[Swan-dev] WIP: supporting xfrm SA expire

Antony Antony antony at phenome.org
Tue Jun 21 17:59:01 EEST 2022

Hi Paul,
Here is a new iteration sa-expire branch. I cherry picked changes from

and rebased to origin/main.

I have created a PR to make it easy to review my branch.

I ignored "<unset>" change.
I am not in favor of "<unset>" :  for 2^64 or the default. Currently it look 
ipsec_max_bytes: 16EiB
ipsec_max_packets: 16Ei

Also there are ciphers which only allow 2^32 bytes and packets as default.
So it is better to print the default value in abbreviated form than unset
based on values.  Also another concern is if a user actually set to 16Ei or 
16EiB in the config, your proposal will show that as "unset"?
We don't print unset when using other defaults! So it feels odd to me.
I undderstand 18446744073709551615 is very confusing, and I feel 16Ei and 
16EiB is better. Would that work for you?

I am presently surprised at your proposal to rename salifetime -> 
ipsec-max-time. I think that is greate, and good for consistency. However,
lot of changes to keep track of on seperate branch before merge, ie.  
variable names output. changes whack command ..
So I propose we change the those right after merge of sa-expire-2022*. i
As an atomic operation change config option, whack command and test output.


and reserve "ike-max-bytes" and "ike-max-packets" for FIPS complience.


On Thu, Jan 06, 2022 at 10:34:36PM -0500, Paul Wouters wrote:
> On Tue, 7 Dec 2021, Antony Antony wrote:
> > I have rebased the branches a couple days ago. minor fixes to ignore
> > acquire SA expire. GiB...EiB support.
> I've reviewed and rebased, added man page entries, and made the
> names more consistent. I've created a PR:
> https://github.com/antonyantony/libreswan/pull/2
> A full test run can be found on https://lake.libreswan.org/
> Paul
> ps. (on Jan 7, lake will be down for a few hours due to an eletrical
>      panel replacement)

More information about the Swan-dev mailing list