path: root/sbin
Age | Commit message | Author
2006-10-10 | fgets(3) returns NULL on error, not 0. No functional change, but it makes the code easier to read. OK deraadt | Chad Loder
2006-10-06 | Print 'flags any' correctly and handle anchors. | Ryan Thomas McBride
2006-10-06 | 'no state' should only be printed on pass rules, though. | Ryan Thomas McBride
2006-10-06 | Print out 'no state' when the rule is not stateful. | Ryan Thomas McBride
2006-10-06 | Oops, flags S/SA doesn't work on fragments. | Ryan Thomas McBride
2006-10-06 | Make 'flags S/SA keep state' the implicit for filter rules, based on a suggestion from dhartmei@. Also add 'flags any' and 'no state' options to disable flag matching and stateful filtering respectively. IMPORTANT NOTE: Current rulesets will continue to load, but the behaviour may be slightly changed as these defaults are more restrictive. If you are purposefully filtering statelessly ('no state') or have a requirement to create states on intermediate packets ('flags any') you should update your ruleset to make use of the new keywords to explicitly request the behaviour. Note that creation of states from intermediate packets in a connection is not recommended, and will increasingly cause problems as more OSs enable window scaling and increase buffer sizes by default. ok dhartmei@ deraadt@ henning@ | Ryan Thomas McBride
2006-10-05 | Reword sentence to fix grammar nit. ok jmc@ | Tom Cosgrove
2006-10-04 | sort the smartoffline subcommands; | Jason McIntyre
2006-10-04 | DIAGNOSTICS -> CAVEATS because: 1) this section discusses caveats, not diagnostics 2) DIAGNOSTICS is not standard for section 1 ok grange | Jason McIntyre
2006-10-03 | move the advice about smart, readattr, and sec* to before the command list, since it doesn't make sense to put these in any one single command description (nor indeed to repeat them for every command); ok grange | Jason McIntyre
2006-10-03 | provide a summary of the available commands, since there's a ton of them; | Jason McIntyre
2006-10-03 | put the command list into some semblance of order; | Jason McIntyre
2006-10-02 | various tweaks to smarten this page up a bit; | Jason McIntyre
2006-10-02 | standard EXAMPLES; | Jason McIntyre
2006-10-02 | simplify SYNOPSIS and sync usage(); | Jason McIntyre
2006-09-30 | Don't use uninitialized variable. From Peter Philipp <peter underscore philipp at freenet dot de>. OK deraadt@. | Ray Lai
2006-09-30 | Clear errno before calling the strtol functions. From Paul Stoeber <x0001 at x dot de1 dot cc>. OK deraadt@. | Ray Lai
2006-09-29 | add a new section header, since DESCRIPTION is getting so large... | Jason McIntyre
2006-09-29 | make it clearer what needs to be run, and how; push manual keying down the list; move the rc stuff from ipsecctl to ipsec.conf; ok hshoexer | Jason McIntyre
2006-09-27 | Oops. Missed a line. Fix so disklabel(8) compiles again. | Kenneth R Westerback
2006-09-26 | Zap D_REMOVABLE flag from disklabel. If you didn't already know that floppies and cd's were removable, displaying that fact in disklabel output was unlikely to help. And the display in disklabel was the only use of D_REMOVABLE in the tree. ok marco@ | Kenneth R Westerback
2006-09-26 | a better description of what our automatic keying example is up to; ok hshoexer | Jason McIntyre
2006-09-24 | Eliminate D_CHAIN, D_ECC and D_RAMDISK flags from disklabel. They were not being used in the tree for anything obviously useful. Get it done early so we can find if there are non-obvious uses out there. ok deraadt@ beck@ | Kenneth R Westerback
2006-09-24 | No point in checking for a NULL ifi after we've used it. Plus ifi is set once in main() and used everywhere without further checks. From Matthew R. Dempsky via tech@ | Kenneth R Westerback
2006-09-22 | Remove lfs_cleanerd and mount_lfs | Pedro Martelletto
2006-09-22 | - document which parts need to be packet filtered, and why - move example ruleset into a more logical order - correct the if-bound example (spotted by hshoexer) help/ok markus hshoexer | Jason McIntyre
2006-09-22 | typo in err(); from bret.lambert@gmail.com, thanks! | Hans-Joerg Hoexer
2006-09-21 | Those were supposed to go away... | Pedro Martelletto
2006-09-21 | Remove newlfs, okay weingart@ deraadt@ | Pedro Martelletto
2006-09-20 | remove references to bad144(8) man page; | Jason McIntyre
2006-09-20 | -.Xr dumplfs 8 , | Jason McIntyre
2006-09-20 | Remove dumplfs, okay millert@ miod@ | Pedro Martelletto
2006-09-19 | sort SAs by spi; ok hshoexer | Markus Friedl
2006-09-19 | Use S_IS* macros instead of masking with S_IF* flags. The latter may have multiple bits set, which leads to surprising results. Spotted by/partly from Paul Stoeber, more to come. ok ho@ miod@ hshoexer@ | Otto Moerbeek
2006-09-18 | KNF and clean some trailing white spaces, no binary change. | Hans-Joerg Hoexer
2006-09-17 | correct mode for open(). | Marc Balmer
2006-09-15 | reorganise the sections to make more sense; ok hshoexer ho | Jason McIntyre
2006-09-15 | clarification; | Jason McIntyre
2006-09-15 | add in filtering rules to allow keying daemons to talk; help/ok markus | Jason McIntyre
2006-09-15 | Remove "Delete-SAs" config option. This was needed for interaction with sasyncd(8). Now sasyncd(8) controls isakmpd(8) regarding SA deletion so this option is obsolete. ok mpf jmc | Hans-Joerg Hoexer
2006-09-14 | simplify an example. ok jmc@ | Hans-Joerg Hoexer
2006-09-13 | use "proto ipencap" for the gateway filter rules; pointed out by msf; explained by markus | Jason McIntyre
2006-09-12 | note that enc traffic is unencrypted; from mpf | Jason McIntyre
2006-09-12 | no need to Xr isakmpd.conf.5; | Jason McIntyre
2006-09-12 | add a section on packet filtering ipsec traffic; input henning markus mcbride ok mcbride hshoexer | Jason McIntyre
2006-09-11 | improvements for `local', `peer', and `psk'; ok hshoexer | Jason McIntyre
2006-09-11 | - document how to set ipsec stuff running at boot - remove hazy tcp md5 blurb ok hshoexer | Jason McIntyre
2006-09-11 | - sort options - no need for .Pp between list items | Jason McIntyre
2006-09-09 | point people towards ipsec.conf.5; after some discussion w/ reyk ok hshoexer reyk | Jason McIntyre
2006-09-07 | note that we can filter ipsec traffic on the enc interface; | Jason McIntyre