[Swan] What to do with some rare KLIPS-only options, currently broken
Paul Wouters
pwouters at redhat.com
Thu Jun 20 23:01:14 EEST 2013
Hi,
When we merged _startklips/_startnetkey into _stackmanager, support for
the following KLIPS-only config setup options was lost:
overridemtu=<value>
hidetos=yes|no (default yes)
fragicmp=yes|no (default yes)
The first one was simply setting the mtu on the ipsecX interface. It
would not be too hard to bring this back. However, I don't know of any
scenario where this option was ever needed. So unless someone can give
me an example of when it was/is needed, I'm going to change this keyword
to kt_obsolete.
The hidetos and fragicmp options _could_ be useful. However, these are
options that can be set using sysctl directly against the ipsec.ko
module. Again, we could add support for this into addconn --configsetup,
so _stackmanager can set these when on klips, but I wonder if it is
better to just leave these out as well, and just document the KLIPS
option for people to use. Especially because KLIPS is mostly used for
embedded systems, and those systems tend to not use our initscripts
anyway. So I'm tempted to also kt_obsolete these.
If we think hidetos/fragicmp are that important, one should wonder how
NETKEY is doing this, and whether we should fix the option to support
NETKEY as well, which would likely require some kernel changes.
Opinions?
Paul
More information about the Swan
mailing list