Age | Commit message | Author | |
---|---|---|---|
2009-04-06 | more scrub scrubbing | Henning Brauer | |
2009-04-06 | scrub gone | Henning Brauer | |
2009-01-30 | If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer. Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed. ok hshoexer@, todd@ | Alexander Bluhm | |
2009-01-29 | Remove ikefail10 ipsecctl regression test as it always fails. It was expecting a certain parser error message. Accepting the ikefail10 config file is not considered to be a bug anymore. ok hshoexer@ | Alexander Bluhm | |
2009-01-28 | Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA. tested by grunk@, todd@, ok grunk@, hshoexer@, todd@ | Alexander Bluhm | |
2009-01-20 | Regression tests for source flow NAT support. OK hshoexer@, markus@. | Marco Pfatschbacher | |
2009-01-19 | Do not use "egress" keyword as it expands to an actual interface, which might be different on different machines. Use some fixed addresses instead. pointed out and ok david@ | Hans-Joerg Hoexer | |
2008-12-22 | add regression test for aes-{128,192,256} being used with main and quick mode. | Hans-Joerg Hoexer | |
2008-12-22 | Adopt to recent change: /32 now is treated as a network address. prodded by david@ | Hans-Joerg Hoexer | |
2008-10-19 | The optional table counters added a field to the verbose table output. Adopt. | Marco Pfatschbacher | |
2008-10-19 | vmstat(8) now reports "InUse" instead of "Releases". Adopt for ktable/kentry usage/leakage tests. Also run vmstat verbose, to avoid matching failures if the pools haven't been used yet. | Marco Pfatschbacher | |
2008-07-01 | Isakmpd acquire mode did not work with a config generated from ipsec.conf. The config created by isakmpd dynamically was different from the config that ipsecctl generated out of ipsec.conf. Both config formats are changed so that they match. One needs a passive ike line and a require flow line with the same parameters in the ipsec.conf. Then the acquire message generated by the kernel will trigger isakmpd to generate a config that matches the one that ipsecctl generated from the ike line. ok hshoexer, 'sounds good' todd | Alexander Bluhm | |
2008-07-01 | If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer | Alexander Bluhm | |
2008-06-16 | fix regress after scrub TOS and tagging additions; "commit it" henning@ | David Krause | |
2008-05-09 | convert port byte order in the production; add port keyword; ok deraadt@ | Markus Friedl | |
2008-05-09 | divert packets to local socket without modifying the ip header; makes transparent proxies much easier; ok beck@, feedback claudio@ | Markus Friedl | |
2008-05-08 | Add/Fix regression tests for sequences of numbers and stacked assignments of variables. OK deraadt@ | Marco Pfatschbacher | |
2008-05-07 | scrub packets based on tags; ok henning | Markus Friedl | |
2008-05-07 | allow setting TOS with scrub; ok mcbride, claudio | Markus Friedl | |
2008-04-21 | Test for blank lines and comments between an inline anchor and its rules. | Ryan Thomas McBride | |
2008-02-01 | Add regress test for anchors matching on filter_opts. | Ryan Thomas McBride | |
2008-01-04 | Add a regression test for handling addresses with trailing '/32' and address type IPV4_ADDR. | Hans-Joerg Hoexer | |
2007-11-25 | more existant -> existent, from Martynas Venckus; pfctl changes: ok henning ssh changes: ok deraadt | Jason McIntyre | |
2007-10-15 | Add new "reached end of file while parsing quoted string" as expected error message. | Hans-Joerg Hoexer | |
2007-10-14 | regression test for include directive (if anyone has a better way to do this messy include file copy, let me know) | Theo de Raadt | |
2007-10-13 | we decided numbers used as strings is wrong | Theo de Raadt | |
2007-09-23 | Allow numbers to be used as unquoted strings again. While there, also restrict the use of concatenated, unquoted strings for variable assignments only. Eyeballed by markus@, OK henning@ | Marco Pfatschbacher | |
2007-09-19 | Fix and re-enable tests for interface->address translation. OK henning | Marco Pfatschbacher | |
2007-09-19 | Add a few "flags any" and "no state" to have the rulesets match against the old checksums again. | Marco Pfatschbacher | |
2007-09-19 | pfctl seems to report errors when accessing empty tables, in a different manner now. Use "-T show" now. OK henning | Marco Pfatschbacher | |
2007-09-19 | "flags S/SA keep state" is the default now. OK henning | Marco Pfatschbacher | |
2007-09-19 | Adopt 14 altq tests to the change of the queue output format. OK henning | Marco Pfatschbacher | |
2007-09-19 | This got broken when a second pool (pfrkentry2) was added for source-tracking support about 3 years ago. OK henning | Marco Pfatschbacher | |
2007-09-19 | Remove "localhost" from the table test, since the result is dependent on the resolver. In some environments you'll get an AAAA for it, in others you won't. Testing the resolver isn't really the intention of this test anyway. OK henning | Marco Pfatschbacher | |
2007-08-30 | regress test address ranges | Daniel Hartmeier | |
2007-07-03 | both 'proto 50' and 'proto esp' must work in flow specifications | Markus Friedl | |
2007-06-20 | Allow "log" for nat rules without "pass". OK henning@, ``passt scho'' markus@ | Marco Pfatschbacher | |
2007-05-19 | detect if newfs fails and add an extra test (amd64 floppy) | Otto Moerbeek | |
2007-05-10 | Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks! Slightly different fix. Also add a regression test. ok mpf@ | Hans-Joerg Hoexer | |
2007-05-02 | now that optimization is on by default, fix the regress tests by disabling optimization for the non-optimized tests, ok henning@ | David Krause | |
2007-04-18 | some newfs checks, not hooked in, because it needs certain disktab entries which are not available on all platforms | Otto Moerbeek | |
2007-03-16 | move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk | Markus Friedl | |
2007-03-14 | We switched to aes cbc quite some time ago, so also use the correct key sizes here, too. We now have to use 128 bit key instead of 160. Noticed by david@ | Hans-Joerg Hoexer | |
2007-02-19 | add a test for null encryption | Hans-Joerg Hoexer | |
2007-02-19 | we have to use '-k' now to show keys. | Hans-Joerg Hoexer | |
2007-02-19 | previous commit to parse.y was undone. adopt these two regression tests. | Hans-Joerg Hoexer | |
2007-02-16 | Adopt to recent change in parse.y (do not accept '\n' in quoted strings). The syntax error is now reported at the correct line. | Hans-Joerg Hoexer | |
2007-01-10 | allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@ | Markus Friedl | |
2007-01-04 | don't pass -1 as a netmask; report vicviq at gmail.com | Markus Friedl | |
2006-11-30 | wrong rid for protocol | Markus Friedl | |