From e0e280b7669435b991b7e457abd8aa450930b3e8 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez
Date: Mon, 24 Sep 2018 15:11:14 +0200
Subject: New upstream version 5.7.0
---
 conf/strongswan.conf.5.main | 95 +++++++++++++++++++++++++++++++--------------
 1 file changed, 65 insertions(+), 30 deletions(-)
(limited to 'conf/strongswan.conf.5.main')
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index f83211805..486ee5af9 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -85,7 +85,7 @@ Buffer size used for crypto benchmark.
 
 .TP
 .BR charon.crypto_test.bench_time " [50]"
-Number of iterations to test each algorithm.
+Time in ms during which crypto algorithm performance is measured.
 
 .TP
 .BR charon.crypto_test.on_add " [no]"
@@ -155,41 +155,49 @@ Section to define file loggers, see LOGGER CONFIGURATION in .TP -.B charon.filelog. +.B charon.filelog. .br - is the full path to the log file. + may be the full path to the log file if it only contains characters +permitted in section names. Is ignored if +.RI "" "path" "" +is specified. .TP -.BR charon.filelog.. " []" +.BR charon.filelog.. " []" Loglevel for a specific subsystem. .TP -.BR charon.filelog..append " [yes]" +.BR charon.filelog..append " [yes]" If this option is enabled log entries are appended to the existing file. .TP -.BR charon.filelog..default " [1]" +.BR charon.filelog..default " [1]" Specifies the default loglevel to be used for subsystems for which no specific loglevel is defined. .TP -.BR charon.filelog..flush_line " [no]" +.BR charon.filelog..flush_line " [no]" Enabling this option disables block buffering and enables line buffering. .TP -.BR charon.filelog..ike_name " [no]" +.BR charon.filelog..ike_name " [no]" Prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA. .TP -.BR charon.filelog..time_add_ms " [no]" +.BR charon.filelog..path " []" +Optional path to the log file. Overrides the section name. Must be used if the +path contains characters that aren't allowed in section names. + +.TP +.BR charon.filelog..time_add_ms " [no]" Adds the milliseconds within the current second after the timestamp (separated by a dot, so .RI "" "time_format" "" should end with %S or %T). .TP -.BR charon.filelog..time_format " []" +.BR charon.filelog..time_format " []" Prefix each log entry with a timestamp. The option accepts a format string as passed to .RB "" "strftime" "(3)." 
@@ -555,6 +563,18 @@ DHCP server.
 .BR charon.plugins.dhcp.server " [255.255.255.255]"
 DHCP server unicast or broadcast IP address.
 
+.TP
+.BR charon.plugins.dhcp.use_server_port " [no]"
+Use the DHCP server port (67) as source port, instead of the DHCP client port
+(68), when a unicast server address is configured and the plugin acts as relay
+agent. When replying in this mode the DHCP server will always send packets to
+the DHCP server port and if no process binds that port an ICMP port unreachables
+will be sent back, which might be problematic for some DHCP servers. To avoid
+that, enabling this option will cause the plugin to bind the DHCP server port to
+send its requests when acting as relay agent. This is not necessary if a DHCP
+server is already running on the same host and might even cause conflicts (and
+since the server port is already bound, ICMPs should not be an issue).
+
 .TP
 .BR charon.plugins.dnscert.enable " [no]"
 Enable fetching of CERT RRs via DNS.
@@ -777,6 +797,11 @@ and
 .BR charon.plugins.eap-radius.sockets " [1]"
 Number of sockets (ports) to use, increase for high load.
 
+.TP
+.BR charon.plugins.eap-radius.station_id_with_port " [yes]"
+Whether to include the UDP port in the Called\- and Calling\-Station\-Id RADIUS
+attributes.
+
 .TP
 .B charon.plugins.eap-radius.xauth
 .br
@@ -1659,6 +1684,32 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set. .BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]" Send a PB\-TNC batch with a modified PB\-TNC version. +.TP +.BR charon.plugins.tpm.tcti.name " [device|tabrmd]" +Name of TPM 2.0 TCTI library. Valid values: +.RI "" "tabrmd" "," +.RI "" "device" "" +or +.RI "" "mssim" "." +Defaults are +.RI "" "device" "" +if the +.RI "" "/dev/tpmrm0" "" +in\-kernel TPM 2.0 resource manager +device exists, and +.RI "" "tabrmd" "" +otherwise, requiring the d\-bus based TPM 2.0 access +broker and resource manager to be available. + +.TP +.BR charon.plugins.tpm.tcti.opts " [/dev/tpmrm0|]" +Options for the TPM 2.0 TCTI library. Defaults are +.RI "" "/dev/tpmrm0" "" +if the TCTI +library name is +.RI "" "device" "" +and no options otherwise. + .TP .BR charon.plugins.tpm.use_rng " [no]" Whether the TPM should be used as RNG. @@ -2190,23 +2241,15 @@ Send operating system info without being prompted. .BR libimcv.plugins.imc-scanner.push_info " [yes]" Send open listening ports without being prompted. -.TP -.BR libimcv.plugins.imc-swid.swid_directory " [${prefix}/share]" -Directory where SWID tags are located. - -.TP -.BR libimcv.plugins.imc-swid.swid_full " [no]" -Include file information in the XML\-encoded SWID tags. - -.TP -.BR libimcv.plugins.imc-swid.swid_pretty " [no]" -Generate XML\-encoded SWID tags with pretty indentation. - .TP .BR libimcv.plugins.imc-swima.eid_epoch " [0x11223344]" Set 32 bit epoch value for event IDs manually if software collector database is not available. +.TP +.BR libimcv.plugins.imc-swima.subscriptions " [no]" +Accept SW Inventory or SW Events subscriptions. + .TP .BR libimcv.plugins.imc-swima.swid_database " []" URI to software collector database containing event timestamps, software 
@@ -2273,14 +2316,6 @@ URI pointing to operating system remediation instructions.
 .BR libimcv.plugins.imv-scanner.remediation_uri " []"
 URI pointing to scanner remediation instructions.
 
-.TP
-.BR libimcv.plugins.imv-swid.rest_api_timeout " [120]"
-Timeout of SWID REST API HTTP POST transaction.
-
-.TP
-.BR libimcv.plugins.imv-swid.rest_api_uri " []"
-HTTP URI of the SWID REST API.
-
 .TP
 .BR libimcv.plugins.imv-swima.rest_api.timeout " [120]"
 Timeout of SWID REST API HTTP POST transaction.
-- 
cgit v1.2.3