2017-08-24 10:43 GMT+02:00 Tobias Brunner <[email protected]>:
> Hi Christophe,
>
>> I had a look in the mark-inbound-sa branch, I think there are other
>> methods where the SA mark must be set: child_sa_t.update,
>> child_sa_t.destroy.
>
> You're right, thanks!
You're welcome.

> (You missed the one in update_usebytes() btw.)

Darn! :)

> While I appreciate your creating that stroke patch, I probably won't
> apply it. We need to stop adding new features to starter/stroke. Maybe
> that will get people to abandon the legacy interface and switch to
> swanctl/vici already.

I completely understand your wish to get rid of the legacy ipsec.conf/stroke API. However, in this specific case, it is not exactly a new feature. It is the restoration of the former (legacy) behavior.

Then maybe the behavior when using the legacy API should be the old behavior: if using stroke/ipsec.conf, the inbound SAs are marked as they used to be (OPT_MARK_IN_SA). If using the new swanctl API, you benefit from the new behavior by default (inbound SAs are not marked, but you may alter this behavior via configuration).

This would avoid adding new features to stroke/ipsec.conf, while not breaking existing deployments based on stroke.

Christophe
