[Swan-dev] [libreswan/libreswan] Sa expire 20220620 (PR #777)

Antony Antony antony at phenome.org
Thu Jun 23 21:52:18 EEST 2022

I rebased PR 777 again today. The fixes include a couple of output bugs.
I think this version is ready for merge into main. Any feedback? If there
is no feedback and no further comments, I would like to merge it around July
1st. That is my goal. Right after the merge, Paul, please complete renaming
s/ikelifetime/ike-max-time/. Would you be able to work on it?

I didn't rename the existing keywords because that needs renaming of many
variables and big changes to test output. It is better to do that work in #main,
otherwise it will create a complex merge conflict.


On Tue, Jun 21, 2022 at 04:59:01PM +0200, Antony Antony wrote:
> Hi Paul,
> Here is a new iteration of the sa-expire branch. I cherry-picked changes from
> https://github.com/paulwouters/libreswan/tree/sa-expire-2022-01-06
> and rebased to origin/main.
> I have created a PR to make it easy to review my branch.
> https://github.com/libreswan/libreswan/pull/777
> I ignored "<unset>" change.
> I am not in favor of "<unset>" for 2^64 or the default. Currently it looks
> ipsec_max_bytes: 16EiB
> ipsec_max_packets: 16Ei
> Also there are ciphers which only allow 2^32 bytes and packets as default.
> So it is better to print the default value in abbreviated form than unset
> based on values.  Also another concern is if a user actually set to 16Ei or 
> 16EiB in the config, your proposal will show that as "unset"?
> We don't print unset when using other defaults! So it feels odd to me.
> I understand 18446744073709551615 is very confusing, and I feel 16Ei and
> 16EiB are better. Would that work for you?
> I am presently surprised at your proposal to rename salifetime ->
> ipsec-max-time. I think that is great, and good for consistency. However,
> a lot of changes to keep track of on a separate branch before merge, i.e.
> variable names output. changes whack command ..
> So I propose we change those right after merge of sa-expire-2022*.
> As an atomic operation change config option, whack command and test output.
> s/salifetime/ipsec-max-time/
> s/ikelifetime/ike-max-time/
> and reserve "ike-max-bytes" and "ike-max-packets" for FIPS compliance.
> regards,
> -antony
> On Thu, Jan 06, 2022 at 10:34:36PM -0500, Paul Wouters wrote:
> > On Tue, 7 Dec 2021, Antony Antony wrote:
> > 
> > > I have rebased the branches a couple days ago. minor fixes to ignore
> > > acquire SA expire. GiB...EiB support.
> > 
> > I've reviewed and rebased, added man page entries, and made the
> > names more consistent. I've created a PR:
> > 
> > https://github.com/antonyantony/libreswan/pull/2
> > 
> > A full test run can be found on https://lake.libreswan.org/
> > 
> > Paul
> > ps. (on Jan 7, lake will be down for a few hours due to an electrical
> >      panel replacement)
