(LOG_ERR, "System call `%s' failed: %s", "getaddrinfo",
+				   gai_strerror(err));
+			return false;
 		}
 
-		ifdebug(CONNECTIONS) {
-			hostname = sockaddr2hostname((sockaddr_t *) aip->ai_addr);
-			logger(LOG_NOTICE, _("Listening on %s"), hostname);
-			free(hostname);
+		for(aip = ai; aip; aip = aip->ai_next) {
+			if(listen_sockets >= MAXSOCKETS) {
+				logger(LOG_ERR, "Too many listening sockets");
+				return false;
+			}
+
+			listen_socket[listen_sockets].tcp =
+				setup_listen_socket((sockaddr_t *) aip->ai_addr);
+
+			if(listen_socket[listen_sockets].tcp < 0)
+				continue;
+
+			listen_socket[listen_sockets].udp =
+				setup_vpn_in_socket((sockaddr_t *) aip->ai_addr);
+
+			if(listen_socket[listen_sockets].udp < 0) {
+				close(listen_socket[listen_sockets].tcp);
+				continue;
+			}
+
+			event_set(&listen_socket[listen_sockets].ev_tcp,
+					  listen_socket[listen_sockets].tcp,
+					  EV_READ|EV_PERSIST,
+					  handle_new_meta_connection, NULL);
+			if(event_add(&listen_socket[listen_sockets].ev_tcp, NULL) < 0) {
+				logger(LOG_ERR, "event_add failed: %s", strerror(errno));
+				abort();
+			}
+
+			event_set(&listen_socket[listen_sockets].ev_udp,
+					  listen_socket[listen_sockets].udp,
+					  EV_READ|EV_PERSIST,
+					  handle_incoming_vpn_data, (void *)(intptr_t)listen_sockets);
+			if(event_add(&listen_socket[listen_sockets].ev_udp, NULL) < 0) {
+				logger(LOG_ERR, "event_add failed: %s", strerror(errno));
+				abort();
+			}
+
+			ifdebug(CONNECTIONS) {
+				hostname = sockaddr2hostname((sockaddr_t *) aip->ai_addr);
+				logger(LOG_NOTICE, "Listening on %s", hostname);
+				free(hostname);
+			}
+
+			memcpy(&listen_socket[listen_sockets].sa, aip->ai_addr, aip->ai_addrlen);
+			listen_sockets++;
 		}
 
-		memcpy(&listen_socket[listen_sockets].sa, aip->ai_addr, aip->ai_addrlen);
-		listen_sockets++;
-
-		if(listen_sockets >= MAXSOCKETS) {
-			logger(LOG_WARNING, _("Maximum of %d listening sockets reached"), MAXSOCKETS);
-			break;
-		}
-	}
-
-	freeaddrinfo(ai);
+		freeaddrinfo(ai);
+	} while(cfg);
 
 	if(listen_sockets)
-		logger(LOG_NOTICE, _("Ready"));
+		logger(LOG_NOTICE, "Ready");
 	else {
-		logger(LOG_ERR, _("Unable to create any listening socket!"));
+		logger(LOG_ERR, "Unable to create any listening socket!");
 		return false;
 	}
 
@@ -467,11 +722,9 @@ bool setup_myself(void) {
 }
 
 /*
-  setup all initial network connections
+  initialize network
 */
-bool setup_network_connections(void) {
-	cp();
-
+bool setup_network(void) {
 	init_connections();
 	init_subnets();
 	init_nodes();
@@ -496,8 +749,6 @@ bool setup_network_connections(void) {
 	if(!setup_myself())
 		return false;
 
-	try_outgoing_connections();
-
 	return true;
 }
 
@@ -510,12 +761,10 @@ void close_network_connections(void) {
 	char *envp[5];
 	int i;
 
-	cp();
-
 	for(node = connection_tree->head; node; node = next) {
 		next = node->next;
 		c = node->data;
-		c->outgoing = false;
+		c->outgoing = NULL;
 		terminate_connection(c, false);
 	}
 
@@ -534,10 +783,10 @@ void close_network_connections(void) {
 		close(listen_socket[i].udp);
 	}
 
-	asprintf(&envp[0], "NETNAME=%s", netname ? : "");
-	asprintf(&envp[1], "DEVICE=%s", device ? : "");
-	asprintf(&envp[2], "INTERFACE=%s", iface ? : "");
-	asprintf(&envp[3], "NAME=%s", myself->name);
+	xasprintf(&envp[0], "NETNAME=%s", netname ? : "");
+	xasprintf(&envp[1], "DEVICE=%s", device ? : "");
+	xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
+	xasprintf(&envp[3], "NAME=%s", myself->name);
 	envp[4] = NULL;
 
 	exit_requests();
@@ -553,7 +802,7 @@ void close_network_connections(void) {
 	for(i = 0; i < 4; i++)
 		free(envp[i]);
 
-	close_device();
+	devops.close();
 
 	return;
 }