--- gvpe/doc/gvpe.conf.5.pod 2008/09/01 05:31:28 1.21 +++ gvpe/doc/gvpe.conf.5.pod 2011/02/15 14:34:39 1.27 @@ -239,7 +239,11 @@ The default is 47 (GRE), which has a good chance of tunneling through firewalls (but note that gvpe's rawip protocol is not GRE compatible). Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 -(IPIP tunnels) or 98 (ENCAP, rfc1241) +(IPIP tunnels) or 98 (ENCAP, rfc1241). + +Many versions of Linux seem to have a bug that causes them to reorder +packets for some ip protocols (GRE, ESP) but not for others (AH), so +choose wisely (that is, use 51, AH). =item http-proxy-host = hostname/ip @@ -316,7 +320,7 @@ will only ever be one such script running. In addition to all the variables passed to C scripts, the following -environment variables will be set: +environment variables will be set (values are just examples): =over 4 @@ -328,6 +332,11 @@ The node id of the remote node. +=item DESTSI=rawip/88.99.77.55:0 + +The "socket info" of the target node, protocol dependent but usually in +the format protocol/ip:port. + =item DESTIP=188.13.66.8 The numerical IP address of the remote node (gvpe accepts connections from @@ -335,12 +344,12 @@ =item DESTPORT=655 # deprecated -The UDP port used by the other side. +The protocol port used by the other side, if applicable. -=item STATE=UP +=item STATE=up -Node-up scripts get called with STATE=UP, node-down scripts get called -with STATE=DOWN. +Node-up scripts get called with STATE=up, node-change scripts get called +with STATE=change and node-down scripts get called with STATE=down. =back @@ -354,6 +363,11 @@ echo } | nsupdate -d -k $CONFBASE:key.example.net. +=item node-change = relative-or-absolute-path + +Same as C, but gets called whenever something about a +connection changes (such as the source IP address). + =item node-down = relative-or-absolute-path Same as C, but gets called whenever a connection is lost. 
@@ -381,6 +395,20 @@ reestablished every C seconds, making them use a new encryption key. +=item nfmark = integer + +This advanced option, when set to a nonzero value (default: C<0>), tries +to set the netfilter mark (or fwmark) value on all sockets gvpe uses to +send packets. + +This can be used to make gvpe use a different set of routing rules. For +example, on GNU/Linux, the C could set C to 1000 and then +put all routing rules into table C<99> and then use an ip rule to make +gvpe traffic avoid that routing table, in effect routing normal traffic +via gvpe and gvpe traffic via the normal system routing tables: + + ip rule add not fwmark 1000 lookup 99 + =back =head2 NODE SPECIFIC SETTINGS @@ -398,9 +426,12 @@ =item compress = yes|true|on | no|false|off -Wether to compress data packets sent to this node (default: C). -Compression is really cheap even on slow computers and has no size -overhead at all, so enabling this is often a good idea. +For the current node, this specified whether it will accept compressed +packets, and for all other nodes, this specifies whether to try to +compress data packets sent to this node (default: C). Compression is +really cheap even on slow computers, has no size overhead at all and will +only be used when the other side supports compression, so enabling this is +often a good idea. =item connect = ondemand | never | always | disabled @@ -501,13 +532,7 @@ See gvpe.protocol(7) for a description of the UDP transport protocol. -Enable the UDPv4 transport using the C port (default: C, -unless no other protocol is enabled for a node, in which case this -protocol is enabled automatically). - -NOTE: Please specify C if you want to use it even though -it might get switched on automatically, as some future version might -default to another default protocol. +Enable the UDPv4 transport using the C port (default: C). =item hostname = hostname | ip [can not be defaulted] 
@@ -536,7 +561,7 @@ =item inherit-tos = yes|true|on | no|false|off -Wether to inherit the TOS settings of packets sent to the tunnel when +Whether to inherit the TOS settings of packets sent to the tunnel when sending packets to this node (default: C). If set to C then outgoing tunnel packets will have the same TOS setting as the packets sent to the tunnel device, which is usually what you want. @@ -609,23 +634,23 @@ =over 4 -=item X +=item gvpe.conf The config file. -=item X +=item if-up The if-up script -=item X, X +=item node-up, node-down If used the node up or node-down scripts. -=item X +=item hostkey The private key (taken from C) of the current host. -=item X +=item pubkey/nodename The public keys of the other nodes, one file per node.
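Review bot: in the ip-proto hunk (@@ -239), the advice "choose wisely (that is, use 51, AH)" is stronger than its justification, which is only "Many versions of Linux seem to have a bug" with no kernel version range or bug reference; either name the affected kernels or phrase it as a hint. It also sits directly under the sentence keeping 47 (GRE) as the default because it "has a good chance of tunneling through firewalls", and nothing says whether protocol 51 keeps that property, so a reader following the new advice may trade a reordering problem for a connectivity one. Suggest: "Some Linux kernels have been observed to reorder packets for GRE and ESP but not AH; if you see reordering, try 51 (AH), but check that your firewalls pass it."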
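Review bot: the new DESTSI entry (@@ -328) describes the value as "protocol dependent but usually in the format protocol/ip:port" while its own example, rawip/88.99.77.55:0, shows port 0 for a port-less transport; the text should state that explicitly (port is 0 for rawip-style transports) so scripts that parse the variable do not treat it as an error. Since DESTPORT is marked "# deprecated" in the next hunk and DESTSI is the only variable that carries the transport protocol, also say that DESTSI is the intended replacement.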
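Review bot: changing the STATE values from UP/DOWN to up/down (@@ -335) silently breaks every existing node-up/node-down script that tests for the old spelling (for example `[ "$STATE" = UP ]`), and such scripts commonly drive DNS or firewall updates, as the nsupdate example on this page does. Either keep the old case, or mark the change the way DESTPORT is marked ("# deprecated") and add one line saying that older releases used UP/DOWN so script authors notice.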
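Review bot: the node-change description (@@ -354), "whenever something about a connection changes (such as the source IP address)", is too vague for a hook that readers will use to rewrite DNS records or firewall rules; list the changes that trigger it (source address, port, transport protocol?) and state that DESTSI/DESTIP/DESTPORT carry the new values, not the old ones, so a script knows what it is updating to.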
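Review bot: the nfmark paragraph (@@ -381) says gvpe "tries to set" the mark but not what happens when that fails, and setting a socket mark on Linux requires CAP_NET_ADMIN, which gvpe may not have once it drops privileges; document the requirement and whether failure is logged or fatal. This matters for the example that follows: `ip rule add not fwmark 1000 lookup 99` routes every unmarked packet through table 99 (the gvpe table), so if the mark is not actually applied, gvpe's own tunnel packets also match "not fwmark 1000" and get routed into the tunnel, a loop. The example is also incomplete without the `ip route ... table 99` entries that send traffic via the gvpe interface; a two- or three-line complete example would help.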
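Review bot: typo in the added compress text (@@ -398): "this specified whether" should be "this specifies whether". The sentence also carries two subjects in one clause; splitting it reads better, e.g. "For the current node this specifies whether it will accept compressed packets. For all other nodes it specifies whether to try to compress data packets sent to them."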
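Review bot: the udp-port hunk (@@ -501) deletes the text saying the UDPv4 transport was enabled automatically when no other transport was enabled, and the NOTE advising users to specify it explicitly, replacing both with a plain "default: no". If the auto-enable was removed from the code, that is a behaviour change worth one line here (a node with no transport configured now has none); if it was not removed, the documentation is now wrong. Add a sentence stating which.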
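Review bot: the FILES list (@@ -609) still mentions only node-up and node-down, but this same patch adds a node-change script, so add it here as well. While touching the line, "If used the node up or node-down scripts." reads better as "The node-up, node-change and node-down scripts, if used."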