vici: Make UDP encapsulation for per-CPU SAs configurable

This commit is contained in:
Tobias Brunner 2021-06-15 11:10:40 +02:00
parent d594171d9e
commit 73083503f2
2 changed files with 27 additions and 4 deletions


@ -583,7 +583,9 @@ static void log_child_data(child_data_t *data, char *name)
DBG2(DBG_CFG, " proposals = %#P", data->proposals);
DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts);
DBG2(DBG_CFG, " per_cpu_sas = %u", has_opt(cfg, OPT_PER_CPU_SAS));
DBG2(DBG_CFG, " per_cpu_sas = %s",
has_opt(cfg, OPT_PER_CPU_SAS_ENCAP) ? "encap" :
has_opt(cfg, OPT_PER_CPU_SAS) ? "1" : "0");
DBG2(DBG_CFG, " hw_offload = %N", hw_offload_names, cfg->hw_offload);
DBG2(DBG_CFG, " sha256_96 = %u", has_opt(cfg, OPT_SHA256_96));
DBG2(DBG_CFG, " copy_df = %u", !has_opt(cfg, OPT_NO_COPY_DF));
@ -1067,6 +1069,16 @@ CALLBACK(parse_opt_copy_ecn, bool,
CALLBACK(parse_opt_cpus, bool,
child_cfg_option_t *out, chunk_t v)
{
enum_map_t map[] = {
{ "encap", OPT_PER_CPU_SAS|OPT_PER_CPU_SAS_ENCAP },
};
int d;
if (parse_map(map, countof(map), &d, v))
{
*out |= d;
return TRUE;
}
return parse_option(out, OPT_PER_CPU_SAS, v, TRUE);
}
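Review bot: The new parse_opt_cpus body has no comment saying that the key now accepts the string `encap` in addition to the boolean values, and that `encap` implies per-CPU SAs (the map entry sets both OPT_PER_CPU_SAS and OPT_PER_CPU_SAS_ENCAP); a header comment such as `/** Parse per_cpu_sas: a boolean, or "encap" for per-CPU SAs with UDP encapsulation and a random source port */` above the CALLBACK line, plus `/* "encap" implies per-CPU SAs, so both bits are set */` on the `*out |= d;` line, would make the intent explicit. The log line in the first hunk prints "encap" whenever OPT_PER_CPU_SAS_ENCAP is set, which is only accurate because this map always sets both bits together; the comment should state that invariant so a later map entry does not break it. Nothing in either hunk checks the requirement stated in the documentation hunk that the connection-level encap option be enabled when there is no NAT; if that is not enforced elsewhere, a config-time warning would tell operators why the random source port is never used. The context lines preceding this callback (the end of parse_opt_copy_ecn) are not fully visible on the page.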


@ -1128,6 +1128,17 @@ connections.<conn>.children.<child>.replay_window = 32
connections.<conn>.children.<child>.per_cpu_sas = no
Enable per-CPU CHILD_SAs. Requires _trap_ in **start_action**.
Enable per-CPU CHILD_SAs. Requires _trap_ in **start_action**.
The value _encap_ enables a special type of UDP encapsulation (requires
enabling **encap** for the connection if there is no NAT), where a random
source port is used for each outbound per-CPU SA (the destination port for
all of them remains 4500). This allows using the port for RSS if the SPI
can't be used. Note that this type of behavior is not standardized and not
negotiated. So regardless of whether the option is enabled, inbound per-CPU
SAs with UDP-encapsulation always have the source port set to 0 as the
peer's random port is unknown if it has this option enabled.
connections.<conn>.children.<child>.hw_offload = no
Enable hardware offload for this CHILD_SA, if supported by the IPsec
implementation.