Age | Commit message | Author |
|
ifconfig <if> inet6 used to print all inet6 addresses, and last not least
the installer relies on that behaviour. so don't. to turn inet6 on again
you have to assign any inet6 address or run rtsol.
nobody is happy about this asymmetry, but that is the best we could come up
with for now.
|
|
sync peers are able to get the states before the replies. previously there
was a race where the reply could hit a partner firewall before it had the
state for it, which caused the reply to get processed by the ruleset which
probably would drop it.
this behaviour is off by default because it does delay packets, which is
only wanted in active-active firewalls or when an upstream router is slow
to learn that you've moved the active member of the pfsync cluster. it also
uses memory keeping the packets in the kernel.
use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to
disable.
tested by sthen@ who loves it. he's got manpage changes coming up for me.
|
|
ok claudio@
|
|
ifconfig em0 -inet6
deletes all v6 addresses including link-local and prevents new ones from
being added.
ifconfig em0 inet6 <addr>
re-enables v6, brings the link local back and adds optional <addr>
ok theo reyk
|
|
ok sthen
|
|
Tested by many, thanks.
"Put it in" deraadt@
|
|
add "ifconfig if0 scan" to scan for access points or to list known
stations in Host AP mode.
remove the [-]wmm command while i'm here. QoS is mandatory with
802.11n so there's not much point in making it an option.
fix parsing of the "powersave" command too.
discussed with deraadt@
man page hints from jmc@
display hints from sobrado@
"i like it" cnst@, grange@
|
|
Some supplicants will autoselect 802.1X without giving users the
possibility to choose between PSK or 802.1X.
Similarly, no longer announce `PSK with SHA-256 based KDF' AKMP (defined
in Draft 802.11w) by default in the RSN IE of beacons and probe responses
as it confuses some broken supplicants. This kind of sacrifices security
for interoperability with shitty (but unfortunately widespread) clients
that do not follow the 802.11 standard properly.
This fixes associations from Intel PROSet on XP and also reportedly fixes
some Mac OS clients. I will likely make `psk-sha256' configurable through
ifconfig wpaakms after the 4.5 release.
|
|
and fix typo while here.
ok canacar@
|
|
OK deraadt@
|
|
OK brad@
|
|
initial getinfo(), and remove a few superfluous warnings there.
ok deraadt@
|
|
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo
|
|
argument after that command, check if it is a keyword, and if it is,
that means the original command really has no argument. Get it?
Now.. replace -m with media (no options), and -M with chan (no options).
Try 'ifconfig -a media chan' on a wireless & ethernet machine after this.
ok henning, reyk, thanks for the comments from others
|
|
ok mbalmer@
|
|
Not sure what's more surprising: how long it took for NetBSD to
catch up to the rest of the BSDs (including UCB), or the amount of
code that NetBSD has claimed for itself without attributing to the
actual authors.
OK deraadt@
|
|
Implementation from NetBSD. Ported via FreeBSD's version in trunk^Wlagg(4).
This is still work in progress. Tested with a HP ProCurve 3500.
OK reyk@
|
|
even the unicast address of the remote carp peer. this especially
helps when the multicast carp advertisements are causing problems in
the network (some crappy switches don't do well with multicast), there
are conflicts with VRRP, or the policy of the network does not allow
multicast (most Internet eXchange points didn't allow carped OpenBGP
routers because of the multicast advertisements).
discussed with many
ok mpf@
|
|
as host byte order in userland. ifconfig didn't get this and always printed
the pfsync syncpeer on little endian machines because the check to prevent
printing the default address assumed the wrong byte order.
ok claudio@ rainer@
|
|
in progress and some bits need to be cleaned up but will be in-tree for
convenience.
ok claudio@, norby@
|
|
handshake protocols (both supplicant and authenticator state
machines) as defined in the IEEE 802.11i standard.
Software implementation of the TKIP (Temporal Key Integrity
Protocol) and CCMP (CTR with CBC-MAC Protocol) protocols.
This diff doesn't implement any of the 802.1X authentication
protocols and thus only PSK authentication (using pre-shared
keys) is currently supported.
In concrete terms, this adds support for WPA-PSK and WPA2-PSK
protocols, both in station and hostap modes.
The following drivers are marked as WPA-capable and should
work: bwi(4), malo(4), ral(4), iwn(4), wpi(4), ural(4),
rum(4), upgt(4), and zyd(4)
The following options have been added to ifconfig(8):
wpa, wpapsk, wpaprotos, wpaakms, wpaciphers, wpagroupcipher
wpa-psk(8) can be used to generate keys from passphrases.
tested by many@
ok deraadt@
|
|
ok mpf@, chl@
"i agree with the diagnosis" oga@
|
|
Instead of using the same IP on multiple interfaces, carp has to be
configured with the new "carpnodes" and "balancing" options.
# ifconfig carp0 carpnodes 1:0,2:100,3:100 balancing ip carpdev sis0 192.168.5.50
Please note, that this is a flag day for anyone using carp balancing.
You'll need to adjust your configuration accordingly.
Additionally this diff adds IPv6 NDP balancing support.
Tested and OK mcbride@, reyk@.
Manpage help by jmc@.
|
|
ok mpf@
|
|
ok mpf@ henning@
|
|
that is kept in a list per carp interface. This is the huge first
step necessary to make carp load balancing nice and easy. One carp
interface can now contain up to 32 virtual host instances.
This doesn't do anything useful yet, but here is how an ifconfig
for multiple entries now looks like:
# ifconfig carp2 carpnodes 5:0,6:100 192.168.5.88
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:05
        carp: carpdev sis0 advbase 1
                state MASTER vhid 5 advskew 0
                state BACKUP vhid 6 advskew 100
        groups: carp
        inet 192.168.5.88 netmask 0xffffff00 broadcast 192.168.5.255
OK mcbride@
|
|
Suggestions from mpf@ and canacar@
ok deraadt mpf canacar
|
|
from the interface name, this allows constructs like:
ifconfig vlan15 vlandev smth0
ok reyk@, ``makes sense'' henning@
|
|
ok henning, mbalmer.
|
|
ok henning@
|
|
prefixlen specification when using this form.
man page bits by jmc.
ok henning@, ``looks sane'' djm@.
|
|
which will be used for new interface routes. For example,
ifconfig em0 10.1.1.0 255.255.255.0 rtlabel RING_1
will set the new interface address and attach the route label RING_1 to
the corresponding route.
manpage bits from jmc@
ok claudio@ henning@
|
|
mask in that case. initially from rivo nurges <rix@estpak.ee>, but changed
quite a bit. this has annoyed me so long that I wonder why I hadn't fixed
that earlier... input & ok markus deraadt, manpage also jmc
|
|
'SGIOCGIFMEDIA'.
Noticed by Stuart Henderson.
|
|
__KAME__ should suffice (__KAME__ should be nuked too?)
|
|
access point. Does the same as nwid "" but since we have -nwkey for nwkey
etc. this is nice for consistency.
ok mbalmer reyk
man stuff also ok jmc
|
|
From Peter Philipp <peter underscore philipp at freenet dot de>.
OK deraadt@.
|
|
counter by more than one. manpage help by jmc, ok mcbride mpf deraadt
|
|
help from claudio@, and ok claudio@ mickey@ mpf@
|
|
fix that by rearranging spaces in printf format strings
ok claudio@ mpf@ mickey@
|