Age | Commit message | Author |
|
instead return "unknown".
OK beck@
|
|
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@
|
|
Our tree is now 1.1G big.
ok florian@, sure deraadt@
|
|
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@
|
|
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.
ok sthen@
tweaks from jmc@
tested by a handful
|
|
and lease_[expiry|rebind|renewal]() functions.
|
|
renewal value.
|
|
lease_expiry() and lease_renewal(). Simplifies logic and upcoming
changes.
|
|
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]
OK bluhm@
|
|
OK bluhm@
|
|
OK bluhm@
|
|
calculate the value when required for a particular lease.
|
|
also some minor tweaks while here...
|
|
wall clock time, not length of lease time.
|
|
use, always recalculate offer expiry time based on the information in
the original offer.
|
|
Makes it easier to check live status of complex setups.
ok hshoexer@
|
|
dhclient.leases and the 'offered' lease generated by -L. i.e. the
times contained in the actual offer, and not the 'effective' times
that reflect changes imposed by dhclient.conf or -i.
|
|
ok bluhm@
|
|
'[1 - 0] [1]' can no longer return '1'.
Issue reported by Alexi Malinin via bugs@. Thanks!
|
|
able to disable OCSP without restarting iked.
ok beck@ sthen@
|
|
bug reported and fix tested by Leonardo Guardati
OK bluhm@
|
|
by such misconfigured DHCP servers.
Original diff from and ok krw@, ok sthen@
|
|
Issue reported by Alexi Malinin via bugs@. Thanks!
|
|
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb
|
|
renew/rebind/expiry. Treat renew/rebind/expiry statements in leases as
comments for human consumption.
|
|
termination issue that can arise when parsing IP options.
The bug was found by Hrvoje Popovski with ping -R.
Fix tested by Hrvoje, OK millert@
|
|
From Klemens Nanni.
ok markus@
|
|
Instead of the full point, only the X point is included.
The member g_xy is always the shared secret but so far its buffer has
been allocated using the size of the public points. Since this is a
different size now, as the shared secret for EC Groups should only store
the x point, we need another member to specify the length of g_xy.
Since this is a backwards incompatible change older isakmpds won't be
able to negotiate if you use EC groups. Bump the version of our own
vendor tag so peers can try to keep compatibility based on the presented
tag. This could be used to implement backwards compatibility to
older isakmpds.
Prompted by and ok mpi@
|
|
tunneled packets, otherwise every packet between the gateways will
be sent into the tunnel (e.g. ICMP, too).
ok markus@
|
|
received. Set it in packet_to_lease() and preserve it in
apply_defaults(). Otherwise not used, documented or printed in lease
database yet.
|
|
integers.
|
|
remove it
ok phessler@ beck@
|
|
something is seriously wrong.
|
|
duplicate offers for other addresses, so that the fastest
responding and presumably 'closest' DHCP server is used.
|
|
Install the default route with mpath flag.
OK mpi
|
|
fopen()'ing the file with a mode of "a" (so watchers don't detect
changes until the file is re-written as part of interface
configuration) but using rewind() to start writing from the beginning
of the file.
Use ftruncate() and overwrite the data as intended, rather than
appending new data.
Problem reported and diffs tested by Mike via tech@. Thanks!
|
|
from Jesper Wallin.
|
|
lost while applying the diff. This means sanid could be passed
uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
could try to release a pointer which is essentially stack garbage.
While there I realized that the bzero() in the loop is essentially
fatal, since every mismatch leads to a silent leak of ibufs. Since
ca_x509_subjectaltname_cmp() releases and initializes the passed
iked_id, we can safely call it multiple times after initializing
sanid once before the loop.
ok markus@
|
|
ok jmc@ tb@
|
|
is none or until we find one that matches.
ok markus@
|
|
Instead of the full point, only the X point is included. Unfortunately
this is a backwards incompatible change, so older ikeds won't be
compatible with this change. Of course only if you use ECP. Anyway, this
change makes us follow the RFC correctly.
ok markus@
|
|
ok visa@, markus@
|
|
ok mpi@
|
|
"do {} while (1)".
|
|
emitted when other unsigned 32-bit values are parsed. i.e.
"expecting integer between 0 and 4294967295". No need to
make people google what "unsigned 32-bit decimal value" means.
|
|
declarations and placing 'lease' declarations inside
'interface' declarations.
Document and enforce requirement that all 'lease'
declarations must specify the interface to which they
apply.
Ignore static leases that apply to other interfaces rather
than complaining the interface name is wrong and using the
lease anyway.
|
|
into the 0/1 for success world.
|