path: root/conf/plugins/kernel-netlink.opt
Commit message / Author / Age / Files / Lines (newest first)
* kernel-netlink: Use total retransmit timeout as acquire timeout
  Tobias Brunner, 2017-05-23, 1 file, -3/+3 lines

  By using the total retransmit timeout, modifications of timeout settings automatically reflect on the value of xfrm_acq_expires. If set, the value of xfrm_acq_expires configured by the user takes precedence over the calculated value.
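The commit above ties xfrm_acq_expires to the IKE retransmission settings. The following is an added example, not strongSwan code, that shows how the total retransmit timeout falls out of those settings and why the default acquire expiry is 165 seconds. It assumes the usual reading of strongSwan's retransmission schedule (charon.retransmit_timeout * charon.retransmit_base^i for i = 0..charon.retransmit_tries, summed) with the documented defaults 5, 4.0 and 1.8; truncation to whole seconds is an assumption for illustration.

```c
/* Added example (not strongSwan code): derive the acquire timeout from
 * the IKE retransmission settings, as the commit above describes. */
#include <stdio.h>

typedef struct {
    unsigned tries;   /* charon.retransmit_tries */
    double   timeout; /* charon.retransmit_timeout, in seconds */
    double   base;    /* charon.retransmit_base */
} retransmit_cfg_t;

/* Documented strongSwan defaults (assumed here, see lead-in). */
const retransmit_cfg_t strongswan_defaults = { 5, 4.0, 1.8 };
/* A constructed faster schedule, to show the expiry follows the settings. */
const retransmit_cfg_t fast_cfg = { 3, 2.0, 1.5 };

/* Initial send plus every retransmit interval:
 * timeout*base^0 + timeout*base^1 + ... + timeout*base^tries
 * (geometric series, computed iteratively so no libm is needed). */
double total_retransmit_timeout(const retransmit_cfg_t *c)
{
    double total = 0.0, step = c->timeout;
    for (unsigned i = 0; i <= c->tries; i++) {
        total += step;      /* wait before attempt i+1 (or final give-up) */
        step  *= c->base;   /* next interval grows by the base factor   */
    }
    return total;
}

/* xfrm_acq_expires: an explicit user value (> 0) wins; otherwise the
 * total retransmit timeout is used, truncated to seconds (assumption). */
unsigned acquire_expires(const retransmit_cfg_t *c, unsigned user_value)
{
    if (user_value > 0) {
        return user_value;
    }
    return (unsigned) total_retransmit_timeout(c);
}

int main(void)
{
    printf("defaults       -> xfrm_acq_expires=%u\n", acquire_expires(&strongswan_defaults, 0));
    printf("fast schedule  -> xfrm_acq_expires=%u\n", acquire_expires(&fast_cfg, 0));
    printf("explicit value -> xfrm_acq_expires=%u\n", acquire_expires(&strongswan_defaults, 60));
    return 0;
}
```

The practical check: if an acquire (the kernel's request for a missing SA) is allowed to expire before IKE has given up retransmitting, the kernel drops the pending traffic and may fire a second acquire for a negotiation that is still in progress, so the acquire lifetime must be at least the total retransmit time, which is exactly what the calculated value guarantees.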
* kernel-netlink: Allow change of Netlink socket receive buffer size
  Thomas Egerer, 2017-01-25, 1 file, -0/+17 lines

  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* kernel-netlink: Support configuring XFRM policy hashing thresholds
  Tobias Brunner, 2016-09-30, 1 file, -0/+29 lines

  If the number of flows over a gateway exceeds the flow cache size of the Linux kernel, policy lookup gets very expensive. Policies covering more than a single address don't get hash-indexed by default, which results in wasting most of the cycles in xfrm_policy_lookup_bytype() and its xfrm_policy_match() use. Starting with several hundred policies the overhead gets unacceptable.

  Starting with Linux 3.18, Linux can hash the first n bits of a policy subnet to perform indexed lookup. With correctly chosen netbits, this can completely eliminate the performance impact of policy lookups, freeing the resources for ESP crypto.

  WARNING: Due to a bug in kernels 3.19 through 4.7, the kernel crashes with a NULL pointer dereference if a socket policy is installed while hash thresholds are changed. And because the hashtable rebuild triggered by the threshold change that causes this is scheduled, it might also happen if the socket policies are seemingly installed after setting the thresholds. The fix for this bug - 6916fb3b10b3 ("xfrm: Ignore socket policies when rebuilding hash tables") - is included since 4.8 (and might get backported). As a workaround `charon.plugins.kernel-netlink.port_bypass` may be enabled to replace the socket policies that allow IKE traffic with port specific bypass policies.
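The commit above explains that the kernel only hash-indexes policies whose prefixes are at least as long as the configured thresholds, using the first n bits of each subnet. The following is an added example, not strongSwan or kernel code, that models that rule for IPv4 so an operator can check, before touching thresholds, how many of their policies would still end up on the linearly scanned list. The "prefix at least as long as the threshold" rule and the masking follow the commit message; the bucket mixer is a stand-in for the kernel's own hash, the 1024-bucket table size is assumed for illustration, and the policy set is constructed.

```c
/* Added example (not strongSwan or kernel code): model of the XFRM policy
 * hash-threshold rule described in the commit above, IPv4 only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define HASH_BUCKETS 1024u   /* assumed table size, not read from the kernel */

typedef struct {
    const char *src; unsigned src_bits;   /* local side, compared to lbits  */
    const char *dst; unsigned dst_bits;   /* remote side, compared to rbits */
} policy_t;

static uint32_t prefix_mask(unsigned bits)
{
    return bits == 0 ? 0u : (uint32_t)(0xffffffffu << (32 - bits));
}

static uint32_t parse_v4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) {
        return 0;
    }
    return ntohl(a.s_addr);
}

/* A policy is indexed only if both of its prefixes are at least as long as
 * the thresholds; otherwise it lands on the unhashed list that the kernel
 * walks for every lookup. */
int policy_is_hashed(unsigned lbits, unsigned rbits, const policy_t *p)
{
    return p->src_bits >= lbits && p->dst_bits >= rbits;
}

size_t count_unhashed(unsigned lbits, unsigned rbits, const policy_t *p, size_t n)
{
    size_t unhashed = 0;
    for (size_t i = 0; i < n; i++) {
        unhashed += !policy_is_hashed(lbits, rbits, &p[i]);
    }
    return unhashed;
}

/* Bucket from the first lbits/rbits of the addresses: everything beyond
 * the threshold is masked away, so policies that agree on those bits share
 * a bucket (stand-in mixer, not the kernel's hash function). */
uint32_t policy_bucket(unsigned lbits, unsigned rbits, const policy_t *p)
{
    uint32_t s = parse_v4(p->src) & prefix_mask(lbits);
    uint32_t d = parse_v4(p->dst) & prefix_mask(rbits);
    uint32_t h = (s * 0x9e3779b1u) ^ (d + 0x7f4a7c15u);
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13;
    return h % HASH_BUCKETS;
}

/* Largest thresholds that keep every policy indexed: the shortest prefix on
 * each side. A 0.0.0.0/0 policy forces 0 and collapses the table into one
 * bucket, which is the caveat to watch for when choosing the values. */
void best_thresholds(const policy_t *p, size_t n, unsigned *lbits, unsigned *rbits)
{
    *lbits = 32; *rbits = 32;
    for (size_t i = 0; i < n; i++) {
        if (p[i].src_bits < *lbits) *lbits = p[i].src_bits;
        if (p[i].dst_bits < *rbits) *rbits = p[i].dst_bits;
    }
}

/* Constructed sample: one hub subnet talking to several remote subnets. */
const policy_t sample_policies[] = {
    { "10.1.0.0", 16, "172.16.1.0",  24 },
    { "10.1.0.0", 16, "172.16.2.0",  24 },
    { "10.1.0.0", 16, "172.16.3.0",  26 },
    { "10.1.0.0", 16, "192.168.0.0", 16 },
};
const size_t sample_count = sizeof(sample_policies) / sizeof(sample_policies[0]);

int main(void)
{
    unsigned lb, rb;
    printf("default thresholds 32/32: %zu of %zu policies unhashed\n",
           count_unhashed(32, 32, sample_policies, sample_count), sample_count);
    best_thresholds(sample_policies, sample_count, &lb, &rb);
    printf("suggested lbits=%u rbits=%u: %zu unhashed\n", lb, rb,
           count_unhashed(lb, rb, sample_policies, sample_count));
    return 0;
}
```

With the kernel default of 32/32 every subnet policy in the sample is unhashed, which is the situation the commit message describes; 16/16 indexes all four, while 16/24 would leave the 192.168.0.0/16 policy on the linear list. Since the bucket is derived from the masked prefix only, picking thresholds much shorter than your actual prefixes keeps everything indexed but crowds the same buckets, so the shortest prefix actually in use is the value to aim for.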
* conf: Extend description of charon.plugins.kernel-netlink.xfrm_acq_expires
  Tobias Brunner, 2016-08-29, 1 file, -5/+9 lines
* kernel-netlink: Use PAGE_SIZE as default size for the netlink receive buffer
  Tobias Brunner, 2015-08-04, 1 file, -1/+1 lines

  The kernel uses NLMSG_GOODSIZE as default buffer size, which defaults to the PAGE_SIZE if it is lower than 8192 or to that value otherwise. In some cases (e.g. for dump messages) the kernel might use up to 16k for messages, which might require increasing this value.
* kernel-netlink: Make buffer size for received Netlink messages configurable
  Tobias Brunner, 2015-05-21, 1 file, -0/+3 lines
* kernel-netlink: Add missing documentation for two options
  Tobias Brunner, 2014-12-19, 1 file, -0/+6 lines
* kernel-netlink: Alternatively support global port based IKE bypass policies
  Martin Willi, 2014-11-21, 1 file, -0/+9 lines

  The socket based IKE bypass policies are usually superior, but not supported on all networking stacks. The port based variant uses global policies for the UDP ports we have IKE sockets for.
* conf: Document kernel-netlink retransmission and parallelization options
  Martin Willi, 2014-11-21, 1 file, -0/+17 lines
* kernel-netlink: Optionally install protocol and ports on transport mode SAs
  Tobias Brunner, 2014-09-12, 1 file, -0/+9 lines
* kernel-netlink: Add global option to configure MSS-clamping on installed routes
  Tobias Brunner, 2014-09-12, 1 file, -0/+3 lines
* kernel-netlink: Add global option to set MTU on installed routes
  Tobias Brunner, 2014-09-12, 1 file, -0/+3 lines
* conf: Options of all plugins documented
  Tobias Brunner, 2014-02-12, 1 file, -0/+18 lines

  Some options are still missing descriptions though.