Age | Commit message | Author

(aes-192, aes-256) is used; ok hshoexer@

the -n switch. This triggers malloc related bugs during the regress
tests.
ok hshoexer

ipsec.conf. The config created by isakmpd dynamically was different
from the config that ipsecctl generated out of ipsec.conf.
Both config formats are changed so that they match. One needs a
passive ike line and a require flow line with the same parameters
in the ipsec.conf. Then the acquire message generated by the kernel
will trigger isakmpd to generate a config that matches the one that
ipsecctl generated from the ike line.
ok hshoexer, 'sounds good' todd
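The pairing described in the message above, as an added example rather than anything from the commit or the OpenBSD tree: a passive ike line and a require flow line in ipsec.conf(5) that carry the same selectors and peer, so the config isakmpd derives from the kernel's acquire message matches the one ipsecctl loads from the ike line. The addresses are assumed (RFC 5737 documentation ranges).

```conf
# Added example, not from the commit. Addresses are assumed.
# Both lines must use the same src/dst selectors and the same peer;
# if they differ, the policy isakmpd builds on acquire will not match
# the one ipsecctl generated from the ike line.
ike passive esp from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.1
flow esp from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.1 type require
```

`ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, which is a cheap way to catch a typo in one of the two lines before the mismatch shows up as a flow that never gets an SA.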

of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer

rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer

No functional change yet.
ok hshoexer

tested and ok hshoexer, grunk

pointed out by Prabhu Gurumurthy
ok deraadt@

Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!
ok todd@

text from ipsecadm(8), hshoexer, and myself

not accept the trailing '/32'.
Diff from Mitja Muzenic <mitja@muzenic.net>, thanks!

it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@

ok deraadt@

Requested and OK deraadt@

expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr

yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.

as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others

of the SA matching return traffic; it was already there for spi but
not authkey/enckey (all 3 are required).
assistance and ok from jmc@

handle this in the parser. better range checks.
with and ok deraadt@

ok hshoexer, mpf

<ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@

static flows have the correct ID, too. ok hshoexer, reyk

ok jmc@

ok hshoexer@ and markus@

used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!
ok markus@

specified.
ok markus@

asked for by deraadt@

Thanks to sthen <at> symphytum DOT spacehopper DOT org

Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!
ok markus@ cloder@ (uhm, quite some time ago)

this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@

hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)

ok hshoexer@

had; more can go in here, so feel free...
many thanks to ho for feedback, and angelos and cedric who i harangued
endlessly to explain nat/ipsec to me;
the ipsec.conf.5 change just moves some stuff more appropriate to enc.4;
ok hshoexer

store IKE connection string and phase2 IDs in the ipsec rule;
cleanup internal API: pass rules around instead of rule members;
report Brian Candler; fix with hshoexer, msf; ok hshoexer

phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.
ok hshoexer@

however, this workaround might leak config entries in isakmpd;
ok (for now) hshoexer

consistently in the rest of the page;
help/ok hshoexer