| Age | Commit message (Collapse) | Author |
|---|
|
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
|
|
the control socket instead of fatal().
OK deraadt
|
|
switching from chroot("/var/empty") to unveil("/", "").
This is just an extra pair of suspenders since these processes
pledge(2) to not access the filesystem.
OK deraadt
|
|
with "temporary".
|
|
deprecates a prefix by sending a pltime of 0, this is normal.
Continue warning when the pltime is smaller than 5 as this is almost
certainly a configuration error.
Found the hard way by & OK otto.
|
|
Track autoconf and temporary flag individually to be able to support
this.
OK kn
|
|
distrib/special/slaccd is the actual SMALL user but having it build from here
is useful, too; in fact, it showed some more unused variables under SMALL.
OK florian
|
|
"privacy extensions" to "temporary address extensions"
Change ifconfig(8) to output temporary after temporary addresses and
add "temporary" option which is an alias for autoconfprivacy for now.
Also make AUTOCONF6TEMP a positiv flag that is set by default.
Previously the negative flag "INET6_NOPRIVACY" was set when privacy
addresses were disabled. This makes the flags output less ugly and
will allow us to disable autoconf addresses while having temporary
addresses enabled in the future.
More work is needed in slaacd.
input benno, jmc, deraadt
previous verison OK benno
OK jmc, kn
|
|
Problem reported by deraadt some time ago.
|
|
This allows us to pass the link state over to engine here instead of
in update_addr which is not available in small.
This gets us more in line dhcpleased.
|
|
already in the interface on the engine side.
|
|
|
|
This was too much code in the imsg handler.
|
|
The desync factor is now tracked per temporary IP and the max value
has been increased to about 9 hours.
While here fix a bug where the minimum acceptable pltime in a router
advertisement should be bigger than PRIV_REGEN_ADVANCE not the desync
factor (which didn't make any sense at all).
From Fernando Gont, thanks!
OK sthen
|
|
|
|
ok florian@
|
|
pointed out by deraadt
|
|
ok florian@
|
|
Follows claudio's lead in ospfd et al.
Problem reported by mortimer.
|
|
elsewhere and unbreaks -fno-common.
Inspired by claudio
Problem reported by mortimer
|
|
Problem reported by mortimer
|
|
find it again if and when we no longer need it. No object change.
|
|
We only want to recover the scope id if it hasn't already been
recovered.
But we want to always copy the link-local address.
|
|
initialized. If it is set assume the scope was already recovered.
OK bluhm, claudio
|
|
before accessing anything in ifa_addr. florian@ mentioned this might
be a problem in slaacd(8) and rad(8) after claudio@ fixed it in bgpd,
so i went looking...
|
|
cast in front of a strlcpy(3).
tb@ had pointed out that the use in rad(8) was not consistent.
I consider the void cast a useless annotation, either the strl*
functions must have the canonical trucation check or it must be
obvious that truncation cannot happen or is not a problem.
While at it remove a bunch more casts that snuck in over time.
|
|
otherwise we are referencing the wrong one when the rdomain changes.
Sorry for not spotting it earlier.
|
|
code gets copied around; ok florian@
|
|
waited for a FD. It's not a fatal condition if it arrives late.
OK tb
|
|
OK tb
|
|
To avoide code duplication have get_icmp6ev_by_rdomain() either
return an existing icmp6ev in the correct rdomain or allocate one.
OK tb
|
|
lifetime. Use this information to renew pltime / vltime of privacy
addresses for up to 1 day / 2 days as RFC 4941.
This is important when announced pltime / vltime is lower than 1 day /
2 days, privacy addresses would have expired too fast.
Spotted after a remark by Fernando Gont on misc@
|
|
if we are using Semantically Opaque Interface Identifiers (soii)
otherwise we would just create the same address again and DAD will
fail again.
|
|
There is probably nothing wrong with calculating a new random value
everytime we create an address, but we are also not gaining anything.
Makes math in upcomming diffs easier.
|
|
(netinet6/nd6.h) we can remove the ND6 prefix.
While here use a MAX_DESYNC_FACTOR of 10 minutes as the RFC specifies.
We are using arc4random_uniform which avoids modulo bias.
|
|
going to renew them. Avoids redundant check for privacy addresses.
|
|
|
|
|
|
|
|
filters in userland. But the packet type check was placed at the
wrong place so the hoplimit check was done against every icmpv6 packet
but no all of them have a hoplimit constraint.
tested and ok by me, committed on behalf of florian@
|
|
Make setsockopt non-fatal in this case and just ignore the request.
Spotted in a diff by reyk for rad(8); discussed with claudio
|
|
Suggested by claudio and matthieu
Testing matthieu
Putting it in now to get enough testing before release so that there
is enough time to back it out, suggested by deraadt
|
|
the outgoing interface in the source link-layer address ICMPv6 option
instead of the address of the last configured autoconf interface.
It is not the most efficient way to first transform an if_index into
and interface name and then iterate over all addresses but this is
also not in the hot path. Under normal operations slaacd will send
one solicitation when an interface is set to autoconf and then
never again because it will see unsolicitated router advertisements
before addresses expire.
OK kn
|
|
This is the name the other BSDs use for this, there is no reason to
be different, the IPv6 RFCs call these addresses temporary, and some
software in ports wants to use this as well.
Most recently pointed out for firefox by landry.
OK claudio, sthen
|
|
slaacd and unwind start very early in the boot process and syslog is
not fully available yet so these messages tend to get lost.
But they are also not particularly useful.
Prompted by a report by Jason Mader on bugs@
OK deraadt, claudio, bluhm
Note that this code has been copied around to all our privsep daemons
and also lives in usr.sbin. Leave it alone there because multiple people
said they find it useful for those daemons.
|
|
OK tohe
|
|
That way, when slaacd gets started in a different rdomain with
route exec things just work, no need to provide an alternative
control socket.
Pointed out by claudio
Original diff by benno, but I like my bikeshed purple.
OK benno, claudio
|
|
sends router solicitations and receives router advertisements only
from interfaces that are in its own rdomain.
It also only sees interfaces arriving, or departing in its own
rdomain.
However, for the default route there is rdomain cross-talk because
slaacd configures the default route in the default rdomain (and
fails).
Make slaacd honour the rdomain it's running in as well.
OK denis, phessler, benno
|
|
they are used. Nobody in the wider eco system uses these.
While here reduce temporary address valid lifetime to 2 days as per
draft-ietf-6man-rfc4941bis. This should considerably reduce the amount
of addresses configured on an interface - a common complaint.
Original diff from Fernando Gont (fernando AT gont.com.ar), thanks!
Ports tree scanning by sthen@
|
|
ipv6 address, but was actually oversize (a large union). correct access
to the right subfield.
ok florian semarie
|
