2017-08-24 13:50 GMT+02:00 Tobias Brunner <[email protected]>:
> Hi Christophe,
>
>> This would avoid
>> to add new features in stroke/ipsec.conf, while not breaking existing
>> deployments based on stroke.
>
> Except for your special use case it should not have an effect on
> existing deployments. With or without VTI devices, marking packets
> before decryption, as was necessary before, should still work the same
> even if the SA has no mark set anymore (unless the SA is marked, the
> kernel just ignores the marks on packets, so it doesn't match only
> unmarked packets; to do so requires setting a mark of 0/0xffffffff
> explicitly).
>
> Therefore, I don't really see the need to change the default or make
> this configurable via ipsec.conf.
>
> Actually, for somebody to use a recent enough version to get bothered by
> this change, a switch to swanctl/vici should be in order anyway. And
> since the behavior was changed with 5.5.2, which also brought
> swanctl/vici basically on par with starter/stroke (see the changelog
> [1]), there should really be no reason to prefer the old interface.
Hi Tobias,

OK, I surrender ;-)

> There are some control features, like `down-srcip`, `purgeike` or
> `list|resetcounters`, that are not implemented (yet). But they may
> still be used, if necessary (ideally users would notify us of features
> they still need),

I started using the vici API for monitoring and stats, and I must admit it is far better suited than stroke to interface with an external application. I precisely missed the equivalent for `listcounters` in the vici interface, so I take the opportunity to notify you officially that its support would be appreciated :)

Regards,
Christophe
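Added illustration, not part of either message above: a swanctl.conf child fragment showing the explicit `0/0xffffffff` mark Tobias describes for the case where a policy must match only unmarked packets. The connection and child names, traffic selectors and the surrounding keys are assumed placeholders; `mark_in` and `mark_out` take the `value[/mask]` form, and without such a setting the SA carries no mark and the kernel disregards packet marks when matching.

```conf
# Hypothetical swanctl.conf excerpt (example only; names and subnets are placeholders).
connections {
    example-peer {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        children {
            example-net {
                local_ts  = 10.0.1.0/24
                remote_ts = 10.0.2.0/24
                # Default (keys omitted): SA is unmarked, packet marks are ignored.
                # To match ONLY unmarked packets, the mark must be set explicitly
                # to value 0 with a full mask, as described in the reply above:
                mark_in  = 0/0xffffffff
                mark_out = 0/0xffffffff
            }
        }
    }
}
```

When verifying the effect, compare `ip xfrm policy` / `ip xfrm state` output with and without the two `mark_*` lines: only the explicit setting produces a policy and SA that carry a mark of 0 with mask 0xffffffff.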
