[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Fri Sep 1 02:05:53 UTC 2017
New commits:

commit fe58cf1564df430ddcf54b221ecfe370fa6c1823
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Aug 31 22:04:56 2017 -0400

    testing: updated console output with new ikebuf= value

commit 800a839302ea39a6624795690e17b44765ad70fe
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Aug 31 22:01:23 2017 -0400

    pluto: Add support for ike-socket-bufsize= and --ike-socket-bufsize

    This allows setting the send and receive buffers for the IKE socket.
    A value of 0 means to not change it from the system default.

    Currently only implemented for Linux. It uses SO_RCVBUFFORCE and
    SO_SNDBUFFORCE so it can override/ignore the system's default maximum
    values specified in /proc/sys/net/core/rmem_max and /proc/sys/net/core/wmem_max.

    This can be changed during runtime as well using:

    ipsec whack --ike-sock-bufsize XXXXX

commit cb2810c36bf06bd98e5c27c7fd26d15a8d5cc5c5
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Aug 31 15:37:15 2017 -0400

    pluto: cleanup nokernel code

    - Rename "noklips" to "nokernel"
    - Remove code in kernel_klip.c/kernel_netlink.c testing for NO_KERNEL
      since that cannot happen.

commit 5b6ed225f3d4d878bb7c1efd734a3a08ec0fdcff
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Aug 31 15:16:10 2017 -0400

    pluto: Try to give IKE packets priority over other packets (eg ESPinUDP)

    Uses setsockopt to set SO_PRIORITY to 7.

    This required CAP_NET_ADMIN, but we still have that capability when we
    set up the socket. Afterwards, we drop the capability.

    This might need admin tuning with qdisc to fully take advantage of.

commit 5f6f08c858f328139b1a95bbebffd86c7036509a
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Aug 31 15:12:18 2017 -0400

    pluto: don't call sanitize_string() in fmt_log() as it is expensive

    fmt_log() is only used to write logs, not to pass anything to
    updown. We leave the call in for DBG_log() since if you're in
    debugging mode, you're slow anyway.

    Strings taken from the network and passed to updown are few, and
    those calls go via cisco_stringify() which calls sanitize_string().
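
The socket buffer behaviour described in commit 800a839 above, as an added C example that is not libreswan's code: `get_bufsize` and `set_ike_bufsize` are hypothetical helpers, and the fallback to plain SO_RCVBUF/SO_SNDBUF when the FORCE options are refused is an assumption of this example, not something the commit message states.

```c
/* Added example, not libreswan source; helper names are hypothetical. */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Size the kernel currently reports for SO_RCVBUF or SO_SNDBUF, or -1. */
static int get_bufsize(int fd, int opt)
{
    int val = 0;
    socklen_t len = sizeof(val);
    return getsockopt(fd, SOL_SOCKET, opt, &val, &len) < 0 ? -1 : val;
}

/* Apply `size` bytes to both directions; 0 keeps the system default.
 * Returns the effective receive buffer size, or -1 on error. */
static int set_ike_bufsize(int fd, int size)
{
    int r = -1, s = -1;
    if (size < 0)
        return -1;
    if (size > 0) {
#if defined(SO_RCVBUFFORCE) && defined(SO_SNDBUFFORCE)
        /* Linux only, needs CAP_NET_ADMIN: not capped by rmem_max/wmem_max. */
        r = setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &size, sizeof(size));
        s = setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &size, sizeof(size));
#endif
        /* Assumption of this example: without the capability, fall back to
         * the plain options, which the kernel silently caps at the maximums. */
        if (r < 0 && setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &size, sizeof(size)) < 0)
            return -1;
        if (s < 0 && setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &size, sizeof(size)) < 0)
            return -1;
    }
    return get_bufsize(fd, SO_RCVBUF);
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);   /* UDP, like the IKE socket */
    if (fd < 0) { perror("socket"); return 1; }
    printf("default rcvbuf: %d\n", get_bufsize(fd, SO_RCVBUF));
    /* 1 MiB is a constructed sample value; Linux reports twice what it accepted. */
    printf("after request:  %d\n", set_ike_bufsize(fd, 1 << 20));
    printf("sndbuf now:     %d\n", get_bufsize(fd, SO_SNDBUF));
    close(fd);
    return 0;
}
```

Comparing the reported value with and without CAP_NET_ADMIN shows whether the request was capped by rmem_max or applied in full.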