duid text was supplied by krw
...after much discussion with jsing and krw
ok krw
remembering which interface dhclient was actually active on.
Requested by deraadt, OK deraadt@, krw@
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which would work,
technically)
ok ryan claudio dlg
the : and uid components out -- otherwise these two programs will work
poorly.
a disklabel UID. Based on a diff from josh@elsasser.org. Resolves PR6471.
ok krw@
uid_print() function.
ok krw@
prompted by reyk
OK reyk
(as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
ok naddy
the initiator chose wrong D-H group. in this case we throw away our
SA and start over with a proper group.
makes iked work as an initiator with strongswan/charon without any
specific "ikesa" (phase 1) configuration.
ok reyk
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually
given label. No change to existing functionality.
ok henning@ claudio@
ok reyk
While here, remove .Xo macros that were ugly workarounds
to deal with groff-1.15 bugs, but are required neither by modern groff
nor by mandoc nor by any documentation we are aware of.
Problem originally noticed by jmc@ running mandoc -Tlint;
patch ok by jmc@.
worded. i think what is there now is clear enough.
- note that -f replaces the current ruleset
based on a diff from Anders Langworthy, but altered by mcbride and henning;
ok henning
NULL before dereferencing. fixes an annoying crash.
ok reyk
ok marco
encryption;
- add additional nonce length field, use that for the ciphers that
require additional keying material;
- setup right flow direction depending on the mode: fixes up iked
working as an initiator against charon.
tested by me and jsg.
ok reyk
correctly; changing keywords.sh still requires manual intervention.
pointed out by sthen@
(more people should know about how to properly use libc-provided tools)
make keywords.h depend upon keywords.sh, so that it gets automatically
rebuilt when keywords.sh is edited
ok claudio@
(verified by both sthen@ and me).
ok sthen@; "just commit it" claudio@
written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!
ok henning@
- zap trailing whitespace
ok millert@
OK jmc
simplify the code and apply some style(9).
Discussed with and ok miod@
machdep.console_device that's only implemented on a few architectures.
ok deraadt@, miod@
when fsck is run against a disklabel UID. This allows a user to determine
which device is really being scanned.
ok krw@
for ccd size, though.
to recursively print anchors with wildcards when not
requested via the command line but in practice only
applied to automatically generated inline anchors
(which don't have wildcards) or when recursion
was requested.
Found by the clang static analyser and behaviour explained
by mcbride@
ok henning@ mcbride@
Semantically equivalent version ok beck@ millert@ and tested ckeuthe@.
"just commit" deraadt@
from otto
a more useful error message for invalid ones. ok deraadt
"I like this" marco@, "Sure" deraadt@
from mikeb
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
"total sectors" to "boundstart" and "boundend" in the list of fields
that are left alone during a RESTORE operation.
ok deraadt@