Age | Commit message | Author |
|
This provides a similar functionality as ARP balancing,
but also works for traffic that comes across routers.
IPv6 is supported as well.
The configuration scheme will change as soon as we have something better.
Also add support for changing the MAC address on carp(4)
interfaces. (code from mcbride)
Tested by pyr@ and reyk@
OK mcbride@
|
|
arplookup: unable to enter address for xxx.xxx.xxx.xxx
because it is absolutely useless in a modern world with cable modems
which leak arp packets over IP netblock zones; Anyone who used this as
a diagnostic for real problems has other tools to use; from discussion
with kitella, ok claudio
|
|
not used with Heimdal. Add UDP port 749 to DEFBADDYNAMICPORTS_UDP
for consistency with DEFBADDYNAMICPORTS_TCP. We retain some Kerberos
4 ports for people running Heimdal in Kerberos 4 compat mode.
OK deraadt@ beck@
|
|
moving the m_adj() down so that the ethernet header is preserved.
This fixes tcpdump on bridged gif(4) interfaces. OK mglocker@
|
|
OK mglocker@
|
|
ok kettenis@ cloder@ tom@ henning@
|
|
|
|
and passed around but never used. OK mglocker@
|
|
header.
- ipsec_input: fix mistake in IPv6 next-header chasing.
- ipsec_output: look for the position to insert AH more carefully.
- ip6_output: enable use of AH with extension headers.
avoid tunnelling when source-routing header is present.
ok by deraad, naddy, hshoexer
|
|
|
|
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo
|
|
to the m_tag_delete_chain() function.
m_tag_free() and m_tag_unlink() are only used by m_tag_delete() and I see
no need to have these functions around.
m_tag_delete_chain() has a second argument to specify a starting point
from where the chain should be deleted. This feature is never used and is
more complex because it is not possible to remove a SLIST element without
doing a list walk. Instead use SLIST_FIRST() and SLIST_REMOVE_HEAD() to
remove all items from the list. OK dhartmei@
|
|
|
|
splnet/IF_DEQUEUE/splx; ok various people
|
|
to INET6 too, so move it outside. markus ok
|
|
|
|
(s6_addr16[1] filled)
ok dhartmei
|
|
|
|
the kernel still handles RFC2292 set/getsockopts, so that compiled binary
has no trouble running. userland sees RFC3542 symbols only on header file
so new code has to use RFC3542 API.
bump libc shlib minor for function additions.
tested on i386/amd64 by jmc, i386 by brad. checked by deraadt.
|
|
when sending the synack response. ok markus
|
|
the dest IP; PMTU debugging support; ok hshoexer
|
|
|
|
hook up looking up routes in alternate tables to the packet forwarding path.
alternate routing tables are maintained with route(8), table selection via pf.
mostly hacked on a train ride with ryan some time ago, ok mcbride claudio
|
|
SO_REUSEADDR and multicast/broadcast comes into play. Model the ip_savecontrol
handling after the rip_input version which works.
Problem found by Simon Kelley. OK henning@ michele@
|
|
NULL in any case.
|
|
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.
ok hshoexer@
|
|
and early in the boot process existent. needed by the rc scripts for
carp demotion on the "carp" group. this used to work because pfsync0
was always there and member of said group; it has been broken on pfsync-less
kernels for quite some time. ok mpf mcbride
|
|
this unbreaks TCP for high RTT (~3s); ok mcbride@
|
|
This is for RFC3682 aka the TTL security hack - sender sets TTL to 255,
receiver checks no router on the way (or, no more than expected) reduced
the TTL. carp uses that technique already.
modeled after FreeBSD implementation.
ok claudio djm deraadt
|
|
when set on raw or udp sockets, userland receives the incoming packet's TTL
as ancillary data (cmsg shitz). modeled after the FreeBSD implementation.
ok claudio djm deraadt
|
|
Did these vendors really really really not think? Absolute morons.
|
|
|
|
virtual MAC address is set. Among other things, this makes route6d work
correctly on systems with carp interfaces.
In order to ensure backwards compatibility, we do not include IPv6
link-local addresses in generating the HMAC, but we accept HMACs with AND
without the link-local addresses. They will be added to the HMAC in a future
release.
In short: this change should only affect backwards compatibility for
IPv6 users who are manually adding link-local addresses on carp interfaces.
testing mtu@ todd@
ok mpf@ henning@ deraadt@
|
|
ok mpf@ henning@
|
|
physical interface shares a bridge with the interface that received it.
Patch based on a version from camield@
Fixes PR 5178.
OK mcbride@
|
|
we've won the MASTER election.
This seems to be necessary w/ some wacky L3 switches,
that only learn by looking at ARP packets.
Fixes PR 5148.
OK mcbride@
|
|
code. however, it is still cluttering up the kernel namespace a bit. it is
better gone.
ok claudio@
|
|
the INET6 code. With this it is possible to use e.g. IP_RECVIF to get the
incoming interface. SOCK_RAW is not affected by this.
Problem found and fixed by Michele 'mydecay' Marchetto. OK markus@
|
|
no functional change.
|
|
|
|
|
|
|
|
To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.
To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1
testing norby@
ok claudio@ henning@ hshoexer@
|
|
|
|
parameter so they can work on alternate tables. table 0 hardcoded for
many callers yet, that will be adapted step by step.
input + ok claudio norby hshoexer
|
|
henning@ claudio@ ok
|
|
for clarity.
henning@ claudio@ ok
|
|
henning@ claudio@ ok
|
|
here, make sure they compile with or without IPSEC, you morons!
|
|
As a first user, move the global carp(4) demotion counter
into the interface group. Thus we have the possibility
to define which carp interfaces are demoted together.
Put the demotion counter into the reserved field of the carp header.
With this, we can have carp act smarter if multiple errors occur.
It now always takes over other carp peers that are advertising
with a higher demote count. As a side effect, we can also have
group failovers without the need of running in preempt mode.
The protocol change does not break compatibility with older
implementations.
Collaborative work with mcbride@
OK mcbride@, henning@
|