[Swan] What to do with some rare KLIPS-only options, currently broken
David McCullough
ucdevel at gmail.com
Fri Jun 21 02:18:40 EEST 2013
Paul Wouters wrote the following:
>
> Hi,
>
> When we merged _startklips/_startnetkey into _stackmanager, support for
> the following KLIPS-only config setup options was lost:
>
> overridemtu=<value>
> hidetos=yes|no (default yes)
> fragicmp=yes|no (default yes)
>
> The first one was simply setting the mtu on the ipsecX interface. It
> would not be too hard to bring this back. However, I don't know of any
> scenario where this option was ever needed. So unless someone can give
> me an example of when it was/is needed, I'm going to change this keyword
> to kt_obsolete.
>
> The hidetos and fragicmp options _could_ be useful. However, these are
> options that can be set using sysctl directly against the ipsec.ko
> module. Again, we could add support for this into addconn --configsetup,
> so _stackmanager can set these when on klips, but I wonder if it is
> better to just leave these out as well, and just document the KLIPS
> option for people to use. Especially because KLIPS is mostly used for
> embedded systems, and those systems tend to not use our initscripts
> anyway. So I'm tempted to also kt_obsolete these.
>
> If we think hidetos/fragicmp are that important, one should wonder how
> NETKEY is doing this, and whether we should fix the option to support
> NETKEY as well, which would likely require some kernel changes.
>
> Opinions?
I can only say that we have used overridemtu and hidetos in the past. I am
not sure about fragicmp.
All I can say is that we already have a number of other klips-only options
(like interfaces, klipsdebug). If we can manage those, is it really a
huge burden to maintain compat with older config files?
I can say that more and more embedded systems will be using at least the
"ipsec setup start" and similar scripts. I would probably say most already
do. Any systemd/init.d stuff is probably a little less used but not that
far from main stream.
Of course we switched to NSS completely as well so this is pretty minor in
comparison IMO ;-) :-) ;-)
Cheers,
Davidm
--
David McCullough, ucdevel at gmail.com, Ph: 0410 560 763
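Paul's message says that overridemtu only set the MTU of the ipsecX interface and that hidetos and fragicmp can be set with sysctl against ipsec.ko. For a KLIPS box that keeps those keywords in ipsec.conf after _stackmanager stopped honouring them, a small shim can apply them outside the initscripts. The script below is an added example, not code from this thread or from the Openswan/Libreswan tree. It assumes the two KLIPS sysctl knobs live at /proc/sys/net/ipsec/tos and /proc/sys/net/ipsec/icmp and that writing 1 means "yes" for both; that polarity is an assumption to check against your ipsec.ko. The interface name ipsec0 and the SYSCTL_ROOT, IPSEC_IFACE and RUN_IP variables are hypothetical knobs so the script can be dry-run and tested without root.

```shell
#!/bin/sh
# Added example: re-apply the three KLIPS-only "config setup" keywords
# (overridemtu, hidetos, fragicmp) from ipsec.conf without _stackmanager.
# ASSUMPTIONS (not confirmed by the thread): the KLIPS sysctl knobs are
# net/ipsec/tos and net/ipsec/icmp, and 1 means "yes" for both. Verify the
# polarity against your ipsec.ko before relying on it.
# SYSCTL_ROOT, IPSEC_IFACE and RUN_IP are hypothetical knobs for testing.

: "${SYSCTL_ROOT:=/proc/sys}"   # point at a scratch dir when testing
: "${IPSEC_IFACE:=ipsec0}"      # KLIPS virtual interface to set the MTU on

# yes/no -> 1/0 on stdout; any other value fails with status 2
klips_bool() {
    case "$1" in
        yes|true|1) echo 1 ;;
        no|false|0) echo 0 ;;
        *) echo "klips: expected yes|no, got '$1'" >&2; return 2 ;;
    esac
}

# Write $2 to the KLIPS sysctl $1; fail if the knob is absent, which is what
# you see on a NETKEY host or before ipsec.ko is loaded.
klips_set_sysctl() {
    path="$SYSCTL_ROOT/net/ipsec/$1"
    if [ ! -f "$path" ]; then
        echo "klips: $path not present; is ipsec.ko loaded?" >&2
        return 1
    fi
    printf '%s\n' "$2" > "$path"
}

# Map one ipsec.conf keyword to its KLIPS action. overridemtu only prints the
# ip(8) command unless RUN_IP=1, so a dry run is the default.
apply_klips_option() {
    opt=$1; val=$2
    case "$opt" in
        hidetos)  v=$(klips_bool "$val") || return 2; klips_set_sysctl tos  "$v" ;;
        fragicmp) v=$(klips_bool "$val") || return 2; klips_set_sysctl icmp "$v" ;;
        overridemtu)
            case "$val" in ''|*[!0-9]*)
                echo "klips: overridemtu needs a decimal integer, got '$val'" >&2
                return 2 ;;
            esac
            cmd="ip link set dev $IPSEC_IFACE mtu $val"
            echo "$cmd"
            if [ "${RUN_IP:-0}" = 1 ]; then $cmd; fi
            ;;
        *) echo "klips: unknown option '$opt'" >&2; return 2 ;;
    esac
}

# Read the "config setup" section of the ipsec.conf-style file $1 and apply
# only the three KLIPS keywords; every other keyword is left to addconn.
apply_config_setup() {
    in_setup=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # drop comments
        case "$line" in
            "config setup"*) in_setup=1; continue ;;
            conn*)           in_setup=0; continue ;;
        esac
        [ "$in_setup" -eq 1 ] || continue
        case "$line" in *=*) ;; *) continue ;; esac   # skip blank/non-assignment lines
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*$//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        case "$key" in
            hidetos|fragicmp|overridemtu) apply_klips_option "$key" "$val" || return $? ;;
        esac
    done < "$1"
}

# Usage: SYSCTL_ROOT=/proc/sys RUN_IP=1 sh klips-opts.sh /etc/ipsec.conf
if [ "$#" -ge 1 ]; then
    apply_config_setup "$1"
fi
```

Run it with no RUN_IP to see which ip(8) command it would issue; the sysctl writes are real, and a missing knob under /proc/sys/net/ipsec is reported rather than silently skipped, so a host that has moved to NETKEY fails loudly instead of pretending the option took effect.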