From a7a3c4a22a993ae22446fe3b5ac1af45adb54e04 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 15 May 2025 12:58:12 +0200
Subject: [PATCH] conf: Document global IP-TFS settings

---
 conf/Makefile.am | 1 +
 conf/options/iptfs.opt | 38 ++++++++++++++++++++++++++++++++++++++
 configure.ac | 2 +-
 3 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 conf/options/iptfs.opt

diff --git a/conf/Makefile.am b/conf/Makefile.am
index 3353217407..5b90e00dec 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -16,6 +16,7 @@ options = \
 options/charon-systemd.opt \
 options/imcv.opt \
 options/imv_policy_manager.opt \
+ options/iptfs.opt \
 options/manager.opt \
 options/medsrv.opt \
 options/pki.opt \
diff --git a/conf/options/iptfs.opt b/conf/options/iptfs.opt
new file mode 100644
index 0000000000..33f4c5088e
--- /dev/null
+++ b/conf/options/iptfs.opt
@@ -0,0 +1,38 @@
+charon.iptfs {}
+ Global settings for IP-TFS (RFC 9347). The Linux kernel supports this mode
+ since 6.14. However, it currently only supports aggregation/fragmentation of
+ tunneled IP packets in ESP/AGGFRAG packets. It doesn't yet support other
+ IP-TFS features like sending packets at a constant rate or congestion control.
+
+charon.iptfs.drop_time = 1000000
+ Time in microseconds to wait for out-of-order packets when processing
+ inbound traffic.
+
+charon.iptfs.reorder_window = 3
+ Number of packets that may arrive out of order when processing inbound
+ traffic.
+
+charon.iptfs.init_delay = 0
+ Time in microseconds to wait for subsequent packets to aggregate together
+ when sending outbound traffic. Only relevant if no packets are already
+ queued to be sent.
+
+charon.iptfs.max_queue_size = 1048576
+ Maximum number of bytes allowed to be queued for sending on the tunnel
+ (default 1 MiB). If the queue is full, packets are dropped.
+
+charon.iptfs.packet_size = 0
+ Maximum outer packet size (layer 3) when sending packets. The default of 0
+ will use the PMTU as packet size. Note that the kernel currently doesn't
+ pad smaller packets.
+
+charon.iptfs.accept_fragments = yes
+ Whether fragments of inner packets across multiple AGGFRAG payloads are
+ accepted. This is an IKEv2 option, so if the peer doesn't adhere to this
+ request and still sends such fragments, they will be processed by the
+ kernel.
+
+charon.iptfs.dont_frag = no
+ Force disabling fragmenting inner packets across multiple AGGFRAG payloads
+ when sending outbound traffic (fragmentation is automatically disabled if
+ the peer indicates that it doesn't support handling such packets).
diff --git a/configure.ac b/configure.ac
index 220c33ff55..bf054e1e3b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1949,7 +1949,7 @@ strongswan_options=
 AM_COND_IF([USE_AIKGEN], [strongswan_options=${strongswan_options}" aikgen"])
 AM_COND_IF([USE_ATTR_SQL], [strongswan_options=${strongswan_options}" pool"])
-AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging"])
+AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging iptfs"])
 AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"])
 AM_COND_IF([USE_IMV_ATTESTATION], [strongswan_options=${strongswan_options}" attest"])
 AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv imv_policy_manager"])
-- 
2.47.2