On Sat, 23 Aug 2014 00:34:11 +0300 Timo Teräs <[email protected]> wrote:
> If a transport mode wildcard policy is installed, a separate per
> child-sa with expanded dynamic entries is not needed. This has
> great performance benefits, as policy database modification is
> a heavy operation, and lookups to a policy database with lots of
> entries are slow. Additionally, less memory is used.
>
> Signed-off-by: Timo Teräs <[email protected]>
> ---
> An alternative would be to instead make the child-sa install the original
> configuration-specified policy, and thus the reference counting
> mechanism in the policy manager would avoid duplicates. However, in some
> cases it makes sense to install per-instance policies if a trap policy is not
> desired.

Forgot to mention that this is on top of the trap-sa branch.

I also now have the trap-sa patches rebased on top of git master + the previously sent source/remote hint patch. I should probably send my whole set as a patchset, or a pull request. (Any preference on which?) Or perhaps you have some feedback on the patches if they need changing?

The only thing I'm missing is the variant of notifications that sends the remote certificate along. After that I think I have all the new core functionality I need (the CFG_REQUEST/CFG_SET vici stuff is also still missing, but I don't need it for the first iteration).

I also figured that I might as well use swanctl to load the connection entry I need, and specify the IKE profile by name in the quagga/dmvpn code. This will simplify the first implementation considerably as well.

Some minor perf tuning and fixing can of course still be done, e.g. to generate the event messages only if there are event listeners.

Oh, and there's a bug in "swanctl --log" (and also the new --monitor): if the daemon exits, swanctl never exits or reconnects.

Thanks,
Timo

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
