mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-04 00:00:14 -04:00
714c939018
Also simplify how we try to exceed the system-wide maximum. We basically just try to force the value and simply fall back to the regular call. The kernel actually won't let the latter fail if the value is too big, it just caps it at the internal maximum.
140 lines
6.2 KiB
Plaintext
140 lines
6.2 KiB
Plaintext
charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)>
|
|
Buffer size for received Netlink messages.
|
|
|
|
charon.plugins.kernel-netlink.fwmark =
|
|
Firewall mark to set on the routing rule that directs traffic to our routing
|
|
table.
|
|
|
|
Firewall mark to set on the routing rule that directs traffic to our routing
|
|
table. The format is [!]mark[/mask], where the optional exclamation mark
|
|
inverts the meaning (i.e. the rule only applies to packets that don't match
|
|
the mark).
|
|
|
|
charon.plugins.kernel-netlink.hw_offload_feature_interface = lo
|
|
Interface to be used to find hardware offload feature flag on.
|
|
|
|
If the kernel supports hardware offloading, the plugin needs to find the
|
|
feature flag which represents hardware offloading support for network
|
|
devices. Using the loopback device for this purpose is usually fine, since
|
|
it should always be present. For rare cases in which the loopback device
|
|
cannot be used to obtain the appropriate feature flag, this option can
|
|
be used to specify an alternative interface for offload feature detection.
|
|
|
|
charon.plugins.kernel-netlink.install_routes_xfrmi = no
|
|
Whether to install routes for SAs that reference XFRM interfaces.
|
|
|
|
Whether routes via XFRM interfaces are automatically installed for SAs that
|
|
reference such an interface via _if_id_out_. If the traffic selectors
|
|
include the IKE traffic to the peer, this requires special care (e.g.
|
|
installing bypass policies and/or routes, or setting a mark on the IKE
|
|
socket and excluding such packets from the configured routing table via
|
|
_fwmark_ option).
|
|
|
|
charon.plugins.kernel-netlink.mss = 0
|
|
MSS to set on installed routes, 0 to disable.
|
|
|
|
charon.plugins.kernel-netlink.mtu = 0
|
|
MTU to set on installed routes, 0 to disable.
|
|
|
|
charon.plugins.kernel-netlink.parallel_route = no
|
|
Whether to perform concurrent Netlink ROUTE queries on a single socket.
|
|
|
|
Whether to perform concurrent Netlink ROUTE queries on a single socket.
|
|
While parallel queries can improve throughput, it has more overhead. On
|
|
vanilla Linux, DUMP queries fail with EBUSY and must be retried, further
|
|
decreasing performance.
|
|
|
|
charon.plugins.kernel-netlink.parallel_xfrm = no
|
|
Whether to perform concurrent Netlink XFRM queries on a single socket.
|
|
|
|
charon.plugins.kernel-netlink.policy_update = no
|
|
Whether to always use XFRM_MSG_UPDPOLICY to install policies.
|
|
|
|
charon.plugins.kernel-netlink.port_bypass = no
|
|
Whether to use port or socket based IKE XFRM bypass policies.
|
|
|
|
Whether to use port or socket based IKE XFRM bypass policies.
|
|
IKE bypass policies are used to exempt IKE traffic from XFRM processing.
|
|
The default socket based policies are directly tied to the IKE UDP sockets,
|
|
port based policies use global XFRM bypass policies for the used IKE UDP
|
|
ports.
|
|
|
|
charon.plugins.kernel-netlink.process_rules = no
|
|
Whether to process changes in routing rules to trigger roam events.
|
|
|
|
Whether to process changes in routing rules to trigger roam events. This is
|
|
currently only useful if the kernel based route lookup is used (i.e. if
|
|
route installation is disabled or an inverted fwmark match is configured).
|
|
|
|
charon.plugins.kernel-netlink.receive_buffer_size = 8388608
|
|
Maximum Netlink socket receive buffer in bytes.
|
|
|
|
Maximum Netlink socket receive buffer in bytes. This value controls how many
|
|
bytes of Netlink messages can be queued to a Netlink socket. If set to 0,
|
|
the default from /proc/sys/net/core/rmem_default will apply. Note that the
|
|
kernel doubles the configured value to account for overhead. To exceed the
|
|
system-wide maximum from /proc/sys/net/core/rmem_max, special privileges
|
|
(CAP_NET_ADMIN) are necessary, otherwise, the kernel silently caps the
|
|
value.
|
|
|
|
charon.plugins.kernel-netlink.roam_events = yes
|
|
Whether to trigger roam events when interfaces, addresses or routes change.
|
|
|
|
charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
|
|
Whether to set protocol and ports in the selector installed on transport
|
|
mode IPsec SAs in the kernel.
|
|
|
|
Whether to set protocol and ports in the selector installed on transport
|
|
mode IPsec SAs in the kernel. While doing so enforces policies for inbound
|
|
traffic, it also prevents the use of a single IPsec SA by more than one
|
|
traffic selector.
|
|
|
|
charon.plugins.kernel-netlink.spdh_thresh {}
|
|
XFRM policy hashing threshold configuration for IPv4 and IPv6.
|
|
|
|
XFRM policy hashing threshold configuration for IPv4 and IPv6.
|
|
|
|
The section defines hashing thresholds to configure in the kernel during
|
|
daemon startup. Each address family takes a threshold for the local subnet
|
|
of an IPsec policy (src in out-policies, dst in in- and forward-policies)
|
|
and the remote subnet (dst in out-policies, src in in- and
|
|
forward-policies).
|
|
|
|
If the subnet has more or equal net bits than the threshold, the first
|
|
threshold bits are used to calculate a hash to lookup the policy.
|
|
|
|
Policy hashing thresholds are not supported before Linux 3.18 and might
|
|
conflict with socket policies before Linux 4.8.
|
|
|
|
charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits = 32
|
|
Local subnet XFRM policy hashing threshold for IPv4.
|
|
|
|
charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits = 32
|
|
Remote subnet XFRM policy hashing threshold for IPv4.
|
|
|
|
charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits = 128
|
|
Local subnet XFRM policy hashing threshold for IPv6.
|
|
|
|
charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits = 128
|
|
Remote subnet XFRM policy hashing threshold for IPv6.
|
|
|
|
charon.plugins.kernel-netlink.retries = 0
|
|
Number of Netlink message retransmissions to send on timeout.
|
|
|
|
charon.plugins.kernel-netlink.timeout = 0
|
|
Netlink message retransmission timeout, 0 to disable retransmissions.
|
|
|
|
charon.plugins.kernel-netlink.ignore_retransmit_errors = no
|
|
Whether to ignore errors potentially resulting from a retransmission.
|
|
|
|
charon.plugins.kernel-netlink.xfrm_acq_expires = 165
|
|
Lifetime of XFRM acquire state and allocated SPIs in kernel.
|
|
|
|
Lifetime of XFRM acquire state created by the kernel when traffic matches a
|
|
trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
|
|
Indirectly controls the delay between XFRM acquire messages triggered by the
|
|
kernel for a trap policy. The same value is used as timeout for SPIs
|
|
allocated by the kernel. The default value equals the total retransmission
|
|
timeout for IKE messages, see IKEv2 RETRANSMISSION in
|
|
**strongswan.conf**(5).
|