Re: [Swan-dev] regarding: testing: adding missing : ==== end ==== to nicinit

2020-10-15 Thread Andrew Cagney
Now that 4.0 is out ...

I've removed the "==== end ====" marker from final.sh BUT **/NOT/** nicinit.sh
(which is what this discussion was about).

On Wed, 29 Jan 2020 at 04:28, Paul Wouters  wrote:
>
> On Wed, 29 Jan 2020, Antony Antony wrote:
>
> >> I'm happy to do this after the 3.30 release.
> >>
> >> Just to be very sure, is there anything needing the initdone markers
> >> still? A grep in testing/utils/* shows nothing. If no one can think of
> >> anything, I will also take those out when I do this work.
> >
> > I am confused. Are you proposing to remove markers now?
>
> I'm not doing anything until we have released 3.30.
>
> > Currently the markers are in use in about 280 tests in nicinit.sh.
> > Please don't remove those yet. They will all need the "hostname nic" hack in the
> > final.sh. That does not seem like a good idea to me! Once the testrunners
> > stop running final.sh on nic we can revisit removing the marker. Until then
> > I hope you don't remove the marker! If you do, testruns are likely to be unstable.
> >
> > For the 18 or so tests without the markers I suggest we add the marker
> > until the runner is updated. Then we are consistent.
>
> I wasn't planning on changing any tests right now - the hostname method
> works fine for now, as it works with kvm and namespaces.
>
> > I think the current issue is we copy tests and then tests without markers
> > multiply.
>
> Since the markers don't seem to do anything anymore, I at least tend to
> clean them out when trying to keep tests as simple as possible.
>
> Anyway, don't worry. I'm not doing anything right now.
>
> Paul
___
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev


Re: [Swan-dev] use @IPSECBASEVERSION@ when going to 4.x dev cycle.

2020-10-15 Thread Paul Wouters

On Thu, 15 Oct 2020, Antony Antony wrote:

> I am glad to see 4.0 is out.
> Looking at the commit that bumps to 4.0 I notice a drift.
>
> Uses of IPSECBASEVERSION as opposed to @IPSECBASEVERSION@ are popping up.
>
> Changing to the 4.x cycle would be a good time to drift towards
> @IPSECBASEVERSION@ again.
>
> Here is a previous discussion and consensus for @IPSECBASEVERSION@:
> https://lists.libreswan.org/pipermail/swan-dev/2018-April/002348.html


There were thoughts about removing IPSECBASEVERSION altogether, and
setting it now to something like "4.1dev".

While still merging the git short commit hash into that to know the
exact commit of the dev tree the build was on.

Paul


[Swan-dev] use @IPSECBASEVERSION@ when going to 4.x dev cycle.

2020-10-15 Thread Antony Antony
I am glad to see 4.0 is out.
Looking at the commit that bumps to 4.0 I notice a drift.

Uses of IPSECBASEVERSION as opposed to @IPSECBASEVERSION@ are popping up.

Changing to the 4.x cycle would be a good time to drift towards
@IPSECBASEVERSION@ again.

Here is a previous discussion and consensus for @IPSECBASEVERSION@:
https://lists.libreswan.org/pipermail/swan-dev/2018-April/002348.html

regards,
-antony


[Swan-dev] [Swan-announce] libreswan-4.0 released

2020-10-15 Thread The Libreswan Team

The Libreswan Project has released libreswan-4.0

This is a major feature and cleanup release.

The major release number was increased to signify some major changes.
Please ensure you extensively test libreswan 4.0 before upgrading
production systems.

Compatibility issues:

* The KLIPS IPsec stack has been removed - please switch to XFRMi to
  use ipsecX devices.
* Obsolete algorithms removed/disabled (Serpent, Twofish, CAST,
  MD5/SHA1, DH2, DH22-24, RIPEMD).
* Some compatibility keywords have been removed (mostly ones with "_")
* Some whack options have been removed and renamed
* ipsec status and ipsec trafficstatus output changes
* The default NSS database files (*.db) moved from /etc/ipsec.d to
  /var/lib/ipsec/nss
* BUILD variables changed/renamed (see mk/config.mk)
* New BUILD variables (eg USE_NSS_KDF, USE_OLD_SELINUX)
* Removed BUILD variables SINGLE_CONF_DIR, EMIT_ISAKMP_SPI,
  USE_KEYRR, TEST_INDECENT_PROPOSAL and ALLOW_MICROSOFT_BAD_PROPOSAL
* Renamed INC_* config variables

* Updates to _updown scripts (eg renamed _updown.xfrm)
* NETKEY options now called XFRM
* ipsec newhostkey no longer supports or requires --output
* Global ikeport/natport options removed for per conn port options

New features:

* Support for RFC 8229 IKE and ESP over TCP (requires Linux >= 5.8)
* Support for INTERMEDIATE exchange (draft-ietf-ipsecme-ikev2-intermediate)
* Support for NetBSD
* Improved support for OCP/clouds by supporting custom ikeports
* Failover and loadbalancing support for IKEv2 REDIRECT
* Improved certificate reloading support (ipsec whack --rereadcerts)
* ipsec.secrets no longer needed for RSA keys (:RSA section is now ignored)

Bug fixes:

* Improved NAT/port switching
* Fix labeled IPsec (selinux) for IKEv1
* Improved ipsecX device support
* Fix traffic counters for updown script
* Work around for some Linux kernel versions with ACQUIRE bug
* Windows 10 rekey interoperability fix


We are really happy to see that this release contains contributions from over
30 individual developers. Please let us know if there is anything we can
do to help you with contributing to libreswan.

This latest version of libreswan can be downloaded from:

https://download.libreswan.org/libreswan-4.0.tar.gz
https://download.libreswan.org/libreswan-4.0.tar.gz.asc

The full changelog is available at: https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailinglists or at our bug
tracker:

https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/CentOS can be found at:
https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.

See also https://libreswan.org/

v4.0 (October 14, 2020)
* KLIPS: Support for KLIPS completely removed [Paul]
* pluto: Removed support for deprecated algos: serpent, twofish, cast [Paul]
* IKEv2: EXPERIMENTAL: Support for RFC 8229 IKE/ESP over TCP [Andrew]
  New per-conn keywords: listen-tcp=yes|no, tcponly=yes|no, tcp-remoteport=
  Requires: Linux kernel >= 5.8
* IKEv2: Support for leftikeport= / rightikeport= [Andrew/Paul]
* IKEv2: EXPERIMENTAL: Support for INTERMEDIATE Exchange [Yulia Kuzovkova/GSoC]
  New keyword: intermediate=yes
* FIPS: Remove DH 23/24 from FIPS allowed list as per SP 800 56A Rev 3 [Paul]
* pluto: Support for rereading configured certificates from NSS [Myungjin Lee]
* pluto: plutodebug= keywords are now: base,cpu-usage,crypt,tmi,private [Andrew]
* pluto: find_pluto_xfrmi_interface() would only check first interface [Paul]
* pluto: ddos cookies-threshold and max-halfopen output was swapped [John Mah]
* pluto: Fix leased IP address leak [Andrew/Paul]
* pluto: Fix displaying PLUTO_BYTES_ counters [Paul]
* pluto: Replace/remove deprecated libselinux functions [Eduardo Barretto]
* pluto: Update selinux calls for Labeled IPsec support [Richard Haines]
* pluto: Memory leak fixes [Hugh]
* pluto: Remove unused per peer logging [Andrew]
* pluto: Cleanup logging code for minimal logging support [Andrew]
* pluto: Cleanup netlink / XFRM code [Hugh]
* pluto: xfrmi used mark-out for XFRMA_SET_MARK [Antony/Wolfgang]
* pluto: Support for ipsec0 interface to help migrate from KLIPS to XFRM [Paul]
* pluto: Fix logging some IKE messages to proper IKE SA state [Andrew]
* pluto: Remove global ikeport/nat-ikeport, add listen-udp/listen-tcp [Paul]
* pluto: Connections now have serial numbers which are logged [Paul/Andrew]
* pluto: No longer require :RSA sections in ipsec.secrets [Andrew]
* pluto: pluto chooses wrong raw RSA key (github#352) [Andrew]
* seccomp: Update syscall allowlist for pluto and addconn [Paul]
* whack: Support for ipsec whack --rereadcerts [Paul]
* whack: Rename --ikev1-allow and --ikev2-allow to --ikev1 and --ikev2 [Paul]
* whack: Clear inherited defaults for IKEv2 from IKEv1 connections [Paul]
* show: Fixup for python3 version of ipaddress module