Age | Commit message | Author |
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
|
rt_if_remove_rtdelete() needs to know the table id to be able to correctly
remove nodes.
Problem found by Andrea Parazzini and analyzed by Martin Pelikán.
OK henning@
|
|
the one used by Cisco. It sends a return gre packet inside a gre packet
to the other side and expects it to return.
OK deraadt, reyk additional testing by sthen
|
|
netboot methods using rarp, thus only learning their IP address without
mask. And of course the next step is a broadcast - which goes to the
broadcast address calculated classful. *sigh*. PR6382
instead of storing a second broadcast address per ifaddr as we used to
figure out whether we're dealing with a classful broadcast on the fly. the
math is extremely cheap and all my previous profilings showed that cpu
cycles are basically free, we're constrained by memory access.
excellent analysis by Pascal Lalonde <plalonde at overnet.qc.ca> who also
submitted the PR. claudio ok
|
|
connect() calls. Our network stack does not allow any v4 mapped addresses
so there is no need to allow them in connect(). Found after discussion with
Henning. OK deraadt@
|
|
rt_timer_queue_destroy() did not actually destroy, leading to a potential
memory leak due to misleading nomenclature. Change it to actually destroy,
not just clean, the rt_timer_queue passed to it and adjust the correct
caller accordingly (i.e., no need to free the mem on our own now).
As a bonus, this gets rid of one of the ridiculous R_Malloc/Bzero/Free
cycles, and lets us sneak another bzero -> M_ZERO conversion in.
ok claudio@
|
|
aligned, otherwise we lose on strict alignment architectures. Should fix
problems with gcc4 compiled bsd.rd's that people see on sparc64.
ok millert@, beck@, jsing@
|
|
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@
|
|
OK sthen@
|
|
is defined.
|
|
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepaths rdomain aware.
Apart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning
|
|
removed. Extend carp demote logging to also show the reason for
the demote. Return EINVAL instead of ERANGE if a carpdemote request
is out of range. Requested from otto.
OK mcbride, henning.
|
|
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
|
|
faith 1", noticed by Andris Kadar. ok kettenis@ beck@
|
|
ok claudio@ "approved" deraadt@
|
|
address lookups. Found whilst investigating address lookup failures.
ok michele@
|
|
is valid and usable (reject and blackholes are not considered usable).
TCP has this nasty behaviour to clone routes to disable PMTU and this combined
with dynamic routing resulted in dead sessions when there was a default reject
route installed.
OK henning@, sthen@
|
|
Found by LLVM/Clang Static Analyzer.
ok krw@ henning@
|
|
With input from oga@ and krw@
ok oga@ krw@ thib@ markus@ mk@
|
|
1996 with no way to enable but kernel config or code mods and is bound to
classful addressing anyway.
|
|
more here either
|
|
4.3BSD (anno 1986) supported the host part bits all one for broadcast as
well, since that's what everybody agreed on and RFC919 (anno 1984) proposed.
now, roughly a quarter decade later, we can really stop supporting the all
zero variant. sorry to you guys still running 4.2BSD. ok theo ryan
|
|
subnet of the classful network. at least, not since 1992.
ok mpf dlg bob
|
|
we now correctly broadcast packets to all local ports.
OK deraadt@
|
|
many places create a proper API (ifa_add / ifa_del) and use it.
ok theo ryan dlg
|
|
that router vendor doesn't default to classful routing any more, and there
really is no point in having a classful netmask and a subnetmask to split
it. we still do classful guesses on the netmask if it isn't supplied by
userland, but that's about it.
i decided to keep ia_netmask and kill ia_subnetmask which makes this diff
biggish, the classful ia_netmask wasn't really used all that much. the real
changes are in in.c, the rest is mostly s/ia_subnetmask/ia_netmask.
ok claudio dlg ryan
|
|
ok @dlg
|
|
is safe for both hardware devices and virtual devices
ok mpf, kettenis, moaning and groaning and slow acceptance from mcbride
XXX should loop checking for uniqueness after new henning diff goes in
|
|
The demote counter can handle that.
This lets carp hosts with an identical demote count still know which
one is the designated master and prevents them from failing over
asymmetrically.
Since there is a demote handling bug in all releases prior to 4.6,
symmetric failover will only work against 4.6 (and newer) from now on.
OK henning@
|
|
queue length of one - i.e. vlans with the forthcoming change from dlg.
this allows fragmented frames to be sent on such an interface, hoping
that the interface underneath copes correctly - A better fix for this
will be forthcoming soon, but this is good enough for now, and will
allow the change for vlans to use an ifq length of 1.
tested by me and dlg@, ok dlg@, claudio@, deraadt@
|
|
From Gleydson Soares, OK beck@
|
|
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.
WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec implementations
that share this bug.
ok+tests naddy, fries; requested by reyk/deraadt
|
|
so put it in struct process instead of struct proc. While at it,
move the p_emul member inside struct proc so that it gets copied
automatically instead of requiring manual assignment.
ok deraadt@
|
|
ok claudio@
|
|
ok claudio@
|
|
Fixes PR6274.
ok claudio@
|
|
kernel stack content instead of proper information; found by Clement LECIGNE
|
|
ok henning@, claudio@ "I think this should go in"
|
|
catch the libc major bump per request from deraadt@
Diff by reyk.
ok guenther@
|
|
different rdomain than the default one. This allows doing MPLS VPNs
without the MPLS madness. OK deraadt@, henning@
|
|
localhost DoS everywhere. To help minimize further issues, make the
mbuf != NULL test explicit instead of implicit in a length test.
Suggestions and initial work by mpf@ and miod@
ok henning@, mpf@, claudio@,
|
|
a twist; ok millert@ kettenis@
|
|
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain safe and no longer leaks single packets into the main domain.
Looks good markus@, henning@
|
|
original packet or they will trigger the diagnostic check in the interface
output routines. OK jsg@
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|