--- gvpe/doc/gvpe.conf.5 2008/09/01 05:31:28 1.22 +++ gvpe/doc/gvpe.conf.5 2010/12/02 07:15:14 1.26 @@ -1,15 +1,7 @@ -.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) +.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .\" .\" Standard preamble: .\" ======================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp @@ -53,7 +45,7 @@ .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ @@ -132,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "GVPE.CONF 5" -.TH GVPE.CONF 5 "2008-09-01" "2.2" "GNU Virtual Private Ethernet" +.TH GVPE.CONF 5 "2010-09-10" "2.22" "GNU Virtual Private Ethernet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -198,7 +190,7 @@ node section they will set the default values for all following nodes. .SH "CONFIG VARIABLES" .IX Header "CONFIG VARIABLES" -.Sh "\s-1GLOBAL\s0 \s-1SETTINGS\s0" +.SS "\s-1GLOBAL\s0 \s-1SETTINGS\s0" .IX Subsection "GLOBAL SETTINGS" Global settings will affect the behaviour of the running gvpe daemon, that is, they are in some sense node-specific (config files can set different 
@@ -358,7 +350,11 @@ The default is 47 (\s-1GRE\s0), which has a good chance of tunneling through firewalls (but note that gvpe's rawip protocol is not \s-1GRE\s0 compatible). Other common choices are 50 (\s-1IPSEC\s0, \s-1ESP\s0), 51 (\s-1IPSEC\s0, \s-1AH\s0), 4 -(\s-1IPIP\s0 tunnels) or 98 (\s-1ENCAP\s0, rfc1241) +(\s-1IPIP\s0 tunnels) or 98 (\s-1ENCAP\s0, rfc1241). +.Sp +Many versions of Linux seem to have a bug that causes them to reorder +packets for some ip protocols (\s-1GRE\s0, \s-1ESP\s0) but not for others (\s-1AH\s0), so +choose wisely (that is, use 51, \s-1AH\s0). .IP "http-proxy-host = hostname/ip" 4 .IX Item "http-proxy-host = hostname/ip" The \f(CW\*(C`http\-proxy\-*\*(C'\fR family of options are only available if gvpe was @@ -429,7 +425,7 @@ will only ever be one such script running. .Sp In addition to all the variables passed to \f(CW\*(C`if\-up\*(C'\fR scripts, the following -environment variables will be set: +environment variables will be set (values are just examples): .RS 4 .IP "DESTNODE=branch2" 4 .IX Item "DESTNODE=branch2" 
@@ -437,17 +433,21 @@ .IP "DESTID=2" 4 .IX Item "DESTID=2" The node id of the remote node. +.IP "DESTSI=rawip/88.99.77.55:0" 4 +.IX Item "DESTSI=rawip/88.99.77.55:0" +The \*(L"socket info\*(R" of the target node, protocol dependent but usually in +the format protocol/ip:port. .IP "DESTIP=188.13.66.8" 4 .IX Item "DESTIP=188.13.66.8" The numerical \s-1IP\s0 address of the remote node (gvpe accepts connections from everywhere, as long as the other node can authenticate itself). .IP "DESTPORT=655 # deprecated" 4 .IX Item "DESTPORT=655 # deprecated" -The \s-1UDP\s0 port used by the other side. -.IP "STATE=UP" 4 -.IX Item "STATE=UP" -Node-up scripts get called with STATE=UP, node-down scripts get called -with STATE=DOWN. +The protocol port used by the other side, if applicable. +.IP "STATE=up" 4 +.IX Item "STATE=up" +Node-up scripts get called with STATE=up, node-change scripts get called +with STATE=change and node-down scripts get called with STATE=down. .RE .RS 4 .Sp @@ -463,6 +463,10 @@ \& } | nsupdate \-d \-k $CONFBASE:key.example.net. .Ve .RE +.IP "node-change = relative-or-absolute-path" 4 +.IX Item "node-change = relative-or-absolute-path" +Same as \f(CW\*(C`node\-change\*(C'\fR, but gets called whenever something about a +connection changes (such as the source \s-1IP\s0 address). .IP "node-down = relative-or-absolute-path" 4 .IX Item "node-down = relative-or-absolute-path" Same as \f(CW\*(C`node\-up\*(C'\fR, but gets called whenever a connection is lost. 
@@ -486,7 +490,22 @@ Sets the rekeying interval in seconds (default: \f(CW3600\fR). Connections are reestablished every \f(CW\*(C`rekey\*(C'\fR seconds, making them use a new encryption key. -.Sh "\s-1NODE\s0 \s-1SPECIFIC\s0 \s-1SETTINGS\s0" +.IP "nfmark = integer" 4 +.IX Item "nfmark = integer" +This advanced option, when set to a nonzero value (default: \f(CW0\fR), tries +to set the netfilter mark (or fwmark) value on all sockets gvpe uses to +send packets. +.Sp +This can be used to make gvpe use a different set of routing rules. For +example, on GNU/Linux, the \f(CW\*(C`if\-up\*(C'\fR could set \f(CW\*(C`nfmark\*(C'\fR to 1000 and then +put all routing rules into table \f(CW99\fR and then use an ip rule to make +gvpe traffic avoid that routing table, in effect routing normal traffic +via gvpe and gvpe traffic via the normal system routing tables: +.Sp +.Vb 1 +\& ip rule add not fwmark 1000 lookup 99 +.Ve +.SS "\s-1NODE\s0 \s-1SPECIFIC\s0 \s-1SETTINGS\s0" .IX Subsection "NODE SPECIFIC SETTINGS" The following settings are node-specific, that is, every node can have different settings, even within the same gvpe instance. Settings that are @@ -686,20 +705,20 @@ .SH "CONFIG DIRECTORY LAYOUT" .IX Header "CONFIG DIRECTORY LAYOUT" The default (or recommended) directory layout for the config directory is: -.IP "" 4 -.IX Xref "gvpe.conf" +.IP "gvpe.conf" 4 +.IX Item "gvpe.conf" The config file. -.IP "" 4 -.IX Xref "if-up" +.IP "if-up" 4 +.IX Item "if-up" The if-up script -.IP "," 4 -.IX Xref "node-up node-down" +.IP "node-up, node-down" 4 +.IX Item "node-up, node-down" If used the node up or node-down scripts. -.IP "" 4 -.IX Xref "hostkey" +.IP "hostkey" 4 +.IX Item "hostkey" The private key (taken from \f(CW\*(C`hostkeys/nodename\*(C'\fR) of the current host. -.IP "" 4 -.IX Xref "pubkey nodename" +.IP "pubkey/nodename" 4 +.IX Item "pubkey/nodename" The public keys of the other nodes, one file per node. .SH "SEE ALSO" .IX Header "SEE ALSO"
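Review bot: in hunk @@ -358,7 +350,11 @@ the added paragraph recommends protocol 51 (AH) to dodge a Linux reordering bug, while the sentence just above still says the default is 47 (GRE), so the reader is left with contradictory guidance; either change the default or state plainly that 47 stays the default for firewall traversal and 51 is the recommended override. "Many versions of Linux seem to have a bug" is too vague for a man page: name the affected kernel range if it is known, or at least drop "seem to". Minor: "ip protocols" should use the \s-1IP\s0 small-caps form used elsewhere in the same paragraph.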
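Review bot: in hunk @@ -437,17 +433,21 @@ changing the values from STATE=UP/STATE=DOWN to STATE=up/STATE=down silently breaks any existing node-up or node-down script that tests for the old uppercase value; this needs a changelog entry and ideally a sentence in the man page saying the case changed in this version. The new DESTSI entry would also benefit from a remark that the port part is 0 for protocols without ports (the rawip example shows exactly that), since "usually in the format protocol/ip:port" does not explain the :0.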
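Review bot: in hunk @@ -463,6 +463,10 @@ the new node-change description is self-referential: "Same as \f(CW\*(C`node\-change\*(C'\fR, but gets called whenever something about a connection changes". It should read "Same as \f(CW\*(C`node\-up\*(C'\fR", matching the node-down entry directly below it.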
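Review bot: in hunk @@ -486,7 +490,22 @@ the nfmark example is confusing about who sets what: nfmark is a gvpe.conf variable, yet the text says "the if-up could set nfmark to 1000". The if-up script installs table 99 and the ip rule; the mark itself comes from nfmark = 1000 in the config, so reword along the lines of "with nfmark set to 1000, the if-up script could put all routing rules into table 99 and then run: ip rule add not fwmark 1000 lookup 99". "Tries to set" also leaves the failure mode undocumented: setting a socket mark on Linux needs CAP_NET_ADMIN, so say whether gvpe logs and continues or refuses to start when it cannot set the mark, and state that the option is Linux-specific rather than only giving GNU/Linux as "for example".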
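Review bot: in hunk @@ -686,20 +705,20 @@ the directory layout still lists only "node-up, node-down", although this same patch introduces a node-change script; add it to that item and its .IX line. While here, "If used the node up or node-down scripts." should become "The node-up, node-change and node-down scripts, if used." with consistent hyphenation.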