then no peers in the group are connected. Strange and unhelpful things
will happen if you put the same peer in several different groups.
.PP
+The tags
+.B down
+and
+.BI down/ anything
+are special and mean that no peer from the group should be active. This
+is useful for detecting a `home' network, where a VPN is unnecessary
+(or, worse, break routing completely).
+.PP
The notion of `current IP address' is somewhat vague. The
.B conntrack
service calculates it as the source address that the host would put on
.TP
.BI state= label
The service's internal state machine is confused.
+.RE
.SP
-.BI "USER conntrack " up \fR| down " " reason\fR...
+.BI "USER conntrack " up \fR| down " " group = peer\fR... " " reason\fR...
The network connection has apparently gone up or down, and
.B conntrack
-is about to kill and/or connect peers accordingly. The
+is about to kill and/or connect peers accordingly: for each group, the
+selected peer is listed; if a group is not listed, then either the group
+is to be brought down, or no matching peer was found. The
.I reason
is one of the following.
.RS