src - OpenBSD base system

Age	Commit message (Collapse)	Author
2001-03-28	Allow tdbi's to appear in mbufs throughout the stack; this allows	Angelos D. Keromytis
	security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) does weird things with mbufs.
2001-03-25	A couple minor fixes to prevent use after free. Thanks to dawson and team ↵	Constantine Sapuntzakis
	for finding these. Ok angelos@
2001-03-18	enable pmtu by default	Niels Provos

2001-03-03	on parse error of timestamp option, set parameter error offset correctly.	Jun-ichiro itojun Hagino

2001-03-03	drop packets with 127.0.0.0/8 in header field, if the packet is from outside.	Jun-ichiro itojun Hagino
	under RFC1122 sender rule 127.0.0.8 must not appear on the wire. count incidents by ipstat.ips_badaddr. sync with kame
2000-12-03	Fix fastroute-related panic, fixes PR 1541 (cas@trans-nt.com)	Angelos D. Keromytis

2000-10-13	make sure we don't share external mbuf between m and mcopy, in ip_forward().	Jun-ichiro itojun Hagino
	NetBSD PR 11201.
2000-09-22	fix my bug dating back to february the 14th of 1998,	Michael Shalayeff
	when those wildcard interfaces came up, which were usefull at the times. on the other hand here it is, one cannot bind to the broadcast address, and angelos says ok.
2000-09-19	Lots and lots of changes.	Angelos D. Keromytis

2000-09-18	Path MTU discovery based on NetBSD but with the decision to use the DF	Niels Provos
	flag delayed to ip_output(). That halves the code and reduces most of the route lookups. okay deraadt@
2000-05-15	parse IPv4 options more carefully. make boundary checks against every	Jun-ichiro itojun Hagino
	steps (including option type/length field - there were no checks, seems to me 4.4BSD bug)
2000-05-10	make sure ip_timestamp is aligned correctly	Jason Wright

2000-05-06	avoid underflow on unsigned value arithmetic (when optlen < 4).	Jun-ichiro itojun Hagino
	2nd half of NetBSD Security Advisory 2000-002.
2000-05-06	avoid unaligned access in timestamp; ↵	Theo de Raadt
	http://www.newhackcity.net/advisories/20000504a_0.txt; checked by provos and itojun
2000-04-09	Pass ip_off and ip_len in the correct byte order to icmp_error(); this	Angelos D. Keromytis
	should fix the crash problems with isic, reported last week.
2000-04-04	Verbiage fix.	Angelos D. Keromytis

2000-03-27	As I threatened a while ago, ingress IPsec ACL-checking is turned on	Angelos D. Keromytis
	by default. Read the ipsecadm(8) man page for more details on how to specify ingress filters with manual keying. isakmpd has been doing this for a while now.
2000-03-03	remove WIDE's experimental ip reass code, mistakingly merged in partially.	Jun-ichiro itojun Hagino
	NetBSD PR: 9412 Fix from: ho@crt.se
2000-01-10	Add 10 new ipsec-related sysctl variables...they are currently under	Angelos D. Keromytis
	net.inet.ip; perhaps they should be moved under net.inet.ipsec or some such.
2000-01-10	Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the	Angelos D. Keromytis
	amount of time embryonic SAs will be kept before they have to be initialized by key management (this only affects automated key management).
2000-01-09	Rename newly-introduced variable to better reflect use.	Angelos D. Keromytis

2000-01-09	Add a sysctl for IPsec ingress access control (better explanation on a	Angelos D. Keromytis
	follow-up commit).
1999-12-08	bring in KAME IPv6 code, dated 19991208.	Jun-ichiro itojun Hagino
	replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support. see sys/netinet6/{TODO,IMPLEMENTATION} for more details. GENERIC configuration should work fine as before. GENERIC.v6 works fine as well, but you'll need KAME userland tools to play with IPv6 (will be bringed into soon).
1999-11-29	Make sure M_BCAST is set for IP broadcasts, even if the packet came in as	Hakan Olsson
	an ethernet unicast. (cmetz@, niklas@ ok.)
1999-09-25	line not needed	Theo de Raadt

1999-09-23	fix same-interface-out-as-in and packet gets corrupted bug noted by	Theo de Raadt
	james@oaktree.co.uk by re-working icmp embedded-packet code so that ip_forward() m_copy()-aliased packet can be forwarded to ip_output and icmp_error() safely, because no packet tweaking is needed before calling icmp_error()
1999-04-23	dont accept packets with the destination address of a down interface;	Niels Provos
	proff@netbsd.org.
1999-04-12	move encdebug to a useful place	Theo de Raadt

1999-04-11	Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.	Niklas Hallqvist
	If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too.
1999-02-21	split ipintr() to create new ipv4_input() for tunnels; NRL	Theo de Raadt

1999-02-19	ipq locking	Theo de Raadt

1999-02-17	add fragment flood protection; configureable using sysctl ip.maxqueue	Theo de Raadt

1998-12-28	ensure the ip packet embedded inside an icmp packet has correct ip_len,	Theo de Raadt
	ip_off, ip_id. for udp, also correct uh_sum. ip_sum is still set to 0; (all this debugged using nmap)
1998-12-26	make ip_id random but ensure that ids dont repeat for some period.	Niels Provos

1998-11-13	Recompute ip header length after packet has been reassembled, and also	Niels Provos
	use the actual header length for m_pullup, pointed out by jdb@es2.net and guido@freebsd.org.
1998-05-18	first step to the setsockopt/getsockopt interface as described in	Niels Provos
	draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
1998-02-14	wildcard ifaces; finally, after HE said it's ok	Michael Shalayeff

1998-02-03	bail out for sourcerouted packets earlier, also do not forward	Theo de Raadt
	sourcerouted packets ever if ipforwarding is off; tqbf@secnet.com
1998-02-01	undo wildcard loopback stuff; it was not checked by other developers	Theo de Raadt

1998-02-01	support wildcard loopbacks. that is, setting up lo1 like:	Michael Shalayeff
	ifconfig lo1 inet 192.168.1.1 netmask 255.255.255.0 link1 would force it to act like all the addresses from net 192.168.1 were added to the interface. todo: man lo
1997-08-09	The list of tcp/udp ports not to allocate dynamically is now	Todd C. Miller
	a bitmask configurable via sysctl([38]). The default values have not changed. If one wants to change the list it should be done early on in /etc/rc.
1997-02-28	IPsec socket API hooks are in.	Angelos D. Keromytis

1997-02-22	Fixed problem in ip_weadvertise().	Angelos D. Keromytis

1997-02-22	ICMP redirects will not be sent if we do proxy arp pointing to ourselves.	Angelos D. Keromytis

1997-02-13	off-by-one-slot for IP timestamp option data inserts, PR#103, ↵	Theo de Raadt
	andreas.gunnarsson@emw.ericsson.se
1997-02-11	ensure ipt->ipt_ptr is right; pr#96, andreas.gunnarsson@emw.ericsson.se	Theo de Raadt

1997-01-26	Make ip_len and ip_off unsigned values; don't transmit or accept packets	Thorsten Lockert
	larger than the maximum IP packet size. From NetBSD.
1996-10-27	record route is not a problem; thanks bitblt	Theo de Raadt

1996-10-18	Do not run IP defragmentation routines unneccecarily; NetBSD PR# 2772	Thorsten Lockert

1996-09-02	Don't drain the protocol queues at interrupt level.	dm