for the maximum route-id instead of a currently incorrect number
ok claudio@
can now simply use ifconfig wpakey password
ok damien
remainder of the 4.8->4.9 transition, alias wpapsk to wpakey (since
it swings both ways)
ok damien halex tedu
this is not the real solution to PR 6500; claudio is going to fix that
properly in the kernel
ok claudio
found by clang
OK claudio@, krw@
blambert, ok jsg, "seems ok" todd
prodded by deraadt@
"tweak previous" expected... ;-)
so, copy a small bit of logic to make DPD interop with FortiGate function
tested by me, ok mikeb@, silence from 'the usual suspects'
who decided to just do it on their own. henning, mcbride, jsing -- shame
on you -- if you had shown this diff to just 1 other network developer,
the astounding mistake in it would have been noticed. Start practicing
inclusionary development instead of going alone.
ok claudio
has gone many times around now (it is smaller now). man page diff
coming soon. Fits onto the media that need it.
ok halex
by mcbride@.
ok mcbride@ henning@
bug noticed and fix tested by robert
telnet portion partially from the latest heimdal.
ok mikeb@
ok krw@ phessler@
pointed out by kettenis@ and deraadt@
reboots the machine instead of just halting or powering down.
diff from Jonathan Matthew
manpage tweaks from jmc@
ok deraadt@
ok mikeb@
correctly. A zero address field is used to identify divert-reply
rules. If the rule's address family is unspecified, PF_AZERO()
always returns false. So use AF_INET6 as address family, to check
all bits of the address.
ok markus@
route(8) will default to the process rtableid.
route -T 1 exec route add default 192.168.1.1
route -T 1 exec route -n show
These commands will now operate automatically on rtable 1 and not on
rtable 0 as it was done before.
OK henning@
Reminded by jmc@
ok jmc@
There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
convert a long .Op line into a few lines of .Xo ... .Xc. no "binary" change
with mandoc.
by numeric ID in combination with the "-s rules" or "-s labels" options.
For example, this allows you to dump the statistics of a specified rule
only (pfctl -sr -v -R 0).
ok henning@
to actually parse it.
ok reyk
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.
kills a bunch of XXX's and an annoying error from openssl.
also, check a result from CipherUpdate while here.
ok reyk
ikectl(8).
OK deraadt@
duid text was supplied by krw
...after much discussion with jsing and krw
ok krw
remembering which interface dhclient was actually active on.
Requested by deraadt, OK deraadt@, krw@
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg
the : and uid components out -- otherwise these two programs will work
poorly.
a disklabel UID. Based on a diff from josh@elsasser.org. Resolves PR6471.
ok krw@
uid_print() function.
ok krw@
prompted by reyk
OK reyk
(as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
ok naddy
the initiator chose the wrong D-H group. in this case we throw away our
SA and start over with a proper group.
makes iked work as an initiator with strongswan/charon without any
specific "ikesa" (phase 1) configuration.
ok reyk
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually