path: root/sys/netinet
Age | Commit message | Author
2000-10-14 | ASKPOLICY message; used by key management to inquire about policy triggering an ACQUIRE. | Angelos D. Keromytis
2000-10-14 | implement net.inet.tcp.rstppslimit. rate-limits outbound TCP RST traffic to less than N per 1 second. | Jun-ichiro itojun Hagino
2000-10-13 | validate mbuf chain length on *_ctlinput. remote node may be able to transmit a truncated icmp6 packet and panic the system. sync with kame. | Jun-ichiro itojun Hagino
2000-10-13 | make sure we don't share external mbuf between m and mcopy, in ip_forward(). NetBSD PR 11201. | Jun-ichiro itojun Hagino
2000-10-11 | nuke inp_flags bits for controlling IPv4 mapped address. we don't support IPv4 mapped address, and there are inconsistent bit manipulation code so it's safer to nuke them. | Jun-ichiro itojun Hagino
2000-10-10 | little bit of sync with kame ($KAME, s/u_char/u_int8_t/) | Jun-ichiro itojun Hagino
2000-10-10 | verify payload of the icmp need fragment message at the tcp layer. okay itojun@ | Niels Provos
2000-10-10 | bring in icmp rate limitation code. make icmp6 rate limitation to latest (uses ppsratecheck only). (sync with netbsd) TODO: tcp SYN rate limit? | Jun-ichiro itojun Hagino
2000-10-09 | AES support. | Angelos D. Keromytis
2000-10-09 | check if we have a tcb connected to the destination quoted in the icmp need fragment message when doing path mtu discovery. okay angelos@ | Niels Provos
2000-10-06 | remove now-obsolete SIOCSIFPHY* handling in in{6,}_control. sync with kame. | Jun-ichiro itojun Hagino
2000-09-29 | Make sure there's enough data on the mbuf for the TCP/UDP ports (if applicable) -- bug located thanks to a crashdump from HJungheim@vpnet.com | Angelos D. Keromytis
2000-09-29 | Outgoing packets that hit IPsec will be IPF/IPNAT processed as well on the enc* interface, usually enc0; cedric@wireless-networks.com | Angelos D. Keromytis
2000-09-27 | Fix checking for incoming packets when the remote gateway has been fully specified in the flow. | Angelos D. Keromytis
2000-09-26 | Update to previous fix on ICMP messages coming on unnumbered interfaces: rather than picking *some* non-loopback IP address, do a routing lookup and use as source IP address the address of the outgoing interface. A nice side effect of this is that ICMPs generated as a result of packets received over IPsec will, in the common case, end up going back over IPsec (depends on what the SPD looks like of course). Thanks to fcusack@fcusack.com for testing and commenting on this. | Angelos D. Keromytis
2000-09-25 | on expiry of pmtu route, retry higher mtu. okay angelos@ | Niels Provos
2000-09-23 | Angelos you forgot this one !! | Chris Cappuccio
2000-09-22 | Move the PI_MAGIC define outside the INET6 ifdef block (doh!) | Angelos D. Keromytis
2000-09-22 | fix my bug dating back to february the 14th of 1998, when those wildcard interfaces came up, which were useful at the times. on the other hand here it is, one cannot bind to the broadcast address, and angelos says ok. | Michael Shalayeff
2000-09-21 | calculate maxopd at the right place | Niels Provos
2000-09-20 | Add IDENTITY payloads to flow establishment (and cleanup accordingly) -- this will address one of itojun's question on how are IDs for IKE to be determined (need to add support for this to ipsecadm). | Angelos D. Keromytis
2000-09-20 | Don't use LOOPBACK addresses when trying to determine source address to use in locally-generated ICMP messages (thanks to fcusack@fcusack.com) | Angelos D. Keromytis
2000-09-20 | remove unused code | Niels Provos
2000-09-20 | correctly calculate mss | Niels Provos
2000-09-20 | fix in_pcbrtentry | Niels Provos
2000-09-19 | only free tdbi if IPSEC | Theo de Raadt
2000-09-19 | SA bundles. | Angelos D. Keromytis
2000-09-19 | Lots and lots of changes. | Angelos D. Keromytis
2000-09-18 | fix compilation problem on systems w/o inet6. | Federico G. Schwindt
2000-09-18 | Path MTU discovery based on NetBSD but with the decision to use the DF flag delayed to ip_output(). That halves the code and reduces most of the route lookups. okay deraadt@ | Niels Provos
2000-09-17 | Drop dubious ESP/AH packets without crashing (thanks to dr@kyx.net and mfranz@cisco.com for finding the problem). | Angelos D. Keromytis
2000-09-07 | New timeouts. | Artur Grabowski
2000-09-05 | various fixes to SACK and FACK from adesai@cisco.com, tomh@tomh.org and osuga@mml.yrp.nttdocomo.co.jp | Niels Provos
2000-08-19 | - upgrade icmp6 node information query support to 06 draft. - pedant: possible alignment issue in ALIGN > 8 arch (should be okay for now) (sync with kame) | Jun-ichiro itojun Hagino
2000-08-10 | Whoops. Reapply Aaron's detach code fix. inadvertently whacked in the 3.3.18 import. | Kjell Wooding
2000-08-10 | Import ipf 3.3.18. Fixes more problems with the in-kernel FTP proxy, some nat state bugs, and ups the default state table size. See sbin/ipf/HISTORY for details. | Kjell Wooding
2000-08-04 | One parenthesis too many. | Angelos D. Keromytis
2000-08-04 | Worked out the logic (thanks to pt98asp@student.hk-r.se and pt98kfr@student.hk-r.se -- I still don't know why rev1.5 didn't work). | Angelos D. Keromytis
2000-08-03 | Back to the submitted patch -- this needs more investigation. | Angelos D. Keromytis
2000-08-03 | typo in #define. ICMP6_NI_SUCESS -> SUCCESS. | Jun-ichiro itojun Hagino
2000-08-03 | Don't even need to reset ip_sum, if we're not going to compute it here but in ip_output() | Angelos D. Keromytis
2000-08-03 | Avoid unnecessary call to in_cksum(). | Angelos D. Keromytis
2000-08-03 | In fact, this is the correct behaviour (or I'm going crazy). | Angelos D. Keromytis
2000-08-03 | Careful with ip_off | Angelos D. Keromytis
2000-08-03 | Zeroize ip_sum before computing checksum (just general paranoia). | Angelos D. Keromytis
2000-08-03 | Correct handling of ip_off (askk@rsn.hk-r.se) | Angelos D. Keromytis
2000-07-29 | Don't set the source IP address if doing multicast; this is a quick fix -- the logic has to be reworked to allow for multicast-over-IPsec. Patch from gene@lucky.net. | Angelos D. Keromytis
2000-07-27 | raw6/udp6 sockets are okay with :: in src. | Jun-ichiro itojun Hagino
2000-07-27 | be proactive about unspecified IPv6 source address. pcb layer uses unspecified address (::) to mean "unbounded" or "unconnected", and can be confused by packets from outside. use of :: as source is not documented well in IPv6 specification. not sure if it presents a real threat. the worst case scenario is a DoS against TCP listening socket: - outsider transmit TCP SYN with :: as IPv6 source - receiving side creates TCP control block with: local address = my address, remote address = :: (meaning "unconnected"), state = SYN_RCVD. note that SYN ACK will not be sent due to ip6_output() filter. this stays until it timeouts. - the TCP control block prevents listening TCP control block from being contacted (DoS). | Jun-ichiro itojun Hagino
2000-07-12 | remove m_pulldown statistics, which is highly experimental | Jun-ichiro itojun Hagino