[strongSwan-dev] Backward compatibility option for inbound SA/SP marking
Christophe Gouault
christophe.gouault at 6wind.com
Thu Aug 24 14:26:27 CEST 2017
2017-08-24 13:50 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Christophe,
>
>> This would avoid
>> to add new features in stroke/ipsec.conf, while not breaking existing
>> deployments based on stroke.
>
> Except for your special use case it should not have an effect on
> existing deployments. With or without VTI devices marking packets
> before decryption, as was necessary before, should still work the same
> even if the SA has no mark set anymore (unless the SA is marked, the
> kernel just ignores the marks on packets, so it doesn't match only
> unmarked packets, to do so requires setting a mark of 0/0xffffffff
> explicitly).
>
> Therefore, I don't really see the need to change the default or make
> this configurable via ipsec.conf.
>
> Actually, for somebody to use a recent enough version to get bothered by
> this change a switch to swanctl/vici should be in order anyway. And
> since the behavior was changed with 5.5.2, which also brought
> swanctl/vici basically on par with starter/stroke (see the changelog
> [1]), there should really be no reason to prefer the old interface.

Hi Tobias,

OK, I surrender ;-)

> There are some control features, like `down-srcip`, `purgeike` or
> `list|resetcounters`, that are not implemented (yet). But they may
> still be used, if necessary (ideally users would notify us of features
> they still need),

I started using the vici API for monitoring and stats, and I must
admit it is far better suited than stroke to interface with an
external application.

I precisely missed the equivalent for `listcounters` in the vici
interface, so I take the opportunity to notify you officially that its
support would be appreciated :)

Regards,
Christophe
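As an added illustration of the marking behaviour Tobias describes (this is an example written for this page, not configuration from the thread or from the strongSwan project), the swanctl.conf fragment below shows a child SA without any mark, where the kernel ignores whatever fwmark an inbound packet carries, next to the explicit `mark_in = 0/0xffffffff` setting that makes the SA match only packets with a mark of exactly 0. The connection and child names, the addresses (taken from documentation ranges) and the PSK authentication are assumptions; secrets are not shown.

```conf
# swanctl.conf (added example, not from the original mail)
connections {
    vti-tunnel {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        local  { auth = psk }
        remote { auth = psk }
        children {
            net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                # No mark_in here: the inbound SA carries no mark, so the
                # kernel does not look at packet marks at all when matching
                # it. Marked and unmarked packets are both accepted, which is
                # why existing setups that mark before decryption keep working.
            }
            net-unmarked-only {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.3.0.0/16
                # Explicit mark value 0 with a full mask: only packets whose
                # fwmark is exactly 0 match this inbound SA. This is the
                # setting required to deliberately exclude marked traffic.
                mark_in = 0/0xffffffff
            }
        }
    }
}
```

After editing, `swanctl --load-conns` applies the change; `swanctl --list-sas` shows the resulting SAs, which is the kind of monitoring the vici interface is suited for.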