Merge branch 'master' into cygwin

debian/control

@@ -7,7 +7,7 @@ Standards-Version: 3.9.1
 
 Package: re6stnet
 Architecture: all
-Depends: ${misc:Depends}, python (>= 2.6.6-3), python (<< 2.8), python-argparse, python-openssl, openvpn (>= 2.1.3), babeld (>= 1.3.1), iproute, openssl
+Depends: ${misc:Depends}, python (>= 2.6.6-3), python (<< 2.8), python-argparse, python-openssl (>= 0.13), openvpn (>= 2.1.3), babeld (>= 1.3.1), iproute, openssl
 Recommends: ${python:Recommends}
 Suggests: ndisc6
 Description: resilient, scalable, IPv6 network application

docs/re6stnet.rst

@@ -137,6 +137,27 @@ Its IP is the first unicast address::
   re6st-registry --private 2001:db8:42::1 ...
   re6stnet --registry http://localhost/ --ip re6st.example.com ...
 
+TROUBLESHOOTING
+===============
+
+On networks with very few working nodes compared to the total number of
+registered nodes, it may take some time to bootstrap. However, if you really
+think something goes wrong, you should first enable OpenVPN logs and increase
+verbosity: see commented directives in configuration generated by `re6st-conf`.
+
+A common failure is caused by a misconfigured firewall:
+
+- re6st launches several OpenVPN processes. Those in client mode may connect to
+  any TCP/UDP port in IPv4. Server processes only listen to ports specified
+  by ``--pp`` option.
+
+- OpenVPN always aborts due to inactivity timeout when Babel paquets are
+  filtered. UDP port 6696 must be open on link-local IPv6 of all interfaces
+  managed by Babel.
+
+Other security components may also break re6st. For example, default SELinux
+configuration on Fedora prevents execution of OpenVPN server processes.
+
 SEE ALSO
 ========
 

re6st-conf

@@ -93,15 +93,18 @@ def main():
 
     cert_fd = token_advice = None
     try:
+        token = config.token
         if config.anonymous:
-            if not (config.token is config.email is None):
+            if not (token is config.email is None):
                 parser.error("--anonymous conflicts with --email/--token")
-        elif not config.token:
+            token = ''
+        elif not token:
             if not config.email:
                 config.email = raw_input('Please enter your email address: ')
             s.requestToken(config.email)
             token_advice = "Use --token to retry without asking a new token\n"
-            config.token = raw_input('Please enter your token: ')
+            while not token:
+                token = raw_input('Please enter your token: ')
 
         try:
             with open(key_path) as f:
@@ -125,7 +128,7 @@ def main():
         # to avoid using our token for nothing.
         cert_fd = os.open(cert_path, os.O_CREAT | os.O_WRONLY, 0666)
         print "Requesting certificate ..."
-        cert = s.requestCertificate(config.token, req)
+        cert = s.requestCertificate(token, req)
         if not cert:
             token_advice = None
             sys.exit("Error: invalid or expired token")

re6st/ovpn-client

@@ -2,6 +2,9 @@
 import os, sys
 
 if os.environ['script_type'] == 'up':
+    # OpenVPN unsets PATH before calling hooks
+    # which is equivalent to set /bin:/usr/bin
+    os.environ['PATH'] = '/bin:/sbin:/usr/bin:/usr/sbin'
     os.execlp('ip', 'ip', 'link', 'set', os.environ['dev'], 'up')
 
 # Write into pipe external ip address received

re6st/registry.py

@@ -179,12 +179,7 @@ class RegistryServer(object):
         req = crypto.load_certificate_request(crypto.FILETYPE_PEM, req)
         with self.lock:
             with self.db:
-                if token is None:
-                    prefix_len = self.config.anonymous_prefix_length
-                    if not prefix_len:
-                        return
-                    email = None
-                else:
+                if token:
                     try:
                         token, email, prefix_len, _ = self.db.execute(
                             "SELECT * FROM token WHERE token = ?",
@@ -193,6 +188,11 @@ class RegistryServer(object):
                         return
                     self.db.execute("DELETE FROM token WHERE token = ?",
                                     (token,))
+                else:
+                    prefix_len = self.config.anonymous_prefix_length
+                    if not prefix_len:
+                        return
+                    email = None
                 prefix = self._getPrefix(prefix_len)
                 self.db.execute("UPDATE cert SET email = ? WHERE prefix = ?",
                                 (email, prefix))

re6st/tunnel.py

@@ -246,6 +246,8 @@ class TunnelManager(object):
             self._countRoutes()
         disconnected = self._disconnected
         if disconnected is not None:
+            logging.info("No route to registry (%u neighbours, %u distant"
+                         " peers)", len(disconnected), len(distant_peers))
             # We aren't the registry node and we have no tunnel to or from it,
             # so it looks like we are not connected to the network, and our
             # neighbours are in the same situation.
@@ -290,6 +292,8 @@ class TunnelManager(object):
             bootstrap = True
             for peer, address in self._peer_db.getPeerList():
                 if peer not in disconnected:
+                    logging.info("Try to bootstrap using peer %u/%u",
+                                 int(peer, 2), len(peer))
                     bootstrap = False
                     if self._makeTunnel(peer, address):
                         new += 1

re6stnet.spec

@@ -11,8 +11,8 @@ Requires:  babeld >= 1.3.1
 Requires:  iproute
 Requires:  openssl
 Requires:  openvpn
-Requires:  python = 2.7
-Requires:  pyOpenSSL
+Requires:  python >= 2.7
+Requires:  pyOpenSSL >= 0.13
 
 %description
 

setup.py

@@ -38,7 +38,7 @@ setup(
             'ovpn-client',
         ],
     },
-    install_requires = ['pyOpenSSL', 'miniupnpc'],
+    install_requires = ['pyOpenSSL >= 0.13', 'miniupnpc'],
     #dependency_links = [
     #    "http://miniupnp.free.fr/files/download.php?file=miniupnpc-1.7.20120714.tar.gz#egg=miniupnpc-1.7",
     #    ],