path: root/sbin
Age         Author
  Commit message
2020-02-21  tobhe
  Add transport mode for child SAs. This is useful for GRE over IPsec and similar settings to prevent double encapsulation. ok kn@
2020-02-18  Gerhard Roth
  Add IPv6 support to umb(4).
  ok job@ bluhm@ claudio@
  job@ tested with 'telnet -6 towel.blinkenlights.nl' on Fibocom L831-EAU on IIJ MIO's network (Japan), with 'inet6 autoconf' in /etc/hostname.umb0.
2020-02-17  Otto Moerbeek
  Do not look for an FFS1 file system at SBLOCK_UFS2. Doing so will find the wrong super-block for file systems with 64k block size. ok visa@
2020-02-16  kn
  Quote variables in pf tag strings
  Macros are expanded by the parser at parse time, whereas variables are read as ordinary strings and left unmodified; hence, quoted `"$domain"' gets passed to the daemon as is, which substitutes proper values before passing it to the kernel. `$domain' without quotes never makes it to the daemon, that is with `domain = foo' somewhere else "foo" is being eventually passed unmodified to the kernel. jmc prompted for a proper explanation and provided the final wording. OK tobhe jmc
2020-02-14  tobhe
  Switch from EVP_SignInit_ex() to the newer EVP_DigestSignInit() which allows us to support additional signing options like PSS padding in the future. ok patrick@ markus@
2020-02-13  tobhe
  Constify "buf" argument in print_hex and print_hexval. ok patrick@
2020-02-11  Theo de Raadt
  Simplify and unify wording for the -I sourceaddr option in various places. This is somewhat related to the "-b bind_addr" option some programs have, which should get some cleanup also... input florian claudio jmc
2020-02-11  Jeremie Courreges-Anglas
  Initialize rejecttype to appease static analyzers
  -t has already been checked in main() and can only be "blk" or "noblk", but static analyzers like scan-build fail to spot this. From miod@
2020-02-10  Ingo Schwarze
  briefly mention /etc/examples/ in the FILES section of all the manual pages that document the corresponding configuration files; OK jmc@, and general direction discussed with many
2020-02-08  Ingo Schwarze
  minor formatting tweak: remove incorrect .Ar and garbage collect .Tn
2020-02-08  Jonathan Gray
  ncheck was in v6
  tweaks from and ok schwarze@
2020-02-07  Alexander Bluhm
  Extend the ipsecctl(8) parser to set the udpencap flag and port number of an SA. This will be useful to test IPsec with NAT-T. OK sthen@ tobhe@
2020-02-02  Kenneth R Westerback
  Tweak dhclient(8) timing defaults depending on SMALL rather than using /dev/stdin to fake a dhclient.conf file during install. Simplifies and shortens install.sub code. Allows further restrictions to be applied to '-c' specified files.
2020-01-28  Florian Obser
  We are not correctly upgrading from "UNKNOWN" to "VALIDATING" resulting in a "fatal in resolver: wrong unified cache set on resolver". I believe this happens because we are using an UNKNOWN resolving strategy to resolve queries. Disable the upgrade logic for now and always construct a fresh resolver context and set the unified context on it before any cache gets allocated. This causes a bit of memory churn on startup and when changing networks, but better than a crashing unwind. First observed by deraadt
2020-01-28  Otto Moerbeek
  Sync with table in editor.c; from Martin <openbsd at academicsolutions dot ch>
2020-01-28  bket
  sbin/unwind: replace TAILQ concatenation loop with TAILQ_CONCAT
  OK florian@. reads ok benno@
2020-01-28  bket
  sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT
  OK kn@, sashan@, florian@
2020-01-26  Kenneth R Westerback
  Don't validate '-c' with S_ISREG(). The install script uses /dev/stdin. Noticed by sebastia@
2020-01-24  Marc Espie
  simplify, no need to make a copy of the filename, pointer is fine
  okay millert@ schwarze@
2020-01-24  YASUOKA Masahiko
  Fix isakmpd monitor process to use the exit status of main process when exiting. "make sense" deraadt
2020-01-24  Kenneth R Westerback
  Allow carp(4) interfaces to be configured via dhcp.
  Original diff & testing from dtucker@ ok beck@ dtucker@
2020-01-23  Kenneth R Westerback
  Separate command line syntax parsing from semantic validation of command line contents. Display usage() when syntax is incorrect and relevant error messages when semantic checks fail. More akin to the way other commands handle the syntax/semantic split. Idea taken from a larger diff by kn@. ok kn@
2020-01-22  Theo de Raadt
  delete wasteful ;;
  ok tedu
2020-01-22  Ted Unangst
  remove semicolons not needed after } statements. ok deraadt
2020-01-21  Jason McIntyre
  use an underscore for -p's argument, rather than hyphen: matches SYNOPSIS and usage();
2020-01-20  Kenneth R Westerback
  Move warning about DHO_STATIC_ROUTES (option 33) to debug.
  Continued emittance noticed by mlarkin@ ok florian@
2020-01-20  Florian Obser
  We can not share a cache between validating and resolving strategies. The resolving only strategies mess up the negative cache by claiming DNSSEC related records do not exist which confuses the validating strategies. Found the hard way by kn@ and analysed by otto@ OK kn@
2020-01-19  Ingo Schwarze
  add some explicit tagging macros; OK kn@ on a previous version
2020-01-16  tobhe
  Add '-p' command line option which allows configuring the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited. ok sthen@
2020-01-16  Ingo Schwarze
  Usually, -width Fl (which is 10n) is too wide and hence ugly. Change several instances, most of them to the usual -width Ds.
2020-01-16  kn
  Fail on missing anchor
  There is no reason to continue on anchor specific paths if the given anchor does not exist. OK sashan
2020-01-15  kn
  Do the actual pfr_strerror() to pf_strerror() rename
  Missed in previous
2020-01-15  kn
  Unify error message for nonexisting anchors
  pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if the specified anchor does not exist. Extend and rename {pfr -> pf}_strerror() to make error message more consistent. There are other occasions as well but those need additional tweaks; that's stuff for another diff. OK and rename from sashan
2020-01-15  tobhe
  Support multiple x509 extensions and extensions with multiple subjectAltName fields. The new parser code is inspired by tls_check_subject_altname() from libssl. ok markus@
2020-01-15  Stuart Henderson
  s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default so if this flag was used, it can happily be removed).
2020-01-15  tobhe
  If we don't find a certificate signed by a trusted CA with subjectAltName matching srcid, try certificate with only matching subjectAltName. ok patrick@
2020-01-15  kn
  Refine error message
  While code in pf/pfctl confusingly uses either anchor or ruleset depending on the context, pfctl(8) (both manual and user interface) should be consistent. For users there are basically anchors only, so do not imply any difference between the two terminologies. OK sashan
2020-01-15  kn
  Merge radix_perror() into simpler warnx()/errx() usage
  Less nesting for clearer code. OK sashan
2020-01-15  kn
  Further document recursive flush behaviour
  OK sashan
2020-01-15  kn
  Print the main ruleset/anchor as "/" not "<root>" for consistency
  OK sashan
2020-01-15  Alexandr Nedvedicky
  Recent change to pfctl(8) prompts for a minor update of manpage. OK kn@
2020-01-15  Alexandr Nedvedicky
  Enable pfctl(8) to recursively flush rules and tables from PF driver. The recursive operation ("pfctl -a '*' ...") works for '-s' option already. This change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush everything from PF driver. The idea was discussed with many on tech@ in spring 2019. OK kn@
2020-01-15  kn
  Replace duplicate error message with gai_strerror(3)
  getaddrinfo(3) may fail for multiple reasons, but error message should be unique in general. OK bluhm
2020-01-14  tobhe
  Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning. ok kn@ bluhm@ phessler@
2020-01-08  tobhe
  Unify duplicate NOTIFY payload construction code in ikev2_add_notify and remove unused arguments from ikev2_add_* functions. ok bluhm@
2020-01-07  tobhe
  Link ESP-SA and IPcomp-SA using GRPSPIS instead of using a self-built solution for multi-SA flows. As a result we only need a single outgoing IPCOMP flow and can get rid of the two extra transport mode flows for ESP. ok bluhm@
2020-01-04  cheloha
  ping(8): improve "-i wait" parsing and error-checking code
  - Never accept negative values.
  - Cap the interval at UINT_MAX seconds to avoid strange rounding behavior at the end of the input range.
  - Use error messages that resemble other parts of the tree where we are able to use strtonum(3).
  - Leverage modf(3) for cleaner code.
  - Call it "-i interval" to avoid accidental visual similarity to "-w maxwait".
  With input from cjeker@, kettenis@, kn@. ok kn@
2019-12-28  tobhe
  Refactor child SA cleanup. ok bluhm@
2019-12-27  Stefan Sperling
  Fix ifconfig WPA key installation with max allowed length SSIDs. ok claudio phessler deraadt sthen