On Thu, 16 Feb 2017, Oleg Rosowiecki wrote:
> Libreswan man pages state that dpddelay= has a default value of 30 and dpdtimeout= defaults to 120 seconds. This is different from the current behavior, i.e. if you try to leave out either of the settings (or both), both values are ignored and default to zeroes. Also, dpdaction= is ignored and defaults to "hold", as a consequence.
You are correct. While fixing the man page would be the quick fix, I wonder what the best fix would be.

If we'd start from scratch, I would say dpdaction= defines whether or not DPD/liveness is enabled, and dpddelay/dpdtimeout then become options with default values. The question is, can we make that change now without breaking backwards compatibility. We might have people who defined dpdtimeout= and dpddelay= and are using the default action, who would no longer see any DPD happening.

We could also change it and add a bool dpd, so that specifying _any_ of the 3 options enables DPD. Although that might also change people's connection if they before had specified a delay without a timeout, but arguably those people had a bad configuration to begin with that did not do what they thought it would do.

So what preference do people have?

Option 1: require dpddelay= and dpdtimeout= and pick default dpdaction=hold [current behaviour]
Option 2: require dpdaction= and fill in delay/timeout defaults (implies dpdaction=none as default)
Option 3: Any dpddelay/dpdaction/dpdtimeout enables DPD and fills in defaults
Option 4: Require dpddelay or dpdtimeout and pick up default of the other option
Option 5: As Option 2, but specifying delay+timeout means implicit dpdaction=hold

I think I personally prefer Option 2. Most people will have specified a dpdaction= I hope, especially on the server side where clear is not the default and must be specified.

Paul

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
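Not part of the thread: a small Python lint, added here, that applies the current behaviour Oleg describes (DPD active only when both dpddelay= and dpdtimeout= are present, dpdaction= defaulting to hold) to ipsec.conf conn sections and flags connections where DPD is silently disabled. The sample configuration is constructed; the parser is a minimal one that handles key=value lines and conn %default merging only.

```python
import re

DPD_KEYS = ("dpddelay", "dpdtimeout", "dpdaction")

def parse_conns(text):
    """Minimal ipsec.conf parser: {conn: {key: value}}; 'conn %default' is merged into every conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            k, v = line.split("=", 1)
            current[k.strip().lower()] = v.strip()
    defaults = conns.pop("%default", {})
    return {n: {**defaults, **o} for n, o in conns.items()}

def dpd_status(opts):
    """Verdict under the behaviour described in the thread: DPD runs only when BOTH
    dpddelay= and dpdtimeout= are set; dpdaction= then defaults to 'hold'."""
    delay, timeout, action = (opts.get(k) for k in DPD_KEYS)
    if delay and timeout:
        return True, f"DPD active (delay={delay}, timeout={timeout}, action={action or 'hold'})"
    if delay or timeout:
        missing = "dpdtimeout" if delay else "dpddelay"
        return False, f"DPD silently disabled: {missing}= missing, dpdaction= ignored"
    if action:
        return False, "DPD silently disabled: dpdaction= set without dpddelay=/dpdtimeout="
    return False, "DPD not configured"

def lint(text):
    return {n: dpd_status(o) for n, o in parse_conns(text).items()}

# Constructed sample, not from the thread; 'half' is the misconfiguration Paul describes.
SAMPLE = """
conn good
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
conn half            # operator expects DPD here, but gets none
    dpddelay=30
    dpdaction=restart
"""

if __name__ == "__main__":
    for name, (ok, msg) in lint(SAMPLE).items():
        print(f"{name:5} {'ok  ' if ok else 'WARN'} {msg}")
```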
