DBG2(DBG_CFG, " copy_df = %u", !has_opt(cfg, OPT_NO_COPY_DF));
DBG2(DBG_CFG, " copy_ecn = %u", !has_opt(cfg, OPT_NO_COPY_ECN));
DBG2(DBG_CFG, " copy_dscp = %N", dscp_copy_names, cfg->copy_dscp);
+ DBG2(DBG_CFG, " icmp = %u", has_opt(cfg, OPT_FORWARD_ICMP));
}
/**
return FALSE;
}
+/**
+ * Parse OTP_FORWARD_ICMP option
+ */
+CALLBACK(parse_opt_icmp, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_FORWARD_ICMP, v, TRUE);
+}
+
/**
* Parse an action_t
*/
{ "copy_df", parse_opt_copy_df, &child->cfg.options },
{ "copy_ecn", parse_opt_copy_ecn, &child->cfg.options },
{ "copy_dscp", parse_copy_dscp, &child->cfg.copy_dscp },
+ { "icmp", parse_opt_icmp, &child->cfg.options },
{ "if_id_in", parse_if_id, &child->cfg.if_id_in },
{ "if_id_out", parse_if_id, &child->cfg.if_id_out },
{ "label", parse_label, &child->cfg.label },
receiver, which is why the default is _out_. Controlling this behavior is
not supported by all kernel interfaces.
+connections.<conn>.children.<child>.icmp = no
+ Whether to forward certain ICMP error messages even if their source IP
+ doesn't match the negotiated IPsec policies.
+
+ ICMP error messages, such as Destination Unreachable, Time Exceeded or
+ Fragmentation Needed, may be generated by a host whose IP address isn't
+ included in the negotiated traffic selectors and therefore doesn't match the
+ IPsec policies. If this option is enabled and the kernel supports it, such
+ packets may still be forwarded. As ICMP errors contain parts of the IP
+ packet that triggered them, the kernel will base its decision on a reverse
+ policy lookup using that IP header.
+
connections.<conn>.children.<child>.start_action = none
Action to perform after loading the configuration (_none_, _trap_, _start_).
projects / thirdparty / strongswan.git / commitdiff
