-is a netmask, either in dotted-quad form, or as a number of 1-bits.
-Only one peer in each group may be connected at any given time; if a
-change is needed, any existing peer in the group is killed before
-connecting the new one. If no match is found in a particular group,
-then no peers in the group are connected. Strange and unhelpful things
-will happen if you put the same peer in several different groups.
+is a netmask, either in dotted-quad form (for IPv4), or as a prefix
+length (i.e., the number of initial 1-bits). Only one peer in each
+group may be connected at any given time; if a change is needed, any
+existing peer in the group is killed before connecting the new one. If
+no match is found in a particular group, then no peers in the group are
+connected. Strange and unhelpful things will happen if you put the same
+peer in several different groups.
+.PP
+The tags
+.B down
+and
+.BI down/ anything
+are special and mean that no peer from the group should be active. This
+is useful for detecting a `home' network, where a VPN is unnecessary
+(or, worse, break routing completely).