Age | Commit message (Collapse) | Author |
|
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.
|
|
IPv6 symbols were there rather than in netinet/in.h, and now not only is
unnecessary but also could create problems (see PR library/781).
|
|
|
|
|
|
|
|
|
|
|
|
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.
|
|
|
|
|
|
DEFBADDYNAMICPORTS_TCP and DEFBADDYNAMICPORTS_UDP to be
overridden from the kernel. It's not really too useful
since there is a nice sysctl interface for this stuff.
|
|
overridden via kernel config file.
|
|
a bitmask configurable via sysctl([38]). The default values
have not changed. If one wants to change the list it should
be done early on in /etc/rc.
|
|
|
|
"... Allow the user to nominate one of three ranges of port numbers as
candidates for selecting a local address to replace a zero port number.
The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg)
call. The three ranges are: default, high (to bypass firewalls) and
low (to get a port below 1024).
The default and high port ranges are sysctl settable under sysctl
net.inet.ip.portrange.* [net.inet.ip.portfirst, net.inet.ip.portlast,
net.inet.ip.porthifirst, and net.inet.ip.porthilast currently in OpenBSD.]
This code also fixes a potential deadlock if the system accidently ran out
of local port addresses. It'd drop into an infinite while loop.
The secure port selection (for root) should reduce overheads and increase
reliability of rlogin/rlogind/rsh/rshd if they are modified to take
advantage of it."
|
|
|
|
|