[Swan-dev] [libreswan/libreswan] Sa expire 20220620 (PR #777)
Antony Antony
antony at phenome.org
Thu Jun 23 21:52:18 EEST 2022
I rebased the PR 777 again today. The fixes include couple of output bugs.
I think this version is ready for merge into main. Any feedback? If there
are no feedback or no further comments I would like to merge it around July
1st. That is my goal. Right after the merge Paul please complete renaming
s/ikelifetime/ike-max-time/ Would you able to work on it?
I didn't rename the existing keywords because that need renaming of many
variables and big changes to test output. It is better do that work in #main
otherwise it will create complex merge conflict.
regards,
-antony
On Tue, Jun 21, 2022 at 04:59:01PM +0200, Antony Antony wrote:
> Hi Paul,
> Here is a new iteration sa-expire branch. I cherry picked changes from
> https://github.com/paulwouters/libreswan/tree/sa-expire-2022-01-06
>
> and rebased to origin/main.
>
> I have created a PR to make it easy to review my branch.
> https://github.com/libreswan/libreswan/pull/777
>
>
> I ignored "<unset>" change.
> I am not in favor of "<unset>" : for 2^64 or the default. Currently it look
> ipsec_max_bytes: 16EiB
> ipsec_max_packets: 16Ei
>
> Also there are ciphers which only allow 2^32 bytes and packets as default.
> So it is better to print the default value in abbreviated form than unset
> based on values. Also another concern is if a user actually set to 16Ei or
> 16EiB in the config, your proposal will show that as "unset"?
> We don't print unset when using other defaults! So it feels odd to me.
> I undderstand 18446744073709551615 is very confusing, and I feel 16Ei and
> 16EiB is better. Would that work for you?
>
> I am presently surprised at your proposal to rename salifetime ->
> ipsec-max-time. I think that is greate, and good for consistency. However,
> lot of changes to keep track of on seperate branch before merge, ie.
> variable names output. changes whack command ..
> So I propose we change the those right after merge of sa-expire-2022*. i
> As an atomic operation change config option, whack command and test output.
>
> s/salifetime/ipsec-max-time/
> s/ikelifetime/ike-max-time/
>
> and reserve "ike-max-bytes" and "ike-max-packets" for FIPS complience.
>
> regards,
> -antony
>
> On Thu, Jan 06, 2022 at 10:34:36PM -0500, Paul Wouters wrote:
> > On Tue, 7 Dec 2021, Antony Antony wrote:
> >
> > > I have rebased the branches a couple days ago. minor fixes to ignore
> > > acquire SA expire. GiB...EiB support.
> >
> > I've reviewed and rebased, added man page entries, and made the
> > names more consistent. I've created a PR:
> >
> > https://github.com/antonyantony/libreswan/pull/2
> >
> > A full test run can be found on https://lake.libreswan.org/
> >
> > Paul
> > ps. (on Jan 7, lake will be down for a few hours due to an eletrical
> > panel replacement)
More information about the Swan-dev
mailing list