3 .\" Manual for the conntrack service
5 .\" (c) 2010 Straylight/Edgeware
8 .\"----- Licensing notice ---------------------------------------------------
10 .\" This file is part of Trivial IP Encryption (TrIPE).
12 .\" TrIPE is free software; you can redistribute it and/or modify
13 .\" it under the terms of the GNU General Public License as published by
14 .\" the Free Software Foundation; either version 2 of the License, or
15 .\" (at your option) any later version.
17 .\" TrIPE is distributed in the hope that it will be useful,
18 .\" but WITHOUT ANY WARRANTY; without even the implied warranty of
19 .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 .\" GNU General Public License for more details.
22 .\" You should have received a copy of the GNU General Public License
23 .\" along with TrIPE; if not, write to the Free Software Foundation,
24 .\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26 .\"--------------------------------------------------------------------------
27 .so ../common/defs.man \"@@@PRE@@@
29 .\"--------------------------------------------------------------------------
30 .TH conntrack 8tripe "8 January 2007" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
32 .\"--------------------------------------------------------------------------
35 conntrack \- tripe service to start/stop peers depending on external connectivity
37 .\"--------------------------------------------------------------------------
53 .\"--------------------------------------------------------------------------
58 service watches D-Bus network management services like
59 .BR NetworkManager (8)
62 bringing peers up and down automatically. It's designed to be useful on
63 a mobile device, such as a laptop; I expect servers to stay where
64 they're put and be configured statically.
68 service reads a configuration file, by default
70 explaining which peers to bring up under which circumstances. The
71 configuration file is automatically re-read if it's changed.
74 configuration is split into sections, each describing a
76 A section begins with the peer group name in square brackets:
80 The group name is entirely arbitrary, and affects nothing else. This is
81 followed by peer definitions, each of which looks like this:
88 This means that the peer
90 should be selected if the host's current IP address is within the
92 .IB network / mask \fR.
95 is an IP address in dotted-quad form, and
97 is a netmask, either in dotted-quad form, or as a number of 1-bits.
98 Only one peer in each group may be connected at any given time; if a
99 change is needed, any existing peer in the group is killed before
100 connecting the new one. If no match is found in a particular group,
101 then no peers in the group are connected. Strange and unhelpful things
102 will happen if you put the same peer in several different groups.
108 are special and mean that no peer from the group should be active. This
109 is useful for detecting a `home' network, where a VPN is unnecessary
110 (or, worse, break routing completely).
112 The notion of `current IP address' is somewhat vague. The
114 service calculates it as the source address that the host would put on
115 an IP packet sent to an arbitrarily chosen remote address. The default
116 remote address is 1.2.3.4 (which is unlikely ever to be assigned); this
117 should determine an IP address on the network interface closest to the
118 default gateway. You can influence this process in two ways. Firstly,
119 you can change the default remote address used by adding a line
124 before the first peer group section. Secondly, you can specify a
127 to use when checking whether a particular peer is applicable.
129 The peer definitions can be in any order. They are checked
130 most-specific first, and searching stops as soon as a match is found.
131 Therefore a default definition can be added as
137 without fear of overriding any more specific definitions. For avoidance
138 of doubt, one peer definition is
140 than another if either the former has a specified
142 and the latter has not, or the former is wholly contained within the
143 latter. (Overlapping definitions are not recommended, and will be
144 processed in an arbitrary order.)
146 Peers are connected using the
150 .B SVCSUBMIT connect active
153 In addition to the standard options described in
154 .BR tripe-service (7),
155 the following command-line options are recognized.
157 .BI "\-f, \-\-config=" file
160 as the configuration file. In the absence of this option, the
163 in the current working directory is used instead.
165 .\"--------------------------------------------------------------------------
166 .SH "SERVICE COMMAND REFERENCE"
168 .\"* 10 Service commands
169 The commands provided by the service are as follows.
171 .BI "up " reason\fR...
172 Informs the service that the network connection has been established:
173 peer groups should be connected. The
175 is quoted in the status notification.
177 .BI "down " reason\fR...
178 Informs the service that the network connection has been lost:
179 peer groups should be disconnected. The
181 is quoted in the status notification.
183 .\"--------------------------------------------------------------------------
186 .\"* 30 Notification broadcasts (NOTE codes)
187 All notifications issued by
189 begin with the tokens
190 .BR "USER conntrack" .
192 .BI "USER conntrack dbus-connection " status
193 The service's connection to D-Bus has changed state. The
195 is one of the following.
199 Initially trying to connect.
202 Successfully established a connection to the bus.
205 A connection has been lost.
208 The service's internal state machine is confused.
211 .BI "USER conntrack " up \fR| down " " group = peer\fR... " " reason\fR...
212 The network connection has apparently gone up or down, and
214 is about to kill and/or connect peers accordingly: for each group, the
215 selected peer is listed; if a group is not listed, then either the group
216 is to be brought down, or no matching peer was found. The
218 is one of the following.
221 .B "nm initially-connected"
222 NetworkManager was detected on startup, and has an active network
225 .B "nm initially-disconnected"
226 NetworkManager was detected on startup, and has no active network
230 NetworkManager has acquired an active network connection.
233 NetworkManager has lost its active network connection.
235 .B "nm default-connection-change"
236 NetworkManager has changed its default route.
238 .BI "icd initially-connected " iap
239 Maemo ICd was detected on startup, and has an active network connection
243 .B "icd initially-disconnected"
244 Maemo ICd was detected on startup, and has no active network connection.
246 .BI "icd connected " iap
247 Maemo ICd has acquired an active network connection, identified by
251 Maemo ICd has lost its active network connection.
254 A change was detected during
256 periodic status check. This usually means that the network connection
257 was reconfigured manually without informing
260 .BI "manual " reason\fR...
261 The connection status was changed manually, using the
268 .\"--------------------------------------------------------------------------
271 .\"* 40 Warning broadcasts (WARN codes)
272 All warnings issued by
274 begin with the tokens
275 .BR "USER conntrack" .
277 .BI "USER conntrack config-file-error " exception " " error-text
278 The configuration file is invalid. The
280 token names a Python exception; the
282 describes the problem encountered, though it may not be very useful.
284 .BI "USER conntrack connect-failed " peer " " tokens\fR...
285 An attempt to connect the named
287 failed; the error message is given by the
290 .\"--------------------------------------------------------------------------
295 .\"--------------------------------------------------------------------------
298 .BR tripe-service (7),
303 .\"--------------------------------------------------------------------------
306 Mark Wooding, <mdw@distorted.org.uk>
308 .\"----- That's all, folks --------------------------------------------------