[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Tue Feb 10 04:25:47 EET 2015
New commits:

commit 19af1f3022019306dc909a555ecd63d3cdfe621b
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 10 10:23:22 2015 +0800

    testing: added ikev2-ddos-01

commit 7ea539844e2344f6852f5edca967ee764b6d5e44
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Feb 10 10:17:42 2015 +0800

    pluto: anti-DDOS support

    This adds the keywords:

    ddos-ike-treshold : number of IKE SAs before sending DCOOKIES in IKEv2
        (we should prob refuse new conn for IKEv1 when we hit this)
    max-halfopen-ike : number of half-open IKE SAs before we start refusing new IKE_INIT
        (we should prob refuse new conn for IKEv1 when we hit this)

    New status output in ipsec status:

    000 State Information: DDoS cookies REQUIRED, Accepting new IKE connections
    000 IKE SAs: total(100), half-open(100), authenticated(0), anonymous(100)
    000 IPsec SAs: total(0), anonymous(<todo>)

    New command: ipsec whack --globalstatus (format will change) will show an enumerated
    list of states and count. The idea is to move most of the "config setup" items from
    "ipsec status" to "ipsec globalstatus".
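Added example, not part of the commit or of libreswan's code: a Python parser for the three `ipsec status` lines quoted in the commit message, which a monitoring job could use to flag when DDoS cookies are required or when most IKE SAs are half-open. It is written against those lines exactly as quoted; the function names, the finding labels and the 0.5 half-open ratio are assumptions made for illustration.

```python
import re

# Constructed sample: the three status lines quoted in the commit message.
SAMPLE = """\
000 State Information: DDoS cookies REQUIRED, Accepting new IKE connections
000 IKE SAs: total(100), half-open(100), authenticated(0), anonymous(100)
000 IPsec SAs: total(0), anonymous(<todo>)
"""

# Matches counters of the form name(value), e.g. half-open(100).
COUNTER = re.compile(r"([\w-]+)\(([^)]*)\)")

def parse_status(text):
    """Parse the State Information / IKE SAs / IPsec SAs lines into a dict."""
    out = {"state": [], "ike": {}, "ipsec": {}}
    for line in text.splitlines():
        line = line.strip()
        body = line[4:] if line.startswith("000 ") else line
        label, sep, rest = body.partition(":")
        if not sep:
            continue
        label = label.strip()
        if label == "State Information":
            out["state"] = [p.strip() for p in rest.split(",")]
        elif label in ("IKE SAs", "IPsec SAs"):
            key = "ike" if label == "IKE SAs" else "ipsec"
            for name, val in COUNTER.findall(rest):
                # Non-numeric placeholders such as <todo> become None.
                out[key][name] = int(val) if val.isdigit() else None
    return out

def assess(status, halfopen_ratio=0.5):
    """Return a list of findings; halfopen_ratio is an assumed alert threshold."""
    findings = []
    state = status["state"]
    if "DDoS cookies REQUIRED" in state:
        findings.append("cookies-required")
    # Only judge acceptance when a state line was actually seen.
    if state and "Accepting new IKE connections" not in state:
        findings.append("not-accepting-new-ike")
    total = status["ike"].get("total")
    half = status["ike"].get("half-open")
    if total and half is not None and half / total >= halfopen_ratio:
        findings.append("half-open-ratio-high")
    return findings

if __name__ == "__main__":
    parsed = parse_status(SAMPLE)
    print(parsed)
    print(assess(parsed))
```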