src - OpenBSD base system

Age	Commit message (Collapse)	Author
2000-05-15	parse IPv4 options more carefully. make boundary checks against every	Jun-ichiro itojun Hagino
	steps (including option type/length field - there were no checks, seems to me 4.4BSD bug)
2000-05-10	make sure ip_timestamp is aligned correctly	Jason Wright

2000-05-06	avoid underflow on unsigned value arithmetic (when optlen < 4).	Jun-ichiro itojun Hagino
	2nd half of NetBSD Security Advisory 2000-002.
2000-05-06	avoid unaligned access in timestamp; ↵	Theo de Raadt
	http://www.newhackcity.net/advisories/20000504a_0.txt; checked by provos and itojun
2000-04-09	Pass ip_off and ip_len in the correct byte order to icmp_error(); this	Angelos D. Keromytis
	should fix the crash problems with isic, reported last week.
2000-04-04	Verbiage fix.	Angelos D. Keromytis

2000-03-27	As I threatened a while ago, ingress IPsec ACL-checking is turned on	Angelos D. Keromytis
	by default. Read the ipsecadm(8) man page for more details on how to specify ingress filters with manual keying. isakmpd has been doing this for a while now.
2000-03-03	remove WIDE's experimental ip reass code, mistakingly merged in partially.	Jun-ichiro itojun Hagino
	NetBSD PR: 9412 Fix from: ho@crt.se
2000-01-10	Add 10 new ipsec-related sysctl variables...they are currently under	Angelos D. Keromytis
	net.inet.ip; perhaps they should be moved under net.inet.ipsec or some such.
2000-01-10	Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the	Angelos D. Keromytis
	amount of time embryonic SAs will be kept before they have to be initialized by key management (this only affects automated key management).
2000-01-09	Rename newly-introduced variable to better reflect use.	Angelos D. Keromytis

2000-01-09	Add a sysctl for IPsec ingress access control (better explanation on a	Angelos D. Keromytis
	follow-up commit).
1999-12-08	bring in KAME IPv6 code, dated 19991208.	Jun-ichiro itojun Hagino
	replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support. see sys/netinet6/{TODO,IMPLEMENTATION} for more details. GENERIC configuration should work fine as before. GENERIC.v6 works fine as well, but you'll need KAME userland tools to play with IPv6 (will be bringed into soon).
1999-11-29	Make sure M_BCAST is set for IP broadcasts, even if the packet came in as	Hakan Olsson
	an ethernet unicast. (cmetz@, niklas@ ok.)
1999-09-25	line not needed	Theo de Raadt

1999-09-23	fix same-interface-out-as-in and packet gets corrupted bug noted by	Theo de Raadt
	james@oaktree.co.uk by re-working icmp embedded-packet code so that ip_forward() m_copy()-aliased packet can be forwarded to ip_output and icmp_error() safely, because no packet tweaking is needed before calling icmp_error()
1999-04-23	dont accept packets with the destination address of a down interface;	Niels Provos
	proff@netbsd.org.
1999-04-12	move encdebug to a useful place	Theo de Raadt

1999-04-11	Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.	Niklas Hallqvist
	If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too.
1999-02-21	split ipintr() to create new ipv4_input() for tunnels; NRL	Theo de Raadt

1999-02-19	ipq locking	Theo de Raadt

1999-02-17	add fragment flood protection; configureable using sysctl ip.maxqueue	Theo de Raadt

1998-12-28	ensure the ip packet embedded inside an icmp packet has correct ip_len,	Theo de Raadt
	ip_off, ip_id. for udp, also correct uh_sum. ip_sum is still set to 0; (all this debugged using nmap)
1998-12-26	make ip_id random but ensure that ids dont repeat for some period.	Niels Provos

1998-11-13	Recompute ip header length after packet has been reassembled, and also	Niels Provos
	use the actual header length for m_pullup, pointed out by jdb@es2.net and guido@freebsd.org.
1998-05-18	first step to the setsockopt/getsockopt interface as described in	Niels Provos
	draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
1998-02-14	wildcard ifaces; finally, after HE said it's ok	Michael Shalayeff

1998-02-03	bail out for sourcerouted packets earlier, also do not forward	Theo de Raadt
	sourcerouted packets ever if ipforwarding is off; tqbf@secnet.com
1998-02-01	undo wildcard loopback stuff; it was not checked by other developers	Theo de Raadt

1998-02-01	support wildcard loopbacks. that is, setting up lo1 like:	Michael Shalayeff
	ifconfig lo1 inet 192.168.1.1 netmask 255.255.255.0 link1 would force it to act like all the addresses from net 192.168.1 were added to the interface. todo: man lo
1997-08-09	The list of tcp/udp ports not to allocate dynamically is now	Todd C. Miller
	a bitmask configurable via sysctl([38]). The default values have not changed. If one wants to change the list it should be done early on in /etc/rc.
1997-02-28	IPsec socket API hooks are in.	Angelos D. Keromytis

1997-02-22	Fixed problem in ip_weadvertise().	Angelos D. Keromytis

1997-02-22	ICMP redirects will not be sent if we do proxy arp pointing to ourselves.	Angelos D. Keromytis

1997-02-13	off-by-one-slot for IP timestamp option data inserts, PR#103, ↵	Theo de Raadt
	andreas.gunnarsson@emw.ericsson.se
1997-02-11	ensure ipt->ipt_ptr is right; pr#96, andreas.gunnarsson@emw.ericsson.se	Theo de Raadt

1997-01-26	Make ip_len and ip_off unsigned values; don't transmit or accept packets	Thorsten Lockert
	larger than the maximum IP packet size. From NetBSD.
1996-10-27	record route is not a problem; thanks bitblt	Theo de Raadt

1996-10-18	Do not run IP defragmentation routines unneccecarily; NetBSD PR# 2772	Thorsten Lockert

1996-09-02	Don't drain the protocol queues at interrupt level.	dm

1996-08-14	ipaddrs are int; like many other things found after spotting a similar ↵	Theo de Raadt
	netbsd commit...
1996-08-02	Allow viewing of net.inet.ip.sourceroute in secure mode	Thorsten Lockert

1996-07-29	From FreeBSD (with slightly different sysctl names):	Jason Downs
	"... Allow the user to nominate one of three ranges of port numbers as candidates for selecting a local address to replace a zero port number. The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg) call. The three ranges are: default, high (to bypass firewalls) and low (to get a port below 1024). The default and high port ranges are sysctl settable under sysctl net.inet.ip.portrange.* [net.inet.ip.portfirst, net.inet.ip.portlast, net.inet.ip.porthifirst, and net.inet.ip.porthilast currently in OpenBSD.] This code also fixes a potential deadlock if the system accidently ran out of local port addresses. It'd drop into an infinite while loop. The secure port selection (for root) should reduce overheads and increase reliability of rlogin/rlogind/rsh/rshd if they are modified to take advantage of it."
1996-07-18	ipfilter 3.1.0	dm

1996-05-07	from NetBSD PR#2296:	Michael Shalayeff
	Laine Stump: some icmp destination unreachable packets contain garbage.
1996-04-21	partial sync with netbsd 960418, more to come	Theo de Raadt

1996-03-09	restored IP filtering	dm

1996-03-03	From NetBSD: 960217 merge	Niklas Hallqvist

1996-01-25	IP filter 3.0.1	dm

1996-01-07	from beurton@fnet.fr: Darren Reed's IP filter	dm