Age | Commit message (Collapse) | Author |
|
is used as the srcid, however the srcid type is not specified. Rectify this
by explicitly setting the srcid type to FQDN after successfully retrieving the
hostname. This worked prior to the addition of IPV4_ADDR/IPV6_ADDR support
since get_id_type() returned ID_FQDN even when presented with a null pointer.
Issue reported by Mikolaj Kucharski.
|
|
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.
ok hshoexer@ markus@ todd@
|
|
allocations fails.
looks right deraadt, krw
ok henning
|
|
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.
ok hshoexer@, todd@
|
|
lines later. No functional change.
ok grunk@, hshoexer@
|
|
|
|
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
|
for easier debugging.
ok grunk@, hshoexer@, todd@
|
|
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@
|
|
This avoids warnings about already existing manual flows when
ipsec.conf is reloaded. From Mitja Muzenic <mitja at muzenic dot
net>, thanks!
|
|
Muzenic (mitja at muzenic dot net), many thanks!
|
|
(IPV4_ADDR_SUBNET) when they contain a '/'.
This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
|
|
|
(aes-192, aes-256) is used; ok hshoexer@
|
|
the -n switch. This triggers malloc related bugs during the regress
tests.
ok hshoexer
|
|
ipsec.conf. The config created by isakmpd dynamically was different
from the config that ipsecctl generated out of ipsec.conf.
Both config formats are changed so that they match. One needs a
passive ike line and a require flow line with the same parameters
in the ipsec.conf. Then the acquire message generated by the kernel
will trigger isakmpd to generate a config that matches the one that
ipsecctl generated from the ike line.
ok hshoexer, 'sounds good' todd
|
|
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer
|
|
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer
|
|
No functional change yet.
ok hshoexer
|
|
tested and ok hshoexer, grunk
|
|
pointed out by Prabhu Gurumurthy
ok deraadt@
|
|
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!
ok todd@
|
|
text from ipsecadm(8), hshoexer, and myself
|
|
not accept the trailing '/32'.
Diff from Mitja Muzenic <mitja@muzenic.net>, thanks!
|
|
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@
|
|
ok deraadt@
|
|
Requested and OK deraadt@
|
|
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
|
|
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.
|
|
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others
|
|
of the SA matching return traffic; it was already there for spi but
not authkey/enckey (all 3 are required).
assistance and ok from jmc@
|
|
handle this in the parser. better range checks.
with and ok deraadt@
|
|
|
|
|
|
ok hshoexer, mpf
|
|
|
|
<ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
|
static flows have the correct ID, too. ok hshoexer, reyk
|
|
ok jmc@
|
|
ok hshoexer@ and markus@
|
|
|
|
|
|
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!
ok markus@
|
|
specified.
ok markus@
|
|
asked for by deraadt@
|
|
Thanks to sthen <at> symphytum DOT spacehopper DOT org
|
|
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
|
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@
|
|
|
|
|