Age | Commit message | Author

similar settings to prevent double encapsulation.
ok kn@

ok job@ bluhm@ claudio@
job@ tested with 'telnet -6 towel.blinkenlights.nl' on Fibocom L831-EAU on
IIJ MIO's network (Japan), with 'inet6 autoconf' in /etc/hostname.umb0.

find the wrong super-block for file systems with 64k block size.
ok visa@

find the wrong super-block for file systems with 64k block size.
ok visa@

Macros are expanded by the parser at parse time, whereas variables are
read as ordinary strings and left unmodified; hence, quoted `"$domain"'
gets passed to the daemon as is, which substitutes proper values before
passing it to the kernel. `$domain' without quotes never makes it to
the daemon; that is, with `domain = foo' somewhere else, "foo" eventually
gets passed unmodified to the kernel.
jmc prompted for a proper explanation and provided the final wording.
OK tobhe jmc

which allows us to support additional signing options like PSS
padding in the future.
ok patrick@ markus@

ok patrick@

This is somewhat related to the "-b bind_addr" option some programs have,
which should get some cleanup also...
input florian claudio jmc

-t has already been checked in main() and can only be "blk" or "noblk",
but static analyzers like scan-build fail to spot this. From miod@

manual pages that document the corresponding configuration files;
OK jmc@, and general direction discussed with many

tweaks from and ok schwarze@

number of an SA. This will be useful to test IPsec with NAT-T.
OK sthen@ tobhe@

/dev/stdin to fake a dhclient.conf file during install. Simplifies and
shortens install.sub code. Allows further restrictions to be applied
to '-c' specified files.

resulting in a "fatal in resolver: wrong unified cache set on
resolver".
I believe this happens because we are using an UNKNOWN resolving
strategy to resolve queries.
Disable the upgrade logic for now and always construct a fresh
resolver context and set the unified context on it before any cache
gets allocated. This causes a bit of memory churn on startup and when
changing networks, but better than a crashing unwind.
First observed by deraadt

OK florian@. reads ok benno@

OK kn@, sashan@, florian@

Noticed by sebastia@

okay millert@ schwarze@

when exiting.
"make sense" deraadt

Original diff & testing from dtucker@
ok beck@ dtucker@

command line contents. Display usage() when syntax is incorrect and
relevant error messages when semantic checks fail.
More akin to the way other commands handle the syntax/semantic split.
Idea taken from a larger diff by kn@.
ok kn@

ok tedu

and usage();

Continued emittance noticed by mlarkin@
ok florian@

The resolving-only strategies mess up the negative cache by claiming
DNSSEC related records do not exist, which confuses the validating
strategies.
Found the hard way by kn@ and analysed by otto@
OK kn@

the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@

Change several instances, most of them to the usual -width Ds.

There is no reason to continue on anchor specific paths if the given
anchor does not exist.
OK sashan

Missed in previous

pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.
Extend and rename {pfr -> pf}_strerror() to make the error message more
consistent.
There are other occasions as well but those need additional tweaks;
that's stuff for another diff.
OK and rename from sashan

subjectAltName fields. The new parser code is inspired by
tls_check_subject_altname() from libssl.
ok markus@

is ignored (the behaviour previously behind -6 is now the default, so if
this flag was used, it can happily be removed).

with subjectAltName matching srcid, try certificate with
only matching subjectAltName.
ok patrick@

While code in pf/pfctl confusingly uses either anchor or ruleset
depending on the context, pfctl(8) (both manual and user interface)
should be consistent.
For users there are basically anchors only, so do not imply any
difference between the two terminologies.
OK sashan

Less nesting for clearer code.
OK sashan

OK sashan

OK sashan

OK kn@

recursive operation ("pfctl -a '*' ...") works for the '-s' option already. This
change enables the same thing for the '-F' option, so "pfctl -a '*' -Fa" will flush
everything from the PF driver.
The idea was discussed with many on tech@ in spring 2019.
OK kn@

getaddrinfo(3) may fail for multiple reasons, but the error message should be
unique in general.
OK bluhm

meant to prevent VPN leakage but repeatedly broke people's
setups. The -6 flag which used to disable the blocking flow is
now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@

remove unused arguments from ikev2_add_* functions.
ok bluhm@

solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.
ok bluhm@

- Never accept negative values.
- Cap the interval at UINT_MAX seconds to avoid strange rounding
  behavior at the end of the input range.
- Use error messages that resemble other parts of the tree where we
  are able to use strtonum(3).
- Leverage modf(3) for cleaner code.
- Call it "-i interval" to avoid accidental visual similarity to
  "-w maxwait".
With input from cjeker@, kettenis@, kn@.
ok kn@

ok bluhm@

ok claudio phessler deraadt sthen