| Age | Commit message (Collapse) | Author |
|---|
|
|
|
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
|
Change several instances, most of them to the usual -width Ds.
|
|
There is no reason to continue on anchor specific paths if the given
anchor does not exist.
OK sashan
|
|
Missed in previous
|
|
pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.
Extend and rename {pfr -> pf}_strerror() to make error message more
consistent.
There are other occasions as well but those need additional tweaks;
that's stuff for another diff.
OK and rename from sashan
|
|
subjectAltName fields. The new parser code is inspired by
tls_check_subject_altname() from libssl.
ok markus@
|
|
is ignored (the behaviour previously behind -6 is now the default so if
this flag was used, it can happily be removed.
|
|
with subjectAltName matching srcid, try certificate with
only matching subjectAltName.
ok patrick@
|
|
While code in pf/pfctl confusingly uses either anchor or ruleset
depending on the context, pfctl(8) (both manual and user interface)
should be consistent.
For users there are basically anchors only, so do not imply any
difference between the two terminologies.
OK sashan
|
|
Less nesting for clearer code.
OK sashan
|
|
OK sashan
|
|
OK sashan
|
|
OK kn@
|
|
recursive operation ("pfctl -a '*' ...") works for '-s' option already. This
change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush
everything from PF driver.
The idea was discussed with many on tech@ in spring 2019.
OK kn@
|
|
getaddrinfo(3) may fail for multiple reasons, but error message should be
unique in general.
OK bluhm
|
|
meant to prevent VPN leakage but repeatedly broke people's
setups. The -6 flag which used to disable the blocking flow is
now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
|
remove unused arguments from ikev2_add_* functions.
ok bluhm@
|
|
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.
ok bluhm@
|
|
- Never accept negative values.
- Cap the interval at UINT_MAX seconds to avoid strange rounding
behavior at the end of the input range.
- Use error messages that resemble other parts of the tree where we
are able to use strtonum(3).
- Leverage modf(3) for cleaner code.
- Call it "-i interval" to avoid accidental visual similarity to
"-w maxwait".
With input from cjeker@, kettenis@, kn@.
ok kn@
|
|
ok bluhm@
|
|
ok claudio phessler deraadt sthen
|
|
This flag is set whenever a timeout is put on the wheel and cleared upon
(a) running, (b) deletion, and (c) readdition. It serves two purposes:
1. Facilitate distinguishing scheduled and rescheduled timeouts. When a
timeout is put on the wheel it is "scheduled" for a later softclock().
If this happens two or more times it is also said to be "rescheduled".
The tos_rescheduled value thus indicates how many distant timeouts
have been cascaded into a lower wheel level.
2. Eliminate false late timeouts. A timeout is not late if it is due
before softclock() has had a chance to schedule it. To track this we
need additional state, hence a new flag.
rprocter@ raises some interesting questions. Some answers:
- This interface is not stable and name changes are possible at a
later date.
- Although rescheduling timeouts is a side effect of the underlying
implementation, I don't forsee us using anything but a timeout wheel
in the future. Other data structures are too slow in practice, so
I doubt that the concept of a rescheduled timeout will be irrelevant
any time soon.
- I think the development utility of gathering these sorts of statistics
is high. Watching the distribution of timeouts under a given workflow
is informative.
ok visa@
|
|
msgbuf. Use the same size algorithm in kernel and userland.
OK cheloha@ guenther@ deraadt@
|
|
ub_event_pluggable.c instead of ub_event.c.
( https://github.com/NLnetLabs/unbound/issues/99 )
We have been the odd one out, so switch to ub_event_pluggable, too.
|
|
The bind might fail if another daemon is running while the
control socket opening will succeed.
Then we end up with an overwritten control socket, unwind exiting
and no control socket to the already running unwind.
Found the hard way by deraadt
OK deraadt, mestre, kn, pamela
|
|
the path sanitizer in the privsep parent. Bring back the checks
in a way that works with new realpath(3).
tested and OK hshoexer@
|
|
ok jmc@
|
|
https://github.com/NLnetLabs/unbound/issues/99
ub_ctx_delete would free the passed in event_base leading to
use-after-free since libunbound never allocated the memory and
unwind expects to continue using the event_base.
|
|
Heavy lifting by sthen with updating in-tree unbound(8).
|
|
testing by otto & pamela as part of a larger diff
|
|
testing by otto & pamela as part of a larger diff
|
|
unwind can share caches between strategies.
testing by otto & pamela as part of a larger diff
|
|
Fixes a bug on file systems using the rev1 inode structure where
the size of the in-memory and on-disk dinode differ.
From Chris Waddey; OK deraadt@
|
|
provided. Restores behaviour previously provided by the default
dhclient.conf.
|
|
|
|
ipv6 address, but was actually oversize (a large union). correct access
to the right subfield.
ok florian semarie
|
|
recursor. Also change strategy to not fetch addresses of nameservers
pro-actively, it does not help a lot in typical unwind setups and
consumes resources we would like to spend on actual resolving user
queries. ok florian@
|
|
|
|
- check if this is an answer to a still running query up front,
if not there is nothing more to do
- get rid of the retry case, we can now just inline it
- reduce indent by always calculating elapsed time for DOUBT_NXDOMAIN_SEC
Triggered by, input and OK otto
|
|
|
|
|
|
|
|
|
|
Also add some consistentcy checking to detect logic errors. ok @florian
|
|
All optimizations work on actual rules; if there are none, return early.
While here, tell which ruleset/anchor is being optimized to make the debug
message actually useful.
OK mikeb
|
|
Unfortunately this required a fair amount of deck chair shuffling.
Input & OK otto
|
|
|
|
ENOENT. In this case, try to open(2) the path. Then a non-existing
file will be created, but a missing directory component still causes
an error. This fixes isakmpd(8) IKE pcap file creation.
from hshoexer@
|
|
Remove references when deleting the SA, otherwise we trigger a
use-after-free.
ok markus@
|
