| … | |
… | |
| 314 | is established (even on rekeying operations). Note that node-up/down |
314 | is established (even on rekeying operations). Note that node-up/down |
| 315 | scripts will be run asynchronously, but execution is serialised, so there |
315 | scripts will be run asynchronously, but execution is serialised, so there |
| 316 | will only ever be one such script running. |
316 | will only ever be one such script running. |
| 317 | |
317 | |
| 318 | In addition to all the variables passed to C<if-up> scripts, the following |
318 | In addition to all the variables passed to C<if-up> scripts, the following |
| 319 | environment variables will be set: |
319 | environment variables will be set (values are just examples): |
| 320 | |
320 | |
| 321 | =over 4 |
321 | =over 4 |
| 322 | |
322 | |
| 323 | =item DESTNODE=branch2 |
323 | =item DESTNODE=branch2 |
| 324 | |
324 | |
| 325 | The name of the remote node. |
325 | The name of the remote node. |
| 326 | |
326 | |
| 327 | =item DESTID=2 |
327 | =item DESTID=2 |
| 328 | |
328 | |
| 329 | The node id of the remote node. |
329 | The node id of the remote node. |
|
|
330 | |
|
|
331 | =item DESTSI=rawip/88.99.77.55:0 |
|
|
332 | |
|
|
333 | The "socket info" of the target node, protocol dependent but usually in |
|
|
334 | the format protocol/ip:port. |
| 330 | |
335 | |
| 331 | =item DESTIP=188.13.66.8 |
336 | =item DESTIP=188.13.66.8 |
| 332 | |
337 | |
| 333 | The numerical IP address of the remote node (gvpe accepts connections from |
338 | The numerical IP address of the remote node (gvpe accepts connections from |
| 334 | everywhere, as long as the other node can authenticate itself). |
339 | everywhere, as long as the other node can authenticate itself). |
| 335 | |
340 | |
| 336 | =item DESTPORT=655 # deprecated |
341 | =item DESTPORT=655 # deprecated |
| 337 | |
342 | |
| 338 | The UDP port used by the other side. |
343 | The protocol port used by the other side, if applicable. |
| 339 | |
344 | |
| 340 | =item STATE=UP |
345 | =item STATE=up |
| 341 | |
346 | |
| 342 | Node-up scripts get called with STATE=UP, node-down scripts get called |
347 | Node-up scripts get called with STATE=up, node-change scripts get called |
| 343 | with STATE=DOWN. |
348 | with STATE=change and node-down scripts get called with STATE=down. |
| 344 | |
349 | |
| 345 | =back |
350 | =back |
| 346 | |
351 | |
| 347 | Here is a nontrivial example that uses nsupdate to update the name => ip |
352 | Here is a nontrivial example that uses nsupdate to update the name => ip |
| 348 | mapping in some DNS zone: |
353 | mapping in some DNS zone: |
| … | |
… | |
| 352 | echo update delete $DESTNODE.lowttl.example.net. a |
357 | echo update delete $DESTNODE.lowttl.example.net. a |
| 353 | echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP |
358 | echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP |
| 354 | echo |
359 | echo |
| 355 | } | nsupdate -d -k $CONFBASE:key.example.net. |
360 | } | nsupdate -d -k $CONFBASE:key.example.net. |
| 356 | |
361 | |
|
|
362 | =item node-change = relative-or-absolute-path |
|
|
363 | |
|
|
364 | Same as C<node-change>, but gets called whenever something about a |
|
|
365 | connection changes (such as the source IP address). |
|
|
366 | |
| 357 | =item node-down = relative-or-absolute-path |
367 | =item node-down = relative-or-absolute-path |
| 358 | |
368 | |
| 359 | Same as C<node-up>, but gets called whenever a connection is lost. |
369 | Same as C<node-up>, but gets called whenever a connection is lost. |
| 360 | |
370 | |
| 361 | =item pid-file = path |
371 | =item pid-file = path |
| … | |
… | |
| 378 | =item rekey = seconds |
388 | =item rekey = seconds |
| 379 | |
389 | |
| 380 | Sets the rekeying interval in seconds (default: C<3600>). Connections are |
390 | Sets the rekeying interval in seconds (default: C<3600>). Connections are |
| 381 | reestablished every C<rekey> seconds, making them use a new encryption |
391 | reestablished every C<rekey> seconds, making them use a new encryption |
| 382 | key. |
392 | key. |
|
|
393 | |
|
|
394 | =item nfmark = integer |
|
|
395 | |
|
|
396 | This advanced option, when set to a nonzero value (default: C<0>), tries |
|
|
397 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
|
|
398 | send packets. |
|
|
399 | |
|
|
400 | This can be used to make gvpe use a different set of routing rules. For |
|
|
401 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
402 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
403 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
404 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
405 | |
|
|
406 | ip rule add not fwmark 1000 lookup 99 |
| 383 | |
407 | |
| 384 | =back |
408 | =back |
| 385 | |
409 | |
| 386 | =head2 NODE SPECIFIC SETTINGS |
410 | =head2 NODE SPECIFIC SETTINGS |
| 387 | |
411 | |
