From: Tobias Brunner
Date: Thu, 20 May 2021 08:12:30 +0000 (+0200)
Subject: vici: Make per-CPU CHILD_SAs configurable
X-Git-Tag: 6.0.2dr1~5^2~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fbfae44dd161056e38e283784898c25a223e6d60;p=thirdparty%2Fstrongswan.git
vici: Make per-CPU CHILD_SAs configurable
---
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 9050c64194..146c07db0c 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -583,6 +583,7 @@ static void log_child_data(child_data_t *data, char *name)
 DBG2(DBG_CFG, " proposals = %#P", data->proposals);
 DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
 DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts);
+ DBG2(DBG_CFG, " per_cpu_sas = %u", has_opt(cfg, OPT_PER_CPU_SAS));
 DBG2(DBG_CFG, " hw_offload = %N", hw_offload_names, cfg->hw_offload);
 DBG2(DBG_CFG, " sha256_96 = %u", has_opt(cfg, OPT_SHA256_96));
 DBG2(DBG_CFG, " copy_df = %u", !has_opt(cfg, OPT_NO_COPY_DF));
@@ -1060,6 +1061,15 @@ CALLBACK(parse_opt_copy_ecn, bool,
 return parse_option(out, OPT_NO_COPY_ECN, v, FALSE);
 }
 
+/**
+ * Parse OPT_PER_CPU_SAS option
+ */
+CALLBACK(parse_opt_cpus, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_PER_CPU_SAS, v, TRUE);
+}
+
 /**
 * Parse a dscp_copy_t
 */
@@ -1934,6 +1944,7 @@ CALLBACK(child_kv, bool,
 { "if_id_out", parse_if_id, &child->cfg.if_id_out },
 { "label", parse_label, &child->cfg.label },
 { "label_mode", parse_label_mode, &child->cfg.label_mode },
+ { "per_cpu_sas", parse_opt_cpus, &child->cfg.options },
 };
 
 return parse_rules(rules, countof(rules), name, value,
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index a3c1c8b806..4c60c0d0b2 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
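Review bot: The callback added in the `@@ -1060,6 +1061,15 @@` hunk of vici_config.c is named `parse_opt_cpus`, which matches neither the flag it sets (`OPT_PER_CPU_SAS`) nor the `per_cpu_sas` key it is registered under, whereas the neighbouring `parse_opt_copy_ecn` is named after its option. Naming it `parse_opt_per_cpu_sas`, and using that name in the `child_kv` rule, would keep the parser table searchable by option name. The doc comment could also say what the final `TRUE` argument means here, since the sibling above passes `FALSE` and the semantics of `parse_option` are not visible in the hunk.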
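Review bot: Nothing in the visible hunks enforces the precondition that swanctl.opt documents for this key: the `per_cpu_sas` rule added to `child_kv` in the `@@ -1934,6 +1944,7 @@` hunk only sets `OPT_PER_CPU_SAS`, so a child with `per_cpu_sas = yes` and no trap in `start_action` appears to be accepted unchanged. If no validation step outside this diff covers that combination, the loader should reject the child or at least emit a warning along the lines of `DBG1(DBG_CFG, "per_cpu_sas requires trap in start_action");`, so an operator does not assume the option is in effect when it is not. `child_kv` begins and ends outside the hunk, so such a check may already exist elsewhere in vici_config.c.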
@@ -1125,6 +1125,9 @@ connections..children..replay_window = 32 default of 32 are supported using the Netlink backend only, a value of 0 disables IPsec replay protection. +connections..children..per_cpu_sas = no + Enable per-CPU CHILD_SAs. Requires _trap_ in **start_action**. + connections..children..hw_offload = no Enable hardware offload for this CHILD_SA, if supported by the IPsec implementation.