Age | Commit message | Author |
|
(need DaemonPortOptions line to listen to AF_INET6 socket)
default address family handling is from 8.11.0beta3.
|
- if the source IP address is unset (INADDR_ANY)
- if higher level protocol has cached the SA to use, and the SA specifies
the source address, use that
- otherwise, do a routing lookup to determine our outgoing interface
and fix the source address
- do an SPD lookup (which is why we needed the source address)
- if no IPsec is needed, proceed to multicast processing (if necessary),
IPF, etc. -- transmit the packet as usual; use the routing information
from before (if routing lookup was performed), or do a routing lookup
at this point.
- if IPsec is needed, do multicast processing (if needed), then do
IPsec processing, then call ip_output() recursively. Currently,
the second invocation does not do another SPD lookup (it will be
changed to do so in the near future, to support independent nested
tunnels without infinite loops).
Note that if the inner packet (the one that will have IPsec applied to) is
multicast or broadcast, the interface flags are not checked (since it's not
clear what their meaning is in this case). If the IPsec destination address
is multicast/broadcast, the interface flags are checked of course.
It is no longer necessary to have routing entries for private networks on
IPsec gateways (or default routing entries if they're not needed, for that
matter).
Finally, this patch solves a problem with ever-increasing reference counts
on routing entries when doing IPsec processing.
|
okay itojun@ deraadt@
|
with soft-updates, but will leak free blocks. On non-softupdates filesystems
this option is strongly unrecommended. It also allows downgrades to readonly
by revoking files opened for writing. If the filesystem has mmap'ed files
writeable this is dangerous. Thus, we do *not* recommend its use!
|
OK millert
|
From NetBSD.
|
Fix interrupt printing. Hi from OpenBSD crypto 2K
|
- replaces Lst_Duplicate with Lst_Clone, which does not allocate storage
- split Lst_Concat into Lst_Concat/Lst_ConcatDestroy
Thus, all the LstValid checks are gone, since we always invoke list
functions with valid pointers.
Note that dynamic list allocation accounted for roughly 20% of all calls
to malloc. The extraneous calls to malloc left are now mostly in parse.c,
which makes some wasteful usage of temporary buffers.
With those few patches, the code is sturdier, and easier to maintain.
Reviewed by millert@
|
- in Dir_Expand, path is a misnomer. Use a temp variable instead...
Reformat code for readability.
- Change Parse_MainName/Targ_FindList so that they fill arguments instead
of allocating new lists.
- nuke Targ_FindList(TG_NOCREATE), as this is never used.
- close a small memory hole (forgot to free sysMkPath if CLEANUP).
Reviewed by millert@
|
Lst_Init (constructor) and Lst_New (allocation + construction)
Lst_Destroy (destructor) and Lst_Delete (deallocation + destruction),
and uses that to turn most dynamic allocation of lists (Lst pointers)
into static structures (LIST).
Most of this is mundane, except for allGNs in targ.c, where the code must
be checked to verify that Targ_Init is called soon enough.
Lst_New is a temporary addition. All lists will soon be static.
Reviewed by millert@, like the previous patch.
|
C is not well-suited for opaque data structures.
Then it proceeds by removing a lot of non-sensical casts and white space.
There are two motivations behind this change:
* small functions like Lst_First can now be redefined as macros safely
(otherwise, the cast would mean that you might write Lst_First(5) and
find out about it rather late)
* the size of the Lst data structure is exposed to user code. This will
be used to allocate lists statically, instead of malloc/free them like
crazy.
|
debugging it for you
|
memcmp() will be added to libkern.
|
update man-page to be compatible with the code.
|
export more about cpu type.
prototype for `disable sid hashing', returning cpu version as a side effect
define virtual pages coherency parameters.
|
Sept 21. Note: This means you shouldn't really be running -current
for anything in the United States. Either wait for Sept 21, or for the
next release, or move to the free world :)
|