Age | Commit message | Author |
|
ok claudio@, henning@
|
- in ipsec_delete_spi_list() a log_verbose is added when a remote peer
sends us a delete message for an SA. However, to avoid spamming the log
when SAs are deleted during re-keying, I only log_verbose when the soft
timeout of the SA has not expired yet. Thus only deletion of live SAs
gets logged.
- in ipsec_decode_ids() I remove the additional printing of IP addresses in
hex as the addresses are already printed in CIDR.
- while there, apply some KNF
ok todd@, mpf@, bluhm@
|
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@
|
not valid during phase 2.
From Dirk Mast <condor2k at googlemail dot com>, thanks!
ok markus@
|
detached addresses. bind(2) will not allow this. ok hshoexer, fries
|
return NULL. This happens if isakmpd is configured for the other
address family. Add a NULL pointer check and initialize rv.
ok hshoexer
|
ipsec.conf. The config created by isakmpd dynamically was different
from the config that ipsecctl generated out of ipsec.conf.
Both config formats are changed so that they match. One needs a
passive ike line and a require flow line with the same parameters
in the ipsec.conf. Then the acquire message generated by the kernel
will trigger isakmpd to generate a config that matches the one that
ipsecctl generated from the ike line.
ok hshoexer, 'sounds good' todd
|
short for IPv6. Increase the buffer size from 80 to 200 where
appropriate. For the M command a buffer for 10 bytes is sufficient.
ok hshoexer@ mpf@ grunk@
|
instead of IPV6_ADDR_SUBNET where appropriate. Then isakmpd has
the same behaviour for IPv6 and IPv4.
ok markus@
|
option parsing. Found out the hard way by jdixon on ifstated.
ok sobrado@, jdixon@, millert@
|
each cmsg_len (i.e. msg_controllen = sum of CMSG_ALIGN(cmsg_len)). This
works now that kernel fd passing has been fixed to accept a bit of
sloppiness because of this ABI repair.
lots of discussion with kettenis
|
CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because
of alignment; ok kettenis hshoexer
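The two commit messages above settle how a control message carrying a file descriptor must be sized: cmsg_len is the unpadded header-plus-payload length, msg_controllen is the aligned space for the whole control buffer, and sizeof() on an over-large buffer overstates both. The block below is an added example, not isakmpd's or OpenBSD's code, that shows that sizing for one descriptor sent over a UNIX socket with SCM_RIGHTS. It uses the POSIX macro names CMSG_SPACE and CMSG_LEN (the commit's macro name may differ); the function names, the MSG_CTRUNC check and the socketpair/pipe self-check are this example's own choices.

```c
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <string.h>
#include <unistd.h>

/* Control buffer sized exactly for one descriptor; the union keeps it aligned. */
union fd_cmsg {
	struct cmsghdr hdr;
	unsigned char buf[CMSG_SPACE(sizeof(int))];
};

/* Send one descriptor over a UNIX-domain socket. Returns 0 on success, -1 on error. */
int
send_fd(int sock, int fd)
{
	union fd_cmsg cmsgbuf;
	struct msghdr msg;
	struct cmsghdr *cmsg;
	struct iovec iov;
	char byte = 0;

	memset(&msg, 0, sizeof(msg));
	memset(&cmsgbuf, 0, sizeof(cmsgbuf));
	iov.iov_base = &byte;		/* at least one data byte must ride along */
	iov.iov_len = sizeof(byte);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cmsgbuf.buf;
	/* Aligned space for header + one int, not sizeof() of some larger buffer. */
	msg.msg_controllen = CMSG_SPACE(sizeof(int));

	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));	/* unpadded: header + payload */
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));

	return sendmsg(sock, &msg, 0) == (ssize_t)sizeof(byte) ? 0 : -1;
}

/* Receive one descriptor; -1 if none arrived, the message was truncated, or the shape is wrong. */
int
recv_fd(int sock)
{
	union fd_cmsg cmsgbuf;
	struct msghdr msg;
	struct cmsghdr *cmsg;
	struct iovec iov;
	char byte;
	int fd = -1;

	memset(&msg, 0, sizeof(msg));
	iov.iov_base = &byte;
	iov.iov_len = sizeof(byte);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cmsgbuf.buf;
	msg.msg_controllen = sizeof(cmsgbuf.buf);

	if (recvmsg(sock, &msg, 0) != (ssize_t)sizeof(byte))
		return -1;
	if (msg.msg_flags & MSG_CTRUNC)	/* kernel dropped part of the control data */
		return -1;
	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
		if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS &&
		    cmsg->cmsg_len == CMSG_LEN(sizeof(int))) {
			memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
			break;
		}
	}
	return fd;
}

/* Self-check: pass a pipe's write end across a socketpair and write through the copy. 1 = ok. */
int
fd_passing_roundtrip(void)
{
	int sv[2], pfd[2], got = -1, ok = 0;
	char c = 0;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return 0;
	if (pipe(pfd) == -1) {
		close(sv[0]); close(sv[1]);
		return 0;
	}
	if (send_fd(sv[0], pfd[1]) == 0 && (got = recv_fd(sv[1])) != -1) {
		if (write(got, "x", 1) == 1 && read(pfd[0], &c, 1) == 1 && c == 'x')
			ok = 1;
		close(got);
	}
	close(sv[0]); close(sv[1]); close(pfd[0]); close(pfd[1]);
	return ok;
}
```

The receiver deliberately checks both MSG_CTRUNC and the exact cmsg_len before trusting the payload; a privilege-separated process that accepts descriptors from its peer should reject anything of an unexpected shape rather than read past the header.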
|
an extensive discussion with otto, kettenis, millert, and hshoexer
|
ok deraadt
|
<mitja at muzenic dot net>, diff provided already quite some time ago,
many many thanks. This should have gone in months ago but I was slacking,
sorry for that.
|
From Igor Zinovik <zinovik@cs.karelia.ru>
ok hshoexer@
|
glitch introduced by previous commit.
ok markus@
|
is not passed over NFS (unless readdir+ is used). fixes pr 5557
with and ok hshoexer@
|
Cisco IOS and other initiators that only send their certs in response
to CERT_REQUEST.
With input and help from cloder@, Stuart Henderson, mpf@, and several
others who did lots of testing - thanks to all.
ok hshoexer@
|
zinovik@cs.karelia.ru. Thanks!
|
ok millert
|
have to expose the node to the outside.
Without this, conf_trans_node() created a node, linked it into the
conf_trans queue and returned it to the caller. If something failed
in one of the callers, the half-initialized node would still be
linked in the queue and could get accessed later on.
ok hshoexer@
|
ok and prodding @jmc
|
level 30. This was a huge cause of log spam at level 30 and below, and is
really not that useful.
|
mismatch without any log message stating so. This diff makes sure that
all phase 1 negotiation failures due to proposal attribute mismatch are
logged. Also change these messages from LOG_NEGOTIATION debug level 70 to
always be logged (not just with debug).
General idea OK hshoexer, tested here in production.
|
ok jmc@ mpf@
|
both meaningless and harmless. ("nat_t_check_vendor_payload: bad size")
ok todd
|
so we do not leak memory.
ok hshoexer@
|
Otherwise we leak memory.
ok ho@
|
since free(NULL) is just fine.
ok hshoexer@
|
NAT-T is used. Solves problems with cisco and openswan.
Tested by todd@ (cisco interop), ok ho@
Original fix with Stefan Roth (stefan dot roth at siemens dot com),
thanks!
|
ok hshoexer@
|
which already adds the errno string.
o Avoid closing fd, if it's -1.
o Don't replace illegal paths with /dev/null in
m_priv_local_sanitize_path(). All callers skip it
anyway, in the failure case.
ok hshoexer@
|
since it will automatically be appended.
ok hshoexer@
|
with signal 1, since there's no signal 0.
ok hshoexer@
|
if INSECURE_RAND is defined.
ok hshoexer@
|
just specifies the values to be used. However, the specifications
are called "LIFE_MAIN_MODE" and "LIFE_QUICK_MODE".
ok ho@ jmc@
|
key_from_printable() are not fooled into using it
afterwards.
OK hshoexer@
|