Age | Commit message | Author |
|
find the wrong super-block for file systems with 64k block size.
ok visa@
|
|
find the wrong super-block for file systems with 64k block size.
ok visa@
|
|
Macros are expanded by the parser at parse time, whereas variables are
read as ordinary strings and left unmodified; hence, quoted `"$domain"'
gets passed to the daemon as is, which substitutes proper values before
passing it to the kernel. `$domain' without quotes never makes it to
the daemon; that is, with `domain = foo' somewhere else, "foo" is
eventually passed unmodified to the kernel.
jmc prompted for a proper explanation and provided the final wording.
OK tobhe jmc
|
|
which allows us to support additional signing options like PSS
padding in the future.
ok patrick@ markus@
|
|
ok patrick@
|
|
This is somewhat related to the "-b bind_addr" option some programs have,
which should get some cleanup also...
input florian claudio jmc
|
|
-t has already been checked in main() and can only be "blk" or "noblk",
but static analyzers like scan-build fail to spot this. From miod@
|
|
manual pages that document the corresponding configuration files;
OK jmc@, and general direction discussed with many
|
|
tweaks from and ok schwarze@
|
|
number of an SA. This will be useful to test IPsec with NAT-T.
OK sthen@ tobhe@
|
|
/dev/stdin to fake a dhclient.conf file during install. Simplifies and
shortens install.sub code. Allows further restrictions to be applied
to '-c' specified files.
|
|
resulting in a "fatal in resolver: wrong unified cache set on
resolver".
I believe this happens because we are using an UNKNOWN resolving
strategy to resolve queries.
Disable the upgrade logic for now and always construct a fresh
resolver context and set the unified context on it before any cache
gets allocated. This causes a bit of memory churn on startup and when
changing networks, but better than a crashing unwind.
First observed by deraadt
|
|
OK florian@. reads ok benno@
|
|
OK kn@, sashan@, florian@
|
|
Noticed by sebastia@
|
|
okay millert@ schwarze@
|
|
when exiting.
"make sense" deraadt
|
|
Original diff & testing from dtucker@
ok beck@ dtucker@
|
|
command line contents. Display usage() when syntax is incorrect and
relevant error messages when semantic checks fail.
More akin to the way other commands handle the syntax/semantic split.
Idea taken from a larger diff by kn@.
ok kn@
|
|
ok tedu
|
|
and usage();
|
|
Continued emittance noticed by mlarkin@
ok florian@
|
|
The resolving only strategies mess up the negative cache by claiming
DNSSEC related records do not exist which confuses the validating
strategies.
Found the hard way by kn@ and analysed by otto@
OK kn@
|
|
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
|
Change several instances, most of them to the usual -width Ds.
|
|
There is no reason to continue on anchor specific paths if the given
anchor does not exist.
OK sashan
|
|
Missed in previous
|
|
pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.
Extend and rename {pfr -> pf}_strerror() to make error message more
consistent.
There are other occasions as well but those need additional tweaks;
that's stuff for another diff.
OK and rename from sashan
|
|
subjectAltName fields. The new parser code is inspired by
tls_check_subject_altname() from libssl.
ok markus@
|
|
is ignored (the behaviour previously behind -6 is now the default, so if
this flag was used, it can happily be removed).
|
|
with subjectAltName matching srcid, try certificate with
only matching subjectAltName.
ok patrick@
|
|
While code in pf/pfctl confusingly uses either anchor or ruleset
depending on the context, pfctl(8) (both manual and user interface)
should be consistent.
For users there are basically anchors only, so do not imply any
difference between the two terminologies.
OK sashan
|
|
Less nesting for clearer code.
OK sashan
|
|
OK sashan
|
|
OK sashan
|
|
OK kn@
|
|
recursive operation ("pfctl -a '*' ...") works for the '-s' option already. This
change enables the same thing for the '-F' option, so "pfctl -a '*' -Fa" will flush
everything from the PF driver.
The idea was discussed with many on tech@ in spring 2019.
OK kn@
|
|
getaddrinfo(3) may fail for multiple reasons, but the error message should be
unique in general.
OK bluhm
|
|
meant to prevent VPN leakage but repeatedly broke people's
setups. The -6 flag which used to disable the blocking flow is
now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
|
remove unused arguments from ikev2_add_* functions.
ok bluhm@
|
|
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.
ok bluhm@
|
|
- Never accept negative values.
- Cap the interval at UINT_MAX seconds to avoid strange rounding
behavior at the end of the input range.
- Use error messages that resemble other parts of the tree where we
are able to use strtonum(3).
- Leverage modf(3) for cleaner code.
- Call it "-i interval" to avoid accidental visual similarity to
"-w maxwait".
With input from cjeker@, kettenis@, kn@.
ok kn@
|
|
ok bluhm@
|
|
ok claudio phessler deraadt sthen
|
|
This flag is set whenever a timeout is put on the wheel and cleared upon
(a) running, (b) deletion, and (c) readdition. It serves two purposes:
1. Facilitate distinguishing scheduled and rescheduled timeouts. When a
timeout is put on the wheel it is "scheduled" for a later softclock().
If this happens two or more times it is also said to be "rescheduled".
The tos_rescheduled value thus indicates how many distant timeouts
have been cascaded into a lower wheel level.
2. Eliminate false late timeouts. A timeout is not late if it is due
before softclock() has had a chance to schedule it. To track this we
need additional state, hence a new flag.
rprocter@ raises some interesting questions. Some answers:
- This interface is not stable and name changes are possible at a
later date.
- Although rescheduling timeouts is a side effect of the underlying
implementation, I don't foresee us using anything but a timeout wheel
in the future. Other data structures are too slow in practice, so
I doubt that the concept of a rescheduled timeout will be irrelevant
any time soon.
- I think the development utility of gathering these sorts of statistics
is high. Watching the distribution of timeouts under a given workflow
is informative.
ok visa@
|
|
msgbuf. Use the same size algorithm in kernel and userland.
OK cheloha@ guenther@ deraadt@
|