Annotation of embedaddon/strongswan/conf/plugins/kernel-netlink.opt, revision 1.1.1.1 (all lines from revision 1.1, committed by misho)

charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)>
	Buffer size for received Netlink messages.

charon.plugins.kernel-netlink.force_receive_buffer_size = no
	Force maximum Netlink receive buffer on Netlink socket.

	If the maximum Netlink socket receive buffer in bytes set by
	_receive_buffer_size_ exceeds the system-wide maximum from
	/proc/sys/net/core/rmem_max, this option can be used to override the limit.
	Enabling this option requires special privileges (CAP_NET_ADMIN).

charon.plugins.kernel-netlink.fwmark =
	Firewall mark to set on the routing rule that directs traffic to our routing
	table.

	Firewall mark to set on the routing rule that directs traffic to our routing
	table. The format is [!]mark[/mask], where the optional exclamation mark
	inverts the meaning (i.e. the rule only applies to packets that don't match
	the mark).

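The [!]mark[/mask] syntax above, worked through as an added example (this is illustrative code written for this page, not strongSwan's own mark parsing): it parses the string into value, mask and inversion flag, and then evaluates whether a routing rule carrying that mark would apply to a packet with a given skb mark. The struct and function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Parsed form of an "[!]mark[/mask]" string (hypothetical type for this
 * example; strongSwan has its own mark_t). */
typedef struct {
	uint32_t value;   /* mark value to compare against */
	uint32_t mask;    /* which bits of the packet mark take part in the compare */
	bool invert;      /* '!' prefix: the rule applies to packets that do NOT match */
} fwmark_t;

/* Parse "[!]mark[/mask]". Value and mask are decimal or 0x-prefixed hex.
 * A missing mask means all 32 bits are compared. Returns false on
 * malformed input such as "abc", "1/" or a value that does not fit in
 * 32 bits. */
bool fwmark_parse(const char *str, fwmark_t *out)
{
	char *end;
	unsigned long v;

	if (!str || !out) return false;
	out->invert = false;
	out->mask = 0xffffffffU;
	if (*str == '!') { out->invert = true; str++; }
	if (!isdigit((unsigned char)*str)) return false;
	v = strtoul(str, &end, 0);
	if (v > 0xffffffffUL) return false;
	out->value = (uint32_t)v;
	if (*end == '/') {
		if (!isdigit((unsigned char)end[1])) return false;
		v = strtoul(end + 1, &end, 0);
		if (v > 0xffffffffUL) return false;
		out->mask = (uint32_t)v;
	}
	return *end == '\0';
}

/* Does a routing rule with this mark apply to a packet carrying pkt_mark?
 * Masked compare first, then the optional inversion from the '!' prefix. */
bool fwmark_rule_applies(const fwmark_t *rule, uint32_t pkt_mark)
{
	bool match = (pkt_mark & rule->mask) == (rule->value & rule->mask);
	return rule->invert ? !match : match;
}
```

With an inverted mark such as "!0x100/0xf00", only packets whose mark bits 8..11 differ from 0x1 are sent to strongSwan's routing table, which is the configuration the _process_rules_ option below refers to as an inverted fwmark match.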
charon.plugins.kernel-netlink.hw_offload_feature_interface = lo
	Interface used to look up the hardware offload feature flag.

	If the kernel supports hardware offloading, the plugin needs to find the
	feature flag which represents hardware offloading support for network
	devices. Using the loopback device for this purpose is usually fine, since
	it should always be present. For rare cases in which the loopback device
	cannot be used to obtain the appropriate feature flag, this option can
	be used to specify an alternative interface for offload feature detection.

charon.plugins.kernel-netlink.mss = 0
	MSS to set on installed routes, 0 to disable.

charon.plugins.kernel-netlink.mtu = 0
	MTU to set on installed routes, 0 to disable.

charon.plugins.kernel-netlink.parallel_route = no
	Whether to perform concurrent Netlink ROUTE queries on a single socket.

	Whether to perform concurrent Netlink ROUTE queries on a single socket.
	While parallel queries can improve throughput, they add overhead. On
	vanilla Linux, DUMP queries fail with EBUSY and must be retried, further
	decreasing performance.

charon.plugins.kernel-netlink.parallel_xfrm = no
	Whether to perform concurrent Netlink XFRM queries on a single socket.

charon.plugins.kernel-netlink.policy_update = no
	Whether to always use XFRM_MSG_UPDPOLICY to install policies.

charon.plugins.kernel-netlink.port_bypass = no
	Whether to use port or socket based IKE XFRM bypass policies.

	Whether to use port or socket based IKE XFRM bypass policies.
	IKE bypass policies are used to exempt IKE traffic from XFRM processing.
	The default socket based policies are tied directly to the IKE UDP sockets,
	whereas port based policies install global XFRM bypass policies for the IKE
	UDP ports in use.

charon.plugins.kernel-netlink.process_rules = no
	Whether to process changes in routing rules to trigger roam events.

	Whether to process changes in routing rules to trigger roam events. This is
	currently only useful if the kernel based route lookup is used (i.e. if
	route installation is disabled or an inverted fwmark match is configured).

charon.plugins.kernel-netlink.receive_buffer_size = 0
	Maximum Netlink socket receive buffer in bytes.

	Maximum Netlink socket receive buffer in bytes. This value controls how many
	bytes of Netlink messages can be received on a Netlink socket. The default
	value is set by /proc/sys/net/core/rmem_default. The specified value cannot
	exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless
	_force_receive_buffer_size_ is enabled.

charon.plugins.kernel-netlink.roam_events = yes
	Whether to trigger roam events when interfaces, addresses or routes change.

charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
	Whether to set protocol and ports in the selector installed on transport
	mode IPsec SAs in the kernel.

	Whether to set protocol and ports in the selector installed on transport
	mode IPsec SAs in the kernel. While doing so enforces policies for inbound
	traffic, it also prevents the use of a single IPsec SA by more than one
	traffic selector.

charon.plugins.kernel-netlink.spdh_thresh {}
	XFRM policy hashing threshold configuration for IPv4 and IPv6.

	XFRM policy hashing threshold configuration for IPv4 and IPv6.

	The section defines hashing thresholds to configure in the kernel during
	daemon startup. Each address family takes a threshold for the local subnet
	of an IPsec policy (src in out-policies, dst in in- and forward-policies)
	and the remote subnet (dst in out-policies, src in in- and
	forward-policies).

	If a subnet has at least as many network bits as the threshold, the first
	threshold bits are used to calculate a hash for looking up the policy.

	Policy hashing thresholds are not supported before Linux 3.18 and might
	conflict with socket policies before Linux 4.8.

charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits = 32
	Local subnet XFRM policy hashing threshold for IPv4.

charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits = 32
	Remote subnet XFRM policy hashing threshold for IPv4.

charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits = 128
	Local subnet XFRM policy hashing threshold for IPv6.

charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits = 128
	Remote subnet XFRM policy hashing threshold for IPv6.

charon.plugins.kernel-netlink.retries = 0
	Number of Netlink message retransmissions to send on timeout.

charon.plugins.kernel-netlink.timeout = 0
	Netlink message retransmission timeout, 0 to disable retransmissions.

charon.plugins.kernel-netlink.ignore_retransmit_errors = no
	Whether to ignore errors potentially resulting from a retransmission.

charon.plugins.kernel-netlink.xfrm_acq_expires = 165
	Lifetime of XFRM acquire state and allocated SPIs in the kernel.

	Lifetime of XFRM acquire state created by the kernel when traffic matches a
	trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
	Indirectly controls the delay between XFRM acquire messages triggered by the
	kernel for a trap policy. The same value is used as the timeout for SPIs
	allocated by the kernel. The default value equals the total retransmission
	timeout for IKE messages, see IKEv2 RETRANSMISSION in
	**strongswan.conf**(5).
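Where the default of 165 comes from, as an added example (not code from strongSwan): the IKEv2 retransmission schedule is timeout * base^n for the initial send and each of the retries, and the total time charon waits before giving up on a peer is the sum of those waits. The defaults used here (charon.retransmit_timeout = 4.0, charon.retransmit_base = 1.8, charon.retransmit_tries = 5) are assumed from strongswan.conf(5) and are not stated on this page; jitter and retransmit_limit are ignored.

```c
#include <stdio.h>

/* Assumed strongswan.conf(5) defaults (not on this page). */
#define ASSUMED_RETRANSMIT_TIMEOUT 4.0  /* seconds before the first retransmit */
#define ASSUMED_RETRANSMIT_BASE    1.8  /* growth factor per retransmission */
#define ASSUMED_RETRANSMIT_TRIES   5    /* retransmissions after the initial send */

/* Fill 'waits' (tries + 1 entries) with the wait after the n-th send,
 * n = 0 being the initial transmission: timeout * base^n.
 * Returns the sum of all waits, i.e. the total retransmission timeout. */
double ike_retransmit_schedule(double timeout, double base, int tries,
                               double *waits)
{
	double total = 0.0, wait = timeout;
	for (int n = 0; n <= tries; n++) {
		if (waits) waits[n] = wait;
		total += wait;
		wait *= base;   /* exponential back-off for the next attempt */
	}
	return total;
}

/* xfrm_acq_expires is an integer number of seconds, so the kernel-side
 * acquire/SPI lifetime is the total IKE retransmission timeout truncated
 * to whole seconds. With the assumed defaults this yields 165. */
int xfrm_acq_expires_default(double timeout, double base, int tries)
{
	return (int)ike_retransmit_schedule(timeout, base, tries, NULL);
}

int main(void)
{
	double waits[ASSUMED_RETRANSMIT_TRIES + 1];
	double elapsed = 0.0;
	double total = ike_retransmit_schedule(ASSUMED_RETRANSMIT_TIMEOUT,
	                                       ASSUMED_RETRANSMIT_BASE,
	                                       ASSUMED_RETRANSMIT_TRIES, waits);
	for (int n = 0; n <= ASSUMED_RETRANSMIT_TRIES; n++) {
		printf("send %d at t=%6.1fs, wait %5.1fs\n", n, elapsed, waits[n]);
		elapsed += waits[n];
	}
	printf("give up at t=%.1fs -> xfrm_acq_expires = %d\n", total,
	       xfrm_acq_expires_default(ASSUMED_RETRANSMIT_TIMEOUT,
	                                ASSUMED_RETRANSMIT_BASE,
	                                ASSUMED_RETRANSMIT_TRIES));
	return 0;
}
```

If the retransmission settings are tuned in strongswan.conf, xfrm_acq_expires should be adjusted with them so that acquire state and allocated SPIs do not expire while the IKE exchange is still being retried.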