path: root/src/swanctl/swanctl.conf.5.main
Diffstat (limited to 'src/swanctl/swanctl.conf.5.main')
-rw-r--r--  src/swanctl/swanctl.conf.5.main  117
1 files changed, 117 insertions, 0 deletions
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 1f7e3a2cc..1f8900959 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -217,6 +217,14 @@ causes certificate payloads to be sent unconditionally
whenever certificate authentication is used.
.TP
+.BR connections.<conn>.ppk_id " []"
+String identifying the Postquantum Preshared Key (PPK) to be used.
+
+.TP
+.BR connections.<conn>.ppk_required " [no]"
+Whether a Postquantum Preshared Key (PPK) is required for this connection.
+
+.TP
.BR connections.<conn>.keyingtries " [1]"
Number of retransmission sequences to perform during initial connect. Instead of
giving up initiation after the first retransmission sequence with the default
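Review bot: the `ppk_required " [no]"` entry does not say what happens when the peer offers no PPK, which is the whole point of the option: with the default `no` an IKE_SA can evidently still be established without the PPK, silently dropping the postquantum protection the key was configured for, while `yes` should make the setup fail instead. Add a sentence stating both outcomes explicitly, e.g. "If set to yes, the IKE_SA setup fails if the peer does not support or offer a PPK; with no, the connection falls back to regular IKE authentication". Likewise, `ppk_id` says only "String identifying the Postquantum Preshared Key (PPK) to be used" without telling the reader where that string is looked up; reference the `secrets.ppk<suffix>.id<suffix>` entries added further down in this patch, since the value has to match one of them.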
@@ -1127,6 +1135,52 @@ The default
mask if omitted is 0xffffffff.
.TP
+.BR connections.<conn>.children.<child>.set_mark_in " [0/0x00000000]"
+Netfilter mark applied to packets after the inbound IPsec SA processed them.
+This way it's not necessary to mark packets via Netfilter before decryption or
+right afterwards to match policies or process them differently (e.g. via policy
+routing).
+
+An additional mask may be appended to the mark, separated by
+.RI "" "/" "."
+The default
+mask if omitted is 0xffffffff. The special value
+.RI "" "%same" ""
+uses the value (but not
+the mask) from
+.RB "" "mark_in" ""
+as mark value, which can be fixed,
+.RI "" "%unique" ""
+or
+.RI "" "%unique\-dir" "."
+
+
+Setting marks in XFRM input requires Linux 4.19 or higher.
+
+.TP
+.BR connections.<conn>.children.<child>.set_mark_out " [0/0x00000000]"
+Netfilter mark applied to packets after the outbound IPsec SA processed them.
+This allows processing ESP packets differently than the original traffic (e.g.
+via policy routing).
+
+An additional mask may be appended to the mark, separated by
+.RI "" "/" "."
+The default
+mask if omitted is 0xffffffff. The special value
+.RI "" "%same" ""
+uses the value (but not
+the mask) from
+.RB "" "mark_out" ""
+as mark value, which can be fixed,
+.RI "" "%unique" ""
+or
+.RI "" "%unique\-dir" "."
+
+
+Setting marks in XFRM output is supported since Linux 4.14. Setting a mask
+requires at least Linux 4.19.
+
+.TP
.BR connections.<conn>.children.<child>.tfc_padding " [0]"
Pads ESP packets with additional data to have a consistent ESP packet size for
improved Traffic Flow Confidentiality. The padding defines the minimum size of
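Review bot: the `%same` description for both `set_mark_in` and `set_mark_out` says it "uses the value (but not the mask)" from `mark_in`/`mark_out`, but does not say which mask then applies. Since the default mask is 0xffffffff, a configuration such as `mark_in = 0x10/0x10` with `set_mark_in = %same` would overwrite the entire mark rather than just the bit selected by the match mask; state that the mask comes from the `set_mark_*` option itself (appended after `/`) and that an explicit mask should be given when only some bits are meant to be set. Minor style point: both new entries end with two blank lines before the "Setting marks in XFRM ..." paragraph (after the `%unique\-dir` line), whereas every other entry in this file uses a single blank line between paragraphs.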
@@ -1155,6 +1209,44 @@ enables offloading, if it's supported, but the installation does not fail
otherwise.
.TP
+.BR connections.<conn>.children.<child>.copy_df " [yes]"
+Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This
+effectively disables Path MTU discovery (PMTUD). Controlling this behavior is
+not supported by all kernel interfaces.
+
+.TP
+.BR connections.<conn>.children.<child>.copy_ecn " [yes]"
+Whether to copy the ECN (Explicit Congestion Notification) header field to/from
+the outer IP header in tunnel mode. Controlling this behavior is not supported
+by all kernel interfaces.
+
+.TP
+.BR connections.<conn>.children.<child>.copy_dscp " [out]"
+Whether to copy the DSCP (Differentiated Services Field Codepoint) header field
+to/from the outer IP header in tunnel mode. The value
+.RI "" "out" ""
+only copies the
+field from the inner to the outer header, the value
+.RI "" "in" ""
+does the opposite and
+only copies the field from the outer to the inner header when decapsulating, the
+value
+.RI "" "yes" ""
+copies the field in both directions, and the value
+.RI "" "no" ""
+disables
+copying the field altogether. Setting this to
+.RI "" "yes" ""
+or
+.RI "" "in" ""
+could allow an
+attacker to adversely affect other traffic at the receiver, which is why the
+default is
+.RI "" "out" "."
+Controlling this behavior is not supported by all kernel
+interfaces.
+
+.TP
.BR connections.<conn>.children.<child>.start_action " [none]"
Action to perform after loading the configuration. The default of
.RI "" "none" ""
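Review bot: in the `copy_df " [yes]"` entry the sentence "This effectively disables Path MTU discovery (PMTUD)." has the wrong antecedent: as written it reads as though copying the DF bit (the default, `yes`) disables PMTUD, when it is the `no` setting, which leaves DF clear on the outer header and lets the tunnel packets be fragmented, that removes PMTUD for the tunnel. Reword to "Setting this to no effectively disables Path MTU discovery (PMTUD)" so the reader is not steered away from the default. The `copy_dscp` entry is correct, including the note on why `in`/`yes` are not the default, but the four values are currently one run-on sentence with inline `.RI` markup; a short value-per-line list in the style used elsewhere in this page would make the `in`/`out` direction easier to read.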
@@ -1297,6 +1389,31 @@ prefix, if a secret is shared between multiple
peers.
.TP
+.B secrets.ppk<suffix>
+.br
+Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is
+defined in a unique section having the
+.RI "" "ppk" ""
+prefix.
+
+.TP
+.BR secrets.ppk<suffix>.secret " []"
+Value of the PPK. It may either be an ASCII string, a hex encoded string if
+it has a
+.RI "" "0x" ""
+prefix or a Base64 encoded string if it has a
+.RI "" "0s" ""
+prefix in its
+value. Should have at least 256 bits of entropy for 128\-bit security.
+
+.TP
+.BR secrets.ppk<suffix>.id<suffix> " []"
+PPK identity the PPK belongs to. Multiple unique identities may be specified,
+each having an
+.RI "" "id" ""
+prefix, if a secret is shared between multiple peers.
+
+.TP
.B secrets.private<suffix>
.br
Private key decryption passphrase for a key in the
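Review bot: the `secrets.ppk<suffix>.secret` entry requires "at least 256 bits of entropy for 128-bit security" but lists a plain ASCII string first among the accepted encodings, which invites operators to type a passphrase; a random printable-ASCII string would need roughly 40 characters to reach 256 bits, and a human-chosen phrase far more. Recommend in the text that PPKs be generated as 32 random bytes and entered in the `0x` (hex) or `0s` (Base64) form, and add a pointer back to `connections.<conn>.ppk_id`, since the `id<suffix>` entries here are what that option is matched against and the two sections of the patch currently do not reference each other.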