[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Fri Jun 28 00:42:03 EEST 2013


New commits:
commit e4f416e3f6ebb1a813d31c99e5b92cc4c24cdb17
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 17:41:30 2013 -0400

    updated changes

commit 95bf6c54be76fbca6b675bcca5ff96225993bd70
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 17:37:19 2013 -0400

    _stackmanager: re-add support for hidetos=
    
    This support was lost when _realsetup/_start* was merged into
    _stackmanager

commit df94c9eebd942762a0cb9a6b680963cf3f81b458
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 17:32:42 2013 -0400

    KLIPS: change default for hidetos (quality of service) to yes
    
    The ToS field was supposed to be hidden per default using the hidetos=yes
    default in "config setup". This was read by _realsetup to set the ipsec.ko
    option via /proc/sys/net/ipsec/tos. At least since openswan 2.0.0, and
    probably earlier, this was no longer being set.
    
    The default upon loading the KLIPS kernel module is now to enable it.
    A separate commit will re-add support to _stackmanager to disable this
    when the user specifies hidetos=no in "config setup"

commit 1c7695d0fdfb793f20e791651001389ba72189ac
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 16:37:58 2013 -0400

    _stackmanager: add support back for overridemtu=

commit 8998e906fb0ac5156b8c95589d92d424b12bd7a4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 16:22:32 2013 -0400

    _stackmanager: add support back for fragicmp= and fix man page
    
    _stackmanager did not support the fragicmp= option that _realsetup
    did. This commit fixes that.
    
    Although the man page said fragicmp defaults to yes, and the parser
    set it to yes as well, I cannot find any openswan 2.x version that
    actually defaulted it to yes. Although there was a comment in _realsetup.in
    saying IPSECfragicmp = yes, the KLIPS code actually has:
    
    	int sysctl_ipsec_icmp = 0;
    
    (in ipsec_xmit.c in older versions, ipsec_proc.c in newer versions)
    
    So while the parser would claim fragicmp=yes, the KLIPS option actually has
    it disabled, as can be seen from performing a modprobe ipsec, and running
    cat /proc/sys/net/ipsec/icmp
    
    I changed the parser to set it to "no" per default, and _stackmanager will
    only set the proc value to 1 when it sees fragicmp=yes (the non-default)
    
    I also updated the man page.
    
    I opted for changing the man page instead of the code, because as far as I
    tracked it down (to openswan 2.3.1) it was already disabled in KLIPS and
    _realsetup.in.
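
The mismatch described in the fragicmp commit message above (the parser reporting fragicmp=yes while /proc/sys/net/ipsec/icmp holds 0) can be checked mechanically. The script below is an added example, not part of the libreswan commits. Its function names and the sample ipsec.conf are constructed for illustration, and it assumes only the mapping stated in the commit message (proc value 1 for fragicmp=yes, 0 otherwise, default "no").

```shell
#!/bin/sh
# Added example: detect drift between fragicmp= in "config setup" and the
# KLIPS value in /proc/sys/net/ipsec/icmp. Function names are this
# example's own; the proc root is a parameter so copies can be checked.

# Print the effective fragicmp value ("yes" or "no") from an ipsec.conf.
# Anything other than an explicit "yes" counts as the default, "no".
conf_fragicmp() {
    awk '
        /^[ \t]*#/           { next }                 # comment line
        /^config[ \t]+setup/ { in_setup = 1; next }   # section we want
        /^[^ \t]/            { in_setup = 0 }         # any other section
        in_setup && /^[ \t]+fragicmp[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t#].*$/, ""); val = $0
        }
        END { print (val == "yes" ? "yes" : "no") }
    ' "$1"
}

# check_fragicmp CONF [PROCROOT]
# Returns 0 if kernel and config agree, 1 on drift, 2 if the KLIPS proc
# entry does not exist (module not loaded).
check_fragicmp() {
    procfile=${2:-/proc}/sys/net/ipsec/icmp
    [ -r "$procfile" ] || { echo "fragicmp: $procfile missing"; return 2; }
    want=0
    if [ "$(conf_fragicmp "$1")" = yes ]; then want=1; fi
    have=$(cat "$procfile")
    if [ "$have" = "$want" ]; then echo "fragicmp: ok ($have)"; return 0; fi
    echo "fragicmp: DRIFT, config wants $want, kernel has $have"
    return 1
}

# Write a constructed ipsec.conf and fake proc tree under DIR.
# make_sample DIR FRAGICMP_VALUE KERNEL_VALUE
make_sample() {
    mkdir -p "$1/proc/sys/net/ipsec"
    printf 'config setup\n\tfragicmp=%s\n\nconn example\n\tauto=add\n' "$2" \
        > "$1/ipsec.conf"
    echo "$3" > "$1/proc/sys/net/ipsec/icmp"
}

# Demo: the case from the commit message (config says yes, kernel has 0).
tmp=$(mktemp -d)
make_sample "$tmp" yes 0
check_fragicmp "$tmp/ipsec.conf" "$tmp/proc" || true
rm -rf "$tmp"
```

On a live KLIPS host, call check_fragicmp with the real ipsec.conf path and omit the second argument so the check reads /proc directly.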


