From 185b1376a3701939ba7107deac724e5e663ae7b3 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 14 Oct 2022 10:53:26 +0200
Subject: [PATCH 1/4] conf: Explicitly add time unit to default value for options that accept them
---
 conf/options/charon.opt | 2 +-
 conf/plugins/eap-radius.opt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index dc525a8070..5d64d1f930 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -392,7 +392,7 @@ charon.retransmit_jitter = 0
 charon.retransmit_limit = 0
 	Upper limit in seconds for calculated retransmission timeout (0 to disable).
-charon.retry_initiate_interval = 0
+charon.retry_initiate_interval = 0s
 	Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS resolution failed), 0 to disable retries.
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
index 192996c737..dfed781659 100644
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@@ -5,7 +5,7 @@ charon.plugins.eap-radius.accounting_close_on_timeout = yes
 	Close the IKE_SA if there is a timeout during interim RADIUS accounting updates.
-charon.plugins.eap-radius.accounting_interval = 0
+charon.plugins.eap-radius.accounting_interval = 0s
 	Interval in seconds for interim RADIUS accounting updates, if not specified by the RADIUS server in the Access-Accept message.
From 64b10dfb28393ebac3f617742728493fc1202bdb Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 14 Oct 2022 10:54:04 +0200
Subject: [PATCH 2/4] conf: Document accepted number and time formats
---
 conf/strongswan.conf.5.head.in | 21 +++++++++++++++++++++
 src/swanctl/swanctl.conf.5.head.in | 15 +++------------
 2 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/conf/strongswan.conf.5.head.in b/conf/strongswan.conf.5.head.in
index 9337c19e22..31231c99a1 100644
--- a/conf/strongswan.conf.5.head.in
+++ b/conf/strongswan.conf.5.head.in
@@ -59,6 +59,27 @@ An example file in this format might look like this:
 .PP
 Indentation is optional, you may use tabs or spaces.
+.SH NUMBER FORMATS
+Options that define an integer value can be specified as decimal (the default)
+or hexadecimal ("0x" prefix, upper- or lowercase letters are accepted).
+Locale-dependent strings (e.g. the thousands separator of the current locale)
+may also be accepted in locales other than "C".
+.PP
+Options that define a floating-point value can be specified as decimal (the
+default) or hexadecimal ("0x" prefix, upper- or lowercase letters are accepted).
+The radix character (decimal separator) in either case is locale-dependent,
+usually ".".
+
+.SH TIME FORMATS
+Unless stated otherwise, options that define a time are specified in seconds.
+The "s", "m", "h" and "d" suffixes may be used to automatically convert values
+given in seconds, minutes, hours or days (for instance, instead of configuring
+a rekey time of 4 hours as "14400" seconds, "4h" may be used).
+.PP
+There are some global options that don't accept these suffixes as they are
+configured as integer values in seconds or milliseconds, or even as
+floating-point numbers (e.g. the retransmission timeout). Options that accept
+the suffixes have a corresponding default value.
 .SH REFERENCING OTHER SECTIONS
 It is possible to inherit settings and sections from another section. This
diff --git a/src/swanctl/swanctl.conf.5.head.in b/src/swanctl/swanctl.conf.5.head.in
index a14225df04..8ac7b1e6ba 100644
--- a/src/swanctl/swanctl.conf.5.head.in
+++ b/src/swanctl/swanctl.conf.5.head.in
@@ -6,20 +6,11 @@ swanctl.conf is the configuration file used by the
 .BR swanctl (8)
 tool to load configurations and credentials into the strongSwan IKE daemon.
-For a description of the basic file syntax, including how to reference sections
-or split the configuration in multiple files by including other files, refer to
+For a description of the basic file syntax, including numer/time formats, or how
+to reference sections or split the configuration in multiple files by including
+other files, refer to
 .BR strongswan.conf (5).
-.SH TIME FORMATS
-For all options that define a time, the time is specified in seconds. The
-.RI "" "s" ","
-.RI "" "m" ","
-.RI "" "h" ""
-and
-.RI "" "d" ""
-suffixes explicitly define the units for seconds, minutes, hours and days,
-respectively.
-
 .SH SETTINGS
 The following settings can be used to configure connections, credentials and pools.
From 284fc2f7966cbdb309369953e88a848cafbe8026 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 14 Oct 2022 10:57:53 +0200
Subject: [PATCH 3/4] swanctl: Document the behavior of %unique[-dir] on IKE_SAs
---
 src/swanctl/swanctl.opt | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 553831eca8..9cdf78434d 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
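Review bot: The first added line of this hunk, `+For a description of the basic file syntax, including numer/time formats, or how`, misspells "number" in user-facing man page text; change it to `For a description of the basic file syntax, including number/time formats, or how`. The two added lines that follow only rewrap the original sentence and read fine as they are. The removed TIME FORMATS section is replaced by the one added to strongswan.conf(5) in the previous patch of this series, so the cross-reference stays valid as long as that patch is applied first.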
@@ -301,12 +301,22 @@ connections..if_id_in = 0
 	XFRM interface ID set on inbound policies/SA, can be overridden by child config, see there for details.
+	The special value _%unique_ allocates a unique interface ID per IKE_SA,
+	which is inherited by all its CHILD_SAs (unless overriden there), beyond
+	that the value _%unique-dir_ assigns a different unique interface ID for
+	each direction (in/out).
+
 connections..if_id_out = 0
 	Default outbound XFRM interface ID for children.
 	XFRM interface ID set on outbound policies/SA, can be overridden by child config, see there for details.
+	The special value _%unique_ allocates a unique interface ID per IKE_SA,
+	which is inherited by all its CHILD_SAs (unless overriden there), beyond
+	that the value _%unique-dir_ assigns a different unique interface ID for
+	each direction (in/out).
+
 connections..mediation = no
 	Whether this connection is a mediation connection.
From c1c85b0fd159058685e6e1a6a602ac224d8fd461 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 14 Oct 2022 11:04:38 +0200
Subject: [PATCH 4/4] swanctl: Document the type/size of interface IDs
---
 src/swanctl/swanctl.opt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 9cdf78434d..92da610372 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -1002,7 +1002,7 @@ connections..children..set_mark_out = 0/0x00000000
 	requires at least Linux 4.19.
 connections..children..if_id_in = 0
-	Inbound XFRM interface ID.
+	Inbound XFRM interface ID (32-bit unsigned integer).
 	XFRM interface ID set on inbound policies/SA. This allows installing duplicate policies/SAs and associates them with an interface with the same
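Review bot: Both added paragraphs in this hunk write `(unless overriden there)` with a single "d", while the surrounding context lines for the same options already use "overridden"; change both occurrences to `which is inherited by all its CHILD_SAs (unless overridden there), beyond`. The four-line paragraph is duplicated verbatim under if_id_in and if_id_out, so any later wording change has to be applied in both places as well. Since this text is generated into user-facing documentation, a quick spell-check pass over the .opt file before merging would catch this class of slip.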
@@ -1011,7 +1011,7 @@ connections..children..if_id_in = 0
 	interface ID for each CHILD_SA direction (in/out).
 connections..children..if_id_out = 0
-	Outbound XFRM interface ID.
+	Outbound XFRM interface ID (32-bit unsigned integer).
 	XFRM interface ID set on outbound policies/SA. This allows installing duplicate policies/SAs and associates them with an interface with the same