[strongSwan-dev] Backward compatibility option for inbound SA/SP marking

Christophe Gouault christophe.gouault at 6wind.com
Thu Aug 24 11:30:53 CEST 2017


2017-08-24 10:43 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Christophe,
>
>> I had a look in the mark-inbound-sa branch, I think there are other
>> methods where the SA mark must be set: child_sa_t.update,
>> child_sa_t.destroy.
>
> You're right, thanks!

you're welcome

> (You missed the one in update_usebytes() btw.)

Darn! :)

> While I appreciate your creating that stroke patch, I probably won't
> apply it.  We need to stop adding new features to starter/stroke.  Maybe
> that will get people to abandon the legacy interface and switch to
> swanctl/vici already.

I completely understand your will to get rid of the legacy
ipsec.conf/stroke API. However in this specific case, it is not
exactly a new feature. It is the restauration of the former (legacy)
behavior.

Then maybe the behavior when using the legacy API should be the old
behavior: if using stroke/ipsec.conf, the inbound SAs are marked as
they used to be (OPT_MARK_IN_SA). If using the new swanctl API, you
benefit from the new behavior by default (inbound SAs are not marked,
but you may alter this behavior via configuration). This would avoid
to add new features in stroke/ipsec.conf, while not breaking existing
deployments based on stroke.

Christophe


More information about the Dev mailing list