[ViewVC] Diff of: cvs/gvpe/doc/gvpe.conf.5.pod

Comparing gvpe/doc/gvpe.conf.5.pod (file contents):
Revision 1.22 by pcg, Mon Sep 1 06:06:11 2008 UTC vs.
Revision 1.25 by pcg, Fri Sep 10 21:13:52 2010 UTC

 other programs.
 The default is 47 (GRE), which has a good chance of tunneling
 through firewalls (but note that gvpe's rawip protocol is not GRE
 compatible). Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4
-(IPIP tunnels) or 98 (ENCAP, rfc1241)
+(IPIP tunnels) or 98 (ENCAP, rfc1241).
+Many versions of Linux seem to have a bug that causes them to reorder
+packets for some ip protocols (GRE, ESP) but not for others (AH), so
+choose wisely (that is, use 51, AH).
 =item http-proxy-host = hostname/ip
 The C<http-proxy-*> family of options are only available if gvpe was
 compiled with the C<--enable-http-proxy> option and enable tunneling of
 is established (even on rekeying operations). Note that node-up/down
 scripts will be run asynchronously, but execution is serialised, so there
 will only ever be one such script running.
 In addition to all the variables passed to C<if-up> scripts, the following
-environment variables will be set:
+environment variables will be set (values are just examples):
 =over 4
 =item DESTNODE=branch2
 The name of the remote node.
 =item DESTID=2
 The node id of the remote node.
+=item DESTSI=rawip/88.99.77.55:0
+The "socket info" of the target node, protocol dependent but usually in
+the format protocol/ip:port.
 =item DESTIP=188.13.66.8
 The numerical IP address of the remote node (gvpe accepts connections from
 everywhere, as long as the other node can authenticate itself).
 =item DESTPORT=655 # deprecated
-The UDP port used by the other side.
+The protocol port used by the other side, if applicable.
-=item STATE=UP
+=item STATE=up
-Node-up scripts get called with STATE=UP, node-down scripts get called
+Node-up scripts get called with STATE=up, node-change scripts get called
-with STATE=DOWN.
+with STATE=change and node-down scripts get called with STATE=down.
 =back
 Here is a nontrivial example that uses nsupdate to update the name => ip
 mapping in some DNS zone:
      echo update delete $DESTNODE.lowttl.example.net. a
      echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP
      echo
    } | nsupdate -d -k $CONFBASE:key.example.net.
+=item node-change = relative-or-absolute-path
+Same as C<node-change>, but gets called whenever something about a
+connection changes (such as the source IP address).
 =item node-down = relative-or-absolute-path
 Same as C<node-up>, but gets called whenever a connection is lost.
 =item pid-file = path
 =item rekey = seconds
 Sets the rekeying interval in seconds (default: C<3600>). Connections are
 reestablished every C<rekey> seconds, making them use a new encryption
 key.
+=item nfmark = integer
+This advanced option, when set to a nonzero value (default: C<0>), tries
+to set the netfilter mark (or fwmark) value on all sockets gvpe uses to
+send packets.
+This can be used to make gvpe use a different set of routing rules. For
+example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then
+put all routing rules into table C<99> and then use an ip rule to make
+gvpe traffic avoid that routing table, in effect routing normal traffic
+via gvpe and gvpe traffic via the normal system routing tables:
+   ip rule add not fwmark 1000 lookup 99
 =back
 =head2 NODE SPECIFIC SETTINGS

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/doc/gvpe.conf.5.pod (file contents): Revision 1.22 by pcg, Mon Sep 1 06:06:11 2008 UTC vs. Revision 1.25 by pcg, Fri Sep 10 21:13:52 2010 UTC

Diff Legend

Comparing gvpe/doc/gvpe.conf.5.pod (file contents):
Revision 1.22 by pcg, Mon Sep 1 06:06:11 2008 UTC vs.
Revision 1.25 by pcg, Fri Sep 10 21:13:52 2010 UTC