[Swan-dev] protostack "noklips" broken with libevent

Paul Wouters paul at nohats.ca
Thu Sep 17 20:56:13 EEST 2015

On Thu, 17 Sep 2015, D. Hugh Redelmeier wrote:

> Back in the FreeS/WAN days, I did a lot of testing with no kernel
> involvement.  It was efficient and effective.
> We don't do that any longer, but it it is easy to keep this feature, I
> would like that.

Keeping it is easy although it has been untested for years.

> I t would be a mistake to let it get used by accident.

agreed, which is why I made the change yesterday.

> We really should be doing unit testing, and this could enable some
> kinds of unit testing.

It's not entirely clear to me how that works in a way that we could not
do using containers.

> It allows testing without serious priviledges (root).

That assumes IKE on non-500 works well, and with NAT-T on port 4500
things got a lot more complicated. Things like SElinux would also
have to be disabled for non-standard ports.

> Is there any reason that this has to be hard?

It's more that using containers/namespaces seems easier then working
around not needing root. In the end, I don't think it matters that
much that we need root. These are no longer the university terminal
times :)


More information about the Swan-dev mailing list