| Age | Commit message (Collapse) | Author |
|---|
|
imsgbuf_allow_fdpass where needed.
OK tb@
|
|
OK tb@
|
|
OK tb@
|
|
imsgbuf_init, imsgbuf_clear, imsgbuf_read, imsgbuf_write and imsgbuf_flush.
This separates the imsgbuf API from the per-imsg API.
OK tb@
|
|
OK tb@
|
|
imsg_write() is just a thin wrapper around msgbuf_write(). So this is
mostly search and replace.
OK tb@
|
|
It only handles one imsg type these days, so it doesn't need to peek
into struct imsg at all.
pointed out by & OK tb
|
|
While here use i2s helper function for error logging.
OK tb
|
|
Don't ask the kernel to translate an if_index to a name if we are not
running with verbose logging, it's not free.
|
|
|
|
We are using the ifra_dstaddr for this because it will always be
unused with autoconf addresses since they can't be used on P2P links.
OK bluhm
|
|
OK millert@
|
|
From Stefan R. Filipek, thanks!
|
|
Go ahead florian@ OK tb@
|
|
draft-ietf-6man-slaac-renum-05 and implemented by Linux in 2020.
OK florian@
|
|
if_state_name() and proposal_state_name() are only uesd in log_debug()
calls which are NOOPs in SMALL builds.
Seen with -Wunused-function warnings in distrib/special/slaacd.
OK deraadt
|
|
OK kn
|
|
This brings it in line with dhcpleased(8) as well as what we do for
the default route and DNS proposals.
I missed this when I rewrote the state machine to match
dhcpleased(8).
|
|
It is less cluttered, easier to reason about and fixes some bugs in
passing that would have been difficult in the old state machine.
Stale IPv6 addresses, default routes and nameservers are now correctly
removed when moving from one IPv6 enabled network to another IPv6
enabled network.
Default routes and nameservers correctly expire when they are not
refreshed and nameservers are updated when router advertisements
change the nameserver option.
Testing & input caspar@
Putting it in now to get wider testing and shake out bugs, discussed
with deraadt@ at r2k22.
|
|
|
|
use it for.
|
|
|
|
The length field of a DNS label in the DNS search list option is an 8
bit unsigned value. parse_dnssl() treats the search list option as an
array of char, which are signed on most archs. When we read this value
into an int variable it gets sign extended, allowing it to bypass
sanity checks and eventually we pass it as the length to memcpy which
treats it as a huge unsigned value leading to a heap overflow.
An easy fix would be change the signature of parse_dnssl to
parse_dnssl(uint8_t* data, int datalen).
However, the DNS search list option is unused and the function fails
to check if the parsed value is a valid domain name. The function is
also getting in the way of future work so it's best to just delete it.
The problem was found and reported by qualys, thanks!
OK bluhm
|
|
struct sockaddr_in6. Copy the right amount of data so that we don't
overflow the destination and potentially crash when we receive more
than 7 nameservers.
This is going to be 7.0 errata 014.
OK deraadt
|
|
Form an IPv6 address even if the router announcing the prefix isn't a
default router.
Problem reported by mgraves AT brainfat.net on misc
OK denis
|
|
Otherwise resolvd(8) will never learn nameservers and update
/etc/resolv.conf with IPv6 resolvers.
At the moment IPv6 only installations always prompt for nameservers
anyway, but that is its own bug and will be fixed soon.
This enables the upcoming fix to detect learned nameservers in the
first place.
Feedback OK florian
|
|
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
|
|
switching from chroot("/var/empty") to unveil("/", "").
This is just an extra pair of suspenders since these processes
pledge(2) to not access the filesystem.
OK deraadt
|
|
with "temporary".
|
|
deprecates a prefix by sending a pltime of 0, this is normal.
Continue warning when the pltime is smaller than 5 as this is almost
certainly a configuration error.
Found the hard way by & OK otto.
|
|
Track autoconf and temporary flag individually to be able to support
this.
OK kn
|
|
distrib/special/slaccd is the actual SMALL user but having it build from here
is useful, too; in fact, it showed some more unused variables under SMALL.
OK florian
|
|
Problem reported by deraadt some time ago.
|
|
This allows us to pass the link state over to engine here instead of
in update_addr which is not available in small.
This gets us more in line dhcpleased.
|
|
already in the interface on the engine side.
|
|
|
|
This was too much code in the imsg handler.
|
|
The desync factor is now tracked per temporary IP and the max value
has been increased to about 9 hours.
While here fix a bug where the minimum acceptable pltime in a router
advertisement should be bigger than PRIV_REGEN_ADVANCE not the desync
factor (which didn't make any sense at all).
From Fernando Gont, thanks!
OK sthen
|
|
|
|
ok florian@
|
|
Follows claudio's lead in ospfd et al.
Problem reported by mortimer.
|
|
Problem reported by mortimer
|
|
lifetime. Use this information to renew pltime / vltime of privacy
addresses for up to 1 day / 2 days as RFC 4941.
This is important when announced pltime / vltime is lower than 1 day /
2 days, privacy addresses would have expired too fast.
Spotted after a remark by Fernando Gont on misc@
|
|
if we are using Semantically Opaque Interface Identifiers (soii)
otherwise we would just create the same address again and DAD will
fail again.
|
|
There is probably nothing wrong with calculating a new random value
everytime we create an address, but we are also not gaining anything.
Makes math in upcomming diffs easier.
|
|
(netinet6/nd6.h) we can remove the ND6 prefix.
While here use a MAX_DESYNC_FACTOR of 10 minutes as the RFC specifies.
We are using arc4random_uniform which avoids modulo bias.
|
|
going to renew them. Avoids redundant check for privacy addresses.
|
|
|
|
|
|
|
