Annotation of embedaddon/strongswan/conf/plugins/kernel-netlink.opt, revision 1.1

1.1     ! misho       1: charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)>
        !             2:        Buffer size for received Netlink messages.
        !             3: 
        !             4: charon.plugins.kernel-netlink.force_receive_buffer_size = no
        !             5:        Force maximum Netlink receive buffer on Netlink socket.
        !             6: 
        !             7:        If the maximum Netlink socket receive buffer in bytes set by
        !             8:        _receive_buffer_size_ exceeds the system-wide maximum from
        !             9:        /proc/sys/net/core/rmem_max, this option can be used to override the limit.
        !            10:        Enabling this option requires special privileges (CAP_NET_ADMIN).
        !            11: 
        !            12: charon.plugins.kernel-netlink.fwmark =
        !            13:        Firewall mark to set on the routing rule that directs traffic to our routing
        !            14:        table.
        !            15: 
        !            16:        Firewall mark to set on the routing rule that directs traffic to our routing
        !            17:        table. The format is [!]mark[/mask], where the optional exclamation mark
        !            18:        inverts the meaning (i.e. the rule only applies to packets that don't match
        !            19:        the mark).
        !            20: 
        !            21: charon.plugins.kernel-netlink.hw_offload_feature_interface = lo
        !            22:        Interface on which to look up the hardware offload feature flag.
        !            23: 
        !            24:        If the kernel supports hardware offloading, the plugin needs to find the
        !            25:        feature flag which represents hardware offloading support for network
        !            26:        devices. Using the loopback device for this purpose is usually fine, since
        !            27:        it should always be present. For rare cases in which the loopback device
        !            28:        cannot be used to obtain the appropriate feature flag, this option can
        !            29:        be used to specify an alternative interface for offload feature detection.
        !            30: 
        !            31: charon.plugins.kernel-netlink.mss = 0
        !            32:        MSS to set on installed routes, 0 to disable.
        !            33: 
        !            34: charon.plugins.kernel-netlink.mtu = 0
        !            35:        MTU to set on installed routes, 0 to disable.
        !            36: 
        !            37: charon.plugins.kernel-netlink.parallel_route = no
        !            38:        Whether to perform concurrent Netlink ROUTE queries on a single socket.
        !            39: 
        !            40:        Whether to perform concurrent Netlink ROUTE queries on a single socket.
        !            41:        While parallel queries can improve throughput, they have more overhead. On
        !            42:        vanilla Linux, DUMP queries fail with EBUSY and must be retried, further
        !            43:        decreasing performance.
        !            44: 
        !            45: charon.plugins.kernel-netlink.parallel_xfrm = no
        !            46:        Whether to perform concurrent Netlink XFRM queries on a single socket.
        !            47: 
        !            48: charon.plugins.kernel-netlink.policy_update = no
        !            49:        Whether to always use XFRM_MSG_UPDPOLICY to install policies.
        !            50: 
        !            51: charon.plugins.kernel-netlink.port_bypass = no
        !            52:        Whether to use port or socket based IKE XFRM bypass policies.
        !            53: 
        !            54:        Whether to use port or socket based IKE XFRM bypass policies.
        !            55:        IKE bypass policies are used to exempt IKE traffic from XFRM processing.
        !            56:        The default socket based policies are directly tied to the IKE UDP sockets,
        !            57:        whereas port based policies use global XFRM bypass policies for the IKE UDP
        !            58:        ports in use, which apply to any traffic on those ports.
        !            59: 
        !            60: charon.plugins.kernel-netlink.process_rules = no
        !            61:        Whether to process changes in routing rules to trigger roam events.
        !            62: 
        !            63:        Whether to process changes in routing rules to trigger roam events. This is
        !            64:        currently only useful if the kernel based route lookup is used (i.e. if
        !            65:        route installation is disabled or an inverted fwmark match is configured).
        !            66: 
        !            67: charon.plugins.kernel-netlink.receive_buffer_size = 0
        !            68:        Maximum Netlink socket receive buffer in bytes.
        !            69: 
        !            70:        Maximum Netlink socket receive buffer in bytes. This value controls how many
        !            71:        bytes of Netlink messages can be received on a Netlink socket. The default
        !            72:        value is set by /proc/sys/net/core/rmem_default. The specified value cannot
        !            73:        exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless
        !            74:        _force_receive_buffer_size_ is enabled.
        !            75: 
        !            76: charon.plugins.kernel-netlink.roam_events = yes
        !            77:        Whether to trigger roam events when interfaces, addresses or routes change.
        !            78: 
        !            79: charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
        !            80:        Whether to set protocol and ports in the selector installed on transport
        !            81:        mode IPsec SAs in the kernel.
        !            82: 
        !            83:        Whether to set protocol and ports in the selector installed on transport
        !            84:        mode IPsec SAs in the kernel. While doing so enforces policies for inbound
        !            85:        traffic, it also prevents the use of a single IPsec SA by more than one
        !            86:        traffic selector.
        !            87: 
        !            88: charon.plugins.kernel-netlink.spdh_thresh {}
        !            89:        XFRM policy hashing threshold configuration for IPv4 and IPv6.
        !            90: 
        !            91:        XFRM policy hashing threshold configuration for IPv4 and IPv6.
        !            92: 
        !            93:        The section defines hashing thresholds to configure in the kernel during
        !            94:        daemon startup. Each address family takes a threshold for the local subnet
        !            95:        of an IPsec policy (src in out-policies, dst in in- and forward-policies)
        !            96:        and the remote subnet (dst in out-policies, src in in- and
        !            97:        forward-policies).
        !            98: 
        !            99:        If the subnet has at least as many net bits as the threshold, the first
        !           100:        threshold bits are used to calculate a hash to look up the policy.
        !           101: 
        !           102:        Policy hashing thresholds are not supported before Linux 3.18 and might
        !           103:        conflict with socket policies before Linux 4.8.
        !           104: 
        !           105: charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits = 32
        !           106:        Local subnet XFRM policy hashing threshold for IPv4.
        !           107: 
        !           108: charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits = 32
        !           109:        Remote subnet XFRM policy hashing threshold for IPv4.
        !           110: 
        !           111: charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits = 128
        !           112:        Local subnet XFRM policy hashing threshold for IPv6.
        !           113: 
        !           114: charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits = 128
        !           115:        Remote subnet XFRM policy hashing threshold for IPv6.
        !           116: 
        !           117: charon.plugins.kernel-netlink.retries = 0
        !           118:        Number of Netlink message retransmissions to send on timeout.
        !           119: 
        !           120: charon.plugins.kernel-netlink.timeout = 0
        !           121:        Netlink message retransmission timeout, 0 to disable retransmissions.
        !           122: 
        !           123: charon.plugins.kernel-netlink.ignore_retransmit_errors = no
        !           124:        Whether to ignore errors potentially resulting from a retransmission.
        !           125: 
        !           126: charon.plugins.kernel-netlink.xfrm_acq_expires = 165
        !           127:        Lifetime of XFRM acquire state and allocated SPIs in kernel.
        !           128: 
        !           129:        Lifetime of XFRM acquire state created by the kernel when traffic matches a
        !           130:        trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
        !           131:        Indirectly controls the delay between XFRM acquire messages triggered by the
        !           132:        kernel for a trap policy. The same value is used as timeout for SPIs
        !           133:        allocated by the kernel. The default value equals the total retransmission
        !           134:        timeout for IKE messages, see IKEv2 RETRANSMISSION in
        !           135:        **strongswan.conf**(5).
