conf: Document global IP-TFS settings

diff --git a/conf/Makefile.am b/conf/Makefile.am
index 3353217407a438631e575166de54ba967c9e74d7..5b90e00dec85bb1771f13634b591b8222001a851 100644 (file)
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -16,6 +16,7 @@ options = \
        options/charon-systemd.opt \
        options/imcv.opt \
        options/imv_policy_manager.opt \
+       options/iptfs.opt \
        options/manager.opt \
        options/medsrv.opt \
        options/pki.opt \

diff --git a/conf/options/iptfs.opt b/conf/options/iptfs.opt
new file mode 100644 (file)
index 0000000..33f4c50
--- /dev/null
+++ b/conf/options/iptfs.opt
@@ -0,0 +1,38 @@
+charon.iptfs {}
+       Global settings for IP-TFS (RFC 9347). The Linux kernel supports this mode
+       since 6.14. However, it currently only supports aggregation/fragmentation of
+       tunneled IP packets in ESP/AGGFRAG packets. It doesn't yet support other
+       IP-TFS features like sending packets at a constant rate or congestion control.
+
+charon.iptfs.drop_time = 1000000
+       Time in microseconds to wait for out-of-order packets when processing
+       inbound traffic.
+
+charon.iptfs.reorder_window = 3
+       Number of packets that may arrive out of order when processing inbound
+       traffic.
+
+charon.iptfs.init_delay = 0
+       Time in microseconds to wait for subsequent packets to aggregate together
+       when sending outbound traffic. Only relevant if no packets are already
+       queued to be sent.
+
+charon.iptfs.max_queue_size = 1048576
+       Maximum number of bytes allowed to be queued for sending on the tunnel
+       (default 1 MiB). If the queue is full, packets are dropped.
+
+charon.iptfs.packet_size = 0
+       Maximum outer packet size (layer 3) when sending packets. The default of 0
+       will use the PMTU as packet size. Note that the kernel currently doesn't
+       pad smaller packets.
+
+charon.iptfs.accept_fragments = yes
+       Whether fragments of inner packets across multiple AGGFRAG payloads are
+       accepted. This is an IKEv2 option, so if the peer doesn't adhere to this
+       request and still sends such fragments, they will be processed by the
+       kernel.
+
+charon.iptfs.dont_frag = no
+       Force disabling fragmenting inner packets across multiple AGGFRAG payloads
+       when sending outbound traffic (fragmentation is automatically disabled if
+       the peer indicates that it doesn't support handling such packets).

diff --git a/configure.ac b/configure.ac
index 220c33ff550061a9aa8425b6a65debeca7087b2a..bf054e1e3bdba05a357cc825f1a6ae24fe388b11 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1949,7 +1949,7 @@ strongswan_options=
 
 AM_COND_IF([USE_AIKGEN], [strongswan_options=${strongswan_options}" aikgen"])
 AM_COND_IF([USE_ATTR_SQL], [strongswan_options=${strongswan_options}" pool"])
-AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging"])
+AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging iptfs"])
 AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"])
 AM_COND_IF([USE_IMV_ATTESTATION], [strongswan_options=${strongswan_options}" attest"])
 AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv imv_policy_manager"])