.B =
.RI [ remote-addr ]
.IB network / mask
+\&...
.PP
This means that the peer
.I tag
-should be selected if the host's current IP address is within the
-network indicated by
+should be selected if the host's current IP address is within one of the
+networks indicated by
.IB network / mask \fR.
-Here,
+Here, a
.I network
-is an IP address in dotted-quad form, and
+is an IPv4 or IPv6 address in dotted-quad form, and
.I mask
-is a netmask, either in dotted-quad form, or as a number of 1-bits.
-Only one peer in each group may be connected at any given time; if a
-change is needed, any existing peer in the group is killed before
-connecting the new one. If no match is found in a particular group,
-then no peers in the group are connected. Strange and unhelpful things
-will happen if you put the same peer in several different groups.
+is a netmask, either in dotted-quad form (for IPv4), or as a prefix
+length (i.e., the number of initial 1-bits). Only one peer in each
+group may be connected at any given time; if a change is needed, any
+existing peer in the group is killed before connecting the new one. If
+no match is found in a particular group, then no peers in the group are
+connected. Strange and unhelpful things will happen if you put the same
+peer in several different groups.
.PP
The tags
.B down
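Review bot: The added line "is an IPv4 or IPv6 address in dotted-quad form" describes IPv6 addresses with a notation that only applies to IPv4. The mask sentence a few lines later already qualifies dotted-quad with "(for IPv4)", so the network sentence should do the same, for example "an IPv4 address in dotted-quad form, or an IPv6 address in the usual colon-separated form". Now that the synopsis takes several network/mask items, it would also help to say whether an optional remote-addr applies to every network on the line or only to the one that follows it.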
The notion of `current IP address' is somewhat vague. The
.B conntrack
service calculates it as the source address that the host would put on
-an IP packet sent to an arbitrarily chosen remote address. The default
-remote address is 1.2.3.4 (which is unlikely ever to be assigned); this
-should determine an IP address on the network interface closest to the
-default gateway. You can influence this process in two ways. Firstly,
-you can change the default remote address used by adding a line
+an IP packet sent to a particular remote address; note that this is
+entirely hypothetical, and no actual packets are transmitted. The
+default remote addresses are 1.2.3.4 (for IPv4, which is unlikely ever
+to be assigned), and 2001::1 (for IPv6); this should determine an IP
+address on the network interface closest to the default gateway. You
+can influence this process in two ways. Firstly, you can change the
+default remote address used by adding one or more lines
.IP
.B "test-addr ="
.I remote-addr
+\&...
.PP
before the first peer group section. Secondly, you can specify a
particular
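Review bot: The new text allows "one or more lines" of test-addr, and the synopsis gains "...", but nothing says how several addresses combine. Please state whether at most one address per family is expected, which one wins if two of the same family are given, and that a network/mask entry is tested against the test address of its own family. The parenthetical "(for IPv4, which is unlikely ever to be assigned)" also mixes the family label with the rationale and leaves 2001::1 with no rationale at all; splitting it into two sentences, one per default, would read more clearly.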
to use when checking whether a particular peer is applicable.
.PP
The peer definitions in each group are checked in the order given, and
-searching stops as soon as a match is found.
+searching stops as soon as a match is found. (In older versions of
+.BR conntrack ,
+definitions were processed according to a most-specific-first order, but
+that doesn't provide an ordering between IPv4 and IPv6 networks, which
+is important; so this has been changed.)
.PP
Peers are connected using the
.BR connect (8)
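Review bot: The parenthetical added after "searching stops as soon as a match is found" records a behaviour change but gives administrators nothing to act on. A configuration written for most-specific-first ordering can now select a different peer if a broad network is listed before a narrower one, so the text should say explicitly that more specific networks must come first in each group, and should name the version where the change happened instead of "older versions". The reason given ("that doesn't provide an ordering between IPv4 and IPv6 networks") is fine as it stands.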