Age | Commit message | Author |

passed all checks.
ok patrick@
This NOTIFY payload is not encrypted, remove check.
ok patrick@
ok patrick@
Found by csszep <csszep (at) gmail (dot) com>
ok patrick@
by socket(2). They also receive all ICMP packets on the system, for
example from parallel running ping(8)s.
After creating the raw socket ping(8) sets various socket options with
setsockopt(2) and assumes that they apply to all packets it later
processes.
For example ping6(8) uses setsockopt(IPV6_RECVHOPLIMIT) to print the
IPv6 hop count. Packets received between the socket(2) and
setsockopt(2) call however do not have the hoplimit information and
ping6(8) prints a wrong and misleading warning.
To avoid this we have to drain our socket of packets we received
before we were fully setup.
Problem reported and testing by martijn
Input deraadt
OK benno
ok markus@
in fact modify the string buffer.
ok kn@ sashan@
OK kn@, input from claudio@
make sure there is enough space for the non truncated hash output.
Reply to INFORMATIONAL messages with AUTHENTICATION_FAILED before deleting
the SA.
ok markus@
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.
ok patrick@
an AUTH payload and the policy does not use EAP authentication.
ok patrick@
freeing it is a no-op.
Leak detected by my experimental malloc leak detector. ok florian@
ok patrick@
Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.
There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.
Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.
Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.
Discussed with claudio and bluhm at k2k20.
Feedback sashan
OK sashan yasuoka claudio
filesystems. From FreeBSD. ok millert@
Fixes duplicate AUTH payload detection.
ok patrick@
0 is not a valid type and triggers undesired edge cases.
ok patrick@
ok patrick@
ok patrick@
which was reverting a change made in 1.03
bioctl -d is "detaching" and not "deleting" a volume
ok markus@
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.
ok patrick@
from the IKE header of fragment #1, not the first received fragment.
ok patrick@
From <piotr (at) durlej (dot) net>. Thanks!
ok patrick@
filters in userland. But the packet type check was placed in the
wrong place, so the hoplimit check was done against every icmpv6 packet,
but not all of them have a hoplimit constraint.
tested and ok by me, committed on behalf of florian@
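The two ICMPv6 receive-path points above, draining a raw socket of packets that arrived before its options were set (the ping6(8) message) and applying the hop-limit constraint only to the ICMPv6 types that actually carry one (the message just above), as one added C example. This is example code written for this page, not OpenBSD's ping(8), rad(8) or slaacd(8) source. It assumes a Linux/glibc host; the raw ICMPv6 socket needs root, so main() and the test use a datagram socketpair with constructed "stale" messages as a stand-in, and the ancillary data is built by hand in the same shape the kernel produces after IPV6_RECVHOPLIMIT is enabled. The names drain_socket, recv_hoplimit, ndp_hoplimit_ok, set_hoplimit_cmsg and open_icmp6_raw are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/icmp6.h>

/*
 * Drain every datagram already queued on fd.  Called right after the
 * socket options are set: anything that arrived between socket(2) and
 * setsockopt(2) carries no IPV6_HOPLIMIT ancillary data and must not be
 * parsed as if the options had applied to it.  Returns the number of
 * datagrams discarded, or -1 on an unexpected error.
 */
int drain_socket(int fd)
{
	char buf[2048];
	int n = 0;

	for (;;) {
		ssize_t r = recv(fd, buf, sizeof(buf), MSG_DONTWAIT);
		if (r >= 0) {
			n++;
			continue;
		}
		if (errno == EAGAIN || errno == EWOULDBLOCK)
			return n;
		if (errno == EINTR)
			continue;
		return -1;
	}
}

/* Hop limit from the IPV6_HOPLIMIT cmsg of a received message, or -1 if
 * the kernel attached none (exactly the "received too early" case). */
int recv_hoplimit(struct msghdr *msg)
{
	struct cmsghdr *cm;

	for (cm = CMSG_FIRSTHDR(msg); cm != NULL; cm = CMSG_NXTHDR(msg, cm)) {
		if (cm->cmsg_level == IPPROTO_IPV6 &&
		    cm->cmsg_type == IPV6_HOPLIMIT &&
		    cm->cmsg_len >= CMSG_LEN(sizeof(int))) {
			int hl;
			memcpy(&hl, CMSG_DATA(cm), sizeof(hl));
			return hl;
		}
	}
	return -1;
}

/*
 * Only the Neighbor Discovery messages (RFC 4861) require hop limit 255;
 * every other ICMPv6 type, echo replies included, may legitimately arrive
 * with any hop limit.  Dispatching on the type first is the point of the
 * fix above: the constraint is per type, not for every ICMPv6 packet.
 * Returns 1 if the packet passes, 0 if it must be dropped.
 */
int ndp_hoplimit_ok(uint8_t icmp6_type, int hoplimit)
{
	switch (icmp6_type) {
	case ND_ROUTER_SOLICIT:
	case ND_ROUTER_ADVERT:
	case ND_NEIGHBOR_SOLICIT:
	case ND_NEIGHBOR_ADVERT:
	case ND_REDIRECT:
		return hoplimit == 255;
	default:
		return 1;
	}
}

/* Constructed ancillary data: one IPV6_HOPLIMIT cmsg in cbuf, the shape
 * the kernel delivers once IPV6_RECVHOPLIMIT is on (example helper). */
void set_hoplimit_cmsg(struct msghdr *msg, void *cbuf, size_t cbuflen, int hl)
{
	struct cmsghdr *cm;

	memset(cbuf, 0, cbuflen);
	msg->msg_control = cbuf;
	msg->msg_controllen = cbuflen;
	cm = CMSG_FIRSTHDR(msg);
	cm->cmsg_level = IPPROTO_IPV6;
	cm->cmsg_type = IPV6_HOPLIMIT;
	cm->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cm), &hl, sizeof(int));
	msg->msg_controllen = CMSG_SPACE(sizeof(int));
}

/* Open a raw ICMPv6 socket the way ping6(8) does, then drain it before
 * any packet is trusted.  Needs root/CAP_NET_RAW; returns -1 otherwise. */
int open_icmp6_raw(void)
{
	int on = 1;
	int fd = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);

	if (fd < 0)
		return -1;
	/* Packets queued before this call have no hop-limit cmsg attached. */
	if (setsockopt(fd, IPPROTO_IPV6, IPV6_RECVHOPLIMIT, &on, sizeof(on)) < 0 ||
	    drain_socket(fd) < 0) {
		close(fd);
		return -1;
	}
	return fd;
}

int main(void)
{
	int sv[2], fd;

	/* Constructed stand-in for the raw socket: three messages queued
	 * before the reader has finished setting up. */
	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
		return 1;
	(void)write(sv[1], "a", 1);
	(void)write(sv[1], "b", 1);
	(void)write(sv[1], "c", 1);
	printf("drained %d stale datagrams\n", drain_socket(sv[0]));
	printf("RA, hop limit 64: %s\n",
	    ndp_hoplimit_ok(ND_ROUTER_ADVERT, 64) ? "accept" : "drop");
	printf("echo reply, hop limit 64: %s\n",
	    ndp_hoplimit_ok(ICMP6_ECHO_REPLY, 64) ? "accept" : "drop");
	fd = open_icmp6_raw();
	if (fd >= 0) {
		printf("raw ICMPv6 socket ready and drained\n");
		close(fd);
	} else
		printf("raw ICMPv6 socket unavailable: %s\n", strerror(errno));
	close(sv[0]);
	close(sv[1]);
	return 0;
}
```

The drain uses MSG_DONTWAIT rather than a separate poll(2) so it never blocks on an idle socket and stops on the first EAGAIN; on a real raw socket shared with other ping processes the count it returns is simply how many foreign packets were sitting there.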
ok kn
the replacement.
ok markus@
ok markus@
config. work with and diff from kn
ok kn
cases.
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is still special, but this fits a lot better into
the overall architecture.
Tested with iOS, Strongswan and Windows
ok patrick@ sthen@
request. The locally configured request is used as fallback to find a
certificate or key to send. The local auth method for MSCHAP-V2 should
be IKEV2_AUTH_SIG_ANY, which defaults to X509 certificates, instead of
raw rsa keys.
Tested with Strongswan, iPhone and Windows
Found by and ok sthen@
ok patrick@
sufficient space to display v4 addresses cleanly, but which truncate v6
addresses. The -n flag on each already provides additional column width
for IPv6 addresses. Make this formatting the default.
OK phessler kn
OK kettenis@
Make setsockopt non-fatal in this case and just ignore the request.
Spotted in a diff by reyk for rad(8); discussed with claudio
Suggested by claudio and matthieu
Testing matthieu
Putting it in now to get enough testing before release so that there
is enough time to back it out, suggested by deraadt
resolvers.
OK kn
the CERTREQ is found, don't wait for more requests.
Correctly set type if cert was found as fallback.
ok patrick@