[Swan-dev] WIP: supporting xfrm SA expire
paul at nohats.ca
Fri Jun 24 21:22:14 EEST 2022
On Tue, 21 Jun 2022, Antony Antony wrote:
> Hi Paul,
> Here is a new iteration sa-expire branch. I cherry picked changes from
> and rebased to origin/main.
> I have created a PR to make it easy to review my branch.
Thanks. I'm reviewing it now.
> I ignored "<unset>" change.
> I am not in favor of "<unset>" : for 2^64 or the default. Currently it look
> ipsec_max_bytes: 16EiB
> ipsec_max_packets: 16Ei
> Also there are ciphers which only allow 2^32 bytes and packets as default.
> So it is better to print the default value in abbreviated form than unset
> based on values. Also another concern is if a user actually set to 16Ei or
> 16EiB in the config, your proposal will show that as "unset"?
> We don't print unset when using other defaults! So it feels odd to me.
> I undderstand 18446744073709551615 is very confusing, and I feel 16Ei and
> 16EiB is better. Would that work for you?
I prefer <unset> but it is fine. Anything but 18446744073709551615 is in
improvement but I do still think people won't know what 16EiB is.
> I am presently surprised at your proposal to rename salifetime ->
> ipsec-max-time. I think that is greate, and good for consistency. However,
> lot of changes to keep track of on seperate branch before merge, ie.
> variable names output. changes whack command ..
> So I propose we change the those right after merge of sa-expire-2022*. i
> As an atomic operation change config option, whack command and test output.
This is unfortunate. You could have fixed or told me the issues to fix.
It basically doubles my work because I have to do those from scratch
again after the merge.
More information about the Swan-dev