File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / conf / plugins / kernel-netlink.opt
Revision 1.1.1.1 (vendor branch)
Wed Jun 3 09:46:43 2020 UTC (4 years, 10 months ago) by misho
Branches: strongswan, MAIN
CVS tags: v5_9_2p0, v5_8_4p7, HEAD
Strongswan

charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)>
	Buffer size for received Netlink messages.

charon.plugins.kernel-netlink.force_receive_buffer_size = no
	Force maximum Netlink receive buffer on Netlink socket.

	If the maximum Netlink socket receive buffer in bytes set by
	_receive_buffer_size_ exceeds the system-wide maximum from
	/proc/sys/net/core/rmem_max, this option can be used to override the limit.
	Enabling this option requires special privileges (CAP_NET_ADMIN).

charon.plugins.kernel-netlink.fwmark =
	Firewall mark to set on the routing rule that directs traffic to our routing
	table.

	Firewall mark to set on the routing rule that directs traffic to our routing
	table. The format is [!]mark[/mask], where the optional exclamation mark
	inverts the meaning (i.e. the rule only applies to packets that don't match
	the mark).

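Added example (not strongSwan code): a parser for the [!]mark[/mask] form described above, plus the match test the inverted form implies. It assumes mark and mask may be written in decimal or 0x-hex and that a missing mask compares all 32 bits.

```python
import re
from dataclasses import dataclass

MARK_BITS = 0xFFFFFFFF  # a firewall mark is a 32-bit value


@dataclass(frozen=True)
class FwMark:
    value: int
    mask: int
    invert: bool

    def matches(self, packet_mark: int) -> bool:
        """Does the routing rule apply to a packet carrying packet_mark?

        With '!' the meaning is inverted: the rule applies only to packets
        whose (masked) mark does NOT equal the configured mark.
        """
        hit = (packet_mark & self.mask) == (self.value & self.mask)
        return not hit if self.invert else hit


def _to_int(token: str) -> int:
    # Assumption: decimal or 0x-prefixed hexadecimal are the accepted forms.
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def parse_fwmark(spec: str) -> FwMark:
    """Parse '[!]mark[/mask]'. Without '/mask' all 32 bits are compared
    (assumed default)."""
    num = r"(?:0[xX][0-9a-fA-F]+|[0-9]+)"
    m = re.fullmatch(rf"\s*(!?)\s*({num})(?:/({num}))?\s*", spec)
    if not m:
        raise ValueError(f"invalid fwmark specification: {spec!r}")
    value = _to_int(m.group(2))
    mask = MARK_BITS if m.group(3) is None else _to_int(m.group(3))
    if value > MARK_BITS or mask > MARK_BITS:
        raise ValueError("mark and mask must fit in 32 bits")
    return FwMark(value, mask, m.group(1) == "!")


if __name__ == "__main__":
    # Constructed sample: an inverted match on mark 42 with an 8-bit mask.
    rule = parse_fwmark("!0x2a/0xff")
    for pkt in (0x2a, 0x12a, 0x2b):
        print(f"mark {pkt:#x}: rule applies = {rule.matches(pkt)}")
```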
charon.plugins.kernel-netlink.hw_offload_feature_interface = lo
	Interface to be used to find hardware offload feature flag on.

	If the kernel supports hardware offloading, the plugin needs to find the
	feature flag which represents hardware offloading support for network
	devices. Using the loopback device for this purpose is usually fine, since
	it should always be present. For rare cases in which the loopback device
	cannot be used to obtain the appropriate feature flag, this option can
	be used to specify an alternative interface for offload feature detection.

charon.plugins.kernel-netlink.mss = 0
	MSS to set on installed routes, 0 to disable.

charon.plugins.kernel-netlink.mtu = 0
	MTU to set on installed routes, 0 to disable.

charon.plugins.kernel-netlink.parallel_route = no
	Whether to perform concurrent Netlink ROUTE queries on a single socket.

	Whether to perform concurrent Netlink ROUTE queries on a single socket.
	While parallel queries can improve throughput, they add overhead. On
	vanilla Linux, DUMP queries fail with EBUSY and must be retried, further
	decreasing performance.

charon.plugins.kernel-netlink.parallel_xfrm = no
	Whether to perform concurrent Netlink XFRM queries on a single socket.

charon.plugins.kernel-netlink.policy_update = no
	Whether to always use XFRM_MSG_UPDPOLICY to install policies.

charon.plugins.kernel-netlink.port_bypass = no
	Whether to use port or socket based IKE XFRM bypass policies.

	Whether to use port or socket based IKE XFRM bypass policies.
	IKE bypass policies are used to exempt IKE traffic from XFRM processing.
	The default socket based policies are directly tied to the IKE UDP sockets,
	port based policies use global XFRM bypass policies for the used IKE UDP
	ports.

charon.plugins.kernel-netlink.process_rules = no
	Whether to process changes in routing rules to trigger roam events.

	Whether to process changes in routing rules to trigger roam events. This is
	currently only useful if the kernel based route lookup is used (i.e. if
	route installation is disabled or an inverted fwmark match is configured).

charon.plugins.kernel-netlink.receive_buffer_size = 0
	Maximum Netlink socket receive buffer in bytes.

	Maximum Netlink socket receive buffer in bytes. This value controls how many
	bytes of Netlink messages can be received on a Netlink socket. The default
	value is set by /proc/sys/net/core/rmem_default. The specified value cannot
	exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless
	_force_receive_buffer_size_ is enabled.

charon.plugins.kernel-netlink.roam_events = yes
	Whether to trigger roam events when interfaces, addresses or routes change.

charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
	Whether to set protocol and ports in the selector installed on transport
	mode IPsec SAs in the kernel.

	Whether to set protocol and ports in the selector installed on transport
	mode IPsec SAs in the kernel. While doing so enforces policies for inbound
	traffic, it also prevents the use of a single IPsec SA by more than one
	traffic selector.

charon.plugins.kernel-netlink.spdh_thresh {}
	XFRM policy hashing threshold configuration for IPv4 and IPv6.

	XFRM policy hashing threshold configuration for IPv4 and IPv6.

	The section defines hashing thresholds to configure in the kernel during
	daemon startup. Each address family takes a threshold for the local subnet
	of an IPsec policy (src in out-policies, dst in in- and forward-policies)
	and the remote subnet (dst in out-policies, src in in- and
	forward-policies).

	If the subnet has at least as many net bits as the threshold, the first
	threshold bits are used to calculate a hash to lookup the policy.

	Policy hashing thresholds are not supported before Linux 3.18 and might
	conflict with socket policies before Linux 4.8.

charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits = 32
	Local subnet XFRM policy hashing threshold for IPv4.

charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits = 32
	Remote subnet XFRM policy hashing threshold for IPv4.

charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits = 128
	Local subnet XFRM policy hashing threshold for IPv6.

charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits = 128
	Remote subnet XFRM policy hashing threshold for IPv6.

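Added illustration (not strongSwan or kernel code) of the threshold rule in the spdh_thresh section above: a policy is hashed only if both its local and remote subnets have at least lbits/rbits net bits, and then only the first threshold bits form the key. It assumes the key is simply the masked (local, remote) prefix pair and abstracts away the per-direction src/dst mapping.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Defaults from kernel-netlink.opt: only host-sized subnets are hashed.
DEFAULT_THRESH: Dict[int, Tuple[int, int]] = {4: (32, 32), 6: (128, 128)}

Key = Optional[Tuple[str, str]]


def _first_bits(net, bits: int) -> str:
    """Keep only the first `bits` bits of the subnet address (the hashed part)."""
    width = net.max_prefixlen
    mask = ((1 << bits) - 1) << (width - bits)
    return str(ipaddress.ip_address(int(net.network_address) & mask))


def policy_hash_key(local: str, remote: str,
                    thresh: Dict[int, Tuple[int, int]] = DEFAULT_THRESH) -> Key:
    """Return the (local, remote) prefixes hashed for this policy, or None when
    a subnet is shorter than its threshold and the policy is therefore left in
    the unhashed list that the kernel has to search linearly."""
    lnet = ipaddress.ip_network(local, strict=False)
    rnet = ipaddress.ip_network(remote, strict=False)
    if lnet.version != rnet.version:
        raise ValueError("local and remote subnets must share an address family")
    lbits, rbits = thresh[lnet.version]
    if lnet.prefixlen < lbits or rnet.prefixlen < rbits:
        return None
    return _first_bits(lnet, lbits), _first_bits(rnet, rbits)


def hash_buckets(policies: List[Tuple[str, str]],
                 thresh: Dict[int, Tuple[int, int]] = DEFAULT_THRESH
                 ) -> Dict[Key, List[Tuple[str, str]]]:
    """Group policies by hash key; the None bucket holds the unhashed ones."""
    buckets: Dict[Key, List[Tuple[str, str]]] = defaultdict(list)
    for local, remote in policies:
        buckets[policy_hash_key(local, remote, thresh)].append((local, remote))
    return dict(buckets)


if __name__ == "__main__":
    # Constructed sample policies: with the defaults only the /32 pair is
    # hashed; lowering ipv4 lbits/rbits to 16 also hashes the /24 policies.
    sample = [("10.1.0.5/32", "192.168.2.7/32"),
              ("10.1.0.0/24", "192.168.2.0/24"),
              ("10.1.5.0/24", "192.168.9.0/24"),
              ("10.0.0.0/8", "0.0.0.0/0")]
    for name, th in (("default", DEFAULT_THRESH), ("16/16", {4: (16, 16), 6: (128, 128)})):
        print(name, hash_buckets(sample, th))
```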
charon.plugins.kernel-netlink.retries = 0
	Number of Netlink message retransmissions to send on timeout.

charon.plugins.kernel-netlink.timeout = 0
	Netlink message retransmission timeout, 0 to disable retransmissions.

charon.plugins.kernel-netlink.ignore_retransmit_errors = no
	Whether to ignore errors potentially resulting from a retransmission.

charon.plugins.kernel-netlink.xfrm_acq_expires = 165
	Lifetime of XFRM acquire state and allocated SPIs in kernel.

	Lifetime of XFRM acquire state created by the kernel when traffic matches a
	trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
	Indirectly controls the delay between XFRM acquire messages triggered by the
	kernel for a trap policy. The same value is used as timeout for SPIs
	allocated by the kernel. The default value equals the total retransmission
	timeout for IKE messages, see IKEv2 RETRANSMISSION in
	**strongswan.conf**(5).
