Age | Commit message | Author

In effect, this removes the "old" vndX nodes, and renames
the svndX nodes to vndX.
Old svndX nodes will still continue to work though, for now.
Cleanup accordingly.
ok deraadt@, todd@
comments and ok on the man page bits from jmc@
There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
tests for the updated pfctl.
OK henning@, mcbride@
continue anyways.
the smaller implementation from iked that is using libcrypto instead.
This allows removing a lot of code (which is always good), gets rid of
some custom crypto code by using libcrypto, theoretically adds
support for many new MODP and EC2N/ECP modes (but it is not configurable
yet), and allows sharing the dh.c/dh.h code in different codebases
(it is identical in isakmpd and iked, but could also be used elsewhere).
ok deraadt@
test. The remaining pieces are all tested in other regress tests.
OK sthen@
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.
- non-pool translation/routing specification
- leftover bits from nat-to/rdr-to/binat-to
convert nat/rdr/binat rules to nat-to/rdr-to/binat-to
rejected before (I'm surprised this worked)
edge conditions for disklabel -A are going to be acceptable
ok krw
loaded output as it doesn't currently appear as it should.
ok henning@
ok henning@
ok henning@
pfopt5 part from sthen@
ok henning@ sthen@
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. This simplifies the migration from old
binat rules and is less error-prone.
feedback from many, manpage bits from jmc@
ok henning@
Thanks to phessler for pointing out that the show command was
buried in '-gvvsn'
ok henning
ok henning
ok henning
Things still need to be changed for route-to/binat/command line
options among other things.
ok henning
ok hshoexer@
multiple addresses which causes the test to fail; ok sthen@
in the output. this test currently fails; see kernel/6178
a new test to check it's working correctly. ok deraadt@
- unbreak, since -r was removed from disklabel(8)
ok otto@
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.
ok hshoexer@, todd@
was expecting a certain parser error message. Accepting the ikefail10
config file is not considered to be a bug anymore.
ok hshoexer@
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
OK hshoexer@, markus@.
which might be different on different machines. Use some fixed
addresses instead.
pointed out and ok david@
mode.
prodded by david@
table output. Adopt.
Adopt for ktable/kentry usage/leakage tests.
Also run vmstat verbose, to avoid matching failures
if the pools haven't been used yet.
ipsec.conf. The config created by isakmpd dynamically was different
from the config that ipsecctl generated out of ipsec.conf.
Both config formats are changed so that they match. One needs a
passive ike line and a require flow line with the same parameters
in the ipsec.conf. Then the acquire message generated by the kernel
will trigger isakmpd to generate a config that matches the one that
ipsecctl generated from the ike line.
ok hshoexer, 'sounds good' todd
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer
makes transparent proxies much easier; ok beck@, feedback claudio@
assignments of variables.
OK deraadt@