Age | Commit message | Author |
|
|
|
Since only leaf queues can have packets assigned to them,
H-FSC requires the user specified root queue to have a
parent. To simplify userland tools and the configuration
interface, the kernel can be leveraged to set it up.
ok henning
|
|
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb
|
|
checking, make somaxconn and sominconn unsigned.
Issue reported by orge on freenode, thanks!
Input, patient explanations and ok deraadt, millert.
|
|
Public key authentication uses public key files that are stored in the
/etc/iked/pubkeys/ directory where the IKE IDs are encoded as filenames.
This does not simply work with ASN1_DNs where the IDs include slashes
and other special characters. Instead of breaking and failing when an
ASN1_DN is configured, simply skip the public key lookup but allow
it to be used with certificates or PSKs.
Reported and fix tested by Igor V. Gubenko - Thanks.
|
|
sync usage() with SYNOPSIS;
|
|
and do not try to do all the documenting in SYNOPSIS/usage();
ok deraadt
|
|
the key of the state.
ok sasha
|
|
commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@
|
|
around for two releases, it should be safe to do so.
ok bluhm deraadt sthen tb yasuoka
|
|
ok otto
|
|
remove condition for static linking; ok tb@
|
|
sanity improvements reyk@ recently put into dhcrelay to ensure no more than
the captured packet is processed.
|
|
had it correct. Don't BPF_WORDALIGN() the value for the number of
bytes read() into the buffer. This could theoretically cause the
processing of 1 - 3 more bytes than were read.
|
|
Remove -Werror to give code a greater chance of building.
ok deraadt@ florian@
|
|
flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@
|
|
See RFC 5996, section 2.23, NAT Traversal:
In the case of a mismatching NAT_DETECTION_DESTINATION_IP hash, it
means that the system receiving the NAT_DETECTION_DESTINATION_IP
payload is behind a NAT and that system SHOULD start sending
keepalive packets as defined in [UDPENCAPS].
With markus@, ok reyk@
|
|
scanning the used inode map. The code as written assumes inosused
is signed but this is no longer the case. OK deraadt@
|
|
group related functions in kroute.c together and comment them a bit.
No intentional functional change.
|
|
priv_write_resolv_conf() and move the latter into kroute.c
with all its priv_ friends.
No intentional functional change.
|
|
i.e. open FILE during program set up and use the FILE created for
the rest of the program lifetime after dropping privilege and
pledge()'ing. No need for passing messages to the priv process.
Tweak lease file handling a bit in passing.
Monitoring the -L file with external programs like sysutils/entr
still works.
Looks good to sthen@.
|
|
ok mikeb
|
|
unsigned.
While there, fix a whitespace issue.
OK deraadt@
|
|
win.
No intentional functional change.
|
|
'int' -> 'unsigned int' (and vice versa) where obvious.
Steal a couple of 'unsigned' -> u_int32_t from reyk@'s dhcrelay
tweaks.
No intentional functional change.
|
|
strlcat(). Shorter, clearer, fewer signed vs unsigned questions.
Use an 8K static buffer for pretty_print_classless() and use it
rather than scribbling intermediate values into the final destination.
No intentional functional change.
|
|
strlcat(). Shorter, clearer, fewer signed vs unsigned questions.
Shrink static buffer for the string version of an option value from
32K to 8K. Since the string version of the entire lease is constructed
in an 8K buffer, bigger option values are pointless.
Use 8K of the saved space for a static buffer for pretty_print_string()
and use it rather than scribbling intermediate values into the final
destination.
No intentional functional change.
|
|
change.
|
|
changes needed (yet).
|
|
usage every time we think of a new way to use this;
-= bits from anton lindqvist
ok tb tom
|
|
i've omitted hunk 3 of his diff, as what's there now is correct;
ok mikeb
|
|
Replaces forcing interface link state down and up to generate
RTM_IFINFO messages.
|
|
are. Track and use the actual lengths and use memcpy()/memcmp()
instead of strcmp()/strdup().
|
|
OK deraadt@, millert@
|
|
be used to return the final size of the parsed (i.e. un-vis'ed)
string. Use same, plus memcpy() to ensure entire final string is
copied to intended destination even if there are embedded NULs.
|
|
Push the un-vising up to parse_string(). This allows both the actual
string and the un-vised version to be available as desired. Use
memcpy() instead of strdup() to copy un-vised string since it may
legitimately contain NUL.
|
|
some logic.
|
|
Started by, and ok, deraadt@
|
|
"expecting a string". Things other than filenames are parsed here.
|
|
to make sure we do not run ikev2_msg_cleanup() on an uninitialized stack
variable.
ok deraadt@ reyk@
|
|
This is currently only visible in debug mode (e.g. iked -dvv), some
debug messages will be turned into regular warnings later.
OK claudio@ deraadt@
|
|
This lets us configure explicit old-style RSA again.
OK mikeb@
|
|
iked starts sending keepalive messages after authentication and after
successfully completing the handshake. Other implementations, like
we've seen on Microsoft Azure, start sending keepalive messages right
after receiving the first SA_INIT message when they set up the key
material, even before we received the SA_INIT response to complete the
DH exchange. The solution is to ignore early keepalive messages
before we're ready to encrypt our response, in the transition between
SA_INIT and AUTH. The peer should still accept one or more missed
keepalives.
OK mikeb@
|