Merge commit '9ef45d9d8fb5b86da848b0ec3da0938c6c9644ff'

Conflicts:
	doc/tunnel.md
Lars Gierth 9 years ago
parent
commit
3718ba2584
42 changed files with 1374 additions and 741 deletions
  1. 393 0
      doc/LICENSE.txt
  2. 78 2
      doc/README.md
  3. 4 0
      doc/achievements.md
  4. 74 0
      doc/bugs/configurator-timeout.md
  5. 89 0
      doc/bugs/connectTo-overflow.md
  6. 18 0
      doc/bugs/distro-quirks.md
  7. 55 0
      doc/bugs/hidden-peers.md
  8. 7 0
      doc/bugs/index.md
  9. 20 0
      doc/bugs/policy.md
  10. 13 0
      doc/bugs/reporting.md
  11. 4 2
      doc/cjdns/anatomy.md
  12. 0 29
      doc/cjdns/data_structures/Address.md
  13. 0 12
      doc/cjdns/data_structures/Allocator.md
  14. 0 4
      doc/cjdns/data_structures/EventBase.md
  15. 0 40
      doc/cjdns/data_structures/Identity.md
  16. 0 4
      doc/cjdns/data_structures/Log.md
  17. 0 7
      doc/cjdns/data_structures/Log_callback.md
  18. 0 22
      doc/cjdns/data_structures/NodeStore.md
  19. 0 27
      doc/cjdns/data_structures/NodeStore_pvt.md
  20. 0 51
      doc/cjdns/data_structures/Node_Link.md
  21. 0 52
      doc/cjdns/data_structures/Node_Two.md
  22. 0 11
      doc/cjdns/data_structures/RumorMill.md
  23. 10 0
      doc/cjdns/functions/iface-h.md
  24. 0 386
      doc/cjdns/order-of-compilation.md
  25. 0 5
      doc/cjdns/order-of-linking.md
  26. BIN
      doc/cjdns/order-of-linking.png
  27. 2 2
      doc/ctrls.md
  28. 61 0
      doc/faq/doppleganger.md
  29. 1 1
      doc/faq/general.md
  30. 9 1
      doc/faq/glossary.md
  31. 55 44
      doc/faq/peering.md
  32. 50 0
      doc/faq/security.md
  33. 91 30
      doc/index.md
  34. 6 0
      doc/meshlocals/existing/nyc.md
  35. 93 0
      doc/notes/build-on-windows.md
  36. 39 0
      doc/notes/gsoc.md
  37. 5 0
      doc/notes/links.md
  38. 16 4
      doc/notes/wanted.md
  39. 38 0
      doc/notes/windows-firewall.md
  40. 138 0
      doc/shorewall_and_vpn_gateway_howto.md
  41. 1 1
      doc/tipsAndTricks.md
  42. 4 4
      doc/tunnel.md

+ 393 - 0
doc/LICENSE.txt

@@ -0,0 +1,393 @@
+Attribution 4.0 International
+
+=======================================================================
+
+Creative Commons Corporation ("Creative Commons") is not a law firm and
+does not provide legal services or legal advice. Distribution of
+Creative Commons public licenses does not create a lawyer-client or
+other relationship. Creative Commons makes its licenses and related
+information available on an "as-is" basis. Creative Commons gives no
+warranties regarding its licenses, any material licensed under their
+terms and conditions, or any related information. Creative Commons
+disclaims all liability for damages resulting from their use to the
+fullest extent possible.
+
+Using Creative Commons Public Licenses
+
+Creative Commons public licenses provide a standard set of terms and
+conditions that creators and other rights holders may use to share
+original works of authorship and other material subject to copyright
+and certain other rights specified in the public license below. The
+following considerations are for informational purposes only, are not
+exhaustive, and do not form part of our licenses.
+
+     Considerations for licensors: Our public licenses are
+     intended for use by those authorized to give the public
+     permission to use material in ways otherwise restricted by
+     copyright and certain other rights. Our licenses are
+     irrevocable. Licensors should read and understand the terms
+     and conditions of the license they choose before applying it.
+     Licensors should also secure all rights necessary before
+     applying our licenses so that the public can reuse the
+     material as expected. Licensors should clearly mark any
+     material not subject to the license. This includes other CC-
+     licensed material, or material used under an exception or
+     limitation to copyright. More considerations for licensors:
+	wiki.creativecommons.org/Considerations_for_licensors
+
+     Considerations for the public: By using one of our public
+     licenses, a licensor grants the public permission to use the
+     licensed material under specified terms and conditions. If
+     the licensor's permission is not necessary for any reason--for
+     example, because of any applicable exception or limitation to
+     copyright--then that use is not regulated by the license. Our
+     licenses grant only permissions under copyright and certain
+     other rights that a licensor has authority to grant. Use of
+     the licensed material may still be restricted for other
+     reasons, including because others have copyright or other
+     rights in the material. A licensor may make special requests,
+     such as asking that all changes be marked or described.
+     Although not required by our licenses, you are encouraged to
+     respect those requests where reasonable. More_considerations
+     for the public: 
+	wiki.creativecommons.org/Considerations_for_licensees
+
+=======================================================================
+
+Creative Commons Attribution 4.0 International Public License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution 4.0 International Public License ("Public License"). To the
+extent this Public License may be interpreted as a contract, You are
+granted the Licensed Rights in consideration of Your acceptance of
+these terms and conditions, and the Licensor grants You such rights in
+consideration of benefits the Licensor receives from making the
+Licensed Material available under these terms and conditions.
+
+
+Section 1 -- Definitions.
+
+  a. Adapted Material means material subject to Copyright and Similar
+     Rights that is derived from or based upon the Licensed Material
+     and in which the Licensed Material is translated, altered,
+     arranged, transformed, or otherwise modified in a manner requiring
+     permission under the Copyright and Similar Rights held by the
+     Licensor. For purposes of this Public License, where the Licensed
+     Material is a musical work, performance, or sound recording,
+     Adapted Material is always produced where the Licensed Material is
+     synched in timed relation with a moving image.
+
+  b. Adapter's License means the license You apply to Your Copyright
+     and Similar Rights in Your contributions to Adapted Material in
+     accordance with the terms and conditions of this Public License.
+
+  c. Copyright and Similar Rights means copyright and/or similar rights
+     closely related to copyright including, without limitation,
+     performance, broadcast, sound recording, and Sui Generis Database
+     Rights, without regard to how the rights are labeled or
+     categorized. For purposes of this Public License, the rights
+     specified in Section 2(b)(1)-(2) are not Copyright and Similar
+     Rights.
+
+  d. Effective Technological Measures means those measures that, in the
+     absence of proper authority, may not be circumvented under laws
+     fulfilling obligations under Article 11 of the WIPO Copyright
+     Treaty adopted on December 20, 1996, and/or similar international
+     agreements.
+
+  e. Exceptions and Limitations means fair use, fair dealing, and/or
+     any other exception or limitation to Copyright and Similar Rights
+     that applies to Your use of the Licensed Material.
+
+  f. Licensed Material means the artistic or literary work, database,
+     or other material to which the Licensor applied this Public
+     License.
+
+  g. Licensed Rights means the rights granted to You subject to the
+     terms and conditions of this Public License, which are limited to
+     all Copyright and Similar Rights that apply to Your use of the
+     Licensed Material and that the Licensor has authority to license.
+
+  h. Licensor means the individual(s) or entity(ies) granting rights
+     under this Public License.
+
+  i. Share means to provide material to the public by any means or
+     process that requires permission under the Licensed Rights, such
+     as reproduction, public display, public performance, distribution,
+     dissemination, communication, or importation, and to make material
+     available to the public including in ways that members of the
+     public may access the material from a place and at a time
+     individually chosen by them.
+
+  j. Sui Generis Database Rights means rights other than copyright
+     resulting from Directive 96/9/EC of the European Parliament and of
+     the Council of 11 March 1996 on the legal protection of databases,
+     as amended and/or succeeded, as well as other essentially
+     equivalent rights anywhere in the world.
+
+  k. You means the individual or entity exercising the Licensed Rights
+     under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+  a. License grant.
+
+       1. Subject to the terms and conditions of this Public License,
+          the Licensor hereby grants You a worldwide, royalty-free,
+          non-sublicensable, non-exclusive, irrevocable license to
+          exercise the Licensed Rights in the Licensed Material to:
+
+            a. reproduce and Share the Licensed Material, in whole or
+               in part; and
+
+            b. produce, reproduce, and Share Adapted Material.
+
+       2. Exceptions and Limitations. For the avoidance of doubt, where
+          Exceptions and Limitations apply to Your use, this Public
+          License does not apply, and You do not need to comply with
+          its terms and conditions.
+
+       3. Term. The term of this Public License is specified in Section
+          6(a).
+
+       4. Media and formats; technical modifications allowed. The
+          Licensor authorizes You to exercise the Licensed Rights in
+          all media and formats whether now known or hereafter created,
+          and to make technical modifications necessary to do so. The
+          Licensor waives and/or agrees not to assert any right or
+          authority to forbid You from making technical modifications
+          necessary to exercise the Licensed Rights, including
+          technical modifications necessary to circumvent Effective
+          Technological Measures. For purposes of this Public License,
+          simply making modifications authorized by this Section 2(a)
+          (4) never produces Adapted Material.
+
+       5. Downstream recipients.
+
+            a. Offer from the Licensor -- Licensed Material. Every
+               recipient of the Licensed Material automatically
+               receives an offer from the Licensor to exercise the
+               Licensed Rights under the terms and conditions of this
+               Public License.
+
+            b. No downstream restrictions. You may not offer or impose
+               any additional or different terms or conditions on, or
+               apply any Effective Technological Measures to, the
+               Licensed Material if doing so restricts exercise of the
+               Licensed Rights by any recipient of the Licensed
+               Material.
+
+       6. No endorsement. Nothing in this Public License constitutes or
+          may be construed as permission to assert or imply that You
+          are, or that Your use of the Licensed Material is, connected
+          with, or sponsored, endorsed, or granted official status by,
+          the Licensor or others designated to receive attribution as
+          provided in Section 3(a)(1)(A)(i).
+
+  b. Other rights.
+
+       1. Moral rights, such as the right of integrity, are not
+          licensed under this Public License, nor are publicity,
+          privacy, and/or other similar personality rights; however, to
+          the extent possible, the Licensor waives and/or agrees not to
+          assert any such rights held by the Licensor to the limited
+          extent necessary to allow You to exercise the Licensed
+          Rights, but not otherwise.
+
+       2. Patent and trademark rights are not licensed under this
+          Public License.
+
+       3. To the extent possible, the Licensor waives any right to
+          collect royalties from You for the exercise of the Licensed
+          Rights, whether directly or through a collecting society
+          under any voluntary or waivable statutory or compulsory
+          licensing scheme. In all other cases the Licensor expressly
+          reserves any right to collect such royalties.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+  a. Attribution.
+
+       1. If You Share the Licensed Material (including in modified
+          form), You must:
+
+            a. retain the following if it is supplied by the Licensor
+               with the Licensed Material:
+
+                 i. identification of the creator(s) of the Licensed
+                    Material and any others designated to receive
+                    attribution, in any reasonable manner requested by
+                    the Licensor (including by pseudonym if
+                    designated);
+
+                ii. a copyright notice;
+
+               iii. a notice that refers to this Public License;
+
+                iv. a notice that refers to the disclaimer of
+                    warranties;
+
+                 v. a URI or hyperlink to the Licensed Material to the
+                    extent reasonably practicable;
+
+            b. indicate if You modified the Licensed Material and
+               retain an indication of any previous modifications; and
+
+            c. indicate the Licensed Material is licensed under this
+               Public License, and include the text of, or the URI or
+               hyperlink to, this Public License.
+
+       2. You may satisfy the conditions in Section 3(a)(1) in any
+          reasonable manner based on the medium, means, and context in
+          which You Share the Licensed Material. For example, it may be
+          reasonable to satisfy the conditions by providing a URI or
+          hyperlink to a resource that includes the required
+          information.
+
+       3. If requested by the Licensor, You must remove any of the
+          information required by Section 3(a)(1)(A) to the extent
+          reasonably practicable.
+
+       4. If You Share Adapted Material You produce, the Adapter's
+          License You apply must not prevent recipients of the Adapted
+          Material from complying with this Public License.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+     to extract, reuse, reproduce, and Share all or a substantial
+     portion of the contents of the database;
+
+  b. if You include all or a substantial portion of the database
+     contents in a database in which You have Sui Generis Database
+     Rights, then the database in which You have Sui Generis Database
+     Rights (but not its individual contents) is Adapted Material; and
+
+  c. You must comply with the conditions in Section 3(a) if You Share
+     all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+  c. The disclaimer of warranties and limitation of liability provided
+     above shall be interpreted in a manner that, to the extent
+     possible, most closely approximates an absolute disclaimer and
+     waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+  a. This Public License applies for the term of the Copyright and
+     Similar Rights licensed here. However, if You fail to comply with
+     this Public License, then Your rights under this Public License
+     terminate automatically.
+
+  b. Where Your right to use the Licensed Material has terminated under
+     Section 6(a), it reinstates:
+
+       1. automatically as of the date the violation is cured, provided
+          it is cured within 30 days of Your discovery of the
+          violation; or
+
+       2. upon express reinstatement by the Licensor.
+
+     For the avoidance of doubt, this Section 6(b) does not affect any
+     right the Licensor may have to seek remedies for Your violations
+     of this Public License.
+
+  c. For the avoidance of doubt, the Licensor may also offer the
+     Licensed Material under separate terms or conditions or stop
+     distributing the Licensed Material at any time; however, doing so
+     will not terminate this Public License.
+
+  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+     License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+  a. The Licensor shall not be bound by any additional or different
+     terms or conditions communicated by You unless expressly agreed.
+
+  b. Any arrangements, understandings, or agreements regarding the
+     Licensed Material not stated herein are separate from and
+     independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+  a. For the avoidance of doubt, this Public License does not, and
+     shall not be interpreted to, reduce, limit, restrict, or impose
+     conditions on any use of the Licensed Material that could lawfully
+     be made without permission under this Public License.
+
+  b. To the extent possible, if any provision of this Public License is
+     deemed unenforceable, it shall be automatically reformed to the
+     minimum extent necessary to make it enforceable. If the provision
+     cannot be reformed, it shall be severed from this Public License
+     without affecting the enforceability of the remaining terms and
+     conditions.
+
+  c. No term or condition of this Public License will be waived and no
+     failure to comply consented to unless expressly agreed to by the
+     Licensor.
+
+  d. Nothing in this Public License constitutes or may be interpreted
+     as a limitation upon, or waiver of, any privileges and immunities
+     that apply to the Licensor or You, including from the legal
+     processes of any jurisdiction or authority.
+
+
+=======================================================================
+
+Creative Commons is not a party to its public licenses.
+Notwithstanding, Creative Commons may elect to apply one of its public
+licenses to material it publishes and in those instances will be
+considered the "Licensor." Except for the limited purpose of indicating
+that material is shared under a Creative Commons public license or as
+otherwise permitted by the Creative Commons policies published at
+creativecommons.org/policies, Creative Commons does not authorize the
+use of the trademark "Creative Commons" or any other trademark or logo
+of Creative Commons without its prior written consent including,
+without limitation, in connection with any unauthorized modifications
+to any of its public licenses or any other arrangements,
+understandings, or agreements concerning use of licensed material. For
+the avoidance of doubt, this paragraph does not form part of the public
+licenses.
+
+Creative Commons may be contacted at creativecommons.org.

+ 78 - 2
doc/README.md

@@ -1,6 +1,82 @@
-# Documentation
+# Docs
+
 *Documenting things related to the meshnet*
 
-We're writing documentation for meshnet related things. Feel free to submit pull requests.
+[cjdns](https://github.com/hyperboria/cjdns) addresses a large number of complex issues in an elegant way. While efforts have been made to provide a default configuration that matches the greatest number of use cases, it is impractical to expect software to replace understanding.
+
+> Enter the documentation project...
+
+The good citizens of Hyperboria decided to put together this collection of documentation to help make the inner workings of cjdns more transparent.
+
+We want you to [get involved](http://www.roaming-initiative.com/blog/posts/wtfm)! Feel free to submit pull requests.
 
 See [index.md](index.md) for current progress. We'd love more languages!
+
+Also have a look at [Prose for Programmers](https://github.com/joshuacc/prose-for-programmers), a work-in-progress book aimed at helping software developers write better prose.
+
+
+## The scope of this project
+
+We are interested in documenting a range of topics:
+
+1. cjdns internals: bugs and features
+2. operator culture and best practices
+3. meshlocal resources
+4. introductory literature
+
+
+## Reporting bugs
+
+[cjd](https://github.com/cjdelisle) would rather write code than troubleshoot trivial issues which often turn out to have resulted from user error. To make this easier, a few members of the community have offered to investigate issues on his behalf.
+
+If you think you've found a bug, report it on [our fork's issue tracker](https://github.com/hyperboria/cjdns/issues). We'll try to gather up documentation related to the issue, to better understand where it might be coming from. Once we can narrow it down, and research some of the background details to that particular piece of functionality, we may be able to submit patches ourselves.
+
+Anything you can submit that gets us closer to understanding some bug or function within cjdns is welcome. By starting an inquiry, you make it just a little bit easier for someone else to continue it. With that in mind, please read [this note on reporting bugs](bugs/reporting.md) and [our more general contribution policy](bugs/policy.md). Get involved!
+
+## License
+
+Unless otherwise noted, the contained documents are licensed under a
+Creative Commons Attribution 4.0 Unported License.
+
+See [LICENSE.txt](LICENSE.txt), or <[creativecommons.org/licenses/by/4.0/](https://creativecommons.org/licenses/by/4.0/)>
+
+
+## For committers
+
+Please remember that the canonical repo is at [gitboria.com/projectmeshnet/documentation](http://gitboria.com/projectmeshnet/documentation) in Hyperboria.
+Pull from there, and push there first.
+If the canonical repo and mirror at [github.com/hyperboria/docs](https://github.com/hyperboria/docs) diverge,
+the canonical repo's respective branch shall be force-pushed to the mirror.
+
+
+## Documentation in cjdns.git/doc
+
+This repository is semi-regularly merged into cjdns' `doc/` directory.
+It's useful to ship documentation with the code.
+We use the following commands.
+
+```sh
+$ cd cjdns/
+$ git remote add hyperboria git@github.com:hyperboria/cjdns.git
+$ git remote add docs git@gitboria.com:projectmeshnet/docs.git
+```
+
+To merge documentation changes into cjdns,
+we squash all new commits since the last merge into one commit,
+and merge that commit into master.
+
+```sh
+$ git checkout master
+$ git pull hyperboria master
+$ git subtree pull --squash -P doc/ docs/master
+$ git push hyperboria master
+```
+
+To merge documentation changes in cjdns back upstream into this repository,
+we create a merge commit, and push it.
+
+```
+$ git subtree split -P doc/
+38e3bc6f899de49213aed754c74046b9ae4a85d2
+$ git push docs 38e3bc6f:master
+```
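Review bot: in "Documentation in cjdns.git/doc", `git subtree pull --squash -P doc/ docs/master` passes the remote and branch as a single argument; `git subtree pull` takes the repository and the ref separately, so this should read `git subtree pull --squash -P doc/ docs master`. The `docs` remote is added as `git@gitboria.com:projectmeshnet/docs.git`, while "For committers" names the canonical repo as `projectmeshnet/documentation`; one of the two paths needs correcting. The License section says "Attribution 4.0 Unported", but the LICENSE.txt added in this same commit is titled "Attribution 4.0 International". The last fence is also missing the `sh` tag the other two carry.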

+ 4 - 0
doc/achievements.md

@@ -49,6 +49,10 @@ Achievements expire, so if at any given time you don't qualify, you lose those p
 37. Document an undocumented function or component of cjdns.
 38. Implement a function or component of cjdns in an alternate language
 39. Translate an article into another language (and maintain it).
+40. Update cjdns without pinging out on IRC.
+41. Configure an authorizedPassword without restarting cjdns.
+42. Find out whether your home router can run cjdns: [OpenWrt table of hardware](http://wiki.openwrt.org/toh/start)
+43. Try out the [Meshbox firmware](https://github.com/seattlemeshnet/meshbox) on your home router.
 
 ## Penalties
 
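Review bot: item 41, "Configure an authorizedPassword without restarting cjdns.", gives no pointer to how this is done, while items 42 and 43 link to their resources; a link to the page that describes it would make the achievement actionable. Item 42 also lacks the closing period the other added items have and links to the OpenWrt wiki over plain http.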

+ 74 - 0
doc/bugs/configurator-timeout.md

@@ -0,0 +1,74 @@
+# Configurator.c: Timed out waiting for a response
+
+In some scenario cjdns could fail at starting up with the following cryptic
+messages:
+
+```
+1428440513 DEBUG AdminClient.c:333 Connecting to [127.0.0.1:11234]
+1428440513 DEBUG UDPAddrIface.c:294 Bound to address [0.0.0.0:58063]
+1428440518 CRITICAL Configurator.c:96 Failed to make function call [Timed out waiting for a response], error: [ping]
+1428440518 CRITICAL Configurator.c:56 enable Log_LEVEL=KEYS to see message content.
+1428440523 CRITICAL Configurator.c:68 Failed to stop the core.
+1428440523 CRITICAL Configurator.c:70 Aborting.
+```
+
+## Cause
+
+cjdns is configured via the admin interface, listening by default on
+`localhost`, port `11234`.
+
+However, there are some machine configurations where the firewall has a default
+policy different from ACCEPT for the INPUT chain and there's an exception for
+loopback interface missing. Checking with `iptables -t filter -L` (as root)
+should output something like:
+
+```
+Chain INPUT (policy ACCEPT)
+target     prot opt source               destination
+
+Chain FORWARD (policy ACCEPT)
+target     prot opt source               destination
+
+Chain OUTPUT (policy ACCEPT)
+target     prot opt source               destination
+```
+
+The above output is the default configuration of the firewall, with everything
+allowed, your own could be configured in many different ways. However, you have
+to check your INPUT chain policy, if it's REJECT or DROP that could be causing
+the problem above.
+
+## Solution
+
+There are a couple of solutions to this issue.
+
+### ACCEPT everything on INPUT
+
+Piece of cake: just run `iptables -t filter -P INPUT ACCEPT`.
+
+### Add an exception for loopback traffic
+
+This solution is more complex, but allows you to retain your full firewall
+functionality while allowing cjdns at the same time.
+You have to allow both inbound and outbound traffic on the loopback interface,
+usually named `lo`. That name is the one which is going to be used in the
+following code snippet.
+
+```
+iptables -t filter -I INPUT -i lo -j ACCEPT
+iptables -t filter -I INPUT -o lo -j ACCEPT
+```
+
+Ok, I cheated. The rules are really simple: just ACCEPT everything from (`-i`) or
+to (`-o`) loopback interface (`lo`) on chain `INPUT`.
+
+Maybe not so simple really...
+
+#### ... and now you can't peer
+
+Just adding an exception for `lo` is not enough if you want to peer via UDP and
+you didn't load the conntrack module. Load it or add an exception for the port
+used by the UDPInterface.
+
+Or just use the first solution.
+
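Review bot: the second rule under "Add an exception for loopback traffic", `iptables -t filter -I INPUT -o lo -j ACCEPT`, matches on an output interface in the INPUT chain, which iptables rejects; since the text asks for both inbound and outbound loopback traffic, it should be `iptables -t filter -I OUTPUT -o lo -j ACCEPT`, and the sentence after it ("on chain `INPUT`") should be updated to match. The closing "Or just use the first solution" steers readers to `iptables -t filter -P INPUT ACCEPT`, which removes inbound filtering on every interface, not only loopback; the text should state that trade-off and present the loopback exception as the preferred fix. The "... and now you can't peer" section names neither the module to load nor the rule for the UDPInterface port, so it is hard to act on. "In some scenario" should be "In some scenarios".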

+ 89 - 0
doc/bugs/connectTo-overflow.md

@@ -0,0 +1,89 @@
+## cjdns connectTo buffer overflow bug
+
+I (and [several others](https://github.com/cjdelisle/cjdns/issues/701)) experienced an issue where cjdroute would fail to launch, with the following error:
+
+```
+...
+1423794312 INFO cjdroute2.c:560 Forking angel to background.
+1423794312 DEBUG Pipe.c:135 Buffering a message
+1423794312 DEBUG cjdroute2.c:597 Sent [204] bytes to angel process
+1423794312 DEBUG Pipe.c:232 Pipe [/tmp/cjdns_pipe_client-angel-yubd7j5m8vvjn3fju1nvw47v316g05] established connection
+1423794312 DEBUG Pipe.c:254 Sending buffered message
+1423794312 DEBUG AdminClient.c:333 Connecting to [127.0.0.1:11234]
+1423794312 DEBUG UDPAddrInterface.c:293 Bound to address [0.0.0.0:36018]
+1423794317 CRITICAL Configurator.c:96 Failed to make function call [Timed out waiting for a response], error: [UDPInterface_beginConnection]
+1423794317 CRITICAL Configurator.c:56 enable Log_LEVEL=KEYS to see message content.
+1423794317 CRITICAL Configurator.c:70 Aborting.
+```
+
+## The cause
+
+After some trial and error, I narrowed the cause of the factor down to a particular block in the `connectTo` section of my configuration file.
+
+```
+"192.168.10.102:6447":
+{
+"password":"anArbitraryPasswordOfThisLength",
+"publicKey":"3kcy5s4fvp6f1tzx2f9llm0dp19y4xz1z9t1rftf45103s2b7670.k",
+"operator":"aLargeNumberOfAliasesforAUser",
+"contact":"aNodeOperator@anEmail.tld",
+"location":"aVerboseDescriptionOfAPhysicalLocation",
+"ipv6":"fc00:0000:0000:0000:0000:0000:0000:0000"
+}
+```
+
+At first I commented out the `"ipv6"` line, and suddenly my node was able to launch. Using **pigeon logic**, I figured that perhaps "ipv6" had some special significance in an outgoing connectTo block. I tried making it "IPV6" instead, and padded the ipv6 with missing zeros to bring it up to the standard 39 character representation. Nothing worked.
+
+At this point, I just commented out the ipv6 field, and relaunched the node. It worked, and for a while I was happy enough with that solution, but I wanted to understand what was happening.
+
+I asked [cjd](http://github.com/cjdelisle/) and he suggested commenting out a different field instead. Surely enough, commenting out any member of the data structure (other than those that are required by the cjdns angel) was enough to make the configuration file valid.
+
+So as it turns out, the error occurred as a result of the length of the bencoded packet being sent to the angel exceeding the hard limit of the length of a UDP packet. Again, at **cjd**'s suggestion, I used a commonly available tool to diagnose the issue:
+
+
+## How to do it yourself
+
+**excerpted from IRC logs**
+
+```
+10:49 <@__cjd__> did you tcpdump lo ?
+10:49 <@__cjd__> tcpdump -A -s0 -i lo
+```
+
+I personally ran `sudo tcpdump -A -s0 -i lo > connectTo.overflow.log`, then attempted to launch cjdns using my `buggy.conf`.
+
+## What the traffic looks like
+
+```
+E..'..@.@.............+....'d0000006:cookie10:13904808324:hash64:723280ffa58bd47ce5dad1f42199fe3d3ff73c4e9fd6859d342b872f31c848ab1:q4:auth2:aq28:UDPInterface_beginConnection4:argsd7:address19:192.168.10.102:644715:interfaceNumberi0e4:ipv639:fc00:0000:0000:0000:0000:0000:0000:00008:location38:aVerboseDescriptionOfAPhysicalLocation7:contact25:aNodeOperator@anEmail.tld8:operator40:anEspeciallyVerboseListOfAliasesForAUser9:publicKey54:3kcy5s4fvp6f1tzx2f9llm0dp19y4xz1z9t1rftf45103s2b7670.k8:password31:anArbitraryPasswordOfThisLengthe4:txid8:07000000e
+13:32:52.313755 IP localhost.11234 > localhost.34563: UDP, length 28
+E..8..@.@...........+....$.7d5:error16:Request too big.e
+```
+
+## A successful conf
+
+I shortened this `connectTo` block one character at a time until `cjdroute` launched successfully. This block is the maximum length that passes. 
+
+```
+"192.168.10.102:6447":
+{
+  "password":"anArbitraryPasswordOfThisLength",
+  "publicKey":"3kcy5s4fvp6f1tzx2f9llm0dp19y4xz1z9t1rftf45103s2b7670.k",
+  "operator":"a_ShorterListOfAliasesForAUser",
+  "contact":"aNodeOperator@anEmail.tld",
+  "location":"aVerboseDescriptionOfAPhysicalLocation",
+  "ipv6":"fc00:0000:0000:0000:0000:0000:0000:0000"
+}
+```
+
+The `bencode`d form is displayed below:
+
+```
+E.....@.@.yS.........X+.....d6:cookie10:13904809584:hash64:7f050f5968df6d94c2cd044625e00b10d066555eee5bb5fbdc5f763e256126891:q4:auth2:aq28:UDPInterface_beginConnection4:argsd7:address19:192.168.10.102:644715:interfaceNumberi0e4:ipv639:fc00:0000:0000:0000:0000:0000:0000:00008:location38:aVerboseDescriptionOfAPhysicalLocation7:contact25:aNodeOperator@anEmail.tld8:operator30:a_ShorterListOfAliasesForAUser9:publicKey54:3kcy5s4fvp6f1tzx2f9llm0dp19y4xz1z9t1rftf45103s2b7670.k8:password31:anArbitraryPasswordOfThisLengthe4:txid8:07000000e
+13:35:01.776419 IP localhost.11234 > localhost.53848: UDP, length 36
+E..@..@.@.{)........+..X.,.?d000005:error4:none4:txid8:07000000e
+```
+
+## Conclusion
+
+Keep your connectTo sections short! It's useful to have an ipv6, a contact, and a nick for a user. If you want to add a "location" field, add it in an abbreviated form, like `"location":"Toronto,CA"`.
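Review bot: The `tcpdump -A -s0 -i lo > connectTo.overflow.log` step and the captures under "What the traffic looks like" put the peering `password` and the admin `cookie`/`hash` values into a file in cleartext, and the page never tells readers to redact them before attaching the log to a bug report. Add a sentence saying so right after the tcpdump instruction. Separately, the explanation attributes the failure to "the hard limit of the length of a UDP packet", while the reply shown is the error `Request too big.`; the page gives a failing block and the longest passing block but never states the byte limit itself, which is the number a reader needs in order to check their own config.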

+ 18 - 0
doc/bugs/distro-quirks.md

@@ -0,0 +1,18 @@
+# OS/distribution-specific quirks
+
+## OSX
+
+### Failure to autopeer
+
+```IRC
+16:46 < ansuz> sounds like you guys are in srs mode, but that mac no-auto-peering thing only really has one line of documentation
+16:46 < ansuz> at some point if someone could fill me in on the why, it would get more
+16:47 <@cjd> ahh, it's because generating ethernet frames is different per operating system
+16:47 <@cjd> there's no standardized socket(SO_LINK_LAYER, "eth0")
+16:48 <@cjd> so ETHInterface_darwin.c just isn't written
+16:49 <@cjd> now you can copy/paste that into a little txt file and when some poor bastard asks why, tell him and then shout at him to update the documentation
+16:49 <@cjd> and if he doesn't, shitlist him so no more questions \:D/
+16:49 <@Arceliar> or bug people who own a mac to write ETHInterface_darwin.c
+```
+
+There you have it, Macs don't autopeer via ethernet frames.
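Review bot: The closing line "Macs don't autopeer via ethernet frames" drops the actual reason, which appears only inside the IRC paste: `ETHInterface_darwin.c` isn't written, because generating ethernet frames differs per operating system. State that in prose under "Failure to autopeer" so the page is usable without reading the log, and consider trimming the paste to the 16:47 and 16:48 lines, since the remaining lines are banter that adds nothing to the explanation.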

+ 55 - 0
doc/bugs/hidden-peers.md

@@ -0,0 +1,55 @@
+# The Hidden Peers Bug
+
+## THIS BUG HAS BEEN FIXED AS OF V14 ##
+
+This is a class of bugs where direct peers
+
+- fall out of the NodeStore (i.e. the routing table)
+- make it into the NodeStore delayed by seconds to minutes
+- never make it into the NodeStore at all
+
+If you have only one peer, the result of this obviously is totally broken
+routing. In rare cases, packet forwarding works, and you can still (to some
+degree) establish connectivity to the peer without it being in the NodeStore.
+
+With multiple peers, the result might be less bad -- needs more information.
+
+
+## Diagnostics
+
+Assuming your peer's IP address is `fc67:9816:2ccc:c4c2:f76c:1d09:a7a5:044e`,
+you can use the following tools to diagnose the Hidden Peers bug.
+
+```
+$ contrib/nodejs/tools/peerStats.js | grep 044e
+fc67:9816:2ccc:c4c2:f76c:1d09:a7a5:044e  0000.0000.0000.0015  in 1844334  out 1012270  ESTABLISHED  dup 0 los 6 oor 0
+
+$ contrib/nodejs/tools/dumptable.js | grep 044e
+fc67:9816:2ccc:c4c2:f76c:1d09:a7a5:044e 0000.0000.0000.0015 199687481 13 76
+```
+
+If you are hitting the bug, peerStats.js looks just like above, but the output
+of dumptable.js doesn't include the peer.
+
+In some cases, dumptable.js does include the peer, but the path reads `ffff.ffff.ffff.ffff`.
+This is likely the case shortly before the peer falls out of the NodeStore, right
+after the link has turned bad, for whatever reason.
+
+
+# Collecting logs
+
+On both ends, e.g. my laptop and the VPS it's peered with, I collect logs
+related to the respective other node.
+
+```
+$ sudo gdb ./cjdroute -ex 'set follow-fork-mode child' -ex 'run < /etc/cjdroute.conf' -ex 'thread apply all bt' -ex 'quit' &> gdb.log
+# In another shell
+$ tail -f gdb.log | grep -P '044e|vsbxsthgml9l7wxyqn1b9nc2c9cucbmdps0fh3gd2jn9ys017590'
+```
+
+
+# Underlying issues
+
+Maybe something related to SwitchPings. The peering gets established, but in
+order for the peer to be added to the NodeStore, we need to find out its
+protocol version, which is why we send a SwitchPing.
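Review bot: In "Collecting logs" the `grep -P` pattern includes `vsbxsthgml9l7wxyqn1b9nc2c9cucbmdps0fh3gd2jn9ys017590`, which is never introduced; the Diagnostics section only names the peer's IP address. Say what the second alternative is and where a reader finds their own value. The heading levels are also inconsistent (`## Diagnostics` followed by `# Collecting logs` and `# Underlying issues`), and "needs more information" together with the "Maybe something related to SwitchPings" paragraph read as open notes on a page whose banner says the bug is fixed as of V14; either mark them as historical or state the resolved cause.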

+ 7 - 0
doc/bugs/index.md

@@ -0,0 +1,7 @@
+* [black-hole](black-hole.md)
+* [configurator-timeout](configurator-timeout.md)
+* [connectTo-overflow](connectTo-overflow.md)
+* ~~[hidden-peers](hidden-peers.md)~~ :: **fixed**
+* [policy](policy.md)
+* [reporting](reporting.md)
+* [santa](santa.md)
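Review bot: `distro-quirks.md` is added under doc/bugs/ in this same commit but is missing from this index, so nothing here links to it. Add an entry for it, and confirm that `black-hole.md` and `santa.md` exist, since neither appears among the doc/bugs/ files shown in this change.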

+ 20 - 0
doc/bugs/policy.md

@@ -0,0 +1,20 @@
+## Policy
+
+cjd recently closed the issue tracker on his [cjdns repo](http://github.com/cjdelisle/cjdns) on the basis that it had the effect of encouraging people to submit errors, then wander off feeling like they had done their part in solving the problem (my words, not his (--ansuz)).
+
+Several of us from within the community encouraged him to do so, justifying the action by considering that it had not been maintained in some time, and without having someone assume responsibility for its maintenance there was little reason to keep it around.
+
+To make up for its absence, however, we decided to provide [a fork of cjdns](http://github.com/hyperboria/cjdns), with [its own issue tracker](https://github.com/hyperboria/cjdns/issues) which would be maintained by the community. There are quite a few of us who care enough about this project to invest our time in improving things, however, it should be understood that:
+
+1. like cjd, we are contributing our own personal time to do so
+2. many of us balance these volunteer commitments against full time jobs
+3. our volunteers are generally intelligent, charming, motivated individuals who could otherwise spend their personal time cavorting with other similarly charming, intelligent, and motivated humans
+
+With that in mind, the [remarkably small group](https://github.com/orgs/hyperboria/people) who have pushed to curate our documentation and maintain our cjdns fork could really use some help.
+
+> This document exists to explain how you can get involved, as well as what our terms are for continuing to offer our collective efforts
+
+1. We are going to push harder to implement a stricter [WTFM](http://www.roaming-initiative.com/blog/posts/wtfm) policy. If a solution to your problem has been documented, you will be directed to it. If it has not, it will be explained to you under the assumption that you will contribute documentation for the next person to encounter the problem.
+2. If you say you will document something, but you don't, you might end up on a blacklist. Nobody is under any obligation to ignore you, and there will not be any repercussions for offering assistance. However, you probably want to avoid developing a bad reputation. Negative reenforcement tends to be ineffective, though, so you may want a method of encouraging people to contribute, and keeping track of those that have. [VOILA](https://github.com/hyperboria/docs/graphs/contributors)! Contributing lands you on the contributers list.
+3. Issues will be closed if nobody volunteers to investigate further. If three months go by, and nobody contributes more information, we may just assume that the problem has been solved. Similarly, if your issue is vague, or lacks a descriptive title, you will be asked to elaborate. If you do not, it will be closed.
+4. [Gitboria](http://gitboria.com), a GitLab instance on Hyperboria, hosts the canonical repository for these documents. If at all possible, make pull requests or issues there, and not here on github.
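Review bot: Item 2 of the second list is hard to follow: "Nobody is under any obligation to ignore you, and there will not be any repercussions for offering assistance" does not say what being on the blacklist means for the person listed. Spell out the consequence in one sentence. Also fix "reenforcement" (reinforcement) and "contributers" (contributors). The two numbered lists both start at 1 on either side of the blockquote, so a reference to "item 2" is ambiguous; a subheading over the second list would resolve that.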

+ 13 - 0
doc/bugs/reporting.md

@@ -0,0 +1,13 @@
+## When is it appropriate to report a bug?
+
+There are lots of known bugs in older revisions of cjdns. Many of them have been fixed. Before making a big issue of some odd behaviour, first ask yourself if you're using [the latest crashey branch](https://github.com/cjdelisle/cjdns/tree/crashey).
+
+If you are **not** running the latest _crashey_, then it is quite likely the bug has already been fixed. While others out there may be experiencing the same bug, it is critical that you indicate which revision you were using when you encountered it. Others can then test for it on newer versions, and if it has been fixed, isolate **where** and **how** it was fixed.
+
+## What should I report?
+
+1. On which device are you encountering the issue?
+2. When was that device last updated?
+3. Do you have any other applications running which might interfere with some behaviour? (firewalls are a common cause of issues)
+4. On which OS/distro did you encounter the issue?
+
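Review bot: The first section says "it is critical that you indicate which revision you were using", but the "What should I report?" list never asks for the cjdns revision or branch. Add it as the first item, and consider also asking for the steps to reproduce and the relevant log output. The trailing empty `+` line at the end of the file can be dropped.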

+ 4 - 2
doc/cjdns/anatomy.md

@@ -82,7 +82,9 @@ We notice a few things about this TUN interface.
 2. The `inet` and `P-t-P` addresses, which are assigned by cjdns' tunneling functionality: [IPTunnel](iptunnel.md)
 3. The `RX` and `TX` values, which count the IP traffic received and transmitted by this cjdns node.
 
-The routes look a bit more obscure.
+The routes look a bit more obscure. <!-- maybe delete this line? -->
 
 1. All packets for addresses starting with `fc` are handed to cjdns' TUN interface.
-2. TODO: what's the reason for the additional route?
+2. Packets addressed to the local `fc` address are redirected to loopback device (`lo`).
+   That route is managed by the OS kernel and it's needed to actually send packets to local machine
+   network stack. That's like the _self interface director_ used by cjdns.
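Review bot: The added `<!-- maybe delete this line? -->` is an unresolved editing question committed into the page; decide whether "The routes look a bit more obscure." stays and remove the comment either way. In the new item 2, "redirected to loopback device" and "to local machine network stack" are missing articles, and "_self interface director_" is used without a link or definition, so a reader of this page cannot tell what the comparison refers to.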

+ 0 - 29
doc/cjdns/data_structures/Address.md

@@ -1,29 +0,0 @@
-### Address
-
-- uint32_t protocolVersion;
-  - The protocol version of the node.
-
-- uint32_t padding;
-  - unused
-```javascript
-union {
-    struct {
-        // tricksy: this is effectively a 64 bit rotate of the following bytes array
-        uint32_t three_be;
-        uint32_t four_be;
-        uint32_t one_be;
-        uint32_t two_be;
-    } ints;
-
-    struct {
-        uint64_t two_be;
-        uint64_t one_be;
-    } longs;
-xxxxi  - $diwx
-    uint8_t bytes[Address_SEARCH_TARGET_SIZE];
-} ip6;
-```
-- uint8_t key[Address_KEY_SIZE];
-
-- uint64_t path;  
-TODO: This struct is in dire need of some annotation

+ 0 - 12
doc/cjdns/data_structures/Allocator.md

@@ -1,12 +0,0 @@
-### Allocator
-
-const char* fileName;
-  - The name of the file where this allocator was created.
-
-int lineNum;
-  -The number of the line where this allocator was created.
-
-int isFreeing;
-  - Non-zero if allocator is currently freeing.  
-
-TODO: Copy/Remove allocator documentation and premise to somehwere more appropereate.

+ 0 - 4
doc/cjdns/data_structures/EventBase.md

@@ -1,4 +0,0 @@
-### EventBase
-
-- int unused;
-  - TODO: check to see that this is unused.

+ 0 - 40
doc/cjdns/data_structures/Identity.md

@@ -1,40 +0,0 @@
-### Identity
-
-We don't know how its mistress works maybe we don't want to know
-
-```javascript
-#if defined(Identity_CHECK)
-
-    /** This goes in each structure which will be checked. */
-    #define Identity \
-        unsigned long Identity_verifier;
-
-    #define Identity_set(pointer) \
-        (pointer)->Identity_verifier = Identity_MAGIC
-
-    #define Identity_check(pointer) \
-        (__extension__ ({                                                      \
-            __typeof__(pointer) Identity_ptr = (pointer);                      \
-            Assert_true(Identity_ptr->Identity_verifier == Identity_MAGIC);  \
-            Identity_ptr;                                                      \
-        }))
-
-    #define Identity_ncheck(pointer) \
-        (__extension__ ({                                                                       \
-            __typeof__(pointer) Identity_ptr = (pointer);                                       \
-            Assert_true(!Identity_ptr || Identity_ptr->Identity_verifier == Identity_MAGIC);  \
-            Identity_ptr;                                                                       \
-        }))
-
-#else
-    #define Identity
-    #define Identity_set(pointer)
-
-    #define Identity_check(pointer) \
-        (__extension__ ({                                                      \
-            (pointer);                                                         \
-        }))
-
-    #define Identity_ncheck(pointer) Identity_check(pointer)
-#endif
-```

+ 0 - 4
doc/cjdns/data_structures/Log.md

@@ -1,4 +0,0 @@
-### Log
-
-- Log_callback print;
-  - TODO: Explain what is going on here

+ 0 - 7
doc/cjdns/data_structures/Log_callback.md

@@ -1,7 +0,0 @@
-### sorry not sure what to make of this quite yet
-typedef void (* Log_callback) (struct Log* log,
-                               enum Log_Level logLevel,
-                               const char* file,
-                               int line,
-                               const char* format,
-                               va_list args);

+ 0 - 22
doc/cjdns/data_structures/NodeStore.md

@@ -1,22 +0,0 @@
-Used in NodeStore_pvt
-defined in NodeStore.h
-### NodeStore
-
-- struct Address* selfAddress;
-<br>
-
-- struct Node_Two* selfNode;
-<br>
-- int peerCount;
-- int linkedNodes;
-  - corolated data
-<br>
-<br>
-- int nodeCount;
-- int nodeCapacity;
-  - corolated data
-<br>
-<br>
-- int linkCount;
-- int linkCapacity;
-  - corolated data

+ 0 - 27
doc/cjdns/data_structures/NodeStore_pvt.md

@@ -1,27 +0,0 @@
-### NodeStore_pvt
-
-- struct [NodeStore][] pub
-- struct [Node_Link][]* selfLink
-- struct [NodeRBTree][] { struct [Node_Two][]* rbh_root; } nodeTree;
-  - inplace struct [NodeRBTree][] generated here  
-    it contains a tree holding all nodes orderd by ipv6 address?
-- struct [Allocator][]* alloc;
-- struct [Node_Link][]* linksToFree;
-  - operated on by freePendingLinks()
-- struct [RumorMill][]* renumberMill;
-  - nodes that have probably been reset?
-- struct [Log][]* logger;
-  - [sic] The means for this node store to log.
-- struct [EventBase][]* eventBase;
-  - To track time?
-- [Identity][]
-  - mesterious checking macro
-[NodeStore]: ./NodeStore.md
-[Node_Link]: ./Node_Link.md
-[Node_Two]: ./Node_Two.md
-[NodeRBTree]: ./NodeRBTree.md
-[Allocator]: ./Allocator.md
-[RumorMill]: ./RumorMill.md
-[Log]: ./Log.md
-[EventBase]: ./EventBase.md
-[Identity]: ./Identity.md

+ 0 - 51
doc/cjdns/data_structures/Node_Link.md

@@ -1,51 +0,0 @@
-defined in Node.h
-Used by NodeStore_pvt
-### Node_Link
-
-- struct {
-    struct [Node_Link][]* rbe_left;
-    struct [Node_Link][]* rbe_right;
-    struct [Node_Link][]* rbe_parent;
-    int rbe_color;
-} peerTree;
-  - Used by the parent's [RBTree][] of links (?).
-
-- int inverseLinkEncodingFormNumber;
- - The Encoding Form number which is used to represent the first director in the path from  
-   child to parent.(?)
-
-- uint32_t linkState;
- - The quality of the link between parent and child,  
-   between 0xFFFFFFFF (perfect) and 0 (intolerable).
-
-- uint64_t timeLastSeen;
-  - The time this link was last seen carrying traffic. (Currently limited to ping traffic.) 
-
-- struct [Node_Two][]* parent;
-  - The parent of this peer, this is where the root of the [RBTree][] is. 
-  
-- struct [Node_Two][]* child;
-  - The child of this link.
-
-- struct [Node_Link][]* nextPeer;
-  - linked list
-  - The next link which points to the same child.
-  - For each child there are many links pointing to it,
-
-- struct [Node_Link][]* nextInSplitList;
-  - linked list
-  - Used internally by NodeStore for creating a list used for splitting links.
-
-- uint64_t cannonicalLabel;
-  - The label which would be used to reach the child from the parent.
-  - This label is in a cannonical state and must be altered so that the first Director uses
-  - at least as many bits as are required to reach the grandparent from the parent
-  - in the reverse direction.
-
-- uint64_t discoveredPath;
-  - The path which the incoming packet followed when this node was discovered.
-
-Identity
-[Node_Link]: ./Node_Link.md
-[Node_Two]: ./Node_Two.md
-[RBTree]: ./RBTree.md

+ 0 - 52
doc/cjdns/data_structures/Node_Two.md

@@ -1,52 +0,0 @@
-Defined in Node.h
-Used by [Node_Link][]
-Used by [NodeRBTree][] inside of [NodeStore_pvt][] and others
-
-### Node_Two
-
-- uint32_t reach_pvt;
-  - The reach of the node (how big/fast/close it is).
-  - Since reach is a fraction, the reach number represents a percentage where 0xFFFFFFFF = 100%
-  - DO NOT ALTER THIS OUTSIDE OF NODESTORE
-
-- uint64_t timeLastPinged;
-  - Time the node was last pinged
-  - **not** reset on path changes.
-- int marked;
-  - This is only used to mark/sweep nodes in getWorstNode(), it is meaningless otherwise.
-
-- struct [Address][] address;
-  - addr of current node
-
-- struct [EncodingScheme][]* encodingScheme;
-  - The encoding method used by this node.
-    - TODO: list encodeing methods here
-
-- struct [PeerRBTree][] { struct Node_Link* rbh_root; } peerTree;
-  - Peers of this node for which we know the forward direction.
-  - Use RB_NFIND(PeerRBTree, node->peerTree, struct type* elm)
-
-- struct [Node_Link][]* reversePeers;
-  - Used for freeing the links associated with this node.
-
-
-- struct [Node_Link][]* bestParent_pvt;
-  - The best link for getting to this node.
-
-- struct { struct [Node_Two][]* rbe_left; struct [Node_Two][]* rbe_right; struct [Node_Two][]* rbe_parent; int rbe_color; } nodeTree;
-  - Used by nodeStore's RBTree of nodes by address.
-
-- struct [Allocator][]* alloc;
-  - TODO: find out what this does
-
-- Identity
-  - Magical macro mostly a noop  
-
-[Node_Link]: ./Node_link.md
-[NodeStore_pvt]: ./NodeStore_pvt.md
-[Node_Two]: ./Node_Two.md
-TODO: finish these links
-[NodeRBTree]: ./NodeRBTree.md
-[EncodingScheme]: ./EncodingScheme.md
-[Address]: ./Address.md
-[PeerRBTree]: ./PeerRBTree.md
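Review bot: This deletion removes field-level notes that read as invariants rather than placeholders, for example "DO NOT ALTER THIS OUTSIDE OF NODESTORE" on `reach_pvt`, that `timeLastPinged` is not reset on path changes, and that `marked` is only meaningful inside getWorstNode(). The page says the struct is defined in Node.h; before dropping the file, check that those notes are present as comments there, and if they are not, move them into the header rather than losing them.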

+ 0 - 11
doc/cjdns/data_structures/RumorMill.md

@@ -1,11 +0,0 @@
-
-The rumor mill is for new nodes which have been discovered by search and
-getPeers requests but, we(who?) have never actually communicated with them so 
-we(who?) are not sure if they exist. More importantly, we(who?) *cannot* link
-them into the nodeStore tree because we(who?) are not sure of their encoding
-scheme.
-
-### RumorMill
-
-- int count;
-  - TODO: Provide some more information about this one.

+ 10 - 0
doc/cjdns/functions/iface-h.md

@@ -0,0 +1,10 @@
+## Iface.h
+
+TODO: This lacks context. What is an interface?
+
+Check out the new `[Iface.h]`(https://github.com/hyperboria/cjdns/blob/master/interface/Iface.h) which replaced the old `Interface.h`.
+
+It features a manual tail call optimization which will likely be reused throughout the codebase.
+
+See [the flag used to turn on the optimization](https://github.com/hyperboria/cjdns/blob/master/interface/Iface.h#L65).
+
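Review bot: The link markup on the "Check out the new" line is broken: the backticks wrap the brackets in `[Iface.h]`, so the text renders as inline code followed by a bare parenthesised URL instead of a link; put the backticks inside the brackets. Both links point at `blob/master`, and the second relies on the `#L65` line anchor, which will point at a different line as soon as the header changes, so link to a fixed commit instead. The page also ships with its own "TODO: This lacks context" and never names the flag it refers to; naming it in the text would keep the page useful even if the link rots.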

+ 0 - 386
doc/cjdns/order-of-compilation.md

@@ -1,386 +0,0 @@
-Here is the order of compilation on  my Linux box (3.13.0-43-generic #72-Ubuntu SMP x86_64) of `*.c` files when `./do` spawns `gcc` using '`-c`', '`-S`' or '`-E`':
-
-The top-most files were compiled first, and has the least number of dependencies. This listing includes the compilation of `cnacl` and `libuv` libraries included in the source tree.
-
-1. `cjdns/node_build/dependencies/cnacl/randombytes/devurandom.c`
-1. `cjdns/node_build/dependencies/cnacl/okcompilers/abiname_xcompile.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_hashblocks/sha512/inplace/blocks.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_scalarmult/curve25519/donna_c64/base.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_scalarmult/curve25519/donna_c64/smult.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_verify/16/ref/verify.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_hash/sha512/ref/hash.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_box/curve25519xsalsa20poly1305/ref/after.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_box/curve25519xsalsa20poly1305/ref/before.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_box/curve25519xsalsa20poly1305/ref/box.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_box/curve25519xsalsa20poly1305/ref/keypair.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_onetimeauth/poly1305/amd64/verify.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_stream/xsalsa20/ref/stream.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_stream/xsalsa20/ref/xor.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_core/salsa208/ref/core.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_stream/aes128ctr/core2/stream.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_stream/aes128ctr/core2/xor.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_hashblocks/sha256/ref/blocks.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_core/hsalsa20/ref/core.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_verify/32/ref/verify.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_core/salsa2012/ref/core.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_hash/sha256/ref/hash.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_core/salsa20/ref/core.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_auth/hmacsha256/ref/hmac.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_auth/hmacsha256/ref/verify.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_secretbox/xsalsa20poly1305/ref/box.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_auth/hmacsha512256/ref/hmac.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_auth/hmacsha512256/ref/verify.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_0.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_1.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_add.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_cmov.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_copy.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_frombytes.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_invert.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_isnegative.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_isnonzero.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_mul.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_neg.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_pow22523.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_sq.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_sq2.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_sub.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/fe_tobytes.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_add.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_double_scalarmult.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_frombytes.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_madd.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_msub.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_p1p1_to_p2.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_p1p1_to_p3.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_p2_0.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_p2_dbl.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_p3_0.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_p3_dbl.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_p3_to_cached.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_p3_to_p2.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_p3_tobytes.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_precomp_0.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_scalarmult_base.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_sub.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge_tobytes.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/keypair.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/open.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/sc_muladd.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/sc_reduce.c`
-1. `cjdns/node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/sign.c`
-1. `cjdns/node_build/dependencies/libuv/src/fs-poll.c`
-1. `cjdns/node_build/dependencies/libuv/src/inet.c`
-1. `cjdns/node_build/dependencies/libuv/src/version.c`
-1. `cjdns/node_build/dependencies/libuv/src/uv-common.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/async.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/core.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/dl.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/fs.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/getaddrinfo.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/loop.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/loop-watcher.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/pipe.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/poll.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/process.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/signal.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/stream.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/tcp.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/thread.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/threadpool.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/timer.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/tty.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/udp.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/proctitle.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/linux-core.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/linux-inotify.c`
-1. `cjdns/node_build/dependencies/libuv/src/unix/linux-syscalls.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-async.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-fs-stat.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-async-pummel.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-getaddrinfo.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-loop-count.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-million-async.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-million-timers.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-multi-accept.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-ping-pongs.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-pound.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-pump.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-sizes.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-spawn.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-thread.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-tcp-write-batch.c`
-1. `cjdns/node_build/dependencies/libuv/test/benchmark-udp-pummel.c`
-1. `cjdns/node_build/dependencies/libuv/test/dns-server.c`
-1. `cjdns/node_build/dependencies/libuv/test/echo-server.c`
-1. `cjdns/node_build/dependencies/libuv/test/blackhole-server.c`
-1. `cjdns/node_build/dependencies/libuv/test/run-benchmarks.c`
-1. `cjdns/node_build/dependencies/libuv/test/runner.c`
-1. `cjdns/node_build/dependencies/libuv/test/runner-unix.c`
-1. `cjdns/node_build/dependencies/libuv/test/blackhole-server.c`
-1. `cjdns/node_build/dependencies/libuv/test/echo-server.c`
-1. `cjdns/node_build/dependencies/libuv/test/run-tests.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-get-loadavg.c`
-1. `cjdns/node_build/dependencies/libuv/test/runner.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-active.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-async.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-async-null-cb.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-callback-stack.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-callback-order.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-close-fd.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-close-order.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-connection-fail.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-cwd-and-chdir.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-delayed-accept.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-error.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-embed.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-emfile.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-fail-always.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-fs.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-fs-event.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-get-currentexe.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-get-memory.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-getaddrinfo.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-getsockname.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-hrtime.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-idle.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-iocp.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-ipc.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-ipc-send-recv.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-loop-handles.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-loop-alive.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-loop-stop.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-walk-handles.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-loop-time.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-watcher-cross-stop.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-multiple-listen.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-osx-select.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-pass-always.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-ping-pong.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-pipe-bind-error.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-pipe-connect-error.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-pipe-server-close.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-platform-output.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-poll.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-poll-close.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-process-title.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-ref.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-run-nowait.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-run-once.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-semaphore.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-shutdown-close.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-shutdown-eof.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-signal.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-spawn.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-signal-multiple-loops.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-fs-poll.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-stdio-over-pipes.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-bind-error.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-bind6-error.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-close.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-close-accept.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-close-while-connecting.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-connect-error-after-write.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-shutdown-after-write.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-flags.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-connect-error.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-connect-timeout.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-connect6-error.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-open.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-write-to-half-open-connection.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-writealot.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-try-write.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-unexpected-read.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tcp-read-stop.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-threadpool.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-threadpool-cancel.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-mutexes.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-thread.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-barrier.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-condvar.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-timer-again.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-timer-from-check.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-timer.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-tty.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-udp-dgram-too-big.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-udp-open.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-udp-ipv6.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-udp-options.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-udp-send-and-recv.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-udp-multicast-join.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-dlerror.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-udp-multicast-ttl.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-ip4-addr.c`
-1. `cjdns/node_build/dependencies/libuv/test/test-ip6-addr.c`
-1. `cjdns/node_build/dependencies/libuv/test/runner-unix.c`
-1. `cjdns/admin/angel/cjdroute2.c`
-1. `cjdns/contrib/c/publictoip6.c`
-1. `cjdns/contrib/c/privatetopublic.c`
-1. `cjdns/contrib/c/sybilsim.c`
-1. `cjdns/contrib/c/makekeys.c`
-1. `cjdns/crypto/random/randombytes.c`
-1. `cjdns/test/testcjdroute.c`
-1. `cjdns/util/platform/Sockaddr.c`
-1. `cjdns/util/Hex.c`
-1. `cjdns/crypto/Key.c`
-1. `cjdns/benc/String.c`
-1. `cjdns/util/CString.c`
-1. `cjdns/memory/Allocator.c`
-1. `cjdns/util/Assert.c`
-1. `cjdns/dht/Address.c`
-1. `cjdns/crypto/AddressCalc.c`
-1. `cjdns/memory/MallocAllocator.c`
-1. `cjdns/crypto/random/Random.c`
-1. `cjdns/crypto/random/seed/RandomSeed.c`
-1. `cjdns/util/log/Log.c`
-1. `cjdns/exception/Except.c`
-1. `cjdns/util/log/WriterLog.c`
-1. `cjdns/util/Security.c`
-1. `cjdns/util/events/libuv/Process.c`
-1. `cjdns/util/events/libuv/Pipe.c`
-1. `cjdns/util/SysInfo.c`
-1. `cjdns/util/ArchInfo.c`
-1. `cjdns/net/SwitchPinger_admin.c`
-1. `cjdns/benc/serialization/standard/BencMessageWriter.c`
-1. `cjdns/benc/serialization/standard/BencMessageReader.c`
-1. `cjdns/benc/serialization/json/JsonBencSerializer.c`
-1. `cjdns/io/FileWriter.c`
-1. `cjdns/io/FileReader.c`
-1. `cjdns/interface/UDPInterface_admin.c`
-1. `cjdns/interface/InterfaceController.c`
-1. `cjdns/net/SwitchPinger.c`
-1. `cjdns/dht/dhtcore/RouterModule_admin.c`
-1. `cjdns/dht/dhtcore/RouterModule.c`
-1. `cjdns/dht/dhtcore/NodeStore.c`
-1. `cjdns/dht/SerializationModule.c`
-1. `cjdns/dht/ReplyModule.c`
-1. `cjdns/crypto/CryptoAuth_benchmark.c`
-1. `cjdns/admin/Configurator.c`
-1. `cjdns/admin/AuthorizedPasswords.c`
-1. `cjdns/crypto/CryptoAuth.c`
-1. `cjdns/admin/angel/Core.c`
-1. `cjdns/net/Ducttape.c`
-1. `cjdns/util/version/Version.c`
-1. `cjdns/tunnel/IpTunnel.c`
-1. `cjdns/admin/angel/Hermes.c`
-1. `cjdns/switch/SwitchCore.c`
-1. `cjdns/dht/dhtcore/RumorMill.c`
-1. `cjdns/dht/dhtcore/Router.c`
-1. `cjdns/dht/dhtcore/Node.c`
-1. `cjdns/switch/EncodingScheme.c`
-1. `cjdns/benc/List.c`
-1. `cjdns/dht/DHTModuleRegistry.c`
-1. `cjdns/admin/angel/AngelInit.c`
-1. `cjdns/admin/angel/InterfaceWaiter.c`
-1. `cjdns/admin/AdminClient.c`
-1. `cjdns/admin/Admin.c`
-1. `cjdns/util/events/libuv/EventBase.c`
-1. `cjdns/benc/Dict.c`
-1. `cjdns/io/ArrayWriter.c`
-1. `cjdns/util/events/libuv/Timeout.c`
-1. `cjdns/crypto/random/libuv/LibuvEntropyProvider.c`
-1. `cjdns/util/log/FileWriterLog.c`
-1. `cjdns/io/ArrayReader.c`
-1. `cjdns/./interface/tuntap/windows/test/TAPInterface_root_test.c`
-1. `cjdns/./interface/tuntap/windows/test/TAPDevice_root_test.c`
-1. `cjdns/./util/platform/test/Sockaddr_test.c`
-1. `cjdns/./interface/tuntap/test/TUNInterface_ipv6_root_test.c`
-1. `cjdns/./interface/tuntap/test/TUNInterface_ipv4_root_test.c`
-1. `cjdns/./interface/tuntap/test/TAPWrapper_root_test.c`
-1. `cjdns/./dht/dhtcore/test/VersionList_test.c`
-1. `cjdns/./crypto/random/test/Random_test.c`
-1. `cjdns/./util/test/UniqueName_test.c`
-1. `cjdns/./util/test/Seccomp_test.c`
-1. `cjdns/./util/test/Process_test.c`
-1. `cjdns/./util/test/Map_test.c`
-1. `cjdns/./util/test/Identity_test.c`
-1. `cjdns/./util/test/Hex_test.c`
-1. `cjdns/./util/test/Endian_test.c`
-1. `cjdns/./util/test/Checksum_test.c`
-1. `cjdns/./util/test/Bits_test.c`
-1. `cjdns/./util/test/Base32_test.c`
-1. `cjdns/./util/test/Base10_test.c`
-1. `cjdns/./util/test/AverageRoller_test.c`
-1. `cjdns/./util/test/ArchInfo_test.c`
-1. `cjdns/./util/test/AddrTools_test.c`
-1. `cjdns/./tunnel/test/IpTunnel_test.c`
-1. `cjdns/./switch/test/PenaltyFloat_test.c`
-1. `cjdns/./switch/test/NumberCompress_test.c`
-1. `cjdns/./switch/test/LabelSplicer_test.c`
-1. `cjdns/./switch/test/EncodingScheme_test.c`
-1. `cjdns/./memory/test/Allocator_test.c`
-1. `cjdns/./io/test/FileReader_test.c`
-1. `cjdns/./interface/test/UDPInterface_test.c`
-1. `cjdns/./interface/test/UDPInterface_communication_test.c`
-1. `cjdns/./interface/test/MultiInterface_test.c`
-1. `cjdns/./interface/test/InterfaceController_test.c`
-1. `cjdns/./interface/test/InterfaceController_multiIface_test.c`
-1. `cjdns/./interface/test/FramingInterface_test.c`
-1. `cjdns/./interface/test/FramingInterface_fuzz_test.c`
-1. `cjdns/./dht/test/DHTModules_handleOutgoing_test.c`
-1. `cjdns/./dht/test/DHTModules_handleIncoming_test.c`
-1. `cjdns/./crypto/test/ReplayProtector_test.c`
-1. `cjdns/./crypto/test/CryptoAuth_unit_test.c`
-1. `cjdns/./crypto/test/CryptoAuth_test.c`
-1. `cjdns/./crypto/test/CryptoAuth_async_test.c`
-1. `cjdns/./admin/test/Admin_test.c`
-1. `cjdns/./test/threeNodes_test.c`
-1. `cjdns/./test/printIp_test.c`
-1. `cjdns/./test/cjdroute_routerPing_test.c`
-1. `cjdns/./test/cjdroute_injection_test.c`
-1. `cjdns/./test/CryptoAddress_test.c`
-1. `cjdns/util/events/libuv/Time.c`
-1. `cjdns/crypto/random/seed/SystemRandomSeed.c`
-1. `cjdns/util/Seccomp.c`
-1. `cjdns/util/Base10.c`
-1. `cjdns/interface/UDPInterface.c`
-1. `cjdns/dht/dhtcore/ReplySerializer.c`
-1. `cjdns/util/Pinger.c`
-1. `cjdns/util/AverageRoller.c`
-1. `cjdns/dht/dhtcore/VersionList.c`
-1. `cjdns/util/events/libuv/Event.c`
-1. `cjdns/interface/SessionManager_admin.c`
-1. `cjdns/interface/SessionManager.c`
-1. `cjdns/util/Security_admin.c`
-1. `cjdns/util/platform/netdev/NetDev.c`
-1. `cjdns/util/log/IndirectLog.c`
-1. `cjdns/tunnel/IpTunnel_admin.c`
-1. `cjdns/memory/Allocator_admin.c`
-1. `cjdns/interface/addressable/PacketHeaderToUDPAddrInterface.c`
-1. `cjdns/interface/DNSServer.c`
-1. `cjdns/interface/RainflyClient_admin.c`
-1. `cjdns/interface/RainflyClient.c`
-1. `cjdns/interface/FramingInterface.c`
-1. `cjdns/interface/InterfaceController_admin.c`
-1. `cjdns/interface/InterfaceConnector.c`
-1. `cjdns/interface/tuntap/TUNInterface_linux.c`
-1. `cjdns/interface/ETHInterface_admin.c`
-1. `cjdns/util/events/libuv/UDPAddrInterface.c`
-1. `cjdns/dht/dhtcore/Janitor.c`
-1. `cjdns/dht/dhtcore/NodeStore_admin.c`
-1. `cjdns/dht/dhtcore/SearchRunner_admin.c`
-1. `cjdns/dht/dhtcore/SearchRunner.c`
-1. `cjdns/dht/EncodingSchemeModule.c`
-1. `cjdns/admin/angel/Angel.c`
-1. `cjdns/admin/AdminLog.c`
-1. `cjdns/switch/Penalty.c`
-1. `cjdns/benc/serialization/cloner/Cloner.c`
-1. `cjdns/interface/tuntap/test/TUNTools.c`
-1. `cjdns/admin/testframework/AdminTestFramework.c`
-1. `cjdns/interface/tuntap/TAPWrapper.c`
-1. `cjdns/interface/tuntap/NDPServer.c`
-1. `cjdns/crypto/random/test/DeterminentRandomSeed.c`
-1. `cjdns/util/Order.c`
-1. `cjdns/test/TestFramework.c`
-1. `cjdns/util/platform/Socket.c`
-1. `cjdns/interface/MultiInterface.c`
-1. `cjdns/crypto/random/seed/ProcSysKernelRandomUuidRandomSeed.c`
-1. `cjdns/interface/MultiInterface.c`
-1. `cjdns/crypto/random/seed/ProcSysKernelRandomUuidRandomSeed.c`
-1. `cjdns/crypto/random/seed/LinuxRandomUuidSysctlRandomSeed.c`
-1. `cjdns/crypto/random/seed/DevUrandomRandomSeed.c`
-1. `cjdns/util/platform/netdev/NetPlatform_linux.c`
-1. `cjdns/memory/BufferAllocator.c`
-1. `cjdns/interface/ETHInterface_linux.c`
-1. `cjdns/dht/dhtcore/SearchStore.c`
-1. `cjdns/interface/addressable/AddrInterfaceAdapter.c`

+ 0 - 5
doc/cjdns/order-of-linking.md

@@ -1,5 +0,0 @@
-Here is the order of linking on  my Linux box (3.13.0-43-generic #72-Ubuntu SMP x86_64) of various build targets:
-
-The type of files are color coded, so see the legend below the image for more understanding. Tip: Try opening the image in a new tab for better legibility.
-
-![CJDNS Build Targets And Order Of Linking](/en/cjdns/order-of-linking.png)

BIN
doc/cjdns/order-of-linking.png


+ 2 - 2
doc/ctrls.md

@@ -4,7 +4,7 @@ To automate some simple tasks with cjdns, there are a lot of scripts that people
 
 + https://github.com/kpcyrd/yrd
   + Displays nodeinfo
-  + Shows your neightbors and their neighbors
+  + Shows your neighbors and their neighbors
   + Show bandwidth
   + Ping nodes
   + Dump nodestore
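Review bot: The corrected item "Shows your neighbors and their neighbors" still sits in a list whose verb forms are mixed ("Displays nodeinfo", "Shows your neighbors", then "Show bandwidth", "Ping nodes", "Dump nodestore"). Since the line is being touched anyway, pick one form for the whole yrd feature list.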
@@ -13,4 +13,4 @@ To automate some simple tasks with cjdns, there are a lot of scripts that people
 + https://github.com/noway421/cjdmaid
 + https://github.com/inhies/cjdcmd
 + https://github.com/ehmry/cjdcmd-ng
-+ tcjdns (ask prurigro)
++ tcjdns (ask prurigro)
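Review bot: The removed and added `+ tcjdns (ask prurigro)` lines are textually identical, so this looks like an end-of-file newline or trailing-whitespace change only; confirm that is intended. Separately, this is the only entry in the list without a URL, and "ask prurigro" does not say where to ask; add a link or a channel name.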

+ 61 - 0
doc/faq/doppleganger.md

@@ -0,0 +1,61 @@
+# How does cjdns handle duplicate nodes?
+
+`cow_2001` asks:
+
+> what happens if there are ip clones?
+>
+> does the network knows how to handle that?
+
+## There are two ways that this can play out:
+
+1. At least two nodes with identical ipv6 addresses, but different keys.
+2. Two instances of the same public-private keypair (and necessarily the same ipv6) connected to the same network from different locations.
+
+## Scenario one
+
+As addressed by `gloe-ih`:
+
+> the address is in the range of a hash function and, by definition, multiple keys can have the same fingerprint, however you'll not be able to establish a cryptoauth session with that node with the knowledge of another key
+> because you know that key1 -> addr, so you'll try to use key1 as the pubkey for that session, and the node owning key2, with the same addr, won't be able to decrypt
+
+So the session _should_ be rejected, but in reality this is incredibly hard to test. As far as we know, nobody has generated to distinct private keys with identical ipv6 addresses. The probability of someone doing so is incredibly low..
+
+> <@ircerr> ? lotto
+>
+> <@irbawt> lotto: 1 in 1,329,227,995,784,915,872,903,807,060,280,344,576 chance of generating the same IPv6. Feeling Lucky?
+
+## Scenario two
+
+`cow_2001` asks:
+
+> won't the routing be all messed up because routing is address dependant?
+
+This hasn't really been tested, or, if it has been, nobody has reported their findings. Everything below is speculative, so if you find the answer, feel free to update this document.
+
+We expect that if two distinct nodes (using different ipv4 addresses if connecting via udp) cannot successfully connect to a common peer directly using the same configuration file. The common node won't know which connection to treat as the actual destination.
+
+If two nodes are launched, and they connect to different parts of the network using the same configuration file, then in theory they may both function. Since indirect connections are made using only a virtual address (your cjdns ipv6), the two nodes should be indistinguishable to anyone trying to connect to them.
+
+Cjdns works by using the first path it finds, then replacing that path if it finds a better one. It is commonly believed that if a node were to try to connect to that ipv6, they would first try to find a path to that node, then they would establish a cryptauth session. Whichever instance of a node it found first would establish this session. 
+
+It's possible that the connecting node might find a path to each target node, but it wouldn't know the difference between them aside from the fact that it had established a cryptauth session with one but not the other. We are unsure of how it would handle that information, however, it might prevent the connecting node from flipping between two distinct sessions. This would be desirable, since doing so would probably wreak havoc on the higher level protocols being established over such a connection.
+
+If that's the case, then this could be used to provide an inherent [load balancing](http://en.wikipedia.org/wiki/Load_balancing_%28computing%29) effect.
+
+As noted above, this has not been thoroughly tested. Changes to the source code in the future could possibly make this impossible (via assertion failures). If it is currently a _property_ of cjdns, then the best way to ensure that it continues to function would be if someone were to take advantage of it, and report its breakage with future revisions.
+
+So please, give it a try, and let us know what you experience. Write about how you used this to your advantage, and go down in cjdns history!
+
+
+09:55 < cow_2001> gloe-ih: yes
+09:55 < gloe-ih> check if it bounds to the tun interface
+09:56 < cow_2001> it has a build plan for x86_XVA or w/e it's called
+09:56 < gloe-ih> (when running as root by default it spawns it)
+09:56 < cow_2001> i don't want to run as root
+09:56 < cow_2001> too scary
+09:56 < gloe-ih> so follow the doc ;)
+09:56 < cow_2001> i'm reading on configuration of the cjdroute.conf
+09:57 < cow_2001> i've set up a tun thing for the cjdns user
+09:57 < gloe-ih> you'll have to add addresses / routes manually
+
+
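Review bot: The "lotto" figure quoted under Scenario one (1 in 1,329,227,995,784,915,872,903,807,060,280,344,576) is 2^120, which is the chance that one generated key lands on one particular address, while the sentence just before it talks about anyone ever generating two distinct keys that share an address; that second case is governed by the birthday bound and is much less remote, so the text should say which case the number describes. In the same paragraph "generated to distinct private keys" should read "two", and "incredibly low.." has a doubled period. The page alternates between "cryptoauth" (in the gloe-ih quote) and "cryptauth" (Scenario two); use one spelling. Under Scenario two, "We expect that if two distinct nodes ... cannot successfully connect to a common peer" has a stray "if" and does not parse as written. The IRC excerpt after the closing paragraph (09:55 to 09:57, about the tun interface and not running as root) has nothing to do with duplicate nodes and looks pasted in by accident; drop it or move it to a page on non-root setup. The file name is spelled doppleganger.md; if nothing links to the path yet, "doppelganger" is the usual spelling.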

+ 1 - 1
doc/faq/general.md

@@ -24,7 +24,7 @@ In order for this to be plausible, we require a sufficiently dense number of nod
 
 Chains of nodes are vulnerable to being shut off if even one link is taken offline, so we aim for clusters of interconnected nodes.
 
-This is called a [Meshlocal](/locals). I am trying to start a [Toronto-based MeshLocal](/toronto).
+This is called a [Meshlocal](/meshlocals/intro.md). I am trying to start a [Toronto-based MeshLocal](/meshlocals/existing/toronto.md).
 
 To join the network, you need a password and a public key from someone who is already on the network. If you're in Toronto or the surrounding area, and are interested, <a href="/contact">contact</a> me.  
   
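Review bot: The new targets `/meshlocals/intro.md` and `/meshlocals/existing/toronto.md` are source-file paths with a leading slash, while the untouched link two lines below still uses the site-route form `/contact`. Confirm that whatever renders these docs resolves both forms, or make the links in this paragraph consistent.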

+ 9 - 1
doc/faq/glossary.md

@@ -4,7 +4,7 @@
 
 This is an incomplete list of terms used in direct context of cjdns.
 
-- Please add terms convering cjdns itself, tools and best practices, peering,
+- Please add terms used in direct context of cjdns itself, tools and best practices, peering,
   community, Hyperboria, similar routing protocols --
   e.g. NodeStore, peer stats, WTFM, buildbot, 802.11s
 - Please don't add terms which are out of scope --
@@ -13,6 +13,10 @@ This is an incomplete list of terms used in direct context of cjdns.
 
 ## List of Terms
 
+### Blag
+
+The [correct pronunciation](http://xkcd.com/148/) of 'blog'.
+
 ### Hidden Peers
 
 This was a peering bug which was fixed in cjdns v14. Please make sure none of
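Review bot: The new "Blag" entry does not meet the list's own scope rule stated at the top of this file ("terms used in direct context of cjdns", with out-of-scope terms explicitly unwelcome). If it stays as an in-joke, say how the term is used in the cjdns community so a newcomer reading the glossary gets something from it.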
@@ -27,3 +31,7 @@ The internal name of cjdns' routing table.
 ### P2P
 
 Abbreviation of Peer To Peer.
+
+### Wobsite
+
+See [blag](#blag).
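Review bot: "Wobsite" is defined only as "See blag", but the Blag entry says nothing more than that it is the pronunciation of 'blog', so a reader following the link never learns what a wobsite is. Give it its own one-line definition, and check that the `#blag` anchor matches the heading id the doc renderer generates for `### Blag`.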

+ 55 - 44
doc/faq/peering.md

@@ -2,7 +2,7 @@
 
 [Hyperboria](http://hyperboria.net) is an encrypted [Mesh Network](http://en.wikipedia.org/wiki/Mesh_networking) designed for privacy and resiliency to censorship.
 
-It currently exists as an [Overlay](http://en.wikipedia.org/wiki/Overlay_network) test network for [Project Meshnet](https://projectmeshnet.org/), and is only accessible to those who install [cjdns](http://en.wikipedia.org/wiki/Cjdns). 
+It currently exists as an [Overlay](http://en.wikipedia.org/wiki/Overlay_network) test network for [Project Meshnet](https://projectmeshnet.org/), and is only accessible to those who install [cjdns](http://en.wikipedia.org/wiki/Cjdns).
 
 Ultimately, we hope to build a viable alternative to the regular internet, which we call [clearnet](http://www.urbandictionary.com/define.php?term=clearnet). Our ultimate goal is to replace the existing hierarchical internet with a non-hierarchical model.
 
@@ -14,31 +14,31 @@ Chains of nodes are vulnerable to being shut off if even one link is taken offli
 
 This is called a [Meshlocal](/locals). I am trying to start a [Toronto-based MeshLocal](/toronto).
 
-To join the network, you need a password and a public key from someone who is already on the network. If you're in Toronto or the surrounding area, and are interested, <a href="/contact">contact</a> me.  
-  
+To join the network, you need a password and a public key from someone who is already on the network. If you're in Toronto or the surrounding area, and are interested, <a href="/contact">contact</a> me.
+
 ## Can I run Cjdns in a virtual machine?
 
-You can, but you might have trouble finding willing peers, since you're not really contributing much to the network by having a 'sometimes-on' node.  
-  
-## Why is it taking so long to find a peer?  
+You can, but you might have trouble finding willing peers, since you're not really contributing much to the network by having a 'sometimes-on' node.
+
+## Why is it taking so long to find a peer?
 
-This project is run entirely by volunteers. In fact, 'run' might give you the idea that it's some kind of beureaucratic body. It isn't. We argue about things, sometimes <a class="clearnet" href="http://www.bestbytepc.com/uploads/2/6/6/1/2661857/7237729_orig.jpg">IN ALL CAPS</a>. Sometimes people <a href="https://encyclopediadramatica.es/Quitting_IRC_forever">QUIT IRC FOREVER</a>. We reach a consensus, or we don't, and people just do what they want. Actually, even if we do reach a consensus, we're still just doing what we want. If you expected something other than anarchy, I encourage you to read more about what a meshnet is.  
+This project is run entirely by volunteers. In fact, 'run' might give you the idea that it's some kind of beureaucratic body. It isn't. We argue about things, sometimes <a class="clearnet" href="http://www.bestbytepc.com/uploads/2/6/6/1/2661857/7237729_orig.jpg">IN ALL CAPS</a>. Sometimes people <a href="https://encyclopediadramatica.es/Quitting_IRC_forever">QUIT IRC FOREVER</a>. We reach a consensus, or we don't, and people just do what they want. Actually, even if we do reach a consensus, we're still just doing what we want. If you expected something other than anarchy, I encourage you to read more about what a meshnet is.
 
-That means you should be patient, since you're relying on other people's good will (crazy, I know). This is a friend of a friend network, which shocks people, because they actually have to make friends. Tell us about yourself. Where are you located? Do you operate any servers, or are you new to this? If you're new, why do you want to learn? Maybe you maintain a <a class="clearnet" href="http://blag.xkcd.com/">blag</a> or something? That's pretty much what we do on Hyperboria. If you aren't interested in doing that kind of thing, but want access, I'm not sure what your motivation is. We're basically a bunch of DIYers making our own internet. That kind of thing takes time. Think in terms of years, not months. Read <a class="clearnet" href="http://en.wikipedia.org/wiki/Internetwork">this</a> and <a class="clearnet" href="http://en.wikipedia.org/wiki/History_of_the_Internet#Three_terminals_and_an_ARPA">this</a> to get a sense of context for what this project is about.  
+That means you should be patient, since you're relying on other people's good will (crazy, I know). This is a friend of a friend network, which shocks people, because they actually have to make friends. Tell us about yourself. Where are you located? Do you operate any servers, or are you new to this? If you're new, why do you want to learn? Maybe you maintain a <a class="clearnet" href="http://blag.xkcd.com/">blag</a> or something? That's pretty much what we do on Hyperboria. If you aren't interested in doing that kind of thing, but want access, I'm not sure what your motivation is. We're basically a bunch of DIYers making our own internet. That kind of thing takes time. Think in terms of years, not months. Read <a class="clearnet" href="http://en.wikipedia.org/wiki/Internetwork">this</a> and <a class="clearnet" href="http://en.wikipedia.org/wiki/History_of_the_Internet#Three_terminals_and_an_ARPA">this</a> to get a sense of context for what this project is about.
 
-With that in mind, say hi, tell us what you're doing. We're pretty enthusiastic about sharing our interests if it's unlikely that you're a <a class="clearnet" href="http://www.urbandictionary.com/define.php?term=feds">FED</a>.  
+With that in mind, say hi, tell us what you're doing. We're pretty enthusiastic about sharing our interests if it's unlikely that you're a <a class="clearnet" href="http://www.urbandictionary.com/define.php?term=feds">FED</a>.
 
 Read [this document](/cjdns/peers) on peering for more info.
-  
-## Why should I prefer the friend of a friend model?  
 
-Hyperboria is a pseudonymous network, your direct peers can tell where you are (by virtue of their connection), no one else can (unless you expose your data personally).  
+## Why should I prefer the friend of a friend model?
 
-A network that presupposes this principle is resistant to censorship because people cannot simply find you and punish you for your opinions. Many of the links that make up our network cross between legal jurisdictions, and are not subject to the whims of a single government.  
+Hyperboria is a pseudonymous network, your direct peers can tell where you are (by virtue of their connection), no one else can (unless you expose your data personally).
 
-Other networks which do more to guarantee absolute anonymity tend to attract behaviour which would be reprehensible in almost any other social situation. We are proud of our network's ability to promote free speech, while minimizing behaviour which violates human rights. Some have made the point that restriction of any kind of content is censorship, and our views are self contradictory.  
+A network that presupposes this principle is resistant to censorship because people cannot simply find you and punish you for your opinions. Many of the links that make up our network cross between legal jurisdictions, and are not subject to the whims of a single government.
 
-The premise is simple: you get to decide who you connect to, provided they consent. It is not some centralized body which will decide to disconnect you if you use our bandwidth for malicious purposes. You are only accountable to your peers. The rest tends to sort itself out.  
+Other networks which do more to guarantee absolute anonymity tend to attract behaviour which would be reprehensible in almost any other social situation. We are proud of our network's ability to promote free speech, while minimizing behaviour which violates human rights. Some have made the point that restriction of any kind of content is censorship, and our views are self contradictory.
+
+The premise is simple: you get to decide who you connect to, provided they consent. It is not some centralized body which will decide to disconnect you if you use our bandwidth for malicious purposes. You are only accountable to your peers. The rest tends to sort itself out.
 
 ## Can I run cjdns from home (dynamic IP/NAT'ed connection)?
 
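Review bot: The context line near the top of this hunk still links `[Meshlocal](/locals)` and `[Toronto-based MeshLocal](/toronto)`, which this same commit replaces in doc/faq/general.md with `/meshlocals/intro.md` and `/meshlocals/existing/toronto.md`; update the copy here too so both pages point at the same place. The rest of the hunk only strips trailing whitespace, yet the re-added paragraph keeps the typo "beureaucratic" (should be "bureaucratic"); worth fixing while the line is being rewritten.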
@@ -50,16 +50,16 @@ Anyone who can install and run cjdns can be an outbound peer
 
 ## Do I need to exchange credentials with all my peers?
 
-No, you do not. One of you needs to have an accessible IP in order to establish a connection, but once connected, traffic flow is bidirectional.  
+No, you do not. One of you needs to have an accessible IP in order to establish a connection, but once connected, traffic flow is bidirectional.
+
+It won't hurt for you to add each other to your conf file, but unless one of your IPs suddenly changes, there isn't much benefit to the redundancy.
 
-It won't hurt for you to add each other to your conf file, but unless one of your IPs suddenly changes, there isn't much benefit to the redundancy.  
-  
-## What information should I provide with my peering credentials?  
+## What information should I provide with my peering credentials?
 
-<a href="https://wiki.projectmeshnet.org/User:Thefinn93">thefinn93</a> recommends offering <a class="clearnet" href="http://jsonlint.com/">valid JSON</a>, including fields labelled:  
+<a href="https://wiki.projectmeshnet.org/User:Thefinn93">thefinn93</a> recommends offering <a class="clearnet" href="http://jsonlint.com/">valid JSON</a>, including fields labelled:
 
 ```JSON
-"your.ip.add.ress:port":{  
+"your.ip.add.ress:port":{
   "publicKey":""
   ,"password":""
   ,"IPV6":""
@@ -68,51 +68,51 @@ It won't hurt for you to add each other to your conf file, but unless one of you
 }
 ```
 
-Technically, only the IP, port, publicKey, and password are required. IPV6 will make it easier to keep track of who is connected, and what kind of latency they are experiencing. The location helps your peer direct possible local meshers your way. Contact should be some non-hyperborian method, in case your connection breaks. <a class="clearnet" href="http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol">Email</a>, <a class="clearnet" href="http://rows.io/">XMPP</a>, <a href="/gpg">PGP</a>, <a href="https://keybase.io/">Keybase.io</a>, <a href="/contact">etc</a>.  
-  
+Technically, only the IP, port, publicKey, and password are required. IPV6 will make it easier to keep track of who is connected, and what kind of latency they are experiencing. The location helps your peer direct possible local meshers your way. Contact should be some non-hyperborian method, in case your connection breaks. <a class="clearnet" href="http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol">Email</a>, <a class="clearnet" href="http://rows.io/">XMPP</a>, <a href="/gpg">PGP</a>, <a href="https://keybase.io/">Keybase.io</a>, <a href="/contact">etc</a>.
+
 ## Beyond my first peer, how can I set up a more efficient network?
-  
+
 [Read this](http://en.wikipedia.org/wiki/Small-world_network)
 
-People are much more receptive to peering requests if you have already connected to Hyperboria.  EFNet has a much wider audience, and as such is treated with skepticism. Those with their foot already in the door will have an easier time making friends. If you think this is clique-ish or elitist, you may be right. If you want it to change, then <a class="clearnet" href="http://www.elephantjournal.com/2011/08/be-the-change-you-wish-to-see-in-the-world-not-gandhi/">be the change you want to see in the world</a>, and get on EFNet and start helping!  
+People are much more receptive to peering requests if you have already connected to Hyperboria.  EFNet has a much wider audience, and as such is treated with skepticism. Those with their foot already in the door will have an easier time making friends. If you think this is clique-ish or elitist, you may be right. If you want it to change, then <a class="clearnet" href="http://www.elephantjournal.com/2011/08/be-the-change-you-wish-to-see-in-the-world-not-gandhi/">be the change you want to see in the world</a>, and get on EFNet and start helping!
 
 It's  a bit circular, but it's a not a rule we have, more of an emergent behaviour. Many of us have spent a lot of time on EFNet helping newcomers to connect, only to have them leave after connecting for fifteen minutes.  Once we've seen that you are competent enough to connect, and that you have some lasting interest, there is far more incentive to spend time getting to know you.
 
-As to how the technical specifications of the network architecture...  
-  
+As to how the technical specifications of the network architecture...
+
 ## How many peers should I have?
 
-The number of peers you should have depends on a number of factors  
+The number of peers you should have depends on a number of factors
+
+if you're on a laptop that you travel with, you probably don't want to route for people. For instance, if you occasionally tether your phone, you might accidentally run up your data bill if you aren't mindful of the traffic you are routing. In such a case, keep only one peer, and you will never be a path, only a leaf node.
 
-if you're on a laptop that you travel with, you probably don't want to route for people. For instance, if you occasionally tether your phone, you might accidentally run up your data bill if you aren't mindful of the traffic you are routing. In such a case, keep only one peer, and you will never be a path, only a leaf node.  
+If, however, you are trying to peer with, say, a home connection with a decent data cap and throughput, you may want to add a few more connections. These ought to be limited to fairly local peers, as latency can add up fairly quickly with each successive hop. Home connections are primarily where the wireless aspect of the meshnet comes into play, since neither your laptop or VPS will likely be able to connect to a mid-range wireless antenna. If you have a clear line of sight to your peer (you live on a hill, or have really cool neighbours), all data travelling over this connection is free! Make use of that! Put each other on IP whitelists with access to higher bandwidth services. A meshlocal is capable of a lot of things that become difficult at the scale of a global meshnet.
 
-If, however, you are trying to peer with, say, a home connection with a decent data cap and throughput, you may want to add a few more connections. These ought to be limited to fairly local peers, as latency can add up fairly quickly with each successive hop. Home connections are primarily where the wireless aspect of the meshnet comes into play, since neither your laptop or VPS will likely be able to connect to a mid-range wireless antenna. If you have a clear line of sight to your peer (you live on a hill, or have really cool neighbours), all data travelling over this connection is free! Make use of that! Put each other on IP whitelists with access to higher bandwidth services. A meshlocal is capable of a lot of things that become difficult at the scale of a global meshnet.  
+If you're peering up a VPS with high throughput and unlimited data, you have the capacity to do things most residential connections can not. You are capable of acting as a highway for the meshnet. Keep in mind that it can be a bad idea for highway traffic to have direct exits into residential areas (metaphorically speaking). It's a good idea to use your connection to establish long range links between your meshLocal and others in far off places. Trans-Oceanic links help link together a greater number of node operators across the globe, and allow us all to communicate what kinds of issues we are each experiencing.
 
-If you're peering up a VPS with high throughput and unlimited data, you have the capacity to do things most residential connections can not. You are capable of acting as a highway for the meshnet. Keep in mind that it can be a bad idea for highway traffic to have direct exits into residential areas (metaphorically speaking). It's a good idea to use your connection to establish long range links between your meshLocal and others in far off places. Trans-Oceanic links help link together a greater number of node operators across the globe, and allow us all to communicate what kinds of issues we are each experiencing.  
+It would be unrealistic to expect any network to be completely uniform. The optimal configuration changes over time according to the habits of its many users. Healthy configurations look less like a <a class="clearnet" href="http://en.wikipedia.org/wiki/Spoke-hub_distribution_paradigm">spoke-hub distribution</a> and more alike a river, or tree. It is possible to have an efficient hierarchy without being centralized, just avoid <a class="clearnet" href="http://en.wikipedia.org/wiki/Single_point_of_failure">SPOF</a>s.
 
-It would be unrealistic to expect any network to be completely uniform. The optimal configuration changes over time according to the habits of its many users. Healthy configurations look less like a <a class="clearnet" href="http://en.wikipedia.org/wiki/Spoke-hub_distribution_paradigm">spoke-hub distribution</a> and more alike a river, or tree. It is possible to have an efficient hierarchy without being centralized, just avoid <a class="clearnet" href="http://en.wikipedia.org/wiki/Single_point_of_failure">SPOF</a>s.  
-  
-This may sound a lot like urban planning to you. It is! Consider <a class="clearnet" href="http://en.wikipedia.org/wiki/The_100-Mile_Diet">The 100-Mile Diet</a>. You don't want to have to 'drive halfway across town to get to the grocery store'. We are simply trying to mitigate the unpleasant side effects of urban sprawl. We are planning for <a class="clearnet" href="http://en.wikipedia.org/wiki/Walkability">walkable neigbourhoods</a>.  
+This may sound a lot like urban planning to you. It is! Consider <a class="clearnet" href="http://en.wikipedia.org/wiki/The_100-Mile_Diet">The 100-Mile Diet</a>. You don't want to have to 'drive halfway across town to get to the grocery store'. We are simply trying to mitigate the unpleasant side effects of urban sprawl. We are planning for <a class="clearnet" href="http://en.wikipedia.org/wiki/Walkability">walkable neigbourhoods</a>.
+
+If there is only one grocery store in a 400-mile radius, then everyone needs a car. Prime real estate (that which is close to the store) becomes quite expensive, while it is cheaper, yet <a class="clearnet" href="http://en.wikipedia.org/wiki/End-to-end_principle">inefficient</a>, to live on the fringe. Following this metaphor, ISPs are basically a grocery delivery service. If they decide not to deliver your groceries (remember <a class="clearnet" href="http://beattheblockade.org/">the wikileaks blockade</a>?) you starve. We want to help you plant a community garden, where everyone can benefit - as long as they contribute their fair share. I may have no reason to just give away vegetables that I worked hard for, but I'd be happy to trade for a different crop simply because I enjoy variety.
 
-If there is only one grocery store in a 400-mile radius, then everyone needs a car. Prime real estate (that which is close to the store) becomes quite expensive, while it is cheaper, yet <a class="clearnet" href="http://en.wikipedia.org/wiki/End-to-end_principle">inefficient</a>, to live on the fringe. Following this metaphor, ISPs are basically a grocery delivery service. If they decide not to deliver your groceries (remember <a class="clearnet" href="http://beattheblockade.org/">the wikileaks blockade</a>?) you starve. We want to help you plant a community garden, where everyone can benefit - as long as they contribute their fair share. I may have no reason to just give away vegetables that I worked hard for, but I'd be happy to trade for a different crop simply because I enjoy variety.  
-  
 ## How can I generate passwords for new peers?
 
-Easy, just run the following command:  
+Easy, just run the following command:
+
+<code>cat /dev/urandom | strings | head -n 20 | tr -d '\n"`\\ \t'  | head -c 40 && echo</code>
 
-<code>cat /dev/urandom | strings | head -n 20 | tr -d '\n"`\\ \t'  | head -c 40 && echo</code>  
-  
-## Can I use UPNP to bypass NAT?  
+## Can I use UPNP to bypass NAT?
 
-cjdns does not interact at all with your NAT setup. Use some other upnp client to control your router.  
+cjdns does not interact at all with your NAT setup. Use some other upnp client to control your router.
 
 ## Can I substitute a domain for an IP in my connectTo?
 
-cjd originally had no intention of implementing this, but someone<a href="/contrib">(?)</a> implemented it and submitted a pull request. Now you can.  
+cjd originally had no intention of implementing this, but someone<a href="/contrib">(?)</a> implemented it and submitted a pull request. Now you can.
 
 ## Is there a meshlocal in my vicinity?
 
-Check <a href="/locals">this page</a> for a basic list of some general areas. It is not an exhaustive list. If you'd like to get listed, check <a href="/contrib">my contributions page</a> for an idea on how to do that.  
+Check <a href="/locals">this page</a> for a basic list of some general areas. It is not an exhaustive list. If you'd like to get listed, check <a href="/contrib">my contributions page</a> for an idea on how to do that.
 
 ## Can someone give me peering info?
 
@@ -140,8 +140,19 @@ I don't know, maybe start by asking your peer? If you don't know how to contact
 }
 ```
 
-Make a file called `~/.cjdnsadmin`, containing valid JSON with the properties above. These credentials will be used by any scripts which need to connect to the admin interface to gather data. 
+Make a file called `~/.cjdnsadmin`, containing valid JSON with the properties above. These credentials will be used by any scripts which need to connect to the admin interface to gather data.
 
 To find your peers, run `cjdns/contrib/nodejs/tools/peerStats.js`
 
 Alternatively, you can use [this tool which does a few other things as well](https://github.com/ehmry/cjdcmd-ng).
+
+## What are the EAGAIN errors about?
+
+This is a red herring. It simply means that UDPInterface received a packet, and that there's not immediately another packet received.
+
+Example:
+
+```
+recvmsg(13, {msg_name(16)={sa_family=AF_INET, sin_port=htons(25021), sin_addr=inet_addr("31.20.45.26")}, msg_iov(1)=[{"\0\0\0\1\1\312\250\207\206\6p\230\200\0k\333\305(\204\27`0\370\202\332B\341`89\376\210"..., 3496}], msg_controllen=0, msg_flags=0}, 0) = 160
+recvmsg(13, 0x7fff9490f030, 0)          = -1 EAGAIN (Resource temporarily unavailable)
+```
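Review bot: The strace sample in the new EAGAIN section carries what looks like a live peer address and port (`31.20.45.26`, port 25021) plus raw payload bytes; swap the address for one from a documentation range such as 192.0.2.0/24 and trim the payload before this lands in public docs. The explanation would also be clearer if it said outright that `EAGAIN` on the second `recvmsg` is the normal result of reading a non-blocking socket until it is empty.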

+ 50 - 0
doc/faq/security.md

@@ -0,0 +1,50 @@
+## Security
+
+```
+16:39 < Erkan> well, I am not so sure about using VPS, tbh
+16:39 < Erkan> your hoster (or the agency showing him the judge's paper) can get your config
+```
+
+Suppose you want to [pull a snowden](http://en.wikipedia.org/wiki/Global_surveillance_disclosures_%282013%E2%80%93present%29) and release some sensitive documents. Suppose that for some reason you're relying on an experimental protocol (cjdns) to do so. `Erkan` is wondering about the wisdom of doing so.
+
+[cjdns](https://github.com/cjdelisle/cjdns) is big and complicated, and without a fair deal of experience with cryptographic tools you may have a hard time understanding what's safe and what is not.
+
+## If you're hosting a cjdns node on a VPS
+
+There are quite likely measures that you can take to encrypt your VPS's hard drive, and you should look into that, but suppose you haven't encrypted anything. In that case, yes, your VPS provider can probably just go and look at your private keys, and read your encrypted traffic.
+
+Even if you have encrypted your hard drive:
+
+> your provider can pause you for a moment and take a snapshot of your ram, then dump your keys
+
+> `--cjd`
+
+The implication of this is that any traffic originating with, or destined for your VPS, should not be treated as being absolutely secure.
+
+## The upside
+
+What you should understand is cjdns uses [end to end encryption](http://en.wikipedia.org/wiki/End-to-end_encryption). That means that having your own private key compromised only affects that particular node's security. A compromised node can continue to forward traffic, and because of the nature of public key cryptography, it will be unable to read the contents of the packets it relays.
+
+So, should you worry about hosting on a VPS? **Only if you intend to _send_ or _receive_ sensitive information on that particular node**.
+
+If you want to connect to Hyperboria, but are for whatever reason unable to do so from your main computer, using a VPS as a static link into the network is quite reasonable. As long as you take precautions to protect the private keys on any nodes which initiate connections, **your data will remain secure in transit**.
+
+## Perfect Forward Secrecy
+
+Temporary keys are used and destroyed when cryptAuth sessions time out. Timeouts are subject to environmental influence, but can be considered _random_ for most practical purposes. CryptAuth sessions are all killed when cjdroute is restarted.
+
+If your `cjdroute.conf` file is somehow compromised, it _does **not**_ mean that all prior sessions have also been compromised.
+
+A compromised private key means someone can impersonate you going forward, though, it is quite likely that any party motivated to compromise your node would not do so. It is far more likely that a skilled aggressor would simply use it to eavesdrop, and you would not realize that your node had been undermined.
+
+## A few notes
+
+cjdns is experimental! It is possible that someone is using a zero-day exploit in the wild to compromise a node's security. 
+
+If you're really worried, you can also use tools like PGP to further encrypt data before sending it.
+
+You could also use an [XMPP client](http://en.wikipedia.org/wiki/XMPP) that supports the [OTR](https://otr.cypherpunks.ca/) protocol, and use that to transfer PGP-encrypted data over cjdns.
+
+If you have good reason to protect your data (other than simply doing it on principal), then redundancy is your friend!
+
+If it's not completely clear from the information above, you should not store your PGP keys on your VPS either! Encrypt locally, protect your keys, and be mindful that others do not have physical access to the device which stores your private keys!
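Review bot: The "Perfect Forward Secrecy" section should scope its claim to a leaked `cjdroute.conf`, because the VPS section above it already quotes cjd on the provider snapshotting RAM, and a memory snapshot would hold the temporary keys of live sessions as well as the long-term key. Suggest one sentence saying that forward secrecy covers sessions whose temporary keys have already been destroyed, not sessions that are live at the time of the capture. Also, "on principal" in "A few notes" should be "on principle", and the sentence beginning "A compromised private key means someone can impersonate you going forward, though," would read better split in two.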

+ 91 - 30
doc/index.md

@@ -1,38 +1,99 @@
-# Project Meshnet Documentation
-
-Here's some documentation we've been working on. Feel free to fork us and [add some pages!](notes/wanted.md)
-
-* [Intro](intro.md)
- * [General FAQ](faq/general.md)
- * [Peering FAQ](faq/peering.md)
- * [Glossay](faq/glossary.md)
- * [Changelog for cjdns](cjdns/changelog.md)
- * [Anatomy of a running cjdns](cjdns/anatomy.md)
- * [Node Operator Guidelines](cjdns/Operator_Guidelines.md)
- * [nodeinfo.json](cjdns/nodeinfo-json.md)
-* [Commodity routers and OpenWrt](openwrt.md)
-* [Mesh Local Intro](meshlocals/intro.md)
- * [Existing Meshlocals](meshlocals/existing/index.md)
- * [Starting Your Own](meshlocals/diy.md)
-* Known Bugs
- * [Black Hole](bugs/black-hole.md)
- * [Secret Santa](bugs/santa.md)
- * ~~Hidden Peers~~
-
-## These notes are unstructured and possibly outdated:
+# Hyperboria
+
+## The privacy-friendly network without borders
+
+We're a community of local Wifi initiatives, programmers, and enthusiasts.
+We run a peer-to-peer IPv6 network with automatic end-to-end encryption,
+distributed IP address allocation, and DHT-based Source Routing.
+
+- Existing applications Just Work
+- Low entry barriers for users and ISPs
+- Runs on Linux, Android, OpenWrt, OS X, and many others
+
+Hyperboria is based on the cjdns routing protocol.
+
+You can contribute to its documentaion: https://github.com/hyperboria/docs
+
+
+## About Hyperboria
+
+- [Asking Questions](wtfm.md) *TODO*
+- [Peering](faq/peering.md)
+- [Security](faq/security.md)
+- [Meshlocals](meshlocals/intro.md)
+  - [Meshlocals around the world](meshlocals/existing/index.md)
+  - [Starting a Meshlocal](meshlocals/diy.md)
+- [FAQ](faq/general.md)
+- [Achievements](achievements.md)
+- [Glossary](faq/glossary.md)
+
+
+## The cjdns routing protocol
+
+- About
+  - [Goals](projectGoals.md) ([russian](projectGoals_ru.md))
+  - [Original whitepaper](Whitepaper.md)
+  - [Brief intro](intro.md)
+  - [Security Specification](security_specification.md)
+- Installation
+  - [Most Linuxes](install/linux.md) *TODO*
+  - [OpenWrt](openwrt.md)
+  - [Android](install/android.md) *TODO*
+  - [Firefox OS](install/firefoxos.md) *TODO*
+  - [OS X](install/osx.md) *TODO*
+  - [Debian Wheezy](debian-wheezy.md)
+  - [FreeBSD](install/freebsd.md) *TODO*
+  - [OpenBSD](install/openbsd.md) *TODO*
+  - [Windows](windows.md)
+    - [Building *on* Windows](notes/build-on-windows.md)
+    - [Securing your Windows system](notes/windows-firewall.md)
+- Usage
+  - [Setup](configure.md)
+  - [Operator guidelines](cjdns/Operator_Guidelines.md)
+  - [Securing your system](network-services.md)
+  - [Tools](tools/index.md) *TODO*
+    - [Third party tools](ctrls.md)
+  - [Admin API](admin-api.md)
+- Working with cjdns
+  - [Anatomy of cjdroute](cjdns/anatomy.md)
+  - [Peering over UDP](cjdns/peering-over-UDP-IP.md)
+  - [nodeinfo.json](cjdns/nodeinfo-json.md)
+  - [Changelog](cjdns/changelog.md)
+- HowTo
+  - [Using cjdns as a VPN](tunnel.md)
+  - [Shorewall and VPN gateway](shorewall_and_vpn_gateway_howto.md)
+  - [NAT gateway for non-cjdns nodes](nat-gateway.md)
+  - [Autostart at login](autostart-at-login.md)
+  - [Run as non-root user](non-root-user.md)
+- Troubleshooting
+  - [Read this first](bugs/policy.md)
+  - [Memory leaks](debugging_memory_leaks.md)
+  - [SecComp](Seccomp.md)
+  - [Analyzing network IO](TrafficAnalisys.md)
+  - Known issues
+    - [Black Hole](bugs/black-hole.md)
+    - [Secret Santa](bugs/santa.md)
+    - Configurator timeout
+      - [Firewall on localhost](bugs/configurator-timeout.md)
+      - [UDP overflow](bugs/connectTo-overflow.md)
+    - ~~[Hidden Peers](bugs/hidden-peers.md)~~
+    - [OS/distro-specific quirks](bugs/distro-quirks.md)
+  - [Reporting bugs](bugs/reporting.md)
+
+
+## Random notes, work-in-progress, inbox
+
+These notes are unstructured, and most of them likely outdated.
 
 * [Interesting links](notes/links.md)
 * [ansuz' Q&A with Arceliar](notes/arc-workings.md)
 * [cjdns-core](notes/cjdns-core.md)
 * [cryptography](notes/cryptography.md)
 * [cjdroute.conf](notes/cjdroute.md)
-* [cjdns/do](notes/do.md)
+* [./do](notes/do.md)
 * [DNS ideas](notes/dns.md)
+* [DJC layer model](djc_layer_model.md)
+* [Benchmarks](benchmark.txt)
+* [Fun with the switch](switchfun.txt)
 
-## Cjdns ships with a fair amount of documentation
-
-...Though you may not think to look in all the places it's stored.
-
-[This document](https://github.com/lgierth/cjdns/blob/docs/docs/index.md) includes an index of those files.
-
-See also [tips and tricks](tipsAndTricks.md)
+More of this in `notes/`.
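Review bot: The rewritten index drops the old "See also [tips and tricks](tipsAndTricks.md)" line and no added entry links to `tipsAndTricks.md`, even though that file is still edited in this same commit, so the page ends up unreachable from the index. Add it under "Usage" or "HowTo". Smaller points: "documentaion" in the intro should be "documentation", the bare GitHub URL next to it could be a proper link, and the new sections use `-` list markers while the retained notes list keeps `*`.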

+ 6 - 0
doc/meshlocals/existing/nyc.md

@@ -0,0 +1,6 @@
+NYC Meshnet
+===========
+
+**Website** : [nycmesh.net](https://nycmesh.net/blog/starting-with-the-basics/)
+
+**IRC Channel** : [#nycmeshnet on EFNet](irc://irc.efnet.org/#nycmeshnet)
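Review bot: The Website entry is labelled `nycmesh.net` but the target is a single blog post (`/blog/starting-with-the-basics/`). Either point the link at the site root or change the label to describe the post, so readers know where the link goes.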

+ 93 - 0
doc/notes/build-on-windows.md

@@ -0,0 +1,93 @@
+CultureSpy worked out how to compile cjdns for Windows for Windows. So if you happen to use this broken ass OS and want to use cjdns....
+
+# Building cjdns On Windows For Windows
+
+
+Install Cygwin from [here](https://cygwin.com/install.html)
+
+Extra packages to install, if they're not installed by default:
+
+```
+gcc-core
+gcc-g++
+libltdl7
+mingw-binutils
+mingw-gcc-core
+mingw-pthreads
+mingw-w32api
+mingw64-i686-binutils
+ming64-i686-gcc
+ming64-i686-gcc-core
+ming64-i686-gcc-g++
+ming64-i686-headers
+ming64-i686-pthreads
+ming64-i686-runtime
+ming64-i686-windows-default-manifest
+ming64-i686-winpthreads
+python
+w32api-headers
+w32api-runtime
+windows-default-manifest
+make
+```
+
+[Install node.js](http://nodejs.org/download/)
+
+
+Get the [cjdns source](https://github.com/cjdelisle/cjdns)
+
+
+Create `C:\tmp`
+
+Start a cygwin session and update your environment for mingw compilation:
+
+```
+export CC=i686-w64-mingw32-gcc
+export CXX=i686-w64-mingw32-g++
+```
+
+Make a small edit to the cjdns JS build system:
+
+```
+--- a/node_build/make.js
++++ b/node_build/make.js
+@@ -43,7 +43,7 @@ Builder.configure({
+     systemName:     SYSTEM,
+     crossCompiling: process.env['CROSS'] !== undefined,
+     gcc:            GCC,
+-    tempDir:        '/tmp',
++    tempDir:        'C:\\tmp',
+     optimizeLevel:  '-O2',
+     logLevel:       process.env['Log_LEVEL'] || 'DEBUG'
+ }, function (builder, waitFor) {
+```
+(that is, replace the line that says `tempDir: '/tmp'` with `tempDir: 'C:\\tmp'`)
+
+This works around an issue with the detection of the tmp directory.
+
+Also, make sure libuv will build:
+
+`cp node_build/dependencies/libuv/Makefile.mingw node_build/dependencies/libuv/Makefile`
+
+Edit `node_build/dependencies/libuv/Makefile` so that it will use the mingw gcc instead of the cygwin gcc:
+
+```
+15c15
+< CC = gcc
+---
+> #CC = gcc
+```
+
+(That is, comment out the line that sets the CC variable.)
+
+Then run `./do` to build
+
+The system churns for a while, hopefully producing no errors. It will eventually tell you it's time to run `cjdroute`. It lies.
+
+`cp build_win32/admin_angel_cjdroute2_c.exe cjdroute.exe`
+
+Or put cjdroute.exe wherever you like.
+
+Continue following [instructions here](../windows.md#run-time-dependencies)
+
+And obviously [secure your shit](windows-firewall.md)
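Review bot: In the Cygwin package list, the eight entries from `ming64-i686-gcc` through `ming64-i686-winpthreads` are missing the `w` that the entry just above them has (`mingw64-i686-binutils`), so anyone searching for them in the Cygwin installer will not find them. Correct the prefix to `mingw64-i686-` throughout. The opening sentence also repeats "for Windows for Windows", and the embedded `make.js` patch would be easier to apply if the fence were tagged as a diff.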

+ 39 - 0
doc/notes/gsoc.md

@@ -0,0 +1,39 @@
+## cjdns google summer of code
+
+[Google Summer of Code](http://www.google-melange.com/gsoc/document/show/gsoc_program/google/gsoc2015/help_page) has several goals:
+
+1. Create and release open source code for the benefit of all
+2. Inspire young developers to begin participating in open source development
+3. Help open source projects identify and bring in new developers and committers
+4. Provide students the opportunity to do work related to their academic pursuits (think "flip bits, not burgers")
+5. Give students more exposure to real-world software development scenarios (e.g., distributed development, software licensing questions, mailing-list etiquette)
+
+## Our goals
+
+1. Get funding! Fixing cjdns is hard work, and it takes a lot of time. A precedent of funding from google might make it easier to pick up funding from other sources.
+2. Get attention! People pay attention to projects that google funds. We need more eyes.
+3. Structure! Hard deadlines get people moving. We'll get more done as a well-defined organization.
+4. A working product... an android app? Something to improve the core routing algorithm? Debugging/visualization/simulation tools? Userland config management?
+
+## Ideas
+
+### cjdns on the Freifunk backbone (BBB) and network (IC-VPN)
+
+The Berlin BackBone (BBB) is a network of dedicated wifi links between several sites at public buildings like churches or townhalls. It is the backbone of Freifunk Berlin's network, which other nodes in the neighbourhoods connect to. The InterCity VPN (IC-VPN) connects the Berlin network with the networks of other Freifunk communities, e.g. in Leipzig and Hamburg.
+
+The goal is to:
+
+- tunnel Internet traffic from the neighbourhood to the Freifunk <-> Internet exchanges
+- link cjdns islands in the community
+- automate the tunnel setup on leaf nodes
+
+TODO: need to think about how remote-friendly this idea is
+
+### Continuous simulations and benchmarks of cjdns
+
+- [HACKING.md#simulating](https://github.com/cjdelisle/cjdns/blob/master/HACKING.md#simulating)
+- [cjdns-testbed](https://github.com/lgierth/cjdns-testbed)
+
+### DNS
+
+See [DNS, with trust based on peering-like agreements](dns.html#dns-with-trust-based-on-peering-like-agreements)
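Review bot: The DNS link at the end targets `dns.html#dns-with-trust-based-on-peering-like-agreements`, while the index in this same commit links the page as `notes/dns.md`. Use `dns.md#...` so the link resolves when the docs are browsed as Markdown in the repository.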

+ 5 - 0
doc/notes/links.md

@@ -19,6 +19,11 @@
   - An international effort to make community networks collaborate with one another.
 - [Wireless Commons](https://guifi.net/en/WCL_EN)
 
+## Protocols
+
+- [n2n](http://www.ntop.org/products/n2n/)
+  - A Layer Two Peer-to-Peer VPN
+
 ## Appliances
 
 - [Commotion Wireless](https://commotionwireless.net)

+ 16 - 4
doc/notes/wanted.md

@@ -1,9 +1,19 @@
-# Ideas for new docs
+# Help Wanted
+
+First and foremost, we need someone to constantly review this repository, and keep this file up to date.
+
+If you see something listed here that has been taken care of, please knock it off the list. If you see something here, and take care of it yourself, please do us another favour and cross it out and link to your work.
 
 * cjdns
   + breakdown of 3 parts of cjdns as explained in the [whitepaper](https://github.com/cjdelisle/cjdns/blob/master/doc/Whitepaper.md)
   + how to [cjdroute.conf](https://wiki.projectmeshnet.org/Cjdroute.conf)
   + Admin API
+* Community
+  + latest news
+  + current public peers policy (with links to peers)
+  + public peers vs open peers (dedicated passwords)
+  + abuse policy
+  + what is _official_?
 * Peering
   + generating and transferring credentials
   + ~~over UDP/IP~~
@@ -27,7 +37,7 @@
 * the build system :(
   + cjdns/node_build/make.js
 * in the media
-* FAQ
+* [FAQ](../faq/)
   + My service doesn't like ipv6. how can I get it to run on hype? [6tunnel?](http://toxygen.net/6tunnel/)
     * inet6 with tcp6 and netcat
   + How can I help?
@@ -38,5 +48,7 @@
       - Go - help jph build zlarkd!
       - Windows/CrossPlatform devs - Help us make cjdns portable to *all* the devices!
   + Jargon file
-* Known bugs && their circumstances
-  + Failure to reestablish connection after disconnect/ipv4 change
+* [Known bugs && their circumstances](../bugs/index.md)
+  + Failure to reestablish connection after disconnect/ipv4 change
+  + [OS/distro-specific quirks](../bugs/distro-quirks.md)
+    - OSX doesn't autopeer

+ 38 - 0
doc/notes/windows-firewall.md

@@ -0,0 +1,38 @@
+# Purpose
+
+With the Windows population of Hyperboria set to grow, some basic security advice may be needed. Because many of Windows' services cannot be disabled without sacrificing desktop functionality, we will rely on the Windows Firewall as a first line of defense,
+
+## Configuration
+
+On a general purpose desktop PC, it is possible for the firewall to become disabled for any number of reasons. This is generally considered bad practice but not fatal on a LAN. Cjdns will expose the PC to a large network where every node is considered local. The potential for hostile traffic is much higher. Therefore, we must make sure the firewall is enabled:
+
+
+1. Right click network icon in the system tray and select "Open Network and Sharing Center".
+2. On the left pane of the window, click "Change adapter settings".
+3. Make note of the name of TAP adapter and hit the Back button.
+4. Make sure the TAP adapter is listed as being in a "Public network" and that your LAN is listed as anything other than public. This procedure varies on different Windows versions:
+  * On Windows 7, you should be able to click the "Private" or "Work" indicator and select a new network type.
+  * On Windows 8, you need to enable Network Discovery to make a network "Private".
+5. On the left pane of the window, click "Windows Firewall".
+6. On the left pane of the window, click "Tuen Windows Firewall on or off".
+7. Make sure that the firewall is on for Public networks.
+8. Make sure that "Block all incoming connections..." is unchecked under Public networks.
+9. Make sure that "Notify me..." is checked under Public networks.
+10. Accept your changes, provide the Administrator password if needed.
+11. On the left pane of the window, click "Advanced settings".
+12. On the left pane of the window, click "Inbound Rules". (Here you will probably see an overwhelming amount of configuration options. Windows software is allowed to programmatically add firewall rules, sometimes without the approval of the user. Each of these is a potential attack vector, so we need to disable most of them.)
+13. On the right pane of the window, "Filter by profile: Public" and "Filter by state: Enabled"
+14. Sort by the "Action" column so that "Allowed" is at the top.
+15. For each enabled allow rule, you must do the following:
+  * Ignore "Core Networking - ...." rules.
+  * Ignore "File and Print Sharing (Echo Request ...)" rules.
+  * For any rule that is in more than one profile:
+    + Double click it.
+    + Switch to the Advanced tab.
+    + Uncheck "Public".
+  * For any rule that is in "Public" profile only, disable it.
+    + This can be done in batches, so it's a little less tedious.
+16. Done!
+
+This leaves your PC able to participate in basic networking functions like responding to pings, but closes all services to the Cjdns network.
+
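Review bot: The closing claim that this "closes all services to the Cjdns network" only holds for the rules that exist when step 15 is carried out, while step 12 itself points out that Windows software can add inbound rules programmatically. Suggest adding a line telling the reader to repeat the Public-profile filter check after installing or updating software. Smaller fixes: the first paragraph ends in a comma, step 6 reads "Tuen Windows Firewall on or off", and the sub-bullets under steps 4 and 15 are indented two spaces, which some Markdown renderers will not nest under a numbered item.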

+ 138 - 0
doc/shorewall_and_vpn_gateway_howto.md

@@ -0,0 +1,138 @@
+# Shorewall and VPN gateway
+Tutorial for setting up an IP tunnel gateway from cjdns to clearnet, using a VPN and Shorewall.
+
+* From: https://wiki.projectmeshnet.org/Gateway_server_howto
+
+##General
+* Close any open ports also on IPv6, e.g.:
+ `ip6tables -A INPUT -i tun0 -p tcp --destination-port 22 -j REJECT`
+
+##VPN
+Connect to a VPN provider (I used mullvad.net). Make sure you can pay with bitcoins. Recommended connection: openvpn.
+
+##Firewall (shorewall)
+###Interfaces 
+```
+ #ZONE INTERFACE BROADCAST OPTIONS
+ net eth0 detect routefilter,dhcp,tcpflags,logmartians,nosmurfs
+ cjdns tun0 detect routefilter,dhcp,tcpflags,logmartians,nosmurfs
+ vpn tun1 detect routefilter,dhcp,tcpflags,logmartians,nosmurfs
+```
+###Zones
+```
+ #ZONE   TYPE    OPTIONS                 IN                      OUT
+ #                                       OPTIONS                 OPTIONS
+ fw      firewall
+ net     ipv4
+ cjdns   ipv4
+ vpn     ipv4
+```
+###Policy
+```
+ #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+ $FW             net             ACCEPT
+ $FW             vpn             ACCEPT
+ cjdns		vpn		ACCEPT
+ vpn		cjdns		DROP		info
+ net             $FW             DROP            info
+ vpn             $FW             DROP            info
+ cjdns		$FW		DROP		info
+ $FW		cjdns		DROP		info
+ net             all             DROP            info
+ # The FOLLOWING POLICY MUST BE LAST
+ all             all             REJECT          info
+```
+###Rules
+```
+ #ACTION         SOURCE                  DEST            PROTO   DEST
+ #                                                       PORT
+ # Cjdns over vpn:
+ ACCEPT          vpn                     $FW             udp     31777
+ # ping
+ ACCEPT          net                     $FW             icmp    8
+ # Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
+ Ping/REJECT     net                     $FW
+ # Permit all ICMP traffic FROM the firewall TO the net zone
+ ACCEPT          $FW                     net             icmp
+ ACCEPT          $FW                     cjdns           icmp
+ ACCEPT          cjdns                   $FW             icmp
+```
+##Networking
+Give an IPV4 address to the server side of the cjdns tunnel:
+
+ `ip addr add 10.42.0.3/32 dev tun0`
+
+Add route to each client side of the cjdns tunnel:
+
+ `ip route add 10.42.42.42 via 10.42.0.3 dev tun0`
+
+Set forwarding on:
+
+ `echo 1 > /proc/sys/net/ipv4/conf/all/forwarding`
+
+Add vpn address:
+
+ `route add $VPN_ENTRY_ADDRESS gateway $SERVER_REAL_ADDRESS`
+
+The default gw for the clients (to vpn):
+
+ `ip addr add 10.42.0.1/32 dev tun1`
+
+Masqurading (NAT):
+
+ `iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE`
+
+Remove original gateway:
+```
+ GW=`route -n | grep ^0.0.0.0 | awk -F ' ' '{ print $2 }'`
+ route del default gw $GW
+```
+Use DNS server from VPN provider to avoid leaks:
+ `cp /etc/resolv.conf.vpn /etc/resolv.conf`
+
+##Add user
+
+
+For convenience, I check the last 20 characters of the public key (not including .k) e.g.:
+ ```
+ publicKey="lsvf85b3bg9fwy74sdlbqyhlt5n7w32s4m1mwsxggjx5kfzfk120.k"
+ NODE=${publicKey: -22:22}
+ echo $NODE
+ 4m1mwsxggjx5kfzfk120.k
+```
+And I use it as part of the password added to cjdroute.conf under "authorizedPasswords":
+ `{"password":"4m1mwsxggjx5kfzfk120.k.foobarpassword"},`
+
+And under `ipTunnel` `allowedConnections`:
+```
+ {
+   "publicKey": "lsvf85b3bg9fwy74sdlbqyhlt5n7w32s4m1mwsxggjx5kfzfk120.k",
+   "ip4Address": "10.42.something.else",
+ },
+```
+##Quota
+
+Add a user
+```
+ # Check if chain exists
+ iptables -L | grep $NODE && exit 0
+ # Add the user
+ iptables -N $NODE
+ iptables -I cjdns2vpn 1 -s $IP -j $NODE
+ iptables -I vpn2cjdns 1 -d $IP -j $NODE
+ iptables -I $NODE 1 -j DROP
+ iptables -I $NODE 1 -m quota --quota $QUOTA -j ACCEPT
+```
+Delete a user:
+```
+ # Check if chain exists
+ iptables -L | grep $NODE || exit 0
+ # Delete the user
+ iptables -D $NODE -j DROP
+ iptables -D $NODE -m quota --quota $QUOTA -j ACCEPT
+ iptables -D cjdns2vpn -s $IP -j $NODE
+ iptables -D vpn2cjdns -d $IP -j $NODE
+ iptables -X $NODE
+```
+Reset user's quota:
+ `iptables -R $NODE 1 -m quota --quota $QUOTA -j ACCEPT`
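Review bot: All four zones in the Zones file are declared `ipv4`, so the Shorewall policy here never sees the IPv6 traffic that arrives on `tun0`, and the only IPv6 filtering in the howto is the single port 22 `REJECT` in the General section. Suggest replacing that example with a default-deny for IPv6 input on `tun0` (or an equivalent shorewall6 configuration) so that other listening services are not left reachable from the mesh. In the "Add user" section, `${publicKey: -22:22}` yields 22 characters including the `.k` suffix, as the sample output shows, while the text says 20 characters not including `.k`; make the two agree. The headings written as `##General` also need a space after the hashes to render under stricter Markdown parsers.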

+ 1 - 1
doc/tipsAndTricks.md

@@ -9,7 +9,7 @@
 
 #### You don't need to run cjdroute as root
 
-Uncomment the _TUN SECTION_ <!-- elaboration required --> of the conf and launch it like that. Your node will switch traffic, and peer effectively, though you will not be able to run services.
+Comment the _router.interface_ section <!-- elaboration required --> of the conf and launch it like that. Your node will switch traffic, and peer effectively, though you will not be able to run services.
 
 You have the option of configuring your TUN device manually. It will require root, but once established, cjdroute can otherwise run as an unprivileged user.
 
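Review bot: "Comment the _router.interface_ section" should read "Comment out", and the `<!-- elaboration required -->` marker is carried over unchanged even though the instruction was just inverted from "Uncomment". Since the line is being corrected anyway, state which block in the conf is meant so the marker can be dropped.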

+ 4 - 4
doc/tunnel.md

@@ -151,10 +151,10 @@ if nothing scrolls with the ipv6 associated with your client's on the tunnel, yo
 to make sure they're correct by running `ip -6 route`. The output should include four lines that look similar
 to the ones below (take special note of which device is associated with each line).
 
-1111:1111:1111:1111:1111:1111:1111:1 dev eth0 metric 1024
-1111:1111:1111:1111:1111:1111:1111:3 dev tun0 proto kernel metric 256
-1111:1111:1111:1111:1111:1111:1111:0/64 dev tun0 metric 1024
-default via 1111:1111:1111:1111:1111:1111:1111:1 dev eth0 metric 1024
+    1111:1111:1111:1111:1111:1111:1111:1 dev eth0 metric 1024
+    1111:1111:1111:1111:1111:1111:1111:3 dev tun0 proto kernel metric 256
+    1111:1111:1111:1111:1111:1111:1111:0/64 dev tun0 metric 1024
+    default via 1111:1111:1111:1111:1111:1111:1111:1 dev eth0 metric 1024
 
 If your routes are correct and things still aren't working, continue to let the ping process run on the client
 and run `tcpdump -n -i eth0 icmp6` on the gateway to check the traffic flowing through its ethernet device.