Age | Commit message (Collapse) | Author |
|
Information: http://netweb.usc.edu/pim/
From Pavlin Radoslavov <pavlin@icir.org>
ok deraadt@ brad@
|
|
style as vlan(4). carp interfaces no longer require the physical interface
to be on the same subnet as the carp interface, or even that the physical
interface has an address at all, so CARP can now be used on /30 networks.
ok deraadt@ henning@
|
|
ok henning@
|
|
user visible changes:
- you can add multiple routes with same key (route add A B then route add A C)
- you have to specify gateway address if there are multiple entries on the table
(route delete A B, instead of route delete A)
kernel change:
- radix_node_head has an extra entry
- rnh_deladdr takes extra argument
TODO:
- actually take advantage of multipath (rtalloc -> rtalloc_mpath)
|
|
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network, i.e., a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
|
Allows multiple hosts to share an IP address, providing high availability
and load balancing.
Based on code by mickey@, with additional help from markus@
and Marco_Pfatschbacher@genua.de
ok deraadt@
|
|
rescinded 22 July 1999. Proofed by myself and Theo.
|
|
adapted from netbsd. okay angelos@
|
|
rediraccept allows one to ignore ICMP_REDIRECT
redirtimeout sets a timeout on the routing entries pertaining to
ICMP_REDIRECT, this timeout is defaulted to 10 minutes. (same as ipv6)
From NetBSD.
millert@ ok
|
|
enable ipcomp via sysctl to use it. deraadt@ ok.
|
|
against active tdb and store the ipsec header size corrected mtu
|
|
licence in a way that makes ipf not free according to the rules we
established over 5 years ago, at www.openbsd.org/goals.html (and those
same basic rules govern the other *BSD projects too). Specifically,
Darren says that modified versions are not permitted. But software
which OpenBSD uses and redistributes must be free to all (be they
people or companies), for any purpose they wish to use it, including
modification, use, peeing on, or even integration into baby mulching
machines or atomic bombs to be dropped on Australia. Furthermore, we
know of a number of companies using ipf with modification like us, who
are now in the same situation, and we hope that some of them will work
with us to fill this gap that now exists in OpenBSD (temporarily, we
hope).
|
|
it is to be friendly with postfix daemon-to-daemon communication
(not 100% sure which behavior is correct, specwise). patch similar to netbsd.
|
|
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.
Good to be in Canada (land of the free commits).
|
|
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.
|
|
ip4_input().
Requested from: Niels Provos <provos@citi.umich.edu>
|
|
changes). Also, minor cleanup in in_proto.c
|
|
(outer=IPv4 case). tested with (inner=IPv6, outer=IPv4) case.
BUG ALERT: in_gif_output() assumes too much about ipe4_output()'s behavior.
I mean, "tdb" is configured with certain knowledge about ipe4_output()'s
behavior.
|
|
encapsulation.
|
|
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.
GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
brought in soon).
|
|
handling that was re-using ipv4_input() instead of using ip4_input()
from netinet/ip_ip4.c
|
|
Fix a panic case in the MROUTING code too. Drop M_TUNNEL support, nothing
ever uses it.
|
|
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.
|
|
support, when IPSEC is compiled in. The default is disabled. Turn on with:
sysctl -w net.inet.ip4.allow=1
***Only*** do this if you really know what you are doing!
This control does not control the tunnel modes of ESP and AH.
|
|
pfkeyv2.
|
|
instead of ipip_input() whenever possible, it seems more stable.
|
|
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reported by
Petr Novak <petr@internet.cz>.
|
|
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
|
|