Age | Commit message | Author

Largely following the commit by mckusick in FreeBSD.
ok naddy@
to make sure the negotiated SA matches the selected policy.
ok patrick@
Follows claudio's lead in ospfd et al.
Problem reported by mortimer.
elsewhere and unbreaks -fno-common.
Inspired by claudio
Problem reported by mortimer
Problem reported by mortimer.
Problem reported by mortimer.
Problem reported by mortimer
Follows claudio's lead in ospfd et al.
Problem reported by mortimer.
elsewhere and unbreaks -fno-common.
Inspired by claudio
Problem reported by mortimer
Problem reported by mortimer
ok deraadt
find it again if and when we no longer need it. No object change.
We only want to recover the scope id if it hasn't already been
recovered.
But we want to always copy the link-local address.
initialized. If it is set assume the scope was already recovered.
OK bluhm, claudio
both with and without embedded scope.
OK bluhm@ florian@
not initialized. If it is set assume that the scope was already recovered.
This is required to get rid of all this scope madness in the long run.
OK bluhm@ florian@
The global "tickadj" variable is a remnant of the old NTP adjustment
code we used in the kernel before the current timecounter subsystem
was imported from FreeBSD circa 2004 or 2005.
Fifteen years hence it is completely vestigial and we can remove it.
We probably should have removed it long ago but I guess it slipped
through the cracks. FreeBSD removed it in 2002:
https://cgit.freebsd.org/src/commit/?id=e1d970f1811e5e1e9c912c032acdcec6521b2a6d
NetBSD and DragonflyBSD can probably remove it, too.
We export tickadj via the kern.clockrate sysctl(2), so update sysctl.2
and sysctl(8) accordingly. Hypothetically this change could break
someone's sysctl(8) parsing script. I don't think that's very likely.
ok mvs@
Lifetimes are extended from router advertisements within these limits.
From weerd@
Since we are only serving localhost we could get away with serving
over UDP only because we have a huge MTU on lo0; it's still not
correct behavior.
This also enables sending truncated answers with TC set if the answer
does not fit into the edns announced udp size.
Testing at least by matthieu, jca, otto, phessler
OK phessler
functions.
With this we can filter out DNSSEC RRsets if the client did not ask
for them. We will also be able to send truncated answers to indicate
to the client to switch to tcp. This will be enabled in the next
commit.
Testing at least by matthieu, jca, otto, phessler
OK phessler
the rule did not specify it. Check the option again for the log
rule in case another rule has triggered a socket lookup. Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does. The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@
ok florian@
and move punctuation out of two that are already there
before accessing anything in ifa_addr.
ok claudio@
before accessing anything in ifa_addr. florian@ mentioned this might
be a problem in slaacd(8) and rad(8) after claudio@ fixed it in bgpd,
so i went looking...
before accessing anything in ifa_addr.
ok claudio@
answers we would exit after receiving the first answer and claiming a
(huge) packet loss.
OK benno
after recent fixes.
ok mpi@
For traffic selectors with a keyword on either 'from' or 'to' side,
install flow with address family of the opposite side. If both source
and destination address are keywords, install flows for both address
families.
The 'dynamic' keyword is special as it will only install flows
for the address family of the dynamically assigned address
(specified with the 'config address' option).
ok patrick@
OK florian
Log the query and answer SERVFAIL instead of exiting fatally.
That way we can at least figure out where libunbound goes off the
rail.
OK otto
'ikectl reload'. This prevents initiation of new additional SAs
for each policy every time the config is reloaded.
ok patrick@
ok patrick@
ok bluhm@
This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.
OK sashan sthen
Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in a way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").
Add checks for all ranges and invalidate those that yield no or all ports.
For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.
`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com
OK sashan
ok patrick@
To match all traffic use 0.0.0.0/0 or ::/0.
ok patrick@
OK kn some time ago
has the downside to always copy the maximum IMSG size (about 16k)
between the resolver and frontend process for DNS answers because
we had to keep it as simple as possible.
We can now rearrange things in -current to be less wasteful. This copies
only the usually small DNS answer.
In the unusual case that a DNS answer is larger than the maximum IMSG size
fragment the message and send multiple IMSGs.
upstream.
upstream.
Support for channel reuse of TCP and TLS (DoT) streams should improve
latency when the DoT strategy is used in unwind.
manually mounting a device which is not present in fstab(5) so that
the `-s' flag can be used in this case as well.
ok millert@, deraadt@