Diffstat (limited to 'conf/plugins')
-rw-r--r--conf/plugins/addrblock.conf11
-rw-r--r--conf/plugins/addrblock.opt8
-rw-r--r--conf/plugins/bypass-lan.conf17
-rw-r--r--conf/plugins/bypass-lan.opt8
-rw-r--r--conf/plugins/kernel-netlink.conf6
-rw-r--r--conf/plugins/kernel-netlink.opt17
-rw-r--r--conf/plugins/pkcs11.conf16
-rw-r--r--conf/plugins/pkcs11.opt10
-rw-r--r--conf/plugins/revocation.conf14
-rw-r--r--conf/plugins/revocation.opt7
-rw-r--r--conf/plugins/tpm.conf11
-rw-r--r--conf/plugins/tpm.opt2
12 files changed, 122 insertions, 5 deletions
diff --git a/conf/plugins/addrblock.conf b/conf/plugins/addrblock.conf
new file mode 100644
index 000000000..274961341
--- /dev/null
+++ b/conf/plugins/addrblock.conf
@@ -0,0 +1,11 @@
+addrblock {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Whether to strictly require addrblock extension in subject certificates.
+ # strict = yes
+
+}
+
diff --git a/conf/plugins/addrblock.opt b/conf/plugins/addrblock.opt
new file mode 100644
index 000000000..e35e4c5ad
--- /dev/null
+++ b/conf/plugins/addrblock.opt
@@ -0,0 +1,8 @@
+charon.plugins.addrblock.strict = yes
+ Whether to strictly require addrblock extension in subject certificates.
+
+ If set to yes, a subject certificate without an addrblock extension is
+ rejected if the issuer certificate has such an addrblock extension. If set
+ to no, subject certificates issued without the addrblock extension are
+ accepted without any traffic selector checks and no policy is enforced
+ by the plugin.
diff --git a/conf/plugins/bypass-lan.conf b/conf/plugins/bypass-lan.conf
new file mode 100644
index 000000000..ad496db67
--- /dev/null
+++ b/conf/plugins/bypass-lan.conf
@@ -0,0 +1,17 @@
+bypass-lan {
+
+ # A comma-separated list of network interfaces for which connected subnets
+ # should be ignored, if interfaces_use is specified this option has no
+ # effect.
+ # interfaces_ignore =
+
+ # A comma-separated list of network interfaces for which connected subnets
+ # should be considered. All other interfaces are ignored.
+ # interfaces_use =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/bypass-lan.opt b/conf/plugins/bypass-lan.opt
new file mode 100644
index 000000000..8c72facde
--- /dev/null
+++ b/conf/plugins/bypass-lan.opt
@@ -0,0 +1,8 @@
+charon.plugins.bypass-lan.interfaces_ignore
+ A comma-separated list of network interfaces for which connected subnets
+ should be ignored, if **interfaces_use** is specified this option has no
+ effect.
+
+charon.plugins.bypass-lan.interfaces_use
+ A comma-separated list of network interfaces for which connected subnets
+ should be considered. All other interfaces are ignored.
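Review bot: The description of `interfaces_ignore` runs two sentences together with a comma (`should be ignored, if **interfaces_use** is specified this option has no effect.`), which makes the precedence rule easy to miss on a quick read; it should read `should be ignored. If **interfaces_use** is specified, this option has no effect.` The same wording is repeated in the comment added in the bypass-lan.conf hunk earlier in this commit and should be corrected there as well.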
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 47f7d58bc..22d94ee38 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -3,6 +3,9 @@ kernel-netlink {
# Buffer size for received Netlink messages.
# buflen = <min(PAGE_SIZE, 8192)>
+ # Force maximum Netlink receive buffer on Netlink socket.
+ # force_receive_buffer_size = no
+
# Firewall mark to set on the routing rule that directs traffic to our
# routing table.
# fwmark =
@@ -32,6 +35,9 @@ kernel-netlink {
# Whether to use port or socket based IKE XFRM bypass policies.
# port_bypass = no
+ # Maximum Netlink socket receive buffer in bytes.
+ # receive_buffer_size = 0
+
# Number of Netlink message retransmissions to send on timeout.
# retries = 0
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 77ba6ea97..1136af1be 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -1,6 +1,14 @@
charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)>
Buffer size for received Netlink messages.
+charon.plugins.kernel-netlink.force_receive_buffer_size = no
+ Force maximum Netlink receive buffer on Netlink socket.
+
+ If the maximum Netlink socket receive buffer in bytes set by
+ _receive_buffer_size_ exceeds the system-wide maximum from
+ /proc/sys/net/core/rmem_max, this option can be used to override the limit.
+ Enabling this option requires special priviliges (CAP_NET_ADMIN).
+
charon.plugins.kernel-netlink.fwmark =
Firewall mark to set on the routing rule that directs traffic to our routing
table.
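Review bot: The added description of `force_receive_buffer_size` misspells "privileges" as `priviliges`; the sentence should read `Enabling this option requires special privileges (CAP_NET_ADMIN).` It also leaves open what happens when the daemon does not hold that capability — whether the buffer request fails visibly or silently falls back to the rmem_max-capped size — and an operator deciding whether to grant CAP_NET_ADMIN for this would want that stated in the same paragraph; the behaviour is not visible in this diff. The matching comment added in the kernel-netlink.conf hunk carries none of the capability caveat, so a reader of the shipped config alone gets no hint that the option needs extra privilege.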
@@ -39,6 +47,15 @@ charon.plugins.kernel-netlink.port_bypass = no
port based policies use global XFRM bypass policies for the used IKE UDP
ports.
+charon.plugins.kernel-netlink.receive_buffer_size = 0
+ Maximum Netlink socket receive buffer in bytes.
+
+ Maximum Netlink socket receive buffer in bytes. This value controls how many
+ bytes of Netlink messages can be received on a Netlink socket. The default
+ value is set by /proc/sys/net/core/rmem_default. The specified value cannot
+ exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless
+ _force_receive_buffer_size_ is enabled.
+
charon.plugins.kernel-netlink.roam_events = yes
Whether to trigger roam events when interfaces, addresses or routes change.
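Review bot: The long description of `receive_buffer_size` repeats its own summary line verbatim as its first sentence (`Maximum Netlink socket receive buffer in bytes.` appears twice in the hunk); the duplicate sentence should be dropped. The documented default of `0` is also not explained — presumably it means the socket keeps the kernel default from rmem_default rather than requesting a zero-byte buffer — and a sentence such as `A value of 0 leaves the kernel default in place.` would make that explicit if it is indeed the behaviour.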
diff --git a/conf/plugins/pkcs11.conf b/conf/plugins/pkcs11.conf
index 35248c2ce..c786a9abb 100644
--- a/conf/plugins/pkcs11.conf
+++ b/conf/plugins/pkcs11.conf
@@ -4,9 +4,6 @@ pkcs11 {
# priority of this plugin.
load = yes
- # Whether to load certificates from tokens.
- # load_certs = yes
-
# Reload certificates from all tokens if charon receives a SIGHUP.
# reload_certs = no
@@ -31,6 +28,19 @@ pkcs11 {
# List of available PKCS#11 modules.
modules {
+ <name> {
+
+ # Whether to automatically load certificates from tokens.
+ # load_certs = yes
+
+ # Whether OS locking should be enabled for this module.
+ # os_locking = no
+
+ # Full path to the shared object file of this PKCS#11 module.
+ # path =
+
+ }
+
}
}
diff --git a/conf/plugins/pkcs11.opt b/conf/plugins/pkcs11.opt
index f5a202844..8f328f087 100644
--- a/conf/plugins/pkcs11.opt
+++ b/conf/plugins/pkcs11.opt
@@ -1,8 +1,14 @@
charon.plugins.pkcs11.modules {}
List of available PKCS#11 modules.
-charon.plugins.pkcs11.load_certs = yes
- Whether to load certificates from tokens.
+charon.plugins.pkcs11.modules.<name>.path =
+ Full path to the shared object file of this PKCS#11 module.
+
+charon.plugins.pkcs11.modules.<name>.os_locking = no
+ Whether OS locking should be enabled for this module.
+
+charon.plugins.pkcs11.modules.<name>.load_certs = yes
+ Whether to automatically load certificates from tokens.
charon.plugins.pkcs11.reload_certs = no
Reload certificates from all tokens if charon receives a SIGHUP.
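Review bot: Replacing the global `charon.plugins.pkcs11.load_certs` with `charon.plugins.pkcs11.modules.<name>.load_certs` is a silent behaviour change for existing configurations: a deployment that set the old key to `no` will, if the old key is no longer read, fall back to the new per-module default of `yes` and start loading certificates from tokens it had deliberately excluded. The per-module entry should say so, e.g. by appending `Replaces the former global load_certs option, which must now be set per module.` Whether the old key is still accepted as a fallback is not visible in this diff, so that sentence should be adjusted to the actual behaviour. The same gap exists in the pkcs11.conf hunk, where the global `load_certs` comment is removed without a pointer to its new location.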
diff --git a/conf/plugins/revocation.conf b/conf/plugins/revocation.conf
new file mode 100644
index 000000000..ca24a640d
--- /dev/null
+++ b/conf/plugins/revocation.conf
@@ -0,0 +1,14 @@
+revocation {
+
+ # Whether CRL validation should be enabled.
+ # enable_crl = yes
+
+ # Whether OCSP validation should be enabled.
+ # enable_ocsp = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/revocation.opt b/conf/plugins/revocation.opt
new file mode 100644
index 000000000..5d2b8c026
--- /dev/null
+++ b/conf/plugins/revocation.opt
@@ -0,0 +1,7 @@
+charon.plugins.revocation.enable_ocsp = yes
+ Whether OCSP validation should be enabled.
+
+charon.plugins.revocation.enable_crl = yes
+ Whether CRL validation should be enabled.
+
+
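Review bot: The new revocation.opt ends with two added empty lines (the last two lines of the hunk), which none of the other new .opt files in this commit have; at most one should remain. The entries are also ordered `enable_ocsp` before `enable_crl`, while the revocation.conf hunk lists them alphabetically; keeping both files in the same order makes it easier to check that the two stay in sync.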
diff --git a/conf/plugins/tpm.conf b/conf/plugins/tpm.conf
new file mode 100644
index 000000000..222bb7b0a
--- /dev/null
+++ b/conf/plugins/tpm.conf
@@ -0,0 +1,11 @@
+tpm {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Whether the TPM should be used as RNG.
+ # use_rng = no
+
+}
+
diff --git a/conf/plugins/tpm.opt b/conf/plugins/tpm.opt
new file mode 100644
index 000000000..cd666dde8
--- /dev/null
+++ b/conf/plugins/tpm.opt
@@ -0,0 +1,2 @@
+charon.plugins.tpm.use_rng = no
+ Whether the TPM should be used as RNG.