Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
use the the presence of this tag to reverse the match order in
in{6}_pcblookup_listen(). Some daemons (such as portmap) do a double
bind, binding to both * and localhost in order to differentiate local
from non-local connections, and potentially granting more privilege to
local ones. This change ensures that redirected connections to localhost
do not appear local to such a daemon.
Bulk of changes from dhartmei@, some changes markus@
ok dhartmei@ deraadt@
|
|
with either in(6)_pcbhashlookup() or in(6)_pcblookup_listen();
in_pcblookup is now only used by bind(2); speeds up pcb lookup for
listening sockets; from Claudio Jeker
|
|
from >1000K cpu cycles to 20-30K for 18000 sockets on i386;
test+feedback by Claudio Jeker; ok itojun@;
[make sure you rebuild netstat/systat, too]
|
|
rescinded 22 July 1999. Proofed by myself and Theo.
|
|
|
|
|
|
behavior changes:
- two iocts used by ndp(8) are now obsolete (backward compat provided).
use sysctl path instead.
- lo0 does not get ::1 automatically. it will get ::1 when lo0 comes up.
|
|
needed on socket tear-down.
|
|
|
|
|
|
|
|
are not taken into consideration in anything just yet.
|
|
|
|
|
|
can cheaply keep copies of them at the PCB. ok deraadt@
|
|
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.
Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.
|
|
|
|
add in6_clearscope. sync better with kame
|
|
makes upgrades/code sharing much easier.
|
|
we don't support IPv4 mapped address,
and there are inconsistent bit manipulation code so it's safer to nuke them.
|
|
|
|
fragment message when doing path mtu discovery. okay angelos@
|
|
flag delayed to ip_output(). That halves the code and reduces most of
the route lookups. okay deraadt@
|
|
IPv4/v6 so the separation should make more sense.
TODO: remove IPv6 case from udp_output()
TODO: remove/comment out/#if 0 IPv4 mapped address cases
|
|
|
|
dynamically in order to reserve it for sendmail.
|
|
|
|
|
|
this would ease us implement future COMPAT_*BSD.
(sync with kame tree)
|
|
|
|
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.
GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).
|
|
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.
|
|
IPv6 symbols were there rather than in netinet/in.h, and now not only is
unnecessary but also could create problems (see PR library/781).
|
|
|
|
|
|
|
|
|
|
|
|
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.
|
|
|
|
|
|
DEFBADDYNAMICPORTS_TCP and DEFBADDYNAMICPORTS_UDP to be
overridden from the kernel. It's not really too useful
since there is a nice sysctl interface for this stuff.
|
|
overridden via kernel config file.
|
|
a bitmask configurable via sysctl([38]). The default values
have not changed. If one wants to change the list it should
be done early on in /etc/rc.
|
|
|
|
"... Allow the user to nominate one of three ranges of port numbers as
candidates for selecting a local address to replace a zero port number.
The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg)
call. The three ranges are: default, high (to bypass firewalls) and
low (to get a port below 1024).
The default and high port ranges are sysctl settable under sysctl
net.inet.ip.portrange.* [net.inet.ip.portfirst, net.inet.ip.portlast,
net.inet.ip.porthifirst, and net.inet.ip.porthilast currently in OpenBSD.]
This code also fixes a potential deadlock if the system accidently ran out
of local port addresses. It'd drop into an infinite while loop.
The secure port selection (for root) should reduce overheads and increase
reliability of rlogin/rlogind/rsh/rshd if they are modified to take
advantage of it."
|
|
|