<div dir="ltr">Hi,<div><br></div><div>Thank you very much for your prompt answer.</div><div><br></div><div>2013/5/23 Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>></span><br>
</div><div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Hi Francois,<br>
<div><br>
> Anyway, these variables seem to be hard-coded in charon (at ./configure<br>
> time). As IKEv2 support is really required, I was wondering if I missed<br>
> something. Is there any way to change these parameters on a per-process<br>
> basis?<br>
<br>
</div>No, these paths are hard-coded; there are currently no runtime options.<br>
<br>
Unix control sockets are set up by the plugin, and it is quite difficult<br>
to pass command line arguments to them. So instead we probably should<br>
just add an option for a strongswan.conf, which then may contain custom<br>
paths for control sockets, pid file etc.</blockquote><div><br></div><div>This would be great!</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
> Or maybe do you plan to make charon netns aware?<br>
<br>
</div>We had some discussions about integrated netns support, but no,<br>
currently there are no concrete plans for implementing it (this might<br>
change if someone is willing to sponsor the development).<br></blockquote><div><br></div><div style>I can't figure out how complex that would be, but it may be tricky to manage several IKE & netkey sockets from a single daemon.<br>
</div><div style>netns context would probably have to be handled in a large part of the code...</div><div style>Some other people were talking about that here: <a href="http://www.spinics.net/lists/netdev/msg219734.html">http://www.spinics.net/lists/netdev/msg219734.html</a><br>
</div><div style><br></div><div style>While investigating using containers to run several daemons, I started thinking that having one isolated userland process per netns could be better from a security point of view (but more resource-consuming, of course). Any thoughts on that?</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Kind Regards<br>
<span><font color="#888888">Martin<br>
<br>
</font></span></blockquote></div><br></div></div></div>