DBG2(DBG_CFG, " copy_df = %u", !has_opt(OPT_NO_COPY_DF));
DBG2(DBG_CFG, " copy_ecn = %u", !has_opt(OPT_NO_COPY_ECN));
DBG2(DBG_CFG, " copy_dscp = %N", dscp_copy_names, cfg->copy_dscp);
+ DBG2(DBG_CFG, " icmp = %u", has_opt(OPT_FORWARD_ICMP));
}
/**
return FALSE;
}
+/**
+ * Parse OTP_FORWARD_ICMP option
+ */
+CALLBACK(parse_opt_icmp, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_FORWARD_ICMP, v, TRUE);
+}
+
/**
* Parse an action_t
*/
{ "copy_df", parse_opt_copy_df, &child->cfg.options },
{ "copy_ecn", parse_opt_copy_ecn, &child->cfg.options },
{ "copy_dscp", parse_copy_dscp, &child->cfg.copy_dscp },
+ { "icmp", parse_opt_icmp, &child->cfg.options },
{ "if_id_in", parse_if_id, &child->cfg.if_id_in },
{ "if_id_out", parse_if_id, &child->cfg.if_id_out },
};
receiver, which is why the default is _out_. Controlling this behavior is
not supported by all kernel interfaces.
+connections.<conn>.children.<child>.icmp = no
+ Whether to forward certain ICMP error messages even if the source IP doesn't
+ match policies.
+
+ Whether to forward certain ICMP error messages, such as Destination
+ Unreachable or Time Exceeded, that could be generated by hosts whose IP
+ address isn't included in the negotiated traffic selector and therefore
+ won't match the policies. For these, the kernel will do a reverse lookup
+ with the IP header of the original messsage that's included in the ICMP
+ message.
+
connections.<conn>.children.<child>.start_action = none
Action to perform after loading the configuration (_none_, _trap_, _start_).
projects / thirdparty / strongswan.git / commitdiff
