Age | Commit message | Author | |
---|---|---|---|
2000-10-14 | ASKPOLICY message; used by key management to inquire about policy triggering an ACQUIRE. | Angelos D. Keromytis | |
2000-10-14 | implement net.inet.tcp.rstppslimit. rate-limits outbound TCP RST traffic to less than N per 1 second. | Jun-ichiro itojun Hagino | |
2000-10-13 | validate mbuf chain length on *_ctlinput. remote node may be able to transmit a truncated icmp6 packet and panic the system. sync with kame. | Jun-ichiro itojun Hagino | |
2000-10-13 | make sure we don't share external mbuf between m and mcopy, in ip_forward(). NetBSD PR 11201. | Jun-ichiro itojun Hagino | |
2000-10-11 | nuke inp_flags bits for controlling IPv4 mapped address. we don't support IPv4 mapped address, and there are inconsistent bit manipulation code so it's safer to nuke them. | Jun-ichiro itojun Hagino | |
2000-10-10 | little bit of sync with kame ($KAME, s/u_char/u_int8_t/) | Jun-ichiro itojun Hagino | |
2000-10-10 | verify payload of the icmp need fragment message at the tcp layer. okay itojun@ | Niels Provos | |
2000-10-10 | bring in icmp rate limitation code. make icmp6 rate limitation to latest (uses ppsratecheck only). (sync with netbsd) TODO: tcp SYN rate limit? | Jun-ichiro itojun Hagino | |
2000-10-09 | AES support. | Angelos D. Keromytis | |
2000-10-09 | check if we have a tcb connected to the destination quoted in the icmp need fragment message when doing path mtu discovery. okay angelos@ | Niels Provos | |
2000-10-06 | remove now-obsolete SIOCSIFPHY* handling in in{6,}_control. sync with kame. | Jun-ichiro itojun Hagino | |
2000-09-29 | Make sure there's enough data on the mbuf for the TCP/UDP ports (if applicable) -- bug located thanks to a crashdump from HJungheim@vpnet.com | Angelos D. Keromytis | |
2000-09-29 | Outgoing packets that hit IPsec will be IPF/IPNAT processed as well on the enc* interface, usually enc0; cedric@wireless-networks.com | Angelos D. Keromytis | |
2000-09-27 | Fix checking for incoming packets when the remote gateway has been fully specified in the flow. | Angelos D. Keromytis | |
2000-09-26 | Update to previous fix on ICMP messages coming on unnumbered interfaces: rather than picking *some* non-loopback IP address, do a routing lookup and use as source IP address the address of the outgoing interface. A nice side effect of this is that ICMPs generated as a result of packets received over IPsec will, in the common case, end up going back over IPsec (depends on what the SPD looks like of course). Thanks to fcusack@fcusack.com for testing and commenting on this. | Angelos D. Keromytis | |
2000-09-25 | on expiry of pmtu route, retry higher mtu. okay angelos@ | Niels Provos | |
2000-09-23 | Angelos you forgot this one !! | Chris Cappuccio | |
2000-09-22 | Move the PI_MAGIC define outside the INET6 ifdef block (doh!) | Angelos D. Keromytis | |
2000-09-22 | fix my bug dating back to february the 14th of 1998, when those wildcard interfaces came up, which were useful at the times. on the other hand here it is, one cannot bind to the broadcast address, and angelos says ok. | Michael Shalayeff | |
2000-09-21 | calculate maxopd at the right place | Niels Provos | |
2000-09-20 | Add IDENTITY payloads to flow establishment (and cleanup accordingly) -- this will address one of itojun's questions on how are IDs for IKE to be determined (need to add support for this to ipsecadm). | Angelos D. Keromytis | |
2000-09-20 | Don't use LOOPBACK addresses when trying to determine source address to use in locally-generated ICMP messages (thanks to fcusack@fcusack.com) | Angelos D. Keromytis | |
2000-09-20 | remove unused code | Niels Provos | |
2000-09-20 | correctly calculate mss | Niels Provos | |
2000-09-20 | fix in_pcbrtentry | Niels Provos | |
2000-09-19 | only free tdbi if IPSEC | Theo de Raadt | |
2000-09-19 | SA bundles. | Angelos D. Keromytis | |
2000-09-19 | Lots and lots of changes. | Angelos D. Keromytis | |
2000-09-18 | fix compilation problem on systems w/o inet6. | Federico G. Schwindt | |
2000-09-18 | Path MTU discovery based on NetBSD but with the decision to use the DF flag delayed to ip_output(). That halves the code and reduces most of the route lookups. okay deraadt@ | Niels Provos | |
2000-09-17 | Drop dubious ESP/AH packets without crashing (thanks to dr@kyx.net and mfranz@cisco.com for finding the problem). | Angelos D. Keromytis | |
2000-09-07 | New timeouts. | Artur Grabowski | |
2000-09-05 | various fixes to SACK and FACK from adesai@cisco.com, tomh@tomh.org and osuga@mml.yrp.nttdocomo.co.jp | Niels Provos | |
2000-08-19 | - upgrade icmp6 node information query support to 06 draft. - pedant: possible alignment issue in ALIGN > 8 arch (should be okay for now) (sync with kame) | Jun-ichiro itojun Hagino | |
2000-08-10 | Whoops. Reapply Aaron's detach code fix. inadvertently whacked in the 3.3.18 import. | Kjell Wooding | |
2000-08-10 | Import ipf 3.3.18. Fixes more problems with the in-kernel FTP proxy, some nat state bugs, and ups the default state table size. See sbin/ipf/HISTORY for details. | Kjell Wooding | |
2000-08-04 | One parenthesis too many. | Angelos D. Keromytis | |
2000-08-04 | Worked out the logic (thanks to pt98asp@student.hk-r.se and pt98kfr@student.hk-r.se -- I still don't know why rev1.5 didn't work). | Angelos D. Keromytis | |
2000-08-03 | Back to the submitted patch -- this needs more investigation. | Angelos D. Keromytis | |
2000-08-03 | typo in #define. ICMP6_NI_SUCESS -> SUCCESS. | Jun-ichiro itojun Hagino | |
2000-08-03 | Don't even need to reset ip_sum, if we're not going to compute it here but in ip_output() | Angelos D. Keromytis | |
2000-08-03 | Avoid unnecessary call to in_cksum(). | Angelos D. Keromytis | |
2000-08-03 | In fact, this is the correct behaviour (or I'm going crazy). | Angelos D. Keromytis | |
2000-08-03 | Careful with ip_off | Angelos D. Keromytis | |
2000-08-03 | Zeroize ip_sum before computing checksum (just general paranoia). | Angelos D. Keromytis | |
2000-08-03 | Correct handling of ip_off (askk@rsn.hk-r.se) | Angelos D. Keromytis | |
2000-07-29 | Don't set the source IP address if doing multicast; this is a quick fix -- the logic has to be reworked to allow for multicast-over-IPsec. Patch from gene@lucky.net. | Angelos D. Keromytis | |
2000-07-27 | raw6/udp6 sockets are okay with :: in src. | Jun-ichiro itojun Hagino | |
2000-07-27 | be proactive about unspecified IPv6 source address. pcb layer uses unspecified address (::) to mean "unbounded" or "unconnected", and can be confused by packets from outside. use of :: as source is not documented well in IPv6 specification. not sure if it presents a real threat. the worst case scenario is a DoS against TCP listening socket: - outsider transmit TCP SYN with :: as IPv6 source - receiving side creates TCP control block with: local address = my address remote address = :: (meaning "unconnected") state = SYN_RCVD note that SYN ACK will not be sent due to ip6_output() filter. this stays until it times out. - the TCP control block prevents listening TCP control block from being contacted (DoS). | Jun-ichiro itojun Hagino | |
2000-07-12 | remove m_pulldown statistics, which is highly experimental | Jun-ichiro itojun Hagino | |