| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2001-05-05 | Check that SAs also match on the credentials and the IDs. This means | Angelos D. Keromytis | |
| that flows with different source/destination ID requirements will cause different SAs to be established by IKE (or whatever other protocol). Also, use the new data types for allocated memory. | |||
| 2001-05-01 | Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE | Federico G. Schwindt | |
| option is used. Note that this does not work. | |||
| 2001-05-01 | get rid of dtom(), okay itojun@ angelos@ mickey@ millert@ | Niels Provos | |
| 2001-05-01 | Typo in comment. | Aaron Campbell | |
| 2001-04-23 | Missing splx in error handling. | Artur Grabowski | |
| 2001-04-22 | Fix spl handling in ipfilter ioctl interface. Work by aaron@ and me. | Grigoriy Orlov | |
| Problem was reported by DK <obsd@snti.com> as kernel panic loading ipa - "WARNING: SPL NOT LOWERED ON SYSCALL EXIT". deraadt@ ok. | |||
| 2001-04-14 | Minor changes, preparing for real socket-attached TDBs; also, more | Angelos D. Keromytis | |
| information will be stored in the TDB. ok ho@ provos@ | |||
| 2001-04-10 | allow host-to-host negotiations if no gateway has been specified. | Niels Provos | |
| from angelos@ | |||
| 2001-04-08 | Typo. __IP_FIL_H__ -> __IP_FRAG_H__ | smart | |
| 2001-04-07 | Partial update to IPF 3.4.17; this fixes the *VERY* serious fragment | Federico G. Schwindt | |
| caching bug recently discussed in the ipfilter list. People using IPF is urged to sync with these changes. | |||
| 2001-04-06 | Move offsetof define into sys/param.h | Constantine Sapuntzakis | |
| 2001-04-04 | do not check ip_mtudisc on IPv6 TCP. | Jun-ichiro itojun Hagino | |
| with IPv6 TCP PMTUD is mandatory, compute mss size accordingly. sync with kame | |||
| 2001-03-30 | Protect the IF_XXX macros in the callback routines with splimp(). Doh! | Angelos D. Keromytis | |
| Thanks to erik@ipunplugged.com | |||
| 2001-03-28 | tdb_inp -> (tdb_inp_in, tdb_inp_out) | Angelos D. Keromytis | |
| 2001-03-28 | Allow tdbi's to appear in mbufs throughout the stack; this allows | Angelos D. Keromytis | |
| security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) does weird things with mbufs. | |||
| 2001-03-27 | Fix a problem with how TDB timeouts were used in pfkeyv2. | Artur Grabowski | |
| When we allocated a tdb we did a timeout_add before a timeout_set. This was a problem in itself, but it shouldn't hurt too much. What did hurt was that we did a timeout_set after the timeout_add, timeout_set marked the timeout as not being on the timeout list and if we did a timeout_del (or timeout_add) later (before the timeout fired) we ended up with a chunk of freed memory on the timeout queue or maybe even dangling pointers (or a circular list). This should probably cure the timeout queue corruption some people were seeing lately. | |||
| 2001-03-25 | Protect KFREES by splnet and rearrange pointers. This fix interrupt | Grigoriy Orlov | |
| race between ipllog() and ipflog_read() which caused a memory leak and "Data modified on freelist" error. fgsch@ ok. | |||
| 2001-03-25 | A couple minor fixes to prevent use after free. Thanks to dawson and team ↵ | Constantine Sapuntzakis | |
| for finding these. Ok angelos@ | |||
| 2001-03-23 | Fix slow mbuf leak. | Angelos D. Keromytis | |
| 2001-03-18 | enable pmtu by default | Niels Provos | |
| 2001-03-17 | Handle ftp services that don't ask for a password, only a username. | Bob Beck | |
| This appears to be allowed by RFC and is apparently used by some banks in the netherlands (shudder). Patch courtesy Ramses de Beer <rbdebeer@yahoo.com>. | |||
| 2001-03-15 | include <machine/cpu.h>, since schednetisr needs to do a splsoftnet | Brandon Creighton | |
| 2001-03-15 | convert SA expirations to the new timeouts. | Michael Shalayeff | |
| simplifies expirations handling a lot. tdb_exp_timeout and tdb_soft_timeout are made consistant throughout the code to be a relative time offsets, just like first_use timeouts. tested on singlehost isakmpd setup. lots of dangling spaces and tabs removed. angelos@ ok | |||
| 2001-03-14 | provide a random start for tcp timestamps; niels@ ok | Michael Shalayeff | |
| 2001-03-13 | Force a new search for an SA if the latched one is deleted. | Angelos D. Keromytis | |
| 2001-03-07 | More careful spl usage for the IPSEC case in ip_output(); from angelos@ | Aaron Campbell | |
| 2001-03-07 | Remove a bogus rtfree(); PR 1706 | brian | |
| 2001-03-07 | Missing SPL_X(); deraadt@ ok | Aaron Campbell | |
| 2001-03-06 | Move the test for bogus packet length in udp_output() closer to the top of | Aaron Campbell | |
| the function. Previously it was possible for us to get stuck in splsoftnet() under certain situations. Bug reported by hunter@dg.net.ua, fix by me ok'd by deraadt@, provos@, angelos@. | |||
| 2001-03-04 | Store peer's credentials in TDB. | Angelos D. Keromytis | |
| 2001-03-03 | on parse error of timestamp option, set parameter error offset correctly. | Jun-ichiro itojun Hagino | |
| 2001-03-03 | drop packets with 127.0.0.0/8 in header field, if the packet is from outside. | Jun-ichiro itojun Hagino | |
| under RFC1122 sender rule 127.0.0.8 must not appear on the wire. count incidents by ipstat.ips_badaddr. sync with kame | |||
| 2001-02-28 | Pretty. | Angelos D. Keromytis | |
| 2001-02-28 | Handle failures more gracefully. | Angelos D. Keromytis | |
| 2001-02-28 | Keep the last packet sent or received that matched an SPD entry, and | Angelos D. Keromytis | |
| retransmit if we eventually have an SA setup for that policy. | |||
| 2001-02-28 | If net.inet.ipip.allow is set to 2, don't check for loopback address | Angelos D. Keromytis | |
| spoofing of encapsulated packets (useful for single-machinet testing of isakmpd) | |||
| 2001-02-27 | Remove superfluous printf in Angelos last commit | Niklas Hallqvist | |
| 2001-02-20 | tighten IPv4 option header processing (we may want to do more). | Jun-ichiro itojun Hagino | |
| reviewed by angelos. | |||
| 2001-02-16 | remove IPv6 case from udp_output. now we have separate udp6_output. | Jun-ichiro itojun Hagino | |
| 2001-02-16 | pull in new pcb notification code from kame. better handling of scope address. | Jun-ichiro itojun Hagino | |
| 2001-02-16 | amove in6_{embed,recover}scope prototypes to in6_var.h (kernel only). | Jun-ichiro itojun Hagino | |
| add in6_clearscope. sync better with kame | |||
| 2001-02-16 | sync whitespace/comment with kame. to help merge tasks | Jun-ichiro itojun Hagino | |
| 2001-02-12 | putting #error into an include file is totally wrong | Theo de Raadt | |
| 2001-02-11 | If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok | Federico G. Schwindt | |
| 2001-02-09 | Fix BPF support. | Angelos D. Keromytis | |
| 2001-02-08 | witch raw ip6 socket code from NRL to kame. | Jun-ichiro itojun Hagino | |
| makes upgrades/code sharing much easier. | |||
| 2001-02-07 | allow gif-less compile | Michael Shalayeff | |
| 2001-02-07 | by default, don't bark on inbound ND messages, as outsider may be able to | Jun-ichiro itojun Hagino | |
| fill up /var with bogus packets. setting net.inet6.icmp6.nd6_debug will re-enable kernel messages on invalid ND packet and other occasions. improve icmp6 stats. | |||
| 2001-02-06 | ipf/ipnat check the securelevel in the original code, so don't do it twice. | Federico G. Schwindt | |
| Also remove uneeded definition of ICMP_UNREACH_FILTER_PROHIB; this isn't needed. Why keep adding things to make diffs harder? | |||
| 2001-02-06 | - bridge_input() expects to be called at splnet(), not splsoftnet() | Jason Wright | |
| - add a bit more debugging (controlled by ENCDEBUG and encdebug) - turn off several more m_flags that may have been set by the higher layers (so any sharing of mbuf's in the return direction doesn't confuse the upper layers) | |||
 |
index : src | |
| OpenBSD base system |
| summaryrefslogtreecommitdiff |