Age | Commit message | Author |
|
ok florian@
|
|
and move punctuation out of two that are already there
|
|
before accessing anything in ifa_addr.
ok claudio@
|
|
before accessing anything in ifa_addr. florian@ mentioned this might
be a problem in slaacd(8) and rad(8) after claudio@ fixed it in bgpd,
so i went looking...
|
|
before accessing anything in ifa_addr.
ok claudio@
|
|
answers we would exit after receiving the first answer and claiming a
(huge) packet loss.
OK benno
|
|
after recent fixes.
|
|
ok mpi@
|
|
For traffic selectors with a keyword on either 'from' or 'to' side,
install flow with address family of the opposite side. If both source
and destination address are keywords, install flows for both address
families.
The 'dynamic' keyword is special as it will only install flows
for the address family of the dynamically assigned address
(specified with the 'config address' option).
ok patrick@
|
|
OK florian
|
|
Log the query and answer SERVFAIL instead of exiting fatally.
That way we can at least figure out where libunbound goes off the
rail.
OK otto
|
|
|
|
'ikectl reload'. This prevents initiation of new additional SAs
for each policy every time the config is reloaded.
ok patrick@
|
|
ok patrick@
|
|
|
|
ok bluhm@
|
|
This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.
OK sashan sthen
|
|
Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in a way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").
Add checks for all ranges and invalidate those that yield no or all ports.
For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.
`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com
OK sashan
|
|
|
|
ok patrick@
|
|
To match all traffic use 0.0.0.0/0 or ::/0.
ok patrick@
|
|
OK kn some time ago
|
|
has the downside to always copy the maximum IMSG size (about 16k)
between the resolver and frontend process for DNS answers because
we had to keep it as simple as possible.
We can now rearrange things in -current to be less wasteful. This copies
only the usually small DNS answer.
In the unusual case that a DNS answer is larger than the maximum IMSG size
fragment the message and send multiple IMSGs.
|
|
upstream.
|
|
upstream.
|
|
Support for channel reuse of TCP and TLS (DoT) streams should improve
latency when the DoT strategy is used in unwind.
|
|
manually mounting a device which is not present in fstab(5) so that
the `-s' flag can be used in this case as well.
ok millert@, deraadt@
|
|
when an invalid option name is encountered.
|
|
transforms are not supported.
ok patrick@
|
|
issue noticed by sthen@. fix discussed with bluhm@ and procter@
OK bluhm@, kn@, procter@
|
|
fatal() immediately when parsing command line option '-c' reveals a non-existent
file.
Original diff, tweaks & ok kn@
|
|
ok patrick@
|
|
file.
Original diff, tweaks & ok kn@
|
|
ok patrick@
|
|
|
|
ok markus@
|
|
otherwise the wrong rules might be skipped, e.g. if you have
policies with different listen addresses that are not sorted
by address family.
ok patrick@
|
|
|
|
cast in front of a strlcpy(3).
tb@ had pointed out that the use in rad(8) was not consistent.
I consider the void cast a useless annotation, either the strl*
functions must have the canonical truncation check or it must be
obvious that truncation cannot happen or is not a problem.
While at it remove a bunch more casts that snuck in over time.
|
|
get_routefd() and set_user().
|
|
get out of sync with the peer and the peer would keep on using the
expired SA because the lifetime is not negotiated.
ok patrick@
|
|
to assign the same 'config address' when an IKESA is negotiated with the
DSTID of an existing IKESA. The original IKESA will be closed and the
address will be transferred to the new IKESA.
ok patrick@
|
|
otherwise we are referencing the wrong one when the rdomain changes.
Sorry for not spotting it earlier.
|
|
code gets copied around; ok florian@
|
|
specifying multiple pools, make ikev2_cp_setaddr() iterate over
the pools to find a matching address.
ok patrick@
|
|
waited for a FD. It's not a fatal condition if it arrives late.
OK tb
|
|
OK tb
|
|
To avoid code duplication have get_icmp6ev_by_rdomain() either
return an existing icmp6ev in the correct rdomain or allocate one.
OK tb
|
|
|
|
internal structure reflecting the interface into a function that in turn
calls simple helper functions to do the different actions involved.
Simplifies the overly lengthy main(), correctly starts the state machine
with the state of the interface link as DOWN when IFF_UP is 0, tests
more initialization actions when '-n' is used.
|