Age | Commit message | Author |
|
There is a massive issue with broadcast addrs because ifa_ifwithaddr()
handles them differently than in_iawithaddr().
|
|
|
|
of a connection originator. this allows one to query the source rdomain
with a SO_RTABLE socket option. figured out with reyk, ok claudio.
|
|
endless loops by IPcomp-quine attacks as discovered by Tavis Ormandy;
it also prevents nested IPcomp-IPIP-IPcomp attacks provided by matthew@;
feedback and ok matthew@, deraadt@, djm@, claudio@
|
|
ok dlg fondue-kinda-ok claudio
|
|
testing tcp flags.
ok henning@ claudio@
|
|
ok claudio krw
|
|
ok henning@ claudio@
|
|
on amd64
ok claudio@
|
|
in order to skip most of the reassembly logic and try to flush
available tcp segments to the socket, just split it off into its
own function and use it where appropriate.
ok claudio@ henning@
|
|
This fixes the NFS problems reported on the mailing list
and ensures that accepted sockets have correct socketbuffer
setting. OK blambert@, henning@
|
|
we don't need 7 f***ing copies of the same code to do the protocol checksums
(or not, depending on hw capabilities). claudio ok
|
|
the system is a multicast forwarder so move the code into that block
and save a few unneeded m_pullups. Found by dlg a long time ago.
OK dlg@
|
|
Same logic is already implemented in netinet6
OK henning@ deraadt@
|
|
and broadcast packets will be caught too; also we need to increment
the incoming packet counter as reminded by claudio. ok claudio mpf
|
|
ok sthen claudio dlg
|
|
no change in .o md5
"ok gcc" claudio@
|
|
classful broadcast so we can still netboot sparc and the like.
compat hack untested, i will deal with the fallout if there is any later
at the same time stop exporting in_iawithaddr, everything but ip_input
should (and now does) use ifa_ifwithaddr directly
ok dlg sthen and agreement from many
|
|
the latter is now much faster and the former becomes a wrapper + compat hacks
around the latter in a bit.
ok dlg sthen and "ah hai" from various in various bars here
|
|
was done earlier for routing sockets.
ok claudio@
|
|
|
|
work as you think it does, and the same can easily be achieved using pf
ok claudio dlg sthen theo
|
|
ok claudio@
|
|
Updating the HMAC from the carp_ioctl call does not see the newly
set IP address in the if_addrlist. The only chance for carp to see
the new address is via the address-hook callback. This change moves
the detection of address changes entirely into carp_addr_updated.
Furthermore, only call carp_hmac_prepare for the SIOCSVH case. This
second bug was the reason why the first one went unnoticed for such
a long time.
Problem found and debugging help by camield@.
OK camield@
|
|
and make it void.
ok henning@, markus@, mcbride@
|
|
of m_free(). There was no leak before as m_copym() and m_pullup()
are always called with the same length. But it is better to use
the correct function anyway.
ok henning@ mpf@ markus@
|
|
No binary change. OK otto@
|
|
explicit_bzero() where required
ok markus mikeb
|
|
The data received on the source socket will automatically be sent
on the drain socket. This allows to write relay daemons with zero
data copy.
ok markus@
|
|
|
|
With and OK phessler@
|
|
|
|
for dohooks() since it makes no sense to call the if_addrhooks when the
address assignment failed. Additionally only call ifa_add() in
in_ifinit() when no error happened. Fixes a carp(4) panic seen by dhill
and dlg. OK henning@, dlg@
|
|
ok mcbide@ claudio@ henning@
|
|
is new or an already existing one. for existing ones, call ifa_del first
tested by many as part of a larger diff, ok claudio dlg krw sthen
|
|
in_ifinit
tested by many as part of a larger diff, ok claudio dlg krw sthen
|
|
structure is fully set up
tested by many as part of a larger diff, ok claudio dlg sthen krw
|
|
in the mbuf may be improperly aligned. Whenever a function is
reinjecting packets from low level output functions into high level
output functions (like ip_output) it must be guaranteed that the
mbuf data is properly aligned.
OK blambert@, deraadt@
|
|
hiding everything but the TCP_* options unless __BSD_VISIBLE. While
we're here, change the structure to use u_int32_t instead of u_int
to cut-off the types discussion.
ok tedu@, mikeb@
|
|
No binary change.
ok claudio@ henning@
|
|
of the variable nmax from int to u_long as the socket buffer sizes
it operates on are also u_long.
ok claudio@
|
|
There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
|
|
currently have, let the call succeed.
Mirrors the same behaviour as setrtable()
OK claudio@
|
|
socket from the information we have in the syncache. Also bzero() the
tcpcb that is passed to tcp_dooptions() just to be sure.
|
|
A session must stick to the rscale factor sent out in the SYN packet.
Remove the bogus tcp_rscale() call which is done after a full established
session is returned from the syncache.
|
|
reason to reduce the amount of ACKs sent and delayed ACKs have a very bad
interaction with the large MTU of lo(4) and the fairly small socketbuffer
size. In collaboration with andre@freebsd.
OK deraadt@
|
|
Reminded by naddy@
|
|
OK djm@ claudio@ dlg@
|
|
|
|
We can use IPv6 address as outer header of L2TP.
Kernel ABI is changed. You must update npppd.
OK @claudio, yasuoka@, dlg@
|