[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Fri Sep 1 02:05:53 UTC 2017


New commits:
commit fe58cf1564df430ddcf54b221ecfe370fa6c1823
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Aug 31 22:04:56 2017 -0400

    testing: updated console output with new ikebuf= value

commit 800a839302ea39a6624795690e17b44765ad70fe
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Aug 31 22:01:23 2017 -0400

    pluto: Add support for ike-socket-bufsize= and --ike-socket-bufsize
    
    This allows setting the send and receive buffers for the IKE socket.
    A value of 0 means to not change it from the system default.
    
    Currently only implemented for Linux. It uses SO_RCVBUFFORCE and
    SO_SNDBUFFORCE so it can override/ignore the system's default maximum
    values specified in /proc/sys/net/core/rmem_max and /proc/sys/net/core/wmem_max
    
    This can be changed during runtime as well using:
    
    	ipsec whack --ike-sock-bufsize XXXXX

commit cb2810c36bf06bd98e5c27c7fd26d15a8d5cc5c5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Aug 31 15:37:15 2017 -0400

    pluto: cleanup nokernel code
    
    - Rename "noklips" to "nokernel"
    - Remove code in kernel_klip.c/kernel_netlink.c testing for NO_KERNEL
      since that cannot happen.

commit 5b6ed225f3d4d878bb7c1efd734a3a08ec0fdcff
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Aug 31 15:16:10 2017 -0400

    pluto: Try to give IKE packets priority over other packets (eg ESPinUDP)
    
    Uses setsockopt to set SO_PRIORITY to 7
    
    This required CAP_NET_ADMIN, but we still have that capability when we
    set up the socket. Afterwards, we drop the capability.
    
    This might need admin tuning with qdisc to fully take advantage of.

commit 5f6f08c858f328139b1a95bbebffd86c7036509a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Aug 31 15:12:18 2017 -0400

    pluto: don't call sanitize_string() in fmt_log() as it is expensive
    
    fmt_log() is only used to write logs, not to pass anything to
    updown. We leave the call in for DBG_log() since if you're in
    debugging mode, you're slow anyway.
    
    Strings taken from the network and passed to updown are few, and
    those calls go via cisco_stringify() which calls sanitize_string()


