path: root/sbin
Age         Author
            Commit message

2003-05-18  Hakan Olsson
    Forgot to remove a couple of debug messages

2003-05-18  Hakan Olsson
    struct sockaddr is not large enough in itself to contain the address
    value. Switching to sockaddr_storage makes interface rescanning work
    properly. niklas@ ok.

2003-05-18  Hakan Olsson
    More isakmpd privsep work. X509 private keys are now kept in the
    privileged process only. Various cleanup and bugfixes. markus@ ok

2003-05-18  Hakan Olsson
    Sysdep for native Linux IPSec, 2.5 and later. From Thomas Walpuski,
    with various tweaks by me. niklas@ ok.

2003-05-17  Hakan Olsson
    Better return codes from mm_send_fd and mm_receive_fd

2003-05-17  Hakan Olsson
    Use log_error(), not log_fatal().
    Style.

2003-05-17  Jason McIntyre
    tweak;
    ok ho@

2003-05-17  Daniel Hartmeier
    Fix proxy related output.

2003-05-17  Ryan Thomas McBride
    A little bugfix. We want pfioc_states, not pfioc_state.
    ok henning@

2003-05-17  Henning Brauer
    support inverse matching on tags like
        block in ! tagged sometag
    ok dhartmei@ pb@

2003-05-16  Hakan Olsson
    If the "Renegotiate-on-HUP" tag is defined in the [General] section, a
    HUP signal (or "R" to the FIFO) will also renegotiate all Phase 2 SAs,
    i.e. all connections. ok niklas@, tested and ok kjell@.

2003-05-16  Daniel Hartmeier
    TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
    'synproxy state' for TCP connections. pf will complete the TCP
    handshake with the active endpoint before passing any packets to the
    passive endpoint, preventing spoofed SYN floods from reaching the
    passive endpoint. No additional memory requirements, no cookies needed,
    random initial sequence numbers, uses the existing sequence number
    modulators to translate packets after the handshakes. ok frantzen@

2003-05-15  Jun-ichiro itojun Hagino
    make getifaddrs(3) a default, as all BSDs have it by now

2003-05-15  Henning Brauer
    properly complain about too long tags

2003-05-15  Hakan Olsson
    Correct a two year old typo, which might actually make
    setsockopt(..., IP_IPSEC_LOCAL_AUTH, ...) start working.

2003-05-15  Hakan Olsson
    Cleanup. Do not store the private key in either the exchange or sa
    structs.

2003-05-15  Hakan Olsson
    Work around some OpenSSL BIO "features" to read the key correctly.

2003-05-15  Hakan Olsson
    Proper exit of the monitor process.

2003-05-15  Hakan Olsson
    wait() for the child process

2003-05-15  Hakan Olsson
    Start of privilege separation for isakmpd.
    There are some kinks left, so keep it default disabled for now.
    markus@ says ok to commit.

2003-05-15  Hakan Olsson
    (c)

2003-05-14  Mike Frantzen
    add scrub modifier "reassemble tcp" to turn on stateful TCP
    normalizations
    ok henning@ dhartmei@

2003-05-14  Kjell Wooding
    properly terminate debug string (levels >=40)
    Use "%.*s" as suggested by Niklas. ok ho@. Lost by kjell. oked ho@.
    lost by kjell again. oked ho@

2003-05-14  Hakan Olsson
    Remove the .if/.endif stuff that gmake does not understand.
    Replace with a comment about needing keynote for policy.

2003-05-14  Henning Brauer
    tagging on binat

2003-05-14  Henning Brauer
    enabled tagging on rdr rules

2003-05-14  Hakan Olsson
    Call the FreeS/WAN sysdep 'freeswan'. The 'linux' sysdep will be native
    Linux IPSec.

2003-05-14  Hakan Olsson
    Default public key directory definition sanity.

2003-05-14  Hakan Olsson
    Policy file default defined twice, kill the local copy.

2003-05-14  Hakan Olsson
    Fix a typo (in unused code).

2003-05-14  Hakan Olsson
    I did not test this enough. Unbreak.

2003-05-14  Can Erkin Acar
    pflogd now uses the new pflog link type. Trying to append to an
    existing old-style logfile will fail. Move away old log files.
    ok henning@ dhartmei@ frantzen@

2003-05-14  Chad Loder
    Minor format string correctness.
    OK deraadt, ian darwin

2003-05-14  Miod Vallat
    The ramdac's hater club is proud to present yet another new SBus frame
    buffer driver, this time for the Southland Media Systems (now Quantum
    3D) MGX and MGXPlus cards. Not complete, but a good start.

2003-05-14  Henning Brauer
    with tag/tagged given, only whine about missing keep state on pass
    rules

2003-05-14  Mike Frantzen
    allow SCRUB rules to specify protocol again. broken sometime in the
    past.
    okie dhartmei@, yay pb@

2003-05-14  Henning Brauer
    tags on nat rules:
        nat on $ext_if all tag humppa -> $ext_if
        pass out tagged humppa keep state

2003-05-14  Michael Shalayeff
    gotta xref boot_hppa from here

2003-05-14  Jun-ichiro itojun Hagino
    move ETHERTYPE_xx declarations to <net/ethertypes.h>. meets netbsd
    practice.
    deraadt ok

2003-05-14  Jean-Francois Brousseau
    Add the -q flag to suppress all output when setting a variable
    with -w
    ok jsyn@, millert@

2003-05-14  Henning Brauer
    print the redirection target for nat/rdr/binat slightly later.
    no functional difference (yet)

2003-05-13  Henning Brauer
    make sure tagging is only ever used with stateful filter rules

2003-05-13  Henning Brauer
    correct rule printing

2003-05-13  Henning Brauer
    userland part for tagging.
    it's now possible to tag packets with an arbitrary tag and filter based
    on that tag later on other interfaces:
        pass in quick on fxp0 keep state tag blah
        pass out quick on wi0 keep state with tag blah
    can be used to express trust between interfaces, to distinguish
    between NATed connections and connections originating from the
    firewall itself and much more
    ok dhartmei@ frantzen@ pb@ mcbride@

2003-05-12  Ted Unangst
    update for mount args change

2003-05-12  Ted Unangst
    update for mount args changes

2003-05-12  Hakan Olsson
    Update with some data for NAT-T specific payload types, IKEv2
    notifications, ISAKMP EAP code and types, plus fix an old typo.

2003-05-12  Hakan Olsson
    AES -> AES_128_CBC

2003-05-12  Hakan Olsson
    Add two more encapsulation types (UDP encap, potential future NAT-T).
    Add BLOCK_SIZE attribute.
    Rename IPSEC_ESP_AES -> IPSEC_ESP_AES_128_CBC.

2003-05-12  Daniel Hartmeier
    Adaptive timeout value scaling. Allows reducing timeout values as the
    number of state table entries grows, so entries time out faster before
    the table fills up. Works both globally and per-rule. ok frantzen@