[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Fri Jun 28 00:42:03 EEST 2013
New commits:

commit e4f416e3f6ebb1a813d31c99e5b92cc4c24cdb17
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 17:41:30 2013 -0400

    updated changes

commit 95bf6c54be76fbca6b675bcca5ff96225993bd70
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 17:37:19 2013 -0400

    _stackmanager: re-add support for hidetos=

    This support was lost when _realsetup/_start* was merged into
    _stackmanager.

commit df94c9eebd942762a0cb9a6b680963cf3f81b458
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 17:32:42 2013 -0400

    KLIPS: change default for hidetos (quality of service) to yes

    The ToS field was supposed to be hidden per default using the hidetos=yes
    default in "config setup". This was read by _realsetup to set the ipsec.ko
    option via /proc/sys/net/ipsec/tos. At least since openswan 2.0.0, and
    probably earlier, this was no longer being set.

    The default upon loading the KLIPS kernel module is now to enable it.
    A separate commit will re-add support to _stackmanager to disable this
    when the user specifies hidetos=no in "config setup".

commit 1c7695d0fdfb793f20e791651001389ba72189ac
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 16:37:58 2013 -0400

    _stackmanager: add support back for overridemtu=

commit 8998e906fb0ac5156b8c95589d92d424b12bd7a4
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 16:22:32 2013 -0400

    _stackmanager: add support back for fragicmp= and fix man page

    _stackmanager did not support the fragicmp= option that _realsetup
    did. This commit fixes that.

    Although the man page said fragicmp defaults to yes, and the parser
    set it to yes as well, I cannot find any openswan 2.x version that
    actually defaulted it to yes. Although there was a comment in _realsetup.in
    saying IPSECfragicmp = yes, the KLIPS code actually has:

        int sysctl_ipsec_icmp = 0;

    (in ipsec_xmit.c in older versions, ipsec_proc.c in newer versions)

    So while the parser would claim fragicmp=yes, the KLIPS option actually has
    it disabled, as can be seen from performing a modprobe ipsec, and running

        cat /proc/sys/net/ipsec/icmp

    I changed the parser to set it to "no" per default, and _stackmanager will
    only set the proc value to 1 when it sees fragicmp=yes (the non-default).

    I also updated the man page.

    I opted for changing the man page instead of the code, because as far as I
    tracked it down (to openswan 2.3.1) it was already disabled in KLIPS and
    _realsetup.in.
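
Added example (not part of these commits or of libreswan's own scripts): a shell check for the mismatch the fragicmp commit describes, where "config setup" implies one value and /proc/sys/net/ipsec/icmp holds another. The function names, the /etc/ipsec.conf default path and the simplified parsing (no include handling, yes/no values only) are assumptions.

```shell
#!/bin/sh
# Added example: detect drift between fragicmp= in "config setup" and the
# KLIPS proc value. Function names and the parsing rules are assumptions.

# Print the effective fragicmp setting from an ipsec.conf-style file.
# Only the "config setup" section counts; the default is "no", which is
# the parser default after the commit above.
conf_fragicmp() {
    awk '
        /^[ \t]*#/ { next }                      # comment line
        /^[^ \t]/  { in_setup = ($1 == "config" && $2 == "setup"); next }
        in_setup && /^[ \t]+fragicmp[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")             # drop "fragicmp ="
            sub(/[ \t#].*$/, "")                 # drop trailing comment
            gsub(/"/, "")
            val = $0
        }
        END { print (val == "" ? "no" : val) }
    ' "$1"
}

# Compare the configured value with the kernel state.
#   $1 = config file (assumed default /etc/ipsec.conf)
#   $2 = proc file   (default /proc/sys/net/ipsec/icmp, as named above)
# Returns 0 when consistent, 1 on drift, 2 when the proc file is unreadable.
check_fragicmp() {
    conf=${1:-/etc/ipsec.conf}
    proc=${2:-/proc/sys/net/ipsec/icmp}
    if [ ! -r "$proc" ]; then
        echo "cannot read $proc (is the KLIPS module loaded?)"
        return 2
    fi
    want=0                                       # fragicmp=no, the default
    if [ "$(conf_fragicmp "$conf")" = "yes" ]; then
        want=1                                   # only fragicmp=yes sets 1
    fi
    have=$(cat "$proc")
    if [ "$have" = "$want" ]; then
        echo "ok: fragicmp consistent (proc=$have)"
        return 0
    fi
    echo "drift: config implies $want, kernel has $have"
    return 1
}
```

Both arguments can point at copies of the files, so the check can be run against a saved configuration without the module loaded.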